1. Home
  2. Techniques
  3. Enterprise
  4. 数据加密以实现影响

数据加密以实现影响

ID Name
T1486.001 动态加密算法轮换
T1486.002 合法进程注入加密
T1486.003 分阶段加密延迟触发
T1486.004 云存储API滥用加密

数据加密以实现影响是攻击者通过加密关键数据破坏目标系统可用性的终极攻击手段,常见于勒索软件攻击链的最终阶段。传统检测方法主要依赖识别异常文件修改模式(如大规模文件重命名、加密头特征)、监控系统工具滥用(如vssadmin删除卷影副本)以及检测加密进程行为特征。防御方可通过文件完整性监控、存储快照保护和进程行为分析等手段进行缓解。

为对抗日益成熟的加密行为检测技术,攻击者发展出多维度的加密匿迹方法,通过动态算法混淆、进程上下文伪装、时空行为分散及云服务滥用等策略,将恶意加密操作深度嵌入系统正常业务流程,大幅降低加密行为的可观测性与可关联性。

当前数据加密匿迹技术的演进呈现三大共性特征:一是加密行为的上下文融合,通过劫持合法进程或云服务API,使恶意操作获得系统信任背书;二是加密特征的动态变异,采用算法轮换与参数随机化破坏静态特征检测;三是攻击节奏的智能控制,利用分阶段执行与条件触发机制规避突发行为检测。动态加密算法轮换技术通过密码学层面的持续变异,使得每次加密产生独特的特征指纹;合法进程注入加密则重构了恶意行为的进程上下文,将其伪装成用户或系统发起的正常操作;分阶段加密通过长周期行为稀释,规避基于短时间窗口的异常检测;云存储API滥用加密更是将攻击完全融入云平台安全体系,实现"以子之盾,陷子之矛"的对抗效果。这些技术共同构建了加密攻击的"合法化"执行环境,显著提升了防御方识别恶意加密行为的难度。

匿迹技术的发展迫使防御体系从单一特征检测转向多维度行为关联分析,需结合密码学特征动态解析、进程行为链追踪、云API调用上下文理解等新型检测能力,同时构建跨存储介质、跨时间维度的加密行为基线模型,才能有效应对隐蔽性不断增强的数据加密威胁。

ID: T1486
Sub-techniques:  T1486.001, T1486.002, T1486.003, T1486.004
Tactic: 影响释放
Platforms: IaaS, Linux, Windows, macOS
Impact Type: Availability
Contributors: ExtraHop; Harshal Tupsamudre, Qualys; Mayuresh Dani, Qualys; Oleg Kolesnikov, Securonix; Travis Smith, Qualys
Version: 1.4
Created: 15 March 2019
Last Modified: 16 June 2022

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

通过动态加密算法轮换和云存储API滥用,将恶意加密特征伪装成合规的数据保护操作。算法参数的持续变化使得加密流量无法形成稳定指纹,而云服务原生加密API的调用则使攻击行为获得平台合法性背书,有效混淆恶意加密与正常安全加固的界限。

行为透明

合法进程注入加密技术通过深度寄生在系统可信进程中,使加密操作脱离独立恶意进程的可见范围。防御方难以在正常应用行为中区分出被注入的加密线程,导致加密行为在进程监控层面呈现透明化。

数据遮蔽

所有子技术均依赖高强度加密算法对数据进行不可逆混淆,符合数据遮蔽效应中"使防御者望不透"的核心特征。加密后的数据完全丧失可读性,且动态密钥管理机制确保无法通过密码分析恢复原始内容。

时空释痕

分阶段加密延迟触发技术将加密行为分散在长达数周的时间跨度中,同时结合目录随机遍历实现空间维度上的操作分散。这种长周期、低密度的攻击节奏将加密特征稀释在系统正常维护活动中,破坏防御方的时间关联分析能力。

Procedure Examples

ID Name Description
S1129 Akira

Akira encrypts victim filesystems for financial extortion purposes.[1]
G1024 Akira

Akira encrypts files in victim environments as part of ransomware operations.[2]
S1133 Apostle

Apostle creates new, encrypted versions of files then deletes the originals, with the new filenames consisting of a random GUID and ".lock" for an extension.[3]
G0082 APT38

APT38 has used Hermes ransomware to encrypt files with AES256.[4]
G0096 APT41

APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[5] APT41 also used Microsoft Bitlocker to encrypt workstations and Jetico’s BestCrypt to encrypt servers.[6]
S0640 Avaddon

Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes.[7]
S1053 AvosLocker

AvosLocker has encrypted files and network resources using AES-256 and added an .avos, .avos2, or .AvosLinux extension to filenames.[8][9][10][11]
S0638 Babuk

Babuk can use ChaCha8 and ECDH to encrypt data.[12][13][14][15]
S0606 Bad Rabbit

Bad Rabbit has encrypted files and disks using AES-128-CBC and RSA-2048.[16]
S0570 BitPaymer

BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending .locked to the filename.[17]
S1070 Black Basta

Black Basta can encrypt files with the ChaCha20 cypher and using a multithreaded process to increase speed.[18][19][20][21][22][23][24][25][26]
S1068 BlackCat

BlackCat has the ability to encrypt Windows devices, Linux devices, and VMWare instances.[27]
C0015 C0015

During C0015, the threat actors used Conti ransomware to encrypt a compromised network.[28]
C0018 C0018

During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network.[10][29]
S1096 Cheerscrypt

Cheerscrypt can encrypt data on victim machines using a Sosemanuk stream cipher with an Elliptic-curve Diffie–Hellman (ECDH) generated key.[30][31]
S0611 Clop

Clop can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files.[32][33][34]

S0575 Conti

Conti can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. Conti can use "Windows Restart Manager" to ensure files are unlocked and open for encryption.[35][36][37][38][28]
S0625 Cuba

Cuba has the ability to encrypt system data and add the ".cuba" extension to encrypted files.[39]

S1111 DarkGate

DarkGate can deploy follow-on ransomware payloads.[40]
S1033 DCSrv

DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[41]
S0616 DEATHRANSOM

DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.[42]
S0659 Diavol

Diavol has encrypted files using an RSA key though the CryptEncrypt API and has appended filenames with ".lock64". [43]
S0554 Egregor

Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.[44][45]

S0605 EKANS

EKANS uses standard encryption library functions to encrypt files.[46][47]
G0046 FIN7

FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.[48][49]
G0061 FIN8

FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks.[50]
S0618 FIVEHANDS

FIVEHANDS can use an embedded NTRU public key to encrypt data for ransom.[42][51][52]
S0617 HELLOKITTY

HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.[42]
C0038 HomeLand Justice

During HomeLand Justice, threat actors used ROADSWEEP ransomware to encrypt files on targeted systems.[53][54][55]
G1032 INC Ransom

INC Ransom has used INC Ransomware to encrypt victim's data.[56][57][58][59][60][61]
S1139 INC Ransomware

INC Ransomware can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption.[56][57][60][61][56]
G0119 Indrik Spider

Indrik Spider has encrypted domain-controlled systems using BitPaymer.[17] Additionally, Indrik Spider used PsExec to execute a ransomware script.[62]
S0389 JCry

JCry has encrypted files and demanded Bitcoin to decrypt those files. [63]
S0607 KillDisk

KillDisk has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted.[64]
S0372 LockerGoga

LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.[65][66][67]
G0059 Magic Hound

Magic Hound has used BitLocker and DiskCryptor to encrypt targeted workstations. [68][69]
S0449 Maze

Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.[70]
S0576 MegaCortex

MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.[71][72]
S1137 Moneybird

Moneybird targets a common set of file types such as documents, certificates, and database files for encryption while avoiding executable, dynamic linked libraries, and similar items.[73]
G1036 Moonstone Sleet

Moonstone Sleet has deployed ransomware in victim environments.[74]
S0457 Netwalker

Netwalker can encrypt files on infected machines to extort victims.[75]

S0368 NotPetya

NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[76][77][78]
S0556 Pay2Key

Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption.[79][80]
S1162 Playcrypt

Playcrypt encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file portion of 0x100000 bytes.[81][82]
S1058 Prestige

Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with .enc.[83]
S0654 ProLock

ProLock can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024.[84]
S0583 Pysa

Pysa has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions.[85]

S0481 Ragnar Locker

Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.[86][87]
S0496 REvil

REvil can encrypt files on victim systems and demands a ransom to decrypt the files.[88][89][90][91][92][93][94][95]
S1150 ROADSWEEP

ROADSWEEP can RC4 encrypt content in blocks on targeted systems.[53][54][55]
S0400 RobbinHood

RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.[96]

S1073 Royal

Royal uses a multi-threaded encryption process that can partially encrypt targeted files with the OpenSSL library and the AES256 algorithm.[97][98][99]
S0446 Ryuk

Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.[100][38]
S0370 SamSam

SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.[101]
G0034 Sandworm Team

Sandworm Team has used Prestige ransomware to encrypt data at targeted organizations in transportation and related logistics industries in Ukraine and Poland.[83]
G1015 Scattered Spider

Scattered Spider has used BlackCat ransomware to encrypt files on VMWare ESXi servers.[102][103]
S0639 Seth-Locker

Seth-Locker can encrypt files on a targeted system, appending them with the suffix .seth.[15]
S0140 Shamoon

Shamoon has an operational mode for encrypting data instead of overwriting it.[104][105]
S0242 SynAck

SynAck encrypts the victims machine followed by asking the victim to pay a ransom. [106]
G0092 TA505

TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.[107]
S0595 ThiefQuest

ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.[108]
S0366 WannaCry

WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[109][110][111]
S0612 WastedLocker

WastedLocker can encrypt data and leave a ransom note.[112][113][114]

S0341 Xbash

Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.[115]
S0658 XCSSET

XCSSET performs AES-CBC encryption on files under ~/Documents, ~/Downloads, and~/Desktop with a fixed key and renames files to give them a .enc extension. Only files with sizes less than 500MB are encrypted.[116]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable cloud-delivered protection and Attack Surface Reduction (ASR) rules to block the execution of files that resemble ransomware. [117]
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.[118] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. Consider enabling versioning in cloud environments to maintain backup copies of storage objects.[119]

Detection

ID Data Source Data Component Detects
DS0010 Cloud Storage Cloud Storage Modification

Monitor for changes made in cloud environments for events that indicate storage objects have been anomalously modified.
DS0017 Command Command Execution

Monitor executed commands and arguments for actions involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit
DS0022 File File Creation

Monitor for newly constructed files in user directories.
File Modification

Monitor for changes made to files in user directories.
DS0033 Network Share Network Share Access

Monitor for unexpected network shares being accessed on target systems or on large numbers of systems.
DS0009 Process Process Creation

Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit.

References

  1. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  2. Will Thomas. (2023, September 15). Tracking Adversaries: Akira, another descendent of Conti. Retrieved February 21, 2024.
  3. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  4. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  5. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  6. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
  7. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  8. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  9. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
  10. Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
  11. FBI, FinCEN, Treasury. (2022, March 17). Indicators of Compromise Associated with AvosLocker Ransomware. Retrieved January 11, 2023.
  12. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  13. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  14. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.
  15. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
  16. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  17. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  18. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  19. Ballmer, D. (2022, May 6). Black Basta: Rebrand of Conti or Something New?. Retrieved March 7, 2023.
  20. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
  21. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  22. Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.
  23. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  24. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  25. Trend Micro. (2022, September 1). Ransomware Spotlight Black Basta. Retrieved March 8, 2023.
  26. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  27. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  28. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  29. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
  30. Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.
  31. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  32. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  33. Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
  34. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  35. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  36. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  37. Cybleinc. (2021, January 21). Conti Ransomware Resurfaces, Targeting Government & Large Organizations. Retrieved April 13, 2021.
  38. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  39. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  40. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  41. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  42. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  43. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  44. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
  45. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
  46. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  47. Hinchliffe, A. Santos, D. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.
  48. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  49. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  50. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  51. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  52. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  53. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  54. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  55. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  56. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
  57. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
  58. Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024.
  59. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
  60. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  1. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
  2. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  3. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  4. Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.
  5. CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
  6. Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
  7. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  8. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  9. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  10. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
  11. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  12. ARMmbed. (2018, June 21). Mbed Crypto. Retrieved February 15, 2021.
  13. Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS. Retrieved May 21, 2024.
  14. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  15. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  16. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  17. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  18. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  19. ClearSky. (2020, February 16). Fox Kitten – Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020.
  20. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
  21. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  22. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  23. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  24. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  25. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  26. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  27. Gold, B. (2020, April 27). Cynet Detection Report: Ragnar Locker Ransomware. Retrieved June 29, 2020.
  28. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  29. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  30. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  31. Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.
  32. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  33. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  34. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  35. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
  36. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  37. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  38. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.
  39. Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023.
  40. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  41. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  42. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  43. Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.
  44. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  45. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  46. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  47. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  48. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  49. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  50. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  51. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  52. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  53. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  54. Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
  55. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  56. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  57. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  58. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.
  59. Gietzen, S. (n.d.). S3 Ransomware Part 2: Prevention and Defense. Retrieved April 14, 2021.