{
	"id": "f03191b4-5206-4f3f-9647-e9146974f58b",
	"created_at": "2026-04-06T00:12:14.302036Z",
	"updated_at": "2026-04-10T13:11:45.587941Z",
	"deleted_at": null,
	"sha1_hash": "41a404b913f66db04dc63a92132e388a6c5bb84a",
	"title": "Analyzing the Shift in Ransomware Dynamics: The Impact of Law Enforcement and Future Outlooks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65891,
	"plain_text": "Analyzing the Shift in Ransomware Dynamics: The Impact of Law Enforcement and Future Outlooks\r\nBy Andrei Moldovan\r\nPublished: 2024-06-27 · Archived: 2026-04-05 17:33:21 UTC\r\nThe landscape of ransomware attacks has witnessed significant shifts from Q4 2023 to Q1 2024 after several ransomware disruptions. Ransomware statistics analyzed by QuoIntelligence within this period indicate a 22% decrease in the number of publicly announced ransomware victims, a change potentially attributable to several dynamics within the ransomware threat landscape. Key factors include strategic actions by law enforcement agencies and the impact of Ransomware-as-a-Service (RaaS) operators executing exit scams on their affiliates. These exit scams, coupled with a rise in victims refusing to pay ransoms, led to a substantial 32% decline in ransom payments during this period.\r\nFigure 1: Distribution of the number of ransomware victims from Q4 2023 to Q2 2024. Source: QuoIntelligence.\r\nHowever, it is important to highlight that the spike observed in Q2 2024 during the month of May, when 174 of the reported victims were attributed to LockBit, occurred in retaliation against Operation Cronos. The data acquired during June 2024 is a partial subset of victims, updated to June 26th, and this number may change in the coming days.\r\nOur main takeaways for this article include:\r\nDespite the gradual decline of LockBit in recent months, new groups are expected to rise and exploit the current ransomware threat landscape to boost their visibility and reputation among cybercriminals and the underground community.\r\nWhile law enforcement actions may not yield immediate results, they have a significant long-term impact on the credibility of ransomware groups by gradually eroding the talent pool of skilled affiliates.\r\nRansomware source code leaks will be pivotal in the emergence of future low-level operators and the reuse of code in prevalent ransomware families.\r\nThe proliferation of FUD (Fear, Uncertainty, Doubt) content and unverified claims made by cybercriminals and media outlets is exponentially increasing the visibility these ransomware groups seek in order to attract new talent.\r\nLaw Enforcement’s Role in Mitigating Ransomware Threats\r\nLaw enforcement actions, although their effect is challenging to quantify precisely, play a crucial role in reducing the threat posed by ransomware operators and their affiliates. These agencies focus on eroding the ransomware landscape and acting as a deterrent to potential cybercriminals. Even though only a few operations have resulted in the arrest of ransomware operators or affiliates, the cumulative impact of these efforts has led to a reduction in the pool of skilled individuals capable of executing sophisticated attacks.\r\nhttps://quointelligence.eu/2024/06/analyzing-shift-in-ransomware-dynamics/\r\nPage 1 of 6\r\nLaw enforcement actions not only apprehend cybercriminals but also induce significant psychological stress and internal conflict among affiliates, disrupting their coordination and communication. This disruption is critical, as effective collaboration is essential for RaaS operators to maintain their operations and reputations. The seizure and dismantling of Dedicated Leak Sites (DLS) further cripples the operability of RaaS models, damaging their credibility and operational capabilities.\r\nNotable Law Enforcement Actions and Internal Conflicts During 2023 and 2024\r\nIn recent years, law enforcement agencies have intensified their efforts to combat ransomware operations, achieving significant milestones in 2023 and 2024. These actions have disrupted major ransomware groups and affiliation models, affecting their operational capabilities and reducing their threat levels.\r\nHere are some notable actions:\r\n23 January 2023: The Department of Justice (DoJ), in collaboration with the Federal Bureau of Investigation (FBI) and thirteen other international law enforcement agencies, successfully dismantled HIVE. This prominent RaaS model had claimed more than 1500 victims since 2021, making its takedown a critical victory in the fight against ransomware.\r\n18 October 2023: The pro-Ukraine group Ukraine Cyber Alliance (UCA) defaced and wiped the entire infrastructure of Trigona, a smaller RaaS model struggling with internal and management issues related to its DLS. This action significantly disrupted Trigona’s operations.\r\n20 October 2023: Multiple European law enforcement agencies seized and dismantled the infrastructure of Ragnar Locker, a long-standing ransomware group that had not transitioned into a RaaS model, marking Ragnar Locker’s operational end.