{
	"id": "8c4dc6a3-10f5-44ce-a8dc-9844943b3cff",
	"created_at": "2026-04-06T00:21:03.142784Z",
	"updated_at": "2026-04-10T13:12:26.239147Z",
	"deleted_at": null,
	"sha1_hash": "b8dd0f1bfee40891c65f90500f1ac8375cbdd432",
	"title": "Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 134923,
	"plain_text": "Ransomware groups continue to target healthcare, critical services;\r\nhere’s how to reduce risk | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2020-04-28 · Archived: 2026-04-02 12:12:45 UTC\r\nAt a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical\r\nindustries, has never been higher, ransomware actors are unrelenting, continuing their normal operations. Multiple\r\nransomware groups that have been accumulating access and maintaining persistence on target networks for several\r\nmonths activated dozens of ransomware deployments in the first two weeks of April 2020.\r\nSo far the attacks have affected aid organizations, medical billing companies, manufacturing, transport,\r\ngovernment institutions, and educational software providers, showing that these ransomware groups give little\r\nregard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to\r\ncritical services, so organizations should be vigilant for signs of compromise.\r\nAdditional resources\r\nProtect your organization against ransomware: aka.ms/ransomware\r\nLearn how attackers operate: Human-operated ransomware attacks: A preventable disaster\r\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of\r\nransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident\r\nresponse engagements by Microsoft Detection and Response Team (DART) showed that many of the\r\ncompromises that enabled these attacks occurred earlier. 
Using an attack pattern typical of human-operated\r\nransomware campaigns, attackers have compromised target networks for several months beginning earlier this\r\nyear and have been waiting to monetize their attacks by deploying ransomware when they would see the most\r\nfinancial gain.\r\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used\r\nbrute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the\r\nsame techniques observed in human-operated ransomware campaigns: credential theft and lateral movement,\r\nculminating in the deployment of a ransomware payload of the attacker’s choice. Because the ransomware\r\ninfections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries\r\nperforming credential theft and lateral movement activities to prevent the deployment of ransomware.\r\nIn this blog, we share our in-depth analysis of these ransomware campaigns. 
Below, we will cover:\r\nVulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\r\nA motley crew of ransomware payloads\r\nImmediate response actions for active attacks\r\nBuilding security hygiene to defend networks against human-operated ransomware\r\nhttps://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/\r\nPage 1 of 9\n\nMicrosoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated\r\nransomware\r\nWe have included additional technical details including hunting guidance and recommended prioritization for\r\nsecurity operations (SecOps).\r\nVulnerable and unmonitored internet-facing systems provide easy access to\r\nhuman-operated attacks\r\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with\r\nprevious ransomware campaigns and used the same techniques commonly observed in human-operated\r\nransomware attacks.\r\nIn stark contrast to attacks that deliver ransomware via email—which tend to unfold much faster, with\r\nransomware deployed within an hour of initial entry—the attacks we saw in April are similar to the Doppelpaymer\r\nransomware campaigns from 2019, where attackers gained access to affected networks months in advance. 
They\r\nthen remained relatively dormant within environments until they identified an opportune time to deploy\r\nransomware.\r\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the\r\nfollowing weaknesses:\r\nRemote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\r\nOlder platforms that have reached end of support and are no longer getting security updates, such as\r\nWindows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\r\nMisconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or\r\nsystems management servers\r\nCitrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781\r\nPulse Secure VPN systems affected by CVE-2019-11510\r\nApplying security patches for internet-facing systems is critical in preventing these attacks. It’s also important to\r\nnote that, although Microsoft security researchers have not observed the recent attacks exploiting the following\r\nvulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they\r\nare worth reviewing: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.\r\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools,\r\nincluding Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns,\r\nthe operators gained access to highly privileged administrator credentials and were ready to take potentially more\r\ndestructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained\r\ntheir presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are\r\nrebuilt. 
In addition, while only a few of these groups gained notoriety for selling data, almost all of them were\r\nobserved viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\r\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment\r\naffecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for\r\nexperts to ensure complete removal of attackers from a fully compromised network, it’s critical that vulnerable\r\ninternet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of\r\nattacks.\r\nA motley crew of ransomware payloads\r\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections\r\nbelow, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They\r\nunfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware\r\npayload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\r\nRobbinHood ransomware\r\nRobbinHood ransomware operators gained some attention for exploiting vulnerable drivers late in their attack\r\nchain to turn off security software. However, like many other human-operated ransomware campaigns, they\r\ntypically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged\r\ncredentials, mostly local administrator accounts with shared or common passwords, and service accounts with\r\ndomain admin privileges. 
RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave\r\nbehind new local and Active Directory user accounts, so they can regain access after their malware and tools have\r\nbeen removed.\r\nVatet loader\r\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or\r\nsecurity researchers. They often retain them while waiting for security organizations to start considering\r\nassociated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that\r\nhas been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the\r\nrecent campaigns.\r\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations,\r\ninsulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific\r\nransomware operators during this time and have caused dozens of cases.\r\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have\r\nbeen deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom\r\nnotes copied from older ransomware families. To access target networks, they exploit CVE-2019-19781, brute\r\nforce RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once\r\ninside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally\r\nuntil they gain domain admin privileges. 
