{
	"id": "fc6e4124-7b65-409f-850e-a3f366af4973",
	"created_at": "2026-04-06T00:21:04.293034Z",
	"updated_at": "2026-04-10T03:36:07.847076Z",
	"deleted_at": null,
	"sha1_hash": "50c06520cdfd047eb654a97053d177e21affe3f1",
	"title": "Ransomware Preparedness: A Call To Action | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82870,
	"plain_text": "Ransomware Preparedness: A Call To Action | CrowdStrike\r\nBy Josh Dalman - Kamil Janton - Eben Kaplan\r\nArchived: 2026-04-05 14:13:44 UTC\r\nHardly a day passes without news of another company, hospital, school district or municipal government\r\ntemporarily brought to a halt by ransomware. In fact, ransomware attacks have become so commonplace that they\r\nmake the news far less than they used to. Yet while ransomware may no longer captivate the public’s attention,\r\nsecurity professionals justifiably continue to obsess over it. Ransomware remains the most profitable method for\r\ncybercriminals to monetize their unauthorized access into business networks, with increasing ransom demands\r\noften ranging from $1 million to $10 million USD. For this reason alone, all organizations are potential targets for\r\nransomware campaigns that almost always have a costly business impact, including disruption to operations and\r\nextortion that involves sensitive data theft.\r\nRansomware preparedness has become imperative for all organizations, so much so that even chief executives and\r\nboards of directors are recognizing it as part of their responsibility to promote good governance. But it is a cat-and-mouse game — as defenses improve, ransomware actors continue to innovate to find new methods to\r\ncompromise and extort their victims.\r\nThe CrowdStrike® Services team routinely assists organizations both in preparing for and responding to\r\nransomware attacks. The following are some of the practices we recommend most frequently.\r\nImprove Resiliency of Internet-facing Applications\r\nCrowdStrike has observed eCrime threat actors exploiting single-factor authentication and unpatched internet-facing applications. BOSS SPIDER, one of the initial big game hunting (BGH) ransomware threat actors,\r\nroutinely targeted systems with Remote Desktop Protocol (RDP) accessible from the internet. 
Less sophisticated\r\nthreat actors operating ransomware variants such as Dharma, Phobos and GlobeImposter frequently gain access\r\nthrough RDP brute-force attacks. CrowdStrike recommends against RDP being exposed directly to the internet.\r\nOrganizations currently leveraging the CrowdStrike Falcon® platform can quickly and effectively identify\r\nsystems being actively brute-forced via RDP by using the following query in the Falcon Event Activity Monitor:\r\nevent_simpleName=UserLogonFailed2 | iplocation RemoteAddressIP4 | stats values(ClientComputerName) AS ClientCom\r\nIn a separate but similar campaign in 2020, CrowdStrike observed CIRCUS SPIDER, the group behind the\r\ndevelopment of Netwalker ransomware, and TWISTED SPIDER, the group behind the development of Maze\r\nransomware, exploit CVEs (common vulnerabilities and exposures) associated with Pulse VPN to gain access into\r\nvictim organizations. For this reason, CrowdStrike recommends utilizing a VPN with multifactor authentication,\r\nand ensuring that any CVEs associated with the VPN platform(s) and the underlying authentication application are\r\nprioritized for patching. This principle should extend to all remote methods including, but not limited to Azure\r\nActive Directory (AD) and Citrix Gateway. The latter, being used by threat actors such as TRAVELING SPIDER\r\nhttps://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/\r\nPage 1 of 6\n\n— the criminal developer of Nemty ransomware — has been observed by CrowdStrike to take advantage of\r\nsingle-factor authentication to gain access to victim organizations through Citrix Gateway and send extortion-related emails using the victim’s own Microsoft Office 365 instance.\r\nImplement and Enhance Email Security\r\nGaining an initial foothold into a victim organization through a phishing email is the most common tactic for BGH\r\nransomware groups. 