\r\n19 December 2023: The FBI temporarily took down the infrastructure of the popular RaaS model BlackCat/ALPHV. Following this seizure, the operators reinstated their infrastructure but, according to reports that are not yet confirmed, performed an exit scam against one of their affiliates two months later, stealing over EUR 20,000,000 and disappearing from the underground. There are unconfirmed theories that the new RaaS affiliation model, RansomHub, is a rebranding of BlackCat/ALPHV.\r\n20 February 2024: During Operation Cronos and the subsequent months, multiple coordinated law enforcement agencies compromised LockBit’s infrastructure via a PHP vulnerability. This operation took over most of LockBit’s infrastructure and the sensitive information stored on its DLSs. Although the operation was highly effective, LockBit continues to operate, albeit with questionable practices such as recycling old data and creating fake claims. After law enforcement agencies published the identity and personal information of the individual behind LockBitSupp, QuoIntelligence noted an increase of victim announcements on LockBit’s DLS, as well as a reduced online presence of LockBitSupp.\r\nThe following illustration provides a high-level overview of the most important disruptions to ransomware:\r\nFigure 2: Timeline of the major disruption events against ransomware groups since 2023.\r\nThe Emergence and Impact of Ghost Groups\r\nThroughout 2023 and 2024, the outsourcing of threat operations to highly specialized groups, known as ghost groups, was a recurrent phenomenon. These groups consist of freelance cybercriminals with advanced technical skills, command higher percentages of ransom payments than typical affiliates, and often go unreported due to their exceptional proficiency in securing payments from their victims. Prominent ghost groups, such as Zeon and REvil’s pentesters, have been linked to multiple RaaS models, including BlackCat/ALPHV, Akira, LockBit, and BlackSuit.\r\nLockBit, in particular, has leveraged ghost groups for covert operations targeting high-value entities, causing significant financial distress. These operations are exceptionally challenging to trace, often compelling victims to pay ransoms to avoid exposure on the group’s DLS. In spite of LockBit’s reputational decline, ghost groups like Zeon are likely transitioning to other emerging RaaS models, with Akira gaining notable popularity since March 2024.\r\nMigration to Other Alternatives and New Entries: An Overview\r\nAfter Operation Cronos, it is likely that skilled affiliates lost trust in LockBit and decided to part ways, either by developing their own affiliation model or their own closed group of trusted affiliates. It is important to point out that an affiliate does not pledge allegiance to a single affiliation program but to more than one, in order to use multiple ransomware builders and potentially to make profiling harder.\r\nExcluding LockBit from our statistics, we have identified the 10 most active ransomware groups based on the reported victims in 2024:\r\nFigure 3: Top 10 Ransomware Groups Ranked by Victims Excluding LockBit. Source: QuoIntelligence.\r\nBased on internal telemetry and seasonal statistics, QuoIntelligence identified the following groups as more likely to compete in the ransomware threat landscape, due to the high-level targets reported on their own DLS and the sophistication of their arsenal:\r\nAkira: commencing operations in March 2023, it is distinguished by the ‘retro aesthetic’ of its DLS. The group targets large enterprises across various sectors, such as education, finance, manufacturing, real estate, and medical, prioritizing entities capable of fulfilling their substantial ransom demands.\r\nRansomHub: self-described as a collective of hackers from various global locations, the group’s primary motivation is financial gain. The group claims to avoid attacks on organizations from the CIS, Cuba, North Korea, and China, suggesting a possible Russian influence, although direct ties to Russia are speculative. There are unverified claims that RansomHub may be a rebranded version of the infamous BlackCat/ALPHV group or that it has integrated former BlackCat/ALPHV affiliates. Financial transactions favor affiliates, who receive 90% of the ransom payments, an arrangement designed to build trust among potential collaborators, especially in the wake of the BlackCat/ALPHV scam which eroded trust within the RaaS community.\r\nHunters International: a highly sophisticated and adaptable group known for its targeted ransomware attacks and data exfiltration operations. Demonstrating advanced skills in malware development, social engineering, and exploiting network vulnerabilities, they are primarily driven by financial gain, encrypting victim data and demanding ransom payments, while also leveraging the strategic value of stolen information. Hunters International targets a wide range of sectors, including healthcare, finance, government entities, and critical infrastructure, operating globally with a significant focus on North America, Europe, and parts of Asia.