{
	"id": "4a2db227-dad6-4260-9af3-9f0391f643bb",
	"created_at": "2026-04-06T00:08:17.875549Z",
	"updated_at": "2026-04-10T03:36:37.027234Z",
	"deleted_at": null,
	"sha1_hash": "a3bcb844a370129450bba1e825f52bb72f1759ce",
	"title": "Rapport menaces et incidents - CERT-FR",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31168,
	"plain_text": "Rapport menaces et incidents - CERT-FR\r\nArchived: 2026-04-05 14:18:01 UTC\r\nUne gestion de version détaillée se trouve à la fin de ce document.\r\nCes dernières semaines, l’ANSSI a observé plusieurs attaques impliquant le déploiement du rançongiciel Clop sur\r\ndes systèmes d’information en France. Ce code malveillant chiffre les documents présents sur les SI et leur ajoute,\r\nsuivant les versions, l’extension « .CIop » ou « .Clop ». Les analyses réalisées par l’ANSSI et ses partenaires\r\nmontrent que le chiffrement des postes est précédé par des actions de propagation manuelle réalisées par\r\nl’attaquant au sein du réseau victime. Cette phase en amont du chiffrement dure plusieurs jours et signifie qu’il est\r\npossible de détecter certains signes de l’attaque avant le déclenchement du rançongiciel sur une grande partie du\r\nSI.\r\nCes attaques semblent être le résultat d’une vaste campagne d’hameçonnage ayant eu lieu autour du 16 octobre\r\n2019 et liée au groupe cybercriminel TA505.\r\nTÉLÉCHARGER LE RAPPORT\r\nGestion détaillée du document\r\nle 22 novembre 2019\r\nVersion initiale\r\nSource: https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/\r\nhttps://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "FR",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/"
	],
	"report_names": [
		"CERTFR-2019-CTI-009"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434097,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3bcb844a370129450bba1e825f52bb72f1759ce.pdf",
		"text": "https://archive.orkl.eu/a3bcb844a370129450bba1e825f52bb72f1759ce.txt",
		"img": "https://archive.orkl.eu/a3bcb844a370129450bba1e825f52bb72f1759ce.jpg"
	}
}