Typically, these phishing emails contain a malicious link or URL that delivers a payload to\r\nthe recipient’s workstation.\r\nCrowdStrike recommends implementing an email security solution that conducts URL filtering and also\r\nattachment sandboxing. To streamline these efforts, an automated response capability can be used to allow for\r\nretroactive quarantining of delivered emails before the user interacts with them. In addition, organizations may\r\nwant to restrict users from receiving password-protected zip files, executables, JavaScript files or Windows installer\r\npackage files unless there is a legitimate business need. Adding an “” tag to emails originating from outside of the\r\norganization and a warning message on top of the email’s body can help remind users to use discretion when\r\nhandling such emails. Users should also have a documented process to report any emails they are unsure of along\r\nthe way. In addition, if business permits, organizations should consider restricting users’ access to personal email\r\naccounts. As always, organizations should also implement a robust security awareness program that includes\r\nroutine user training, reminders and “phish-me” campaigns. Creating your own “phish-me” campaign is one of the\r\nbest and safest ways for your employees to learn to not be fooled by phishing emails. The old adage applies: “Fool\r\nme once, shame on you — fool me twice, shame on me.” CrowdStrike employs this best practice internally.\r\nHarden Endpoints\r\nThroughout an attack lifecycle that ultimately culminates in a ransomware deployment, threat actors will often\r\nleverage a number of endpoint exploitation techniques. These exploitation techniques vary from exploiting poor\r\nAD configurations to leveraging publicly available exploits against unpatched systems or applications. A proper\r\nendpoint hardening strategy will ensure that threat actors have to defeat multiple defensive layers before achieving\r\nsuccess in the attack. 
Each layer of defense the threat actor encounters provides an opportunity for defensive\r\nteams to detect and ultimately contain the activity before it results in ransomware deployment. The list below\r\nincludes some key system-hardening actions for defenders to implement. It is important to note this is not an\r\nexhaustive list, and system hardening should be an iterative process.\r\nEnsure full coverage across all endpoints on your network for endpoint security products, and for the\r\nendpoint detection and response (EDR) platform. Each endpoint security platform should have strict anti-tampering protections and alerting in place if and when a sensor goes offline or gets uninstalled.\r\nDevelop a vulnerability and patch management program. Doing so will ensure that all endpoint\r\napplications and operating systems are kept up-to-date. Ransomware actors leverage endpoint\r\nvulnerabilities for many purposes, including but not limited to privilege escalation and lateral movement.\r\nExisting Falcon customers can leverage CrowdStrike Falcon® Spotlight™ vulnerability management for a\r\nnear real-time way to understand exposure to a particular vulnerability across the environment, without the\r\nneed to deploy additional agents and security tools.\r\nFollow Active Directory security best practices. Based on some of the most common AD downfalls\r\nobserved by CrowdStrike Services during ransomware engagements, we recommend these steps:\r\nAvoid easy-to-guess passwords with weak authentication methods.\r\nAvoid having regular domain users with local administrator privileges, and local administrator\r\naccounts with the same passwords across the entire enterprise or large portions of the enterprise.\r\nLimit workstation-to-workstation communication. 
While this can be achieved using group policy\r\nobjects (GPOs), it can be also achieved through a number of micro-segmentation software options.\r\nAvoid sharing privileged credentials. Poor security practices include shared administrative accounts\r\nand using administrator accounts for personal or day-to-day business activity that does not require\r\nadministrator privileges.\r\nNote that the first two points above can be accomplished using AD with little to no additional costs.\r\nAt an additional cost, a privileged access management (PAM) solution can provide a much more\r\nscalable and robust solution to the same problem and is discussed more later in this blog post.\r\nWith the recent acquisition of Preempt, CrowdStrike is continuously adding capabilities to its Zero Trust\r\nframework. The “Implement an Identity and Access Management (IAM)” section of this blog explains how Falcon\r\nZero Trust can help you further harden your endpoints and improve your IAM program.\r\nRansomware-proof Data with Offline Backups\r\nIn recent years, and since the emergence of ransomware as a top method of monetizing attacks, the developers\r\nbehind malicious code have become very effective at ensuring victims and security researchers cannot decrypt\r\naffected data without paying the ransom for the decryption key. Further, when developing a ransomware-proof\r\nbackup infrastructure, the most important idea to consider is that threat actors have targeted online backups before\r\ndeploying ransomware to the environment. For these reasons, the only sure way of salvaging data during a\r\nransomware attack is through ransomware-proof backups. For example, maintaining offline backups of your data\r\nallows for a quicker recovery in emergencies. 