The group has been observed exfiltrating data prior to deploying\r\nransomware.\r\nNetWalker ransomware\r\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails\r\nclaiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as\r\na .vbs attachment, a technique that has gained media attention. However, the campaign operators also\r\ncompromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials,\r\nwhich they then used to launch PsExec, and eventually deployed the same NetWalker ransomware.\r\nPonyFinal ransomware\r\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren’t\r\nunusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To\r\nestablish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse\r\nshell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to\r\nmaintain remote desktop connections.\r\nMaze ransomware\r\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target\r\ntechnology providers and public services. Maze has a history of going after managed service providers (MSPs) to\r\ngain access to the data and networks of MSP customers.\r\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining\r\naccess using common vectors, such as RDP brute force. Once inside a network, they perform credential theft,\r\nmove laterally to access resources and exfiltrate data, and then deploy ransomware.\r\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an\r\ninternet-facing system by performing RDP brute force against the local administrator account. 
Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other\r\nendpoints used the same passwords.\r\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt\r\nStrike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless\r\npersistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on\r\nWindows Remote Management for persistent control using stolen domain admin privileges. To weaken security\r\ncontrols in preparation for ransomware deployment, they manipulated various settings through Group Policy.\r\nREvil ransomware\r\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal\r\ncredentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing\r\nthe networks and documents of customers – and selling access to both. They kept up this activity during the\r\nCOVID-19 crisis, targeting MSPs and other targets like local governments. 
REvil attacks are differentiated in their\r\nuptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft\r\ntools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like\r\nPsExec.\r\nOther ransomware families\r\nOther ransomware families used in human-operated campaigns during this period include:\r\nParadise, which used to be distributed directly via email but is now used in human-operated ransomware\r\nattacks\r\nRagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen\r\ncredentials\r\nMedusaLocker, which is possibly deployed via existing Trickbot infections\r\nLockBit, which is distributed by operators that use the publicly available penetration testing tool\r\nCrackMapExec to move laterally\r\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware\r\nattacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders\r\nshould pay attention to include:\r\nMalicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in\r\nas benign red team activities\r\nCredential theft activities, such as suspicious access to Local Security Authority Subsystem Service\r\n(LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for\r\nstealing credentials\r\nAny tampering with a security event log, forensic artifact such as the USNJournal, or a security agent,\r\nwhich attackers do to evade detections and to erase chances of recovering data\r\nCustomers using Microsoft Defender Advanced Threat Protection (ATP) can consult a companion threat analytics\r\nreport for more details on relevant alerts, as well as advanced hunting queries. 
Customers subscribed to the\r\nMicrosoft Threat Experts service can also refer to the targeted attack notification, which has detailed timelines of\r\nattacks, recommended mitigation steps for disrupting attacks, and remediation advice.\r\nIf your network is affected, perform the following scoping and investigation activities immediately to understand\r\nthe impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is\r\nnot a durable solution, as most of these ransomware campaigns employ “one-time use” infrastructure for\r\ncampaigns, and often change their tools and systems once they determine the detection capabilities of their targets.\r\nDetections and mitigations should concentrate on holistic behavior-based hunting where possible, and hardening\r\ninfrastructure weaknesses favored by these attackers as soon as possible.\r\nInvestigate affected endpoints and credentials\r\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume\r\nthat these credentials were available to attackers and that all associated accounts are compromised. Note that\r\nattackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can\r\nalso dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA\r\nSecrets section of the registry.\r\nFor endpoints onboarded to Microsoft Defender ATP, use advanced hunting to identify accounts that have\r\nlogged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\r\nOtherwise, check the Windows Event Log for post-compromise logons—those that occur after or during\r\nthe earliest suspected breach activity—with event ID 4624 and logon type 2 or 10. 
For any other\r\ntimeframe, check for logon type 4 or 5.\r\nIsolate compromised endpoints\r\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these\r\nendpoints using advanced hunting queries or other methods of directly searching for related IOCs. Isolate\r\nmachines using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your\r\nSIEM or other centralized event management solutions. Look for lateral movement from known affected\r\nendpoints.\r\nAddress internet-facing weaknesses\r\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public\r\nscanning interface, such as shodan.io, to augment your own data. Systems that should be considered of interest to\r\nattackers include:\r\nRDP or Virtual Desktop endpoints without MFA\r\nCitrix ADC systems affected by CVE-2019-19781\r\nPulse Secure VPN systems affected by CVE-2019-11510\r\nMicrosoft SharePoint servers affected by CVE-2019-0604\r\nMicrosoft Exchange servers affected by CVE-2020-0688\r\nZoho ManageEngine systems affected by CVE-2020-10189\r\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the Threat and\r\nVulnerability Management (TVM) capability to discover, prioritize, and remediate vulnerabilities and\r\nmisconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to\r\nremediate issues.\r\nInspect and rebuild devices with related malware infections\r\nMany ransomware operators enter target networks through existing infections of malware like Emotet and\r\nTrickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all\r\nkinds of payloads, including persistent implants. 
