{ "id": "c5ebfd1d-3dde-4ad2-8321-30761546bda0", "created_at": "2026-04-06T00:10:50.144246Z", "updated_at": "2026-04-10T03:33:52.177034Z", "deleted_at": null, "sha1_hash": "78d644f440a86ee5d35ccf673cfadbf95e5142f5", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 45424, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:30:25 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool CryptoWall\r\n Tool: CryptoWall\r\nNames CryptoWall\r\nCategory Malware\r\nType Ransomware\r\nDescription\r\n(SecureWorks) After the emergence of the infamous CryptoLocker ransomware in September\r\n2013, CTU researchers observed an increasing number of ransomware families that destroyed\r\ndata in addition to demanding payment from victims. While similar threats have existed for\r\nyears, this tactic did not become widespread until CryptoLocker's considerable success.\r\nTraditionally, ransomware disabled victims' access to their computers through non-destructive\r\nmeans until the victims paid for the computers' release.\r\nEarly CryptoWall variants closely mimicked both the behavior and appearance of the genuine\r\nCryptoLocker. The exact infection vector of these early infections is not known as of this\r\npublication, but anecdotal reports from victims suggest the malware arrived as an email\r\nattachment or drive-by download. Evidence collected by CTU researchers in the first several\r\ndays of the February 2014 campaign showed at least several thousand global infections.\r\nInformation \u003chttps://www.secureworks.com/research/cryptowall-ransomware\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall\u003e\r\nLast change to this tool card: 23 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool CryptoWall\r\nChanged Name Country Observed\r\nAPT groups\r\n  TA530 [Unknown] 2016-Nov 2016  \r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8f6a401d-bf9b-42d0-8faf-57e65ba63149\r\nPage 1 of 2\n\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8f6a401d-bf9b-42d0-8faf-57e65ba63149\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8f6a401d-bf9b-42d0-8faf-57e65ba63149\r\nPage 2 of 2\n\nChanged APT groups Name Country Observed \nTA530 [Unknown] 2016-Nov 2016\n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8f6a401d-bf9b-42d0-8faf-57e65ba63149" ], "report_names": [ "listgroups.cgi?u=8f6a401d-bf9b-42d0-8faf-57e65ba63149" ], "threat_actors": [ { "id": "f8fd6c94-f1bf-43b8-8613-edc46ca097ee", "created_at": "2022-10-25T16:07:24.285532Z", "updated_at": "2026-04-10T02:00:04.922819Z", "deleted_at": null, "main_name": "TA530", "aliases": [], "source_name": "ETDA:TA530", "tools": [ "AbaddonPOS", "August Stealer", "Bugat v5", "CryptoWall", "Dofoil", "Dridex", "Gozi ISFB", "H1N1", "H1N1 Loader", "ISFB", "Nymaim", "Pandemyia", "Sharik", "Smoke Loader", "SmokeLoader", "SpY-Agent", "TVRAT", "TVSpy", "TeamSpy", "TeamViewerENT", "TinyLoader", "nymain" ], "source_id": "ETDA", "reports": null }, { "id": "af77521e-c35f-4030-a95d-bcd1eaeeaac1", "created_at": "2023-01-06T13:46:38.476089Z", "updated_at": "2026-04-10T02:00:02.990237Z", "deleted_at": null, "main_name": "TA530", "aliases": [], "source_name": "MISPGALAXY:TA530", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434250, "ts_updated_at": 1775792032, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/78d644f440a86ee5d35ccf673cfadbf95e5142f5.pdf", "text": "https://archive.orkl.eu/78d644f440a86ee5d35ccf673cfadbf95e5142f5.txt", "img": "https://archive.orkl.eu/78d644f440a86ee5d35ccf673cfadbf95e5142f5.jpg" } }