# The Ransomware Threat Intelligence Center

**[news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/](https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/)**

Tilly Travers, March 17, 2022

## Introduction

The ransomware landscape is a complex, crowded and rapidly evolving ecosystem. New and rebranded groups appear and disappear continuously, while the operators behind them share, rent, steal, or copy each other’s attack tools, playbooks and even infrastructure.

Sophos has been monitoring and reporting on the ransomware landscape for years, building an unrivalled library of insight and analysis. The Ransomware Threat Intelligence Center brings together a curated list of the most important research articles and reports published by Sophos on prevalent, new, and emerging ransomware threats, including their tools, techniques, and behaviors, from 2018 to the present. The content will be updated regularly as new material becomes available.

For further information on ransomware, including advice on security best practice and the latest [State of Ransomware report](https://secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/ransomware-cyberthreat), visit Sophos’ [Resources to Stop Ransomware](https://www.sophos.com/en-us/content/ransomware).

## Sophos Research and Reports on Prevalent and New Ransomware Groups, 2018 to 2022

**Astro Locker**

[Sophos MTR in real time: What is Astro Locker team?](https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/)
March 31, 2021 – A Sophos incident response investigation uncovers similarities between Astro Locker and Mount Locker ransomware

**Avos Locker**

[Avos Locker remotely accesses boxes, even running in Safe Mode](https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/)
Dec. 22, 2021 – Sophos reports how the relatively new ransomware-as-a-service (RaaS) Avos Locker boots target computers into Safe Mode to execute the ransomware and tries to disable security software

**Atom Silo**

[Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack](https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/)
Oct. 4, 2021 – Sophos reports on an attack by the relatively new ransomware group Atom Silo that leveraged a recent vulnerability in Atlassian’s Confluence collaboration software and tried to disrupt endpoint protection software. The same Confluence vulnerability was also exploited by a crypto miner

**Avaddon**

[What to expect when you’ve been hit with Avaddon ransomware](https://news.sophos.com/en-us/2021/05/24/what-to-expect-when-youve-been-hit-with-avaddon-ransomware/)
May 24, 2021 – Part of a series designed to help IT administrators facing the impact of an attack involving a particular ransomware family

**Black Kingdom**

[Black Kingdom ransomware begins appearing on Exchange servers](https://news.sophos.com/en-us/2021/03/23/black-kingdom/)
March 23, 2021 – Sophos reports on a novel, if fairly basic, ransomware targeting Microsoft [Exchange servers that haven’t been patched against the ProxyLogon exploit](https://news.sophos.com/en-us/2021/03/17/mtr-in-real-time-exchange-proxylogon-edition/)

**BlackMatter**

[BlackMatter ransomware emerges from the shadow of DarkSide](https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/)
Aug. 9, 2021 – Sophos reports on a new RaaS that calls itself BlackMatter and adopts tools and techniques from REvil, DarkSide and LockBit 2.0

**Conti**

Sophos has reported extensively on the prolific Conti RaaS operation. Researchers will continue to track the evolution of this high-profile threat following the events of early March 2022, when Conti’s stance on the [Russia-Ukraine war](https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/) led to a series of [public leaks](https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/) of its [attack playbook, toolset, internal communications, source code and more](https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/).

Sophos analysis and insight on Conti ransomware include:

[What to expect when you’ve been hit with Conti ransomware](https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/)
Feb. 16, 2021 – Part of a series designed to help IT administrators facing the impact of an attack involving a particular ransomware family

[Conti ransomware: Evasive by nature](https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/)
Feb. 16, 2021 – Sophos reports on how the attackers spreading Conti have switched gears to a completely fileless attack method

[A Conti ransomware attack day-by-day](https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/)
Feb. 16, 2021 – Sophos reports on the unfolding of a Conti ransomware incident

[Conti affiliates use ProxyShell Exchange exploit in ransomware attacks](https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/)
Sep. 3, 2021 – Sophos reports on an investigation into a Conti ransomware attack where the [attackers used a ProxyShell exploit](https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/)

**Cring**

[Cring ransomware group exploits ancient ColdFusion server](https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/)
Sep. 21, 2021 – Sophos reports on an unknown threat actor exploiting a vulnerability in an 11-year-old installation of Adobe ColdFusion 9 and deploying the rarely seen Cring ransomware

**DearCry**

[DearCry ransomware attacks exploit Exchange server vulnerabilities](https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/)
March 15, 2021 – Sophos reports on an unsophisticated, “beginner” ransomware called DearCry, which mimics the notorious WannaCry ransomware

**Dharma**

[Color by numbers: inside a Dharma ransomware-as-a-service attack](https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/)
Aug. 12, 2020 – Sophos reports on the Dharma RaaS that targets smaller businesses and provides affiliates with detailed, step-by-step attack scripts

**DarkSide**

[A defender’s view inside a DarkSide ransomware attack](https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/)
May 11, 2021 – A Sophos deep dive into the attack methods of the DarkSide ransomware group