The following points should be considered when developing a\r\nransomware-proof offline backup infrastructure:\r\nOffline backups, as well as the indexes (describing which volumes contain which data) should be\r\ncompletely separate from the rest of the infrastructure.\r\nAccess to such networks should be controlled via strict access control lists (ACLs), and all authentications\r\nshould be performed using multifactor authentication (MFA).\r\nAdministrators with access to both offline and online infrastructures should avoid reusing account\r\npasswords and use a jump box when accessing the offline backup infrastructure.\r\nCloud storage services, with strict ACLs and rules, can also serve as offline backup infrastructure.\r\nEmergency situations such as a ransomware attack should be the only time the offline infrastructure is\r\nallowed a connection to the live network.\r\nRestrict Access to Virtualization Management Infrastructure\r\nAs mentioned earlier, threat actors engaged in big game hunting ransomware campaigns are continuously\r\ninnovating to increase the effectiveness of their attacks. The most recent such development includes the ability to\r\nattack virtualized infrastructure directly. This approach allows for targeting of hypervisors that deploy and store\r\nvirtual machines (VMDK). As a result, the endpoint security products installed on the virtualized machines are\r\nblind to malicious actions taken on the hypervisor. To further understand how this attack would unfold, we will\r\nuse some of VMware’s naming convention as it is the most common virtualizing product found in today’s\r\nenterprise environments.\r\nMany ESXi systems (VMware hypervisors) do not have Secure Shell (SSH) protocol enabled by default and are\r\nusually managed via vCenter. If SSH is disabled, previously stolen administrative credentials are used to enable\r\nSSH on all ESXi systems. 
Once that is complete, a valid account is used to SSH into each ESXi system being\r\ntargeted. Before the threat actor deploys the Linux-based ransomware, VMDKs hosted on the ESXi are stopped to\r\nallow the ransomware binary to access the files for encryption purposes. Systems impacted by the ransomware\r\nthrough this deployment method will be completely offline and inaccessible to the users. Recently, CrowdStrike\r\nIntelligence has observed this method being used by CARBON SPIDER and SPRITE SPIDER, and CrowdStrike\r\nexpects this trend to continue to be used and adopted by eCrime operators. As adoption of this tactic becomes\r\nwider, the following items can help organizations strengthen their virtualized environments.\r\nRestrict access to ESXi hosts to a small number of systems, and ensure these systems are fully patched and\r\nhave proper endpoint monitoring in place.\r\nESXi systems are commonly managed via LDAP-bound Active Directory accounts, which are often\r\nprivileged accounts targeted by the threat actor earlier in the compromise. Removing or limiting such\r\nbindings could minimize the chance of an already-compromised administrative account being used to\r\ntarget the ESXi systems with ransomware.\r\nEnsure SSH access is disabled, or ensure that it is secured by MFA.\r\nEnsure passwords are unique to each ESXi host as well as to the web client and are strong/complex, using\r\na combination of letters, special characters and numbers. Avoid using dictionary words and \"1337\" speak.\r\nEnable Normal Lockdown Mode to further restrict access. See reference here.\r\nImplement an Identity and Access Management (IAM) Program\r\nOrganizations can improve their security posture by implementing a robust IAM program that maintains an\r\nactivity trail for all privileged and service accounts, with immediate identification for anomalous traffic or\r\nabnormal resource requests. 