\r\nPersistence of Lower-Level Affiliates and Future Outlooks\r\nLower-level affiliates continue to support the RaaS model, maintaining connections with leadership even after initial takedowns. This persistence highlights the resilience of RaaS operations and the ongoing challenges in dismantling such networks. The continuation of these lower-level activities underscores the need for sustained efforts in combating ransomware threats.\r\nThe recent leaks of multiple ransomware builders, including LockBit’s, suggest an imminent increase in the number of RaaS models. New groups are expected to emerge, potentially replacing LockBit in terms of reported incidents. However, replicating the distinct persona and branding of LockBitSupp, central to LockBit’s operational identity, is unlikely if the objective is to remain stealthy with respect to media outlets, law enforcement agencies and security researchers. While such a persona certainly allows RaaS models to grow exponentially, it also attracts unwanted attention.\r\nHigh-profile media stunts have previously been used to divert attention from the main ghost groups; this strategy is expected to diminish. Increased exposure from such activities can undermine the operational security of RaaS models, prompting a shift towards maintaining a lower profile to avoid detection.\r\nLeaked Builders and Impersonations\r\nWhen ransomware operators sell their ransomware builder’s source code, or it gets leaked on underground forums by rogue affiliates, it is unsurprising that new RaaS operators and low-level groups attempt to create their own versions of the tool. These groups often modify the ransom note or completely impersonate RaaS affiliates. A specific case in point is the emergence of a slightly modified LockBit 3.0 variant, dubbed LockBit 4.0. This variant was first seen on February 24th, with 13 samples currently available on VirusTotal. This is one of many clones of LockBit 3.0, whose source code was leaked in August 2023, enabling the rise of new groups repurposing the code.\r\nWhile the reuse of identical source code allows defenders to maintain effective detections without significant changes, the involvement of more skilled ransomware operators could pose a serious threat. These operators could introduce new capabilities, functionalities, and evasion techniques. A prime example is the leak of Babuk’s source code, which targeted ESXi servers and was quickly adopted by numerous ransomware operators.\r\nIt is not uncommon for lower-level affiliates and new groups to mimic and leverage the reputation of more established entities. APT73, not to be confused with commonly referenced Advanced Persistent Threat (APT) groups, published information on their first victim on April 25th. To date, they have 12 known victims.\r\nA distinctive feature of APT73 is the striking visual similarity between their data leak site (DLS) and that of LockBit. This resemblance likely aims to capitalize on LockBit’s established reputation, potentially attracting affiliates to join APT73’s program. Notably, there are no public advertisements on underground forums promoting APT73’s services.\r\nThe rationale behind the similar design of the DLS remains unclear. However, it is plausible that this mimicry is intended to signal to others that APT73 operates at a level comparable to LockBit, potentially inspiring trust in new affiliates or low-level criminals willing to collaborate with APT73.\r\nTaking Advantage of Fake Data Breaches\r\nWhile impersonation and code reuse can be effective tactics to leverage the reputation of established groups, the most recurring and impactful strategy in the underground is the republication of old data or the creation of fake data breaches to attract media attention. This behavior is often amplified by several factors:\r\nSock Puppet Accounts: Cybercriminals create fake accounts on social media platforms to publish and boost the visibility of their claims.\r\nMedia Attention: Cybercriminals gain media attention by securing interviews with news reporters.\r\nSpreading FUD (Fear, Uncertainty, Doubt): Individuals without malicious intent often spread sensational content without verifying the reliability of the source.\r\nRegardless of the tools and techniques used, increased visibility and discussion about a group enhance its reputation in the underground community. However, this strategy can backfire when cybercriminals fail to substantiate their claims. This has been observed repeatedly, even involving some underground forum moderators or LockBit’s operators themselves.\r\nIn essence, while the amplification of claims can elevate a group’s standing, the inability to provide credible evidence can lead to reputational damage, undermining the group’s credibility in the underground ecosystem.\r\nCurrent Situation of LockBit and LockBitSupp\r\nFollowing the release by law enforcement agencies of personal information about the individual behind the LockBitSupp persona, the following events were observed in quick succession:\r\nInitially, LockBitSupp denied the allegations. However, the persona gradually faded from both media outlets and underground forums.