**Egregor**

[Egregor ransomware: Maze’s heir apparent](https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/)
Dec. 8, 2020 – Sophos reports on a new RaaS variant of Sekhmet ransomware that appears to have picked up where Maze left off

**Entropy**

[Dridex bots deliver Entropy ransomware in recent attacks](https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/)
Feb. 23, 2022 – Sophos reports on how code used in Entropy ransomware bears a resemblance to code used in Dridex malware, suggesting a possible common origin

**Epsilon Red**

[A new ransomware enters the fray: Epsilon Red](https://news.sophos.com/en-us/2021/05/28/epsilonred/)
May 28, 2021 – Sophos reports on a new, bare-bones ransomware that offloads most of its functionality to a series of PowerShell scripts

**GandCrab**

[GandCrab 101: All about the most widely distributed ransomware of the moment](https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/)
March 5, 2019 – A deep dive into a ransomware that dominated the landscape in 2019

[Directed attacks against MySQL servers deliver ransomware](https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/)
May 24, 2019 – Sophos reports on an unknown adversary attacking internet-facing Windows database servers with GandCrab ransomware

**LockBit**

[LockBit ransomware borrows tricks to keep up with REvil and Maze](https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/)
April 24, 2020 – Sophos reports on how LockBit is implementing techniques and behaviors from other high-profile ransomware groups

[LockBit uses automated attack tools to identify tasty targets](https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets/)
Oct. 21, 2021 – Sophos reports on how the operators behind LockBit ransomware are using renamed copies of PowerShell and other automated tools to search for systems with valuable data

[Attackers linger on government agency computers before deploying LockBit ransomware](https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/)
April 12, 2022 – Sophos reports on how attackers breached and then spent five months in a compromised network, Googling for tools to further their attack, before exfiltrating data and deploying LockBit ransomware

**LockFile**

[LockFile ransomware’s box of tricks: intermittent encryption and evasion](https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/)
Aug. 27, 2021 – Sophos discovers a new ransomware family leveraging ProxyShell and using intermittent encryption of files to evade detection by anti-ransomware tools

**Matrix**

[Matrix: Targeted, small scale, canary in the coalmine ransomware](https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/)
Jan. 30, 2019 – Sophos reports on how the unsophisticated Matrix ransomware succeeds by leveraging vulnerable remote desktops to breach networks and disrupt targets

**Maze**

[Maze ransomware: extorting victims for 1 year and counting](https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/)
May 12, 2020 – Sophos reports on how the Maze ransomware operators were one of the first ransomware operations to use data theft as a way of coercing victims to pay the ransom demand

[Maze attackers adopt Ragnar Locker virtual machine technique](https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/)
Sep. 17, 2020 – Sophos reports on how Maze operators adopted a cumbersome [ransomware delivery technique from Ragnar Locker](https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/) after several failed attempts to deploy the ransomware

[MTR Casebook: Blocking a $15 million Maze ransomware attack](https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/)
Sep. 22, 2020 – A day-by-day account of the unfolding of a major Maze ransomware attack

**MegaCortex**

[“MegaCortex” ransomware wants to be The One](https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/)
May 3, 2019 – Sophos reports on a new, sophisticated ransomware group leveraging both automated and manual components

[MegaCortex, deconstructed: mysteries mount as analysis continues](https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/)
May 10, 2019 – A follow-on research article including new insight on the ransomware group’s tools, techniques, and misdirection tactics

**Memento**

[New ransomware actor uses password protected archives to bypass encryption protection](https://news.sophos.com/en-us/2021/11/18/new-ransomware-actor-uses-password-protected-archives-to-bypass-encryption-protection/)
Nov. 18, 2021 – Sophos reports on an incident involving the new ransomware group Memento, which failed to encrypt files and so instead copied them into password-protected archives

**Midas**

[Windows services lay the groundwork for a Midas ransomware attack](https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/)
Jan. 25, 2022 – Sophos reports on a ransomware attack that made extensive use of vulnerable remote access services and PowerShell scripts

**Nefilim**

[Nefilim Ransomware Attack Uses “Ghost” Credentials](https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/)
Jan. 26, 2021 – Sophos reports on an incident where the attackers gained access to the target using the account credentials of a deceased employee

**Netwalker**

[Netwalker ransomware tools give insight into threat actor](https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/)
May 27, 2020 – Sophos details the tactics, techniques, and procedures (TTPs) used by Netwalker after discovering a trove of malware and related files

**ProLock**

[ProLock ransomware gives you the first 8 kilobytes of decryption for free](https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/)
July 27, 2020 – Sophos reports on the attack chain and TTPs of this new ransomware

**Python**

[Python ransomware script targets ESXi server for encryption](https://news.sophos.com/en-us/2021/10/05/python-ransomware-script-targets-esxi-server-for-encryption/)
Oct. 5, 2021 – Sophos reports on one of the fastest ransomware attacks it has seen, where a Python script on the target’s virtual machine hypervisor encrypted all virtual disks