To help organizations implement an IAM program, CrowdStrike offers two Identity\r\nProtection modules: Falcon Zero Trust and Falcon Identity Threat Detection. Deploying these modules to an\r\nexisting Falcon instance will create real-time layers of threat prevention of identity-based attacks and anomalies\r\ntargeting an organization. The adaptive capabilities of this platform allow enterprises to automate responses with\r\nthe right type of enforcement or notification based on identity, behavior and risk. For example, service accounts\r\nattempting to connect via RDP, or RDP connecting to an unusual destination, could be challenged via multifactor\r\nauthentication or blocked by Falcon Zero Trust in real time. In addition, nearly all BGH ransomware groups will\r\nutilize off-the-shelf credential dumping tools such as Mimikatz or SPRITE SPIDER’s PyXie and LaZagne\r\nmodules to steal credentials and expand their foothold within the environment. The output of the tools is then\r\nused by the attackers to move laterally within a network using techniques such as Pass-the-Hash, Pass-the-Ticket,\r\nKerberoasting and others.\r\nAn IAM platform such as Falcon Identity Protection can detect credential exploitation as well as the use of risky\r\nprotocols and abnormal behavior within the AD environment. These detections will identify devices and accounts\r\nthat have been compromised and, based on the configured policy, decide if such accounts need to be challenged\r\nvia MFA/2FA or blocked to halt the progress of the attack. 
This will significantly cripple BGH ransomware groups\r\nfrom being able to act on their objectives.\r\nDevelop and Pressure-test an Incident Response Plan\r\nOrganizations sometimes become aware of threat actor activity within their environment, but they lack the\r\nvisibility to address the problem or the right intelligence to understand the nature of the threat. Recognizing the\r\nthreat and responding quickly and effectively can be the difference between a major incident and a near\r\nmiss. Incident response plans and playbooks help facilitate that speedy decision making. Plans should cover all\r\nparts of the response effort, across the organization. For the security team, they should provide aids to decision-making so that front-line responders don’t overlook important details while triaging alerts. They should also\r\noutline the extent of the security team’s authority to take decisive actions — such as shutting down business-essential services — if a ransomware attack appears imminent. For the crisis management team, plans should\r\nidentify who will be involved and what their roles and responsibilities are. They should also tee up important\r\ndecisions, like when to activate an incident response retainer, whether to notify insurance carriers, when and how\r\nto involve in-house or outside counsel, and how to discuss ransom demands with executives. Consider conducting\r\nregular tabletop exercises to test the incident response plan and processes. Some organizations may benefit from\r\nsimulated exercises such as “purple team” engagements, where red teamers mimic ransomware operators’ actions\r\non objectives, including data exfiltration and ultimately ransomware deployment. CrowdStrike also recommends\r\nregular exercising of your incident response plan, both planned and unplanned, such as utilizing a red team to\r\nconduct a mock attack operation. 