Investigate and remediate any known infections and consider\r\nthem possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials,\r\nadditional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\r\nBuilding security hygiene to defend networks against human-operated\r\nransomware\r\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all\r\navailable tools. You should continue to enforce proven preventive solutions—credential hygiene, minimal\r\nprivileges, and host firewalls—to stymie these attacks, which have been consistently observed taking advantage of\r\nsecurity hygiene issues and over-privileged credentials.\r\nApply these measures to make your network more resilient against new breaches, reactivation of dormant\r\nimplants, or lateral movement:\r\nRandomize local administrator passwords using a tool such as LAPS.\r\nApply Account Lockout Policy.\r\nEnsure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or\r\nvendor-supplied mitigation guidance, for vulnerabilities.\r\nUtilize host firewalls to limit lateral movement. Preventing endpoints from communicating on TCP port\r\n445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary\r\nactivities.\r\nTurn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus\r\nproduct to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections\r\nblock a huge majority of new and unknown variants.\r\nFollow standard guidance in the security baselines for Office and Office 365 and the Windows security\r\nbaselines. 
Use Microsoft Secure Score to assess your security posture and get recommended\r\nimprovement actions, guidance, and control.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nTurn on attack surface reduction rules, including rules that can block ransomware activity:\r\nUse advanced protection against ransomware\r\nBlock process creations originating from PsExec and WMI commands\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nFor additional guidance on improving defenses against human-operated ransomware and building better security\r\nposture against cyberattacks in general, read Human-operated ransomware attacks: A preventable disaster.\r\nMicrosoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\r\nWhat we’ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the\r\nreal-world consequences of disruption in services—in this time of global crisis—that their attacks cause.\r\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems\r\nadministration and security misconfigurations and can therefore adapt to any path of least resistance they find in a\r\ncompromised network. If they run into a wall, they try to break through. And if they can’t break through a wall,\r\nthey’ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\r\nMicrosoft Threat Protection (MTP) provides coordinated defenses that uncover the complete attack chain and\r\nhelp block sophisticated attacks like human-operated ransomware. 
MTP combines the capabilities of multiple\r\nMicrosoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints,\r\nemail, identities, and apps.\r\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and\r\nauto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for\r\ninvestigation and response. MTP also provides a unique cross-domain hunting capability that can further help\r\ndefenders identify attack sprawl and get org-specific insights for hardening defenses.\r\nMicrosoft Threat Protection is also part of a chip-to-cloud security approach that combines threat defense on the\r\nsilicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout\r\nrandomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced\r\nthreats, including ones that take advantage of vulnerable kernel drivers. These platform security features\r\nseamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong\r\nhardware root of trust. On Secured-core PCs these mitigations are enabled by default.\r\nWe continue to work with our customers, partners, and the research community to track human-operated\r\nransomware and other sophisticated attacks. For dire cases customers can use available services like the Microsoft\r\nDetection and Response (DART) team to help investigate and remediate.\r\nMicrosoft Threat Protection Intelligence Team\r\nAppendix: MITRE ATT\u0026CK techniques observed\r\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control\r\nover privileged domain accounts. 
The techniques listed here are techniques commonly used during attacks against\r\nhealthcare and critical services in April 2020.\r\nCredential access\r\nT1003 Credential Dumping | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping\r\ntools and exploitation of CVE-2019-11510 on vulnerable endpoints\r\nPersistence\r\nT1084 Windows Management Instrumentation Event Subscription | WMI event subscription\r\nT1136 Create Account | Creation of new accounts for RDP\r\nCommand and control\r\nT1043 Commonly Used Port | Use of port 443\r\nDiscovery\r\nT1033 System Owner/User Discovery | Various commands\r\nT1087 Account Discovery | LDAP and AD queries and other commands\r\nT1018 Remote System Discovery | Pings, qwinsta, and other tools and commands\r\nT1482 Domain Trust Discovery | Domain trust enumeration using Nltest\r\nExecution\r\nT1035 Service Execution | Service registered to run CMD (as ComSpec) and PowerShell commands\r\nLateral movement\r\nT1076 Remote Desktop Protocol | Use of RDP to reach other machines in the network\r\nT1105 Remote File Copy | Lateral movement using WMI and PsExec\r\nDefense evasion\r\nT1070 Indicator Removal on Host | Clearing of event logs using wevtutil, removal of USNJournal using\r\nfsutil, and deletion of slack space on drive using cipher.exe\r\nT1089 Disabling Security Tools | Stopping or tampering with antivirus and other security using\r\nProcessHacker and exploitation of vulnerable software drivers\r\nImpact\r\nT1489 Service Stop | Stopping of services prior to encryption\r\nT1486 Data Encrypted for Impact | Ransomware encryption\r\nSource: 
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/"
	],
	"report_names": [
		"ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434863,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8dd0f1bfee40891c65f90500f1ac8375cbdd432.pdf",
		"text": "https://archive.orkl.eu/b8dd0f1bfee40891c65f90500f1ac8375cbdd432.txt",
		"img": "https://archive.orkl.eu/b8dd0f1bfee40891c65f90500f1ac8375cbdd432.jpg"
	}
}