\r\nConcurrently, the DLS saw an increased publication rate of victims, suggesting either ongoing negotiations with affiliates or a retaliatory response against law enforcement agencies. Additionally, several companies that had previously paid the ransom were re-published, despite promises that their data would be deleted. This was corroborated by law enforcement agencies during Operation Cronos, which uncovered the supporting infrastructure and terabytes of data that should have been deleted but were instead backed up.\r\nTargets shifted towards new victims in the academic and healthcare sectors, indicating that those managing the ransomware operations may have lost control and credibility over their affiliates and over the well-established rules of engagement.\r\nTowards the end of June 2024, the number of new victims greatly decreased.\r\nOn June 25th, the group claimed to have breached the Federal Reserve and exfiltrated 33 TB of data. While every media outlet exponentially amplified this claim without further validation, the group failed yet again to provide solid proof of the breach, and the DLS redirected users to an unrelated breach.\r\nOn June 26th, it emerged that the targeted company was not the Federal Reserve but Evolve Bank, a US-based financial entity that confirmed the data breach.\r\nQuoIntelligence was unable to identify further data to substantiate these claims, suggesting they may be used as a tactic to divert law enforcement agencies by shifting their internal resources into investigating the claims concerning the Federal Reserve. It is important to highlight that LockBit’s operators have, on multiple occasions, orchestrated fake claims and reused old data breaches to attract attention. A notable example is their claim of a breach against Mandiant after the security vendor published a detailed report on UNC2165, a financially motivated threat actor known for deploying ransomware, which had shifted its tools to LockBit’s ransomware to evade sanctions.\r\nQuoIntelligence assessed with medium confidence that, based on historical data and events, similar claims are likely motivated by retaliation against entities to damage their reputation while amplifying media attention towards LockBit. This tactic is very likely being used to attract more affiliates by leveraging the enhanced visibility and perceived notoriety. While affiliates have complete control over what information to publish on LockBit’s DLS, the administrators are unlikely to verify the claims made by the affiliates.\r\nAlthough Operation Cronos significantly impacted LockBit’s infrastructure and its affiliates, it is unlikely that the group will cease operations in the near future. Affiliates are expected to continue leveraging LockBit’s reputation and sophisticated ransomware. Notably, since the end of May, two weeks after law enforcement agencies released personal information about the persona known as LockBitSupp, its online presence has diminished. The future of LockBit is uncertain, as LockBitSupp was the primary figure attracting attention and visibility, crucial for the group’s proliferation within the underground.\r\nConclusions\r\nDespite the potential emergence of numerous inexperienced ransomware groups and RaaS models, the overall threat level of ransomware attacks is anticipated to remain stable. The pool of highly skilled attackers may diminish over time, but organizations must remain vigilant. Even adversaries with lower sophistication can exploit minor security oversights, leading to significant breaches.\r\nResearch by Andrei Moldovan, Threat Researcher at QuoIntelligence.\r\nAndrei brings extensive expertise in malware reverse engineering and criminology, backed by years of experience in a Security Operations Center (SOC). His passion for malware and offensive security drives him to shed light on unknown threats to combat cybercrime and cybercriminals.\r\nSource: https://quointelligence.eu/2024/06/analyzing-shift-in-ransomware-dynamics/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://quointelligence.eu/2024/06/analyzing-shift-in-ransomware-dynamics/"
	],
	"report_names": [
		"analyzing-shift-in-ransomware-dynamics"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-10T02:00:03.773129Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "98cd3bc4-fd41-4087-be03-f6f8f3be7b67",
			"created_at": "2025-05-29T02:00:03.220566Z",
			"updated_at": "2026-04-10T02:00:03.871851Z",
			"deleted_at": null,
			"main_name": "Cyber Alliance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1ab5200-db35-4b65-815d-824fa842de28",
			"created_at": "2024-11-13T13:15:31.11592Z",
			"updated_at": "2026-04-10T02:00:03.766375Z",
			"deleted_at": null,
			"main_name": "APT73",
			"aliases": [
				"Eraleig"
			],
			"source_name": "MISPGALAXY:APT73",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41a404b913f66db04dc63a92132e388a6c5bb84a.pdf",
		"text": "https://archive.orkl.eu/41a404b913f66db04dc63a92132e388a6c5bb84a.txt",
		"img": "https://archive.orkl.eu/41a404b913f66db04dc63a92132e388a6c5bb84a.jpg"
	}
}