Organizations should never be surprised or caught flat-footed by an attack — it\r\nshould be expected and planned for.\r\nTake Steps Now\r\nAny organization can fall victim to costly ransomware campaigns with\r\nransom demands in the seven digits, but much can be done to stop threat actors before they get a chance to\r\ndetonate a widespread ransomware attack. Locking down common initial entry vectors, implementing multifactor\r\nauthentication, and hardening of both endpoint and Active Directory infrastructure can pay dividends by\r\nimproving an organization’s resiliency to ransomware threat actors. While it’s not possible to prevent all network\r\nintrusions, creating enough obstacles through principles of security-in-depth, and the recommended “1-10-60”\r\nbenchmark time (one minute to detect an incident, 10 minutes to investigate and one hour to remediate), can\r\nensure that threat actors are halted before achieving their objectives of data theft and ransomware deployment.\r\nAdditional Resources\r\nLearn about recent intrusion trends, adversary tactics and highlights of notable intrusions in the\r\nCrowdStrike 2021 Global Threat Report.\r\nUnderstand the trends and themes that we observed while responding to and remediating incidents around\r\nthe globe in 2020 — download the latest CrowdStrike Services Cyber Front Lines Report.\r\nLearn more about the CrowdStrike Falcon® platform by visiting the product webpage.\r\nTest CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.\r\nSource: https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/"
	],
	"report_names": [
		"ransomware-preparedness-a-call-to-action"
	],
	"threat_actors": [
		{
			"id": "53201ab8-30d2-4722-816e-f914604e78df",
			"created_at": "2022-10-25T16:07:23.466825Z",
			"updated_at": "2026-04-10T02:00:04.620188Z",
			"deleted_at": null,
			"main_name": "Circus Spider",
			"aliases": [],
			"source_name": "ETDA:Circus Spider",
			"tools": [
				"Koko Ransomware",
				"MailTo",
				"NetWalker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8b7faa58-947b-4530-ab1f-250a0370aabf",
			"created_at": "2022-10-25T16:07:24.34248Z",
			"updated_at": "2026-04-10T02:00:04.945921Z",
			"deleted_at": null,
			"main_name": "Traveling Spider",
			"aliases": [
				"Gold Mansard"
			],
			"source_name": "ETDA:Traveling Spider",
			"tools": [
				"7-Zip",
				"AdFind",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Nefilim",
				"Nemty",
				"Nephilim",
				"Network Password Recovery",
				"PsExec",
				"smbtool"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4116df25-aff6-46ee-a5dd-926254a78e89",
			"created_at": "2023-01-06T13:46:38.894033Z",
			"updated_at": "2026-04-10T02:00:03.137353Z",
			"deleted_at": null,
			"main_name": "BOSS SPIDER",
			"aliases": [
				"GOLD LOWELL"
			],
			"source_name": "MISPGALAXY:BOSS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1c76f1b6-a05b-4dba-82ea-07011b47c6cd",
			"created_at": "2023-01-06T13:46:39.201507Z",
			"updated_at": "2026-04-10T02:00:03.244851Z",
			"deleted_at": null,
			"main_name": "TRAVELING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:TRAVELING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "373d61cc-32a0-4c0c-b48b-ff9e3f1357ac",
			"created_at": "2023-01-06T13:46:39.222456Z",
			"updated_at": "2026-04-10T02:00:03.250483Z",
			"deleted_at": null,
			"main_name": "CIRCUS SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:CIRCUS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1b20199b-07ae-42f1-ad22-bbe2dd471df8",
			"created_at": "2024-06-04T02:03:07.872554Z",
			"updated_at": "2026-04-10T02:00:03.613698Z",
			"deleted_at": null,
			"main_name": "GOLD LOWELL",
			"aliases": [
				"Boss Spider ",
				"CTG-0007 "
			],
			"source_name": "Secureworks:GOLD LOWELL",
			"tools": [
				"Samas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb8697fd-882a-4323-9eb8-8e20222cfd91",
			"created_at": "2022-10-25T16:07:23.416834Z",
			"updated_at": "2026-04-10T02:00:04.589943Z",
			"deleted_at": null,
			"main_name": "Boss Spider",
			"aliases": [
				"Boss Spider",
				"CTG-0007",
				"Gold Lowell"
			],
			"source_name": "ETDA:Boss Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"SDelete",
				"SamSam",
				"Samas"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775792167,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50c06520cdfd047eb654a97053d177e21affe3f1.pdf",
		"text": "https://archive.orkl.eu/50c06520cdfd047eb654a97053d177e21affe3f1.txt",
		"img": "https://archive.orkl.eu/50c06520cdfd047eb654a97053d177e21affe3f1.jpg"
	}
}