**RagnarLocker**

[Ragnar Locker ransomware deploys virtual machine to dodge security](https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/)
May 21, 2020 – Sophos reports on an incident where the attackers deployed a full virtual machine on each targeted device to hide the ransomware from view

**Ragnarok**

[Asnarök attackers twice modified attack midstream](https://news.sophos.com/en-us/2020/05/21/asnarok2/)
May 21, 2021 – Sophos reports on how Asnarok attackers tried to deploy Ragnarok ransomware through an unpatched firewall

**REvil**

[Relentless REvil, revealed: RaaS as variable as the criminals who use it](https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/)
June 11, 2021 – Sophos details the different TTPs seen among the affiliate customers of the REvil RaaS

[What to expect when you’ve been hit with REvil ransomware](https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/)
June 30, 2021 – Part of a series designed to help IT administrators facing the impact of an attack involving a particular ransomware family

[Independence Day: REvil uses supply chain exploit to attack hundreds of businesses](https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/)
July 4, 2021 – Sophos details the crypto-extortion attack launched by a REvil affiliate using a malicious update to exploit Kaseya’s VSA remote management service

**RobbinHood**

[Living off another land: Ransomware borrows vulnerable driver to remove security software](https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/)
Feb. 6, 2020 – Sophos reports on attacks in which the attackers deployed a legitimate, digitally signed hardware driver to delete security products from targeted computers before deploying RobbinHood ransomware

**Ryuk**

[They’re back: inside a new Ryuk ransomware attack](https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/)
Oct. 14, 2020 – Sophos reports on the return of Ryuk after a period of quiet, with evolved tools for compromise and ransomware deployment

[MTR in Real Time: Pirates pave way for Ryuk ransomware](https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/)
May 6, 2021 – Sophos reports on an incident where the download of a pirated software program let attackers breach the network of a research institute and deploy Ryuk ransomware

**SamSam**

[Sophos releases SamSam ransomware report](https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/)
July 31, 2018 – Sophos releases a deep dive into SamSam ransomware

[How a SamSam-like attack happens, and what you can do about it](https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/)
Nov. 29, 2018 – Sophos details a typical SamSam ransomware attack and how to defend against it

**Snatch**

[Snatch ransomware reboots PCs into Safe Mode to bypass protection](https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/)
Dec. 9, 2019 – Sophos reports on a novel hybrid data theft-ransomware threat that disables security protections by rebooting Windows machines mid-attack

**WannaCry**

[The WannaCry hangover](https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/)
Sep. 16, 2019 – Sophos reports how, more than two years on, modified WannaCry variants still cause headaches for IT admins and security analysts

**WastedLocker**

[WastedLocker’s techniques point to a familiar heritage](https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/)
Aug. 4, 2020 – Sophos reports on how WastedLocker evades detection by performing most operations in memory, and shares several characteristics with the Bitpaymer ransomware family

## Additional Assets

**Collective Reports and Analyses**

How ransomware attacks: What defenders should know about the most prevalent and persistent ransomware families

[The Active Adversary Playbook 2021](https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/)

[The Sophos 2019 Threat Report](https://news.sophos.com/en-us/2018/11/14/threat-report-2019/)

[The Sophos 2020 Threat Report](https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-uncut-2020-threat-report.pdf)

[The Sophos 2021 Threat Report](https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf)

[The Sophos 2022 Threat Report](https://news.sophos.com/en-us/2021/11/09/2022-threat-report/)

**Insight and Advisory Articles**

[How the most damaging ransomware evades IT security](https://news.sophos.com/en-us/2019/11/14/how-the-most-damaging-ransomware-evades-it-security/)

[The realities of ransomware: Five signs you’re about to be attacked](https://news.sophos.com/en-us/2020/08/04/the-realities-of-ransomware-five-signs-youre-about-to-be-attacked/)

[The realities of ransomware: Extortion goes social in 2020](https://news.sophos.com/en-us/2020/08/04/the-realities-of-ransomware-extortion-goes-social-in-2020/)

[The realities of ransomware: Why it’s not just a passing fad](https://news.sophos.com/en-us/2020/08/04/the-realities-of-ransomware-why-its-not-just-a-passing-fad/)

[The realities of ransomware: A victim’s eye view of an attack](https://news.sophos.com/en-us/2020/08/04/the-realities-of-ransomware-a-victims-eye-view-of-an-attack/)

[The realities of ransomware: The evasion arms race](https://news.sophos.com/en-us/2020/08/04/the-realities-of-ransomware-the-evasion-arms-race/)

[Winners and losers in the ransomware turf wars](https://news.sophos.com/en-us/2021/11/09/winners-and-losers-in-the-ransomware-turf-wars/)

[The top 10 ways ransomware operators ramp up the pressure to pay](https://news.sophos.com/en-us/2021/10/28/the-top-10-ways-ransomware-operators-ramp-up-the-pressure-to-pay/)

[Ransomware mishaps: Adversaries have their off days too](https://news.sophos.com/en-us/2021/08/11/ransomware-mishaps-adversaries-have-their-off-days-too/)