{
	"id": "a5156234-986c-4034-abbf-f611e81f5760",
	"created_at": "2026-04-06T00:08:17.420443Z",
	"updated_at": "2026-04-10T03:37:51.325107Z",
	"deleted_at": null,
	"sha1_hash": "c167d0223cad7657c00e347f243303fa56bdefb7",
	"title": "Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 721378,
	"plain_text": "Ransomware as a service: Understanding the cybercrime gig\r\neconomy and how to protect yourself | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-05-09 · Archived: 2026-04-05 19:12:29 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned\r\naround the theme of weather. To learn more about this evolution, how the new taxonomy represents the origin,\r\nunique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft\r\nshifts to a new threat actor naming taxonomy.\r\nSeptember 2022 update – New information about recent Qakbot campaigns leading to ransomware deployment.\r\nJuly 2022 update – New information about DEV-0206-associated activity wherein existing Raspberry Robin\r\ninfections are used to deploy FakeUpdates, which then leads to follow-on actions resembling DEV-0243.\r\nJune 2022 update – More details in the Threat actors and campaigns section, including recently observed\r\nactivities from DEV-0193 (Trickbot LLC), DEV-0504, DEV-0237, DEV-0401, and a new section on Qakbot\r\ncampaigns that lead to ransomware deployments.\r\nMicrosoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year\r\nalone. 
Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across\r\nobserved nation-state, ransomware, and criminal activities.\r\nThat depth of signal intelligence gathered from various domains—identity, email, data, and cloud—provides us\r\nwith insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for\r\nother attackers, who in turn continue to pay dividends and fund operations through the sale and associated “cut”\r\nfrom their tool’s success.\r\nThe cybercriminal economy is a continuously evolving connected ecosystem of many players with different\r\ntechniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for\r\nefficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a\r\nportion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy\r\nhas made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.\r\nWithin this category of threats, Microsoft has been tracking the trend in the ransomware as a service (RaaS) gig\r\neconomy, called human-operated ransomware, which remains one of the most impactful threats to organizations.\r\nWe coined the industry term “human-operated ransomware” to clarify that these threats are driven by humans who\r\nmake decisions at every stage of their attacks based on what they find in their target’s network.\r\nUnlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these\r\nhuman-operated campaigns vary their attack patterns depending on their discoveries—for example, a security\r\nhttps://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/\r\nPage 1 of 21\n\nproduct that isn’t configured to prevent 
tampering or a service that’s running as a highly privileged account like a\r\ndomain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data,\r\nleading to a bigger payout for them—with no guarantee they’ll leave their target environment once they’ve been\r\npaid. Attackers are also often more determined to stay on a network once they gain access and sometimes\r\nrepeatedly monetize that access with additional attacks using different malware or ransomware payloads if they\r\naren’t successfully evicted.\r\nRansomware attacks have become even more impactful in recent years as more ransomware as a service\r\necosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but\r\nnow, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or\r\nthreatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers\r\nopportunistically deploy ransomware to whatever network they get access to, and some even purchase access to\r\nnetworks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others\r\nprefer specific industries for the shock value or type of data they can exfiltrate.\r\nAll human-operated ransomware campaigns—all human-operated attacks in general, for that matter—share\r\ncommon dependencies on security weaknesses that allow them to succeed. Attackers most commonly take\r\nadvantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to find\r\neasy entry and privilege escalation points in an environment.\r\nIn this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect\r\nthemselves from this increasingly popular style of attack. 
We also offer security best practices on credential\r\nhygiene and cloud hardening, how to address security blind spots, how to harden internet-facing assets and understand your\r\nperimeter, and more. Here’s a quick table of contents:\r\n1. How RaaS redefines our understanding of ransomware incidents\r\nThe RaaS affiliate model explained\r\nAccess for sale and mercurial targeting\r\n2. “Human-operated” means human decisions\r\nExfiltration and double extortion\r\nPersistent and sneaky access methods\r\n3. Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated\r\nransomware attacks\r\n4. Defending against ransomware: Moving beyond protection by detection\r\nBuilding credential hygiene\r\nAuditing credential exposure\r\nPrioritizing deployment of Active Directory updates\r\nCloud hardening\r\nAddressing security blind spots\r\nReducing the attack surface\r\nHardening internet-facing assets and understanding your perimeter\r\nHow RaaS redefines our understanding of ransomware incidents\r\nWith ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated\r\nransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This\r\nevolution is driven by the “human-operated” aspect of these attacks—attackers make informed and calculated\r\ndecisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the\r\nattackers are successful or evicted.\r\nIn the past, we’ve observed a tight relationship between the initial entry vector, tools, and ransomware payload\r\nchoices in each campaign of one strain of ransomware. 
The RaaS affiliate model, which has allowed more\r\ncriminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is\r\nweakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the\r\ntradecraft used in a specific attack to the ransomware payload developers.\r\nReporting a ransomware incident by labeling it with the payload name gives the impression that a monolithic\r\nentity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware\r\nshare common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many\r\nstages of the attack that come before, including actions like data exfiltration and additional persistence\r\nmechanisms, as well as the numerous detection and protection opportunities for network defenders.\r\nWe know, for example, that the underlying techniques used in human-operated ransomware campaigns haven’t\r\nchanged very much over the years—attacks still prey on the same security misconfigurations to succeed. Securing\r\na large corporate network takes disciplined and sustained focus, but there’s a high ROI in implementing critical\r\ncontrols that prevent these attacks from having a wider impact, even if it’s only possible on the most critical assets\r\nand segments of the network.\r\nWithout the ability to steal access to highly privileged accounts, attackers can’t move laterally, spread ransomware\r\nwidely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common\r\nattack patterns by applying security controls also reduces alert fatigue in SOCs by stopping the attackers\r\nbefore they get in. 
This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of\r\nnetwork topologies and configuration data that happens in the first few minutes of execution of some trojans.\r\nIn the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the\r\nvarious threat actors at play during a security incident. Gaining this clarity helps surface trends and common\r\nattack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware\r\npayloads. Threat intelligence and insights from this research also enrich our solutions like Microsoft 365\r\nDefender, whose comprehensive security capabilities help protect customers by detecting RaaS-related attack\r\nattempts.\r\nThe RaaS affiliate model explained\r\nThe cybercriminal economy—a connected ecosystem of many players with different techniques, goals, and\r\nskillsets—is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such\r\nas Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This\r\nmeans that the impact of a successful ransomware and extortion attack remains the same regardless of the\r\nattacker’s skills.\r\nRaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools\r\nto power the ransomware operations, including the builders that produce the ransomware payloads and payment\r\nportals for communicating with victims. The RaaS program may also include a leak site to share snippets of data\r\nexfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. 
Many\r\nRaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and\r\nintegration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction\r\nservices.\r\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of\r\nattackers. In reality, the RaaS operator sells access to the ransom payload and decryptor to an\r\naffiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the\r\nactual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might\r\nalso use the payload for profit, sell it, and run their campaigns with other ransomware payloads—further\r\nmuddying the waters when it comes to tracking the criminals behind these actions.\r\nFigure 1. How the RaaS affiliate model enables ransomware attacks\r\nAccess for sale and mercurial targeting\r\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes,\r\nincluding ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell\r\nthem as a “load”. A load is designed to install other malware or backdoors onto the infected systems for other\r\ncriminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol\r\n(RDP) systems with weak passwords or unpatched systems, and then compromise them en masse to “bank” for\r\nlater profit. Some advertisements for the sale of initial access specifically cite that a system isn’t managed by an\r\nantivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain\r\nAdministrator associated with it to fetch higher prices.\r\nMost ransomware attackers opportunistically deploy ransomware to whatever network they get access to. 
Some\r\nattackers prioritize organizations with higher revenues, while some target specific industries for the shock value or\r\ntype of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology\r\ncompanies). In many cases, the targeting doesn’t manifest as a direct attack on the target’s network;\r\ninstead, it takes the form of purchasing access from an access broker or using an existing malware infection to pivot to\r\nransomware activities.\r\nIn some ransomware attacks, the affiliates who bought a load or access may not even know or care how the\r\nsystem was compromised in the first place and are just using it as a “jump server” to perform other actions in a\r\nnetwork. Access brokers often list the network details for the access they are selling, but affiliates aren’t usually\r\ninterested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to\r\na specific industry might simply be a case of affiliates purchasing access based on the number of systems they\r\ncould deploy ransomware to and the perceived potential for profit.\r\n“Human-operated” means human decisions\r\nMicrosoft coined the term “human-operated ransomware” to clearly define a class of attacks driven by expert\r\nhuman intelligence at every step of the attack chain that culminates in intentional business disruption and extortion.\r\nHuman-operated ransomware attacks share commonalities in the security misconfigurations of which they take\r\nadvantage and the manual techniques used for lateral movement and persistence. 
However, the human-operated\r\nnature of these actions means that variations in attacks—including objectives and pre-ransom activity—evolve\r\ndepending on the environment and the unique opportunities identified by the attackers.\r\nThese attacks involve many reconnaissance activities that enable human operators to profile the organization and\r\nknow what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that\r\nprovide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in\r\nthe first few minutes of an attack.\r\nAfter the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge\r\ncan vary, depending on the tools that come with the RaaS and the operator’s skill. Frequently attackers query for\r\nthe currently running security tools, privileged users, and security settings such as those defined in Group Policy\r\nbefore continuing their attack. The data discovered via this reconnaissance phase informs the attacker’s next steps.\r\nIf there’s minimal security hardening to complicate the attack and a highly privileged account can be gained\r\nimmediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note\r\nof security products in the environment and attempt to tamper with and disable these, sometimes using scripts or\r\ntools provided with the RaaS purchase that try to disable multiple security products at once, other times using specific\r\ncommands or techniques performed by the attacker.\r\nThis human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security\r\nsolutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can\r\nuse other collected knowledge to attempt to continue the attack in ways that bypass security controls. 
In many\r\ninstances, attackers test their attacks “in production” from an undetected location in their target’s environment,\r\ndeploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an\r\nantivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security\r\nproducts they encounter. Such detections could give SOCs a false sense of security that their existing solutions are\r\nworking. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack\r\nchain that has a higher probability of success. By the time the attack reaches the stage of deleting\r\nbackups or shadow copies, it is minutes away from ransomware deployment. The adversary would\r\nlikely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs\r\nresponding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and\r\nperforming swift remediation actions and incident response (IR) procedures are critical for containing a human\r\nadversary before the ransomware deployment stage.\r\nExfiltration and double extortion\r\nRansomware attackers often profit simply by disabling access to critical systems and causing system downtime.\r\nAlthough that simple technique often motivates victims to pay, it is not the only way attackers can monetize their\r\naccess to compromised networks. Exfiltration of data and “double extortion,” which refers to attackers threatening\r\nto leak data if a ransom hasn’t been paid, has also become a common tactic among many RaaS affiliate programs\r\n—many of them offering a unified leak site for their affiliates. 
Attackers take advantage of common weaknesses to\r\nexfiltrate data and demand ransom without deploying a payload.\r\nThis trend means that focusing on protecting against ransomware payloads via security products or encryption, or\r\nconsidering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a\r\nnetwork vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware\r\ndeployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up\r\nemail transport rules, or uploading files to cloud services. With double extortion, attackers don’t need to deploy\r\nransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy\r\nransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their\r\nattacks by directly deleting cloud resources. One such extortion attacker is DEV-0537 (also known as\r\nLAPSUS$), which is profiled below.\r\nPersistent and sneaky access methods\r\nPaying the ransom may not reduce the risk to an affected network and potentially only serves to fund\r\ncybercriminals. Giving in to the attackers’ demands doesn’t guarantee that attackers ever “pack their bags” and\r\nleave a network. Attackers are more determined to stay on a network once they gain access and sometimes\r\nrepeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.\r\nThe handoff between different attackers as transitions in the cybercriminal economy occur means that multiple\r\nattackers may retain persistence in a compromised environment using an entirely different set of tools from those\r\nused in a ransomware attack. 
For example, initial access gained by a banking trojan leads to a Cobalt Strike\r\ndeployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access\r\ntool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns.\r\nUsing legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique\r\namong ransomware attackers to avoid detection and remain resident in a network for longer.\r\nSome of the common enterprise tools and techniques for persistence that Microsoft has observed being used\r\ninclude:\r\nAnyDesk\r\nAtera Remote Management\r\nngrok.io\r\nRemote Manipulator System\r\nSplashtop\r\nTeamViewer\r\nAnother popular technique attackers perform once they attain privileged access is the creation of new backdoor user\r\naccounts, whether local or in Active Directory. These newly created accounts can then be added to remote access\r\ntools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that\r\nappear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems\r\nto enable Remote Desktop, reduce the protocol’s security, and add new users to the Remote Desktop Users group.\r\nThe time between initial access and hands-on-keyboard deployment can vary wildly depending on the groups and\r\ntheir workloads or motivations. Some activity groups can access thousands of potential targets and work through\r\nthese as their staffing allows, prioritizing based on potential ransom payment over several months. 
While some\r\nactivity groups may have access to large and highly resourced companies, they prefer to attack smaller companies\r\nfor less overall ransom because they can execute the attack within hours or days. In addition, the return on\r\ninvestment is higher from companies that can’t respond to a major incident. Ransoms of tens of millions of dollars\r\nreceive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets\r\nin a month because the success rate at receiving payment is higher in these targets. Smaller organizations that\r\ncan’t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization\r\nworth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice\r\nagainst paying. In some instances, a ransomware-associated threat actor may have an implant on a network and\r\nnever convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access\r\nbroker to a RaaS affiliate) takes less than an hour.\r\nFigure 2. Human-operated ransomware targeting and rate of success, based on a sampling of\r\nMicrosoft data over six months between 2021 and 2022\r\nThe human-driven nature of these attacks and the scale of possible victims under the control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and\r\nprevent these attacks in their early stages.\r\nThreat actors and campaigns deep dive: Threat intelligence-driven response to\r\nhuman-operated ransomware attacks\r\nFor organizations to successfully respond to evict an active attacker, it’s important to understand the active stage\r\nof an ongoing attack. 
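The stage-based view this section asks for, as an added example in Python that is not part of the original post and is not Microsoft code: it walks constructed endpoint and mail telemetry per host, maps each event to the stages the post describes (enumeration of privileged users and security settings, security product tampering, backdoor accounts added to the Remote Desktop Users group, RDP settings weakened, the remote management tools listed above, Rclone and mail forwarding rules for exfiltration, and shadow copy deletion), and reports the furthest stage reached together with the response scope the post recommends for it. The event field names, the process names and the sample records are assumptions constructed for illustration.

```python
# Added example, not code from the Microsoft post: stage-aware triage of
# endpoint and mail telemetry for the human-operated ransomware chain the
# post describes. Event schema, process names and sample records are assumed.
from collections import defaultdict

# Stages in the order the post walks through them; higher index = closer to deployment.
STAGES = ['reconnaissance', 'defense_evasion', 'persistence',
          'exfiltration', 'pre_deployment']

# Remote management tools the post lists as abused for persistence (binary names assumed).
RMM_BINARIES = {
    'anydesk.exe', 'ateraagent.exe', 'ngrok.exe',
    'rutserv.exe',    # Remote Manipulator System (assumed)
    'srservice.exe',  # Splashtop streamer (assumed)
    'teamviewer.exe',
}
RECON_BINARIES = {'nltest.exe', 'gpresult.exe', 'tasklist.exe', 'whoami.exe'}
RDP_GROUPS = {'remote desktop users', 'administrators'}
# Terminal Server registry values: 0 enables RDP or turns Network Level Authentication off.
RDP_WEAKENING = {'fdenytsconnections': 0, 'userauthentication': 0}


def classify(ev, new_accounts, org_domain):
    # Return (stage, finding) for one event, or None if it is uninteresting.
    # new_accounts: accounts created earlier on this host, to tie a group change to a fresh backdoor.
    kind = ev['kind']
    if kind == 'process':
        image = ev['image'].lower()
        args = ev.get('args', '').lower()
        if image in RECON_BINARIES or (image == 'net.exe' and 'domain admins' in args):
            return 'reconnaissance', 'privilege/security enumeration: ' + image + ' ' + args
        if image == 'powershell.exe' and 'set-mppreference' in args and 'disable' in args:
            return 'defense_evasion', 'security product tampering: ' + args
        if image in RMM_BINARIES:
            return 'persistence', 'remote management tool launched: ' + image
        if image == 'rclone.exe' and ('copy' in args or 'sync' in args):
            return 'exfiltration', 'rclone transfer: ' + args
        if image == 'vssadmin.exe' and 'delete shadows' in args:
            return 'pre_deployment', 'shadow copy deletion: ' + image + ' ' + args
    elif kind == 'account_created':
        new_accounts.add(ev['user'].lower())
    elif kind == 'group_member_added':
        user = ev['user'].lower()
        if ev['group'].lower() in RDP_GROUPS and user in new_accounts:
            return 'persistence', 'new account ' + user + ' added to ' + ev['group']
    elif kind == 'registry_set':
        name = ev['value'].lower()
        if name in RDP_WEAKENING and ev['data'] == RDP_WEAKENING[name]:
            return 'persistence', 'RDP weakened: ' + ev['value'] + ' set to ' + str(ev['data'])
    elif kind == 'mail_rule':
        dest = ev['forward_to'].lower()
        if not dest.endswith('@' + org_domain):
            return 'exfiltration', 'mail forwarding rule to external address ' + dest
    return None


def triage(events, org_domain='contoso.com'):
    # Walk events per host in time order, recording every finding and the
    # furthest stage reached. Hosts with no findings are omitted.
    per_host = defaultdict(lambda: {'stage': None, 'findings': []})
    created = defaultdict(set)
    for ev in sorted(events, key=lambda e: e['ts']):
        hit = classify(ev, created[ev['host']], org_domain)
        if hit is None:
            continue
        stage, finding = hit
        rec = per_host[ev['host']]
        rec['findings'].append(finding)
        if rec['stage'] is None or STAGES.index(stage) > STAGES.index(rec['stage']):
            rec['stage'] = stage
    return dict(per_host)


def recommended_response(stage):
    # Response scope the post argues for at each stage.
    if stage is None:
        return 'isolate host and reset exposed credentials'
    if stage == 'pre_deployment':
        return 'assume deployment is minutes away: contain network-wide, revoke privileged sessions'
    return 'open a scoped incident: hunt across hosts, identity and mail for the same actor'


# Constructed sample telemetry with assumed field names, not real events.
SAMPLE_EVENTS = [
    {'ts': 1, 'host': 'ws01', 'kind': 'process', 'image': 'nltest.exe', 'args': '/dclist:corp'},
    {'ts': 2, 'host': 'ws01', 'kind': 'process', 'image': 'net.exe', 'args': 'group domain admins /domain'},
    {'ts': 3, 'host': 'ws01', 'kind': 'process', 'image': 'powershell.exe', 'args': 'set-mppreference -disablerealtimemonitoring 1'},
    {'ts': 4, 'host': 'ws01', 'kind': 'account_created', 'user': 'svc_backup'},
    {'ts': 5, 'host': 'ws01', 'kind': 'group_member_added', 'group': 'Remote Desktop Users', 'user': 'svc_backup'},
    {'ts': 6, 'host': 'ws01', 'kind': 'registry_set', 'value': 'UserAuthentication', 'data': 0},
    {'ts': 7, 'host': 'ws01', 'kind': 'process', 'image': 'AnyDesk.exe', 'args': ''},
    {'ts': 8, 'host': 'ws01', 'kind': 'process', 'image': 'rclone.exe', 'args': 'copy c:/finance mega:dump --transfers 16'},
    {'ts': 9, 'host': 'fs02', 'kind': 'process', 'image': 'vssadmin.exe', 'args': 'delete shadows /all /quiet'},
    {'ts': 10, 'host': 'ws07', 'kind': 'process', 'image': 'notepad.exe', 'args': ''},
    {'ts': 11, 'host': 'exch01', 'kind': 'mail_rule', 'forward_to': 'drop@attacker-mail.example'},
]

if __name__ == '__main__':
    for host, rec in triage(SAMPLE_EVENTS).items():
        print(host, rec['stage'], '->', recommended_response(rec['stage']))
        for finding in rec['findings']:
            print('   ', finding)
```

Run it directly to print the per-host findings. The ordering matters more than any single rule: a host whose furthest stage is shadow copy deletion is handled as minutes from deployment, while a single early indicator still gets the isolate-and-reset response. In a real deployment the rules would be fed from process creation, account creation and group membership events rather than the constructed records here, and the backdoor-account rule should correlate across hosts, since the account is usually created on a domain controller and used elsewhere.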
In the early attack stages, such as deploying a banking trojan, common remediation efforts\r\nlike isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the\r\nattacker performs reconnaissance activities and exfiltration, it’s important to implement an incident response\r\nprocess that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology\r\nfor understanding attacks can assist in determining incidents that need additional scoping.\r\nIn the next sections, we provide a deep dive into the following prominent ransomware threat actors and their\r\ncampaigns to increase community understanding of these attacks and enable organizations to better protect\r\nthemselves:\r\nDEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today  \r\nELBRUS: (Un)arrested development\r\nDEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\r\nDEV-0237: Prolific collaborator\r\nDEV-0450 and DEV-0464: Distributing Qakbot for ransomware deployment\r\nDEV-0206 and DEV-0243: An “evil” partnership\r\nDEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\r\nDEV-0537: From extortion to destruction\r\nMicrosoft threat intelligence directly informs our products as part of our commitment to track adversaries and\r\nprotect customers. Microsoft 365 Defender customers should prioritize alerts titled “Ransomware-linked emerging\r\nthreat activity group detected”. We also add the note “Ongoing hands-on-keyboard attack” to alerts that indicate a\r\nhuman attacker is in the network. 
When these alerts are raised, it’s highly recommended to initiate an incident\r\nresponse process to scope the attack, isolate systems, and regain control of credentials the attackers may hold.\r\nA note on threat actor naming: as part of Microsoft’s ongoing commitment to track both nation-state and\r\ncybercriminal threat actors, we refer to the unidentified threat actors as a “development group”. We use a naming\r\nstructure with a prefix of “DEV” to indicate an emerging threat group or unique activity during investigation.\r\nWhen a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHORUS\r\nand NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or\r\ncybercriminal activity groups that have moved out of the DEV stage. In the cybercriminal economy, relationships\r\nbetween groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use\r\n“contractors,” who provide gig economy-style work on a limited time basis and may not rejoin the group. This\r\nshifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete\r\nunderstanding of the nature of the activity group.\r\nDEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today\r\nA vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many\r\ndifferent payloads, including Trickbot, BazaLoader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk\r\nRaaS program before the latter’s shutdown in June 2021, Ryuk’s successor Conti, and Diavol. 
Microsoft\r\nhas been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from\r\ndeveloping and distributing the Trickbot malware to becoming the most prolific ransomware-associated\r\ncybercriminal activity group active today.\r\nDEV-0193’s actions and use of the cybercriminal gig economy mean they often add new members and projects\r\nand utilize contractors to perform various parts of their intrusions. As other malware operations have shut down\r\nfor various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are\r\nthe acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.\r\nA subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure as a service for\r\ncybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon as a service. These DEV-0365 Beacons\r\nhave replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been\r\nimplicated in attacks deploying novel techniques, including exploitation of CVE-2021-40444.\r\nThe leaked chat files from a group publicly labeled as the “Conti Group” in February 2022 confirm the wide scale\r\nof DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of\r\nthe most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload—even as other\r\nRaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution\r\nmeant that much of the activity that led to Conti ransomware deployment was attributed to the “Conti Group,”\r\neven though many affiliates had wildly different tradecraft, skills, and reporting structures. 
Some Conti affiliates\r\nperformed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long\r\noperations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific\r\nand successful Conti affiliates—and the one responsible for developing the “Conti Manual” leaked in August 2021\r\n—is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty\r\nransomware payloads and often gained access to an organization via DEV-0193’s BazaLoader infrastructure.\r\nMicrosoft hasn’t observed a Conti deployment in our data since April 19, 2022, suggesting that the Conti program\r\nhas shut down or gone on hiatus, potentially in response to the visibility of DEV-0230’s deployment of Conti in\r\nhigh-profile incidents or the FBI’s announcement of a reward for information related to Conti. As can be expected\r\nwhen a RaaS program shuts down, the gig economy nature of the ransomware ecosystem means that affiliates can\r\neasily shift between payloads. Affiliates who had previously deployed Conti have moved on to other RaaS\r\npayloads. For example, DEV-0506 was deploying BlackBasta part-time before the Conti shutdown and is now\r\ndeploying it regularly. Similarly, DEV-0230 shifted to deploying QuantumLocker around April 23, 2022.\r\nELBRUS: (Un)arrested development\r\nELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns\r\ntargeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware\r\nto collect payment card information from in-store checkout terminals. 
They have also targeted corporate personnel\r\nwho have access to sensitive financial data, including individuals involved in SEC filings.\r\nIn 2018, this activity group made headlines when three of its members were arrested. In May 2020, another arrest\r\nwas made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions\r\nagainst suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group\r\nitself during these periods.\r\nELBRUS is responsible for developing and distributing multiple custom malware families used for persistence,\r\nincluding JSSLoader and Griffon. ELBRUS has also created fake security companies called “Combi Security” and\r\n“Bastion Security” to facilitate the recruitment of employees to their operations under the pretense of working as\r\npenetration testers.\r\nIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially\r\nmotivated extortion scheme, specifically deploying the MAZE and REvil RaaS families. ELBRUS developed their\r\nown RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited\r\nand managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents\r\nbased on payload and attribute them to a monolithic gang often obscures the true relationship between the attackers,\r\na pattern the DarkSide RaaS illustrates well. Case in point, one of the most infamous DarkSide deployments\r\nwasn’t performed by ELBRUS but by a ransomware as a service affiliate Microsoft tracks as DEV-0289.\r\nELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in\r\nJuly 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS\r\nprogram for affiliates. 
The activity group then retired the BlackMatter ransomware ecosystem in November 2021.\r\nWhile they aren’t currently publicly observed to be running a RaaS program, ELBRUS is very active in\r\ncompromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since\r\n2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor\r\nin the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing\r\nand exploit kit vectors. ELBRUS also abused CVE-2021-31207 in Exchange to compromise\r\norganizations in April 2022, an interesting pivot to a less popular authenticated vulnerability in the\r\nProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the\r\nunauthenticated vulnerability in their Exchange Server and to turn compromised low-privileged user credentials into\r\nhighly privileged access as SYSTEM on an Exchange Server.\r\nDEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\r\nAn excellent example of how clustering activity based on ransomware payload alone can obscure the\r\nthreat actors behind an attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with\r\nmany of their attacks becoming high-profile incidents attributed to the “REvil gang” or “BlackCat ransomware\r\ngroup”. This attribution masks the actions of the attackers under the DEV-0504 umbrella, as well as those of other\r\nREvil and BlackCat affiliates. This has resulted in a confusing picture of the scale of the ransomware problem and\r\noverinflated the impact that a single RaaS program shutdown can have on the threat environment.\r\nFigure 3. 
Ransomware payloads distributed by DEV-0504 between 2020 and June 2022\r\nDEV-0504 shifts payloads when a RaaS program shuts down, for example after the deprecation of REvil and\r\nBlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren’t\r\nunique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme\r\nbehavior where RaaS affiliates switch to older “fully owned” ransomware payloads like Phobos, which they can\r\nbuy when a RaaS isn’t available or when they don’t want to pay the fees associated with RaaS programs.\r\nDEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly\r\npurchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their\r\npayloads. Their techniques require them to have compromised elevated credentials, and they frequently disable\r\nantivirus products that aren’t protected with tamper protection.\r\nDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January\r\n2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion,\r\ntobacco, IT, and manufacturing industries, among others. BlackCat remains DEV-0504’s primary payload as of\r\nJune 2022.\r\nDEV-0237: Prolific collaborator\r\nLike DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their\r\noperations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can\r\nbe traced back to DEV-0237.\r\nAfter the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. 
Their switch\r\nto the BlackCat RaaS in March 2022 is suspected to be due to public discourse around Hive decryption\r\nmethodologies; that is, DEV-0237 may have switched to BlackCat because they didn’t want Hive’s decryptors to\r\ninterrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on\r\nlower-value targets. They have been observed to experiment with some payloads only to abandon them later.\r\nFigure 4. Ransomware payloads distributed by DEV-0237 between 2020 and June 2022\r\nBeyond RaaS payloads, DEV-0237 also uses the cybercriminal gig economy to gain initial access to networks.\r\nDEV-0237’s proliferation and success rate come in part from their willingness to leverage the network intrusion\r\nwork and malware implants of other groups rather than performing their own initial compromise and malware\r\ndevelopment.\r\nFigure 5. Examples of DEV-0237’s relationships with other cybercriminal activity groups\r\nLike all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security\r\nweaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they\r\nhave purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the\r\nransomware payload xxx.exe, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying,\r\nas most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new\r\nversion of Hive again.\r\nIn May 2022, DEV-0237 started to routinely deploy Nokoyawa, a payload that we observed the group previously\r\nexperimenting with when they weren’t using Hive. 
While the group used other payloads such as BlackCat in the\r\nsame timeframe, Nokoyawa became a more regular part of their toolkits. By June 2022, DEV-0237 was still\r\nprimarily deploying Hive and sometimes Nokoyawa but was seen experimenting with other ransomware payloads,\r\nincluding Agenda and Mindware.\r\nDEV-0237 is also one of several actors observed introducing other tools into their attacks to replace Cobalt Strike.\r\nCobalt Strike’s ubiquity and visible impact have led to improved detections and heightened awareness in security\r\norganizations, leading to observed decreased use by actors. DEV-0237 now uses the SystemBC RAT and the\r\npenetration testing framework Sliver in their attacks, replacing Cobalt Strike.\r\nDEV-0450 and DEV-0464: Distributing Qakbot for ransomware deployment\r\nThe evolution of prevalent trojans from being commodity malware to serving as footholds for ransomware is well\r\ndocumented via the impact of Emotet, Trickbot, and BazaLoader. Another widely distributed malware, Qakbot,\r\nalso leads to handoffs to RaaS affiliates. Qakbot is delivered via email, often downloaded by malicious macros in\r\nan Office document. Qakbot’s initial actions include profiling the system and the network, and exfiltrating emails\r\n(.eml files) for later use as templates in its malware distribution campaigns.\r\nQakbot is prevalent across a wide range of networks, building upon successful infections to continue spreading\r\nand expanding. Microsoft tracks DEV-0450 and DEV-0464 as Qakbot distributors whose infections result in observed\r\nransomware attacks. DEV-0450 distributes the “presidents”-themed Qakbot, using American presidents’ names in\r\ntheir malware campaigns. Meanwhile, DEV-0464 distributes the “TR” Qakbot and other malware such as\r\nSquirrelWaffle. 
DEV-0464 also rapidly adopted the Microsoft Support Diagnostic Tool (MSDT) vulnerability\r\n(CVE-2022-30190) in their campaigns. The abuse of malicious macros and MSDT can be blocked by preventing\r\nOffice from creating child processes, which we detail in the hardening guidance below.\r\nHistorically, Qakbot infections have typically led to hands-on-keyboard activity and ransomware deployments by\r\nDEV-0216, DEV-0506, and DEV-0826. DEV-0506 previously deployed Conti but switched to deploying Black\r\nBasta around April 8, 2022. This group uses DEV-0365’s Cobalt Strike Beacon infrastructure instead of\r\nmaintaining their own. In late September 2022, Microsoft observed DEV-0506 adding Brute Ratel as a tool to\r\nfacilitate their hands-on-keyboard access alongside Cobalt Strike Beacons.\r\nAnother RaaS affiliate that acquired access from Qakbot infections was DEV-0216, which maintains their own\r\nCobalt Strike Beacon infrastructure and has operated as an affiliate for Egregor, Maze, LockBit, REvil, and Conti\r\nin numerous high-impact incidents. Microsoft no longer sees DEV-0216 ransomware incidents initiating from\r\nDEV-0464 and DEV-0450 infections, indicating they may no longer be acquiring access via Qakbot.\r\nDEV-0206 and DEV-0243: An “evil” partnership\r\nMalvertising, which refers to taking out a search engine ad that leads to a malware payload, has been used in many\r\ncampaigns, but the access broker that Microsoft tracks as DEV-0206 uses it as their primary technique to gain\r\naccess to and profile networks. Targets are lured by an ad purporting to offer a browser update or a software\r\npackage into downloading a ZIP file and double-clicking it. The ZIP package contains a JavaScript file (.js), which in\r\nmost environments runs when double-clicked. 
Organizations that have changed their settings so that script files\r\nopen with a text editor by default instead of a script handler are largely immune to this threat, even if a user\r\ndouble-clicks the script.\r\nOnce successfully executed, the JavaScript framework, also referred to as SocGholish, acts as a loader for other\r\nmalware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These\r\npayloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243\r\nfalls under activities tracked by the cyber intelligence industry as “EvilCorp.” The custom Cobalt Strike loaders\r\nare similar to those seen in the publicly documented Blister malware’s inner payloads. In DEV-0243’s initial\r\npartnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and\r\nthen expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and\r\nMacaw.\r\nAround November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of\r\na RaaS payload by the “EvilCorp” activity group is likely an attempt by DEV-0243 to avoid attribution to their\r\ngroup, which could discourage payment due to their sanctioned status.\r\nFigure 6. The handover from DEV-0206 to DEV-0243\r\nOn July 26, 2022, Microsoft researchers discovered the FakeUpdates malware being delivered via existing\r\nRaspberry Robin infections. Raspberry Robin is a USB-based worm first publicly discussed by Red Canary. 
The\r\nDEV-0206-associated FakeUpdates activity on affected systems has since led to follow-on actions resembling\r\nDEV-0243 pre-ransomware behavior.\r\nDEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\r\nDiffering from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an\r\nactivity group involved in all stages of their attack lifecycle, from initial access to ransomware development.\r\nDespite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of\r\ntheir ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 is confirmed to be a China-based activity group.\r\nDEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or\r\nexposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks,\r\nincluding vulnerabilities in Exchange, ManageEngine ADSelfService Plus, Confluence, and Log4j 2. Due to the\r\nnature of the vulnerabilities they prefer, DEV-0401 gains elevated credentials at the initial access stage of their\r\nattack.\r\nOnce inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral\r\nmovement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons\r\nare frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI\r\nlateral movement, they use a customized version of the wmiexec.py module of the tool that creates renamed output\r\nfiles, most likely to evade static detections. 
Ransomware deployment is ultimately performed from a batch file in a\r\nshare and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the\r\nattackers to have obtained highly privileged credentials like Domain Administrator to perform this action.\r\nFigure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022\r\nBecause DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as\r\ndifferent groups in payload-driven reporting and evade detections and actions against them. Their payloads are\r\nsometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the\r\nBabuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware\r\nfamily, primarily via unpatched VMware Horizon systems vulnerable to the Log4j 2 CVE-2021-44228\r\nvulnerability.\r\nLike many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay;\r\nhowever, their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak\r\nsite sometimes leading to default web server landing pages when victims attempted to pay. In a notable shift—\r\npossibly related to victim payment issues—DEV-0401 started deploying LockBit 2.0 ransomware payloads in\r\nApril 2022. Around June 6, 2022, the group began replacing Cobalt Strike with the Sliver framework in their attacks.\r\nDEV-0537: From extortion to destruction\r\nAn example of a threat actor who has moved to a pure extortion and destruction model without deploying\r\nransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft\r\nhas detailed DEV-0537 actions taken in early 2022 in this blog. 
DEV-0537 started targeting organizations mainly\r\nin Latin America but expanded to global targeting, including government entities, technology, telecom, retailers,\r\nand healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with intent. Their\r\ninitial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public\r\ncode repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that\r\nDEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase\r\nin the cybercriminal economy. The group also buys credentials from underground forums that were gathered by\r\nother password-stealing malware.\r\nOnce initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate\r\nprivileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn’t\r\npossess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator\r\naccounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud\r\nenvironments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server\r\ninfrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they\r\nremove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks.\r\nDEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to\r\ntrack incident response efforts to their intrusions. 
DEV-0537 has been observed on multiple occasions to join\r\nincident response calls, not just observing the response to inform their attack but unmuting to demand ransom and\r\nsharing their screens while they delete their victim’s data and resources.\r\nDefending against ransomware: Moving beyond protection by detection\r\nA durable security strategy against determined human adversaries must include the goal of mitigating classes of\r\nattacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts that\r\ncan easily get lost or not be responded to in time. Alert fatigue is real, and SOCs can make their lives easier by\r\nlooking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then\r\nmitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats\r\ncan reduce alert volume and stop many attackers before they get access to networks.\r\nAttackers tweak their techniques and have tools to evade and disable security products. They are also well-versed\r\nin system administration and try to blend in as much as possible. However, while attacks have continued steadily\r\nand with increased impact, the attack techniques attackers use haven’t changed much over the years. Therefore, a\r\nrenewed focus on prevention is needed to stem the tide.\r\nRansomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in\r\ndisrupting the cybercriminal economy.\r\nBuilding credential hygiene\r\nMore than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware\r\ndeployment was successful, the attackers had access to a domain admin-level account or local administrator\r\npasswords that were consistent throughout the environment. Deployment can then be done through Group Policy\r\nor tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). 
Without the credentials to provide\r\nadministrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers.\r\nCompromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a\r\nnetwork, in many instances, the price includes a guaranteed administrator account to start with.\r\nCredential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and\r\ntheir capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools\r\naccessing the LSASS process in most security products. However, the risk of credential exposure isn’t just limited\r\nto a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored\r\nmany networks during their attacks, they have a deep knowledge of common network configurations and use it to\r\ntheir advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly\r\nprivileged service accounts.\r\nToo often, a legacy configuration ensures that a mission-critical application works by giving the utmost\r\npermissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear\r\nthey might break applications. This configuration is especially dangerous as it leaves highly privileged credentials\r\nexposed in the LSA Secrets portion of the registry, which users with administrative access can access. In\r\norganizations where the local administrator rights haven’t been removed from end users, attackers can be one hop\r\naway from domain admin just from an initial attack like a banking trojan. 
Building credential hygiene means\r\ndeveloping a logical segmentation of the network, based on privileges, that can be implemented alongside network\r\nsegmentation to limit lateral movement.\r\nHere are some steps organizations can take to build credential hygiene:\r\nAim to run services as Local System when administrative privileges are needed, as this allows applications\r\nto have high privileges locally but can’t be used to move laterally. Run services as Network Service when\r\naccessing other resources.\r\nUse tools like LUA Buglight to determine the privileges that applications really need.\r\nLook for events with EventID 4624 where the logon type is 2, 4, 5, or 10 and the account is highly\r\nprivileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via\r\nLSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn’t be exposed\r\non member servers or workstations.\r\nMonitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts\r\nfrom privileged groups. Adding them to the local administrator group on a limited set of machines to keep\r\nan application running still reduces the scope of an attack compared with running them as Domain Admin.\r\nRandomize Local Administrator passwords with a tool like Local Administrator Password Solution (LAPS)\r\nto prevent lateral movement using local accounts with shared passwords.\r\nUse a cloud-based identity security solution that leverages on-premises Active Directory signals to get\r\nvisibility into identity configurations and to identify and detect threats or compromised identities.\r\nAuditing credential exposure\r\nAuditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. BloodHound\r\nis a tool that was originally designed to provide network defenders with insight into the number of administrators\r\nin their environment. 
It can also be a powerful tool in reducing privileges tied to administrative accounts and\r\nunderstanding your credential exposure. IT security teams and SOCs can work together with the authorized use of\r\nthis tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it\r\ncarefully for malicious use. They can also use this detection guidance to watch for malicious use.\r\nMicrosoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously,\r\nBloodHound allows attackers to see the path of least resistance from the systems they can access to highly\r\nprivileged accounts like domain admin accounts and global administrator accounts in Azure.\r\nPrioritizing deployment of Active Directory updates\r\nSecurity patches for Active Directory should be applied as soon as possible after they are released. Microsoft has\r\nwitnessed ransomware attackers adopting authentication vulnerabilities, such as ZeroLogon and PetitPotam, within one hour of\r\ntheir being made public and as soon as those vulnerabilities are included in toolkits like Mimikatz. When unpatched,\r\nthese vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin\r\nlevel privileges.\r\nCloud hardening\r\nAs attackers move towards cloud resources, it’s important to secure cloud resources and identities as well as on-premises accounts. 
Here are ways organizations can harden cloud environments:\r\nCloud identity hardening\r\nImplement the Azure Security Benchmark and general best practices for securing identity infrastructure,\r\nincluding:\r\nPrevent on-premises service accounts from having direct rights to cloud resources, to prevent\r\nlateral movement to the cloud.\r\nEnsure that “break glass” account passwords are stored offline and configure honey-token activity\r\nalerts for account usage.\r\nImplement Conditional Access policies enforcing Microsoft’s Zero Trust principles.\r\nEnable risk-based user sign-in protection and automate threat response to block high-risk sign-ins from all\r\nlocations and enable MFA for medium-risk ones.\r\nEnsure that VPN access is protected via modern authentication methods.\r\nMultifactor authentication (MFA)\r\nEnforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all\r\ndevices, in all locations, at all times.\r\nEnable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft\r\nAuthenticator) for accounts that support passwordless. For accounts that still require passwords, use\r\nauthenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different\r\nauthentication methods and features.\r\nIdentify and secure workload identities to secure accounts where traditional MFA enforcement does not\r\napply.\r\nEnsure that users are properly educated on not accepting unexpected two-factor authentication (2FA) prompts.\r\nFor MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as\r\nmany intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users\r\nclicking “Yes” on the prompt on their phones even when they were not at their computers. 
Refer to this\r\narticle for an example.\r\nDisable legacy authentication.\r\nCloud admins\r\nEnsure cloud admins/tenant admins are treated with the same level of security and credential hygiene as\r\nDomain Admins.\r\nAddress gaps in authentication coverage.\r\nAddressing security blind spots\r\nIn almost every observed ransomware incident, at least one system involved in the attack had a misconfigured\r\nsecurity product that allowed the attacker to disable protections or evade detection. In many instances, the initial\r\naccess for access brokers is a legacy system that isn’t protected by antivirus or EDR solutions. It’s important to\r\nunderstand that the lack of security controls on these systems, which have access to highly privileged credentials, turns them into\r\nblind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single\r\nsystem without being detected. In some instances, this is specifically advertised as a feature that access brokers\r\nsell.\r\nOrganizations should review and verify that security tools are running in their most secure configuration and\r\nperform regular network scans to ensure appropriate security products are monitoring and protecting all systems,\r\nincluding servers. 
If this isn’t possible, make sure that your legacy systems are either physically isolated through a\r\nfirewall or logically isolated by ensuring they have no credential overlap with other systems.\r\nFor Microsoft 365 Defender customers, the following checklist eliminates security blind spots:\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker\r\ntools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules\r\nand tamper protection.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nRun EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when\r\na non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in\r\npassive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat\r\nIntelligence teams.\r\nEnable network protection to prevent applications or users from accessing malicious domains and other\r\nmalicious content on the internet.\r\nEnable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to\r\ntake immediate action on alerts to resolve breaches.\r\nUse device discovery to increase visibility into the network by finding unmanaged devices and onboarding\r\nthem to Microsoft Defender for Endpoint.\r\nProtect user identities and credentials using Microsoft Defender for Identity, a cloud-based security\r\nsolution that leverages on-premises Active Directory signals to monitor and analyze user behavior to\r\nidentify suspicious user activities, configuration issues, and active attacks.\r\nReducing the attack surface\r\nMicrosoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques\r\nused in ransomware attacks. 
These rules, which can be configured by all Microsoft Defender Antivirus customers\r\nand not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from\r\nseveral ransomware-associated activity groups, Microsoft customers who had the following rules enabled were\r\nable to mitigate the attack in the initial stages and prevent hands-on-keyboard activity:\r\nCommon entry vectors:\r\nBlock all Office applications from creating child processes\r\nBlock Office communication application from creating child processes\r\nBlock Office applications from creating executable content\r\nBlock Office applications from injecting code into other processes\r\nBlock execution of potentially obfuscated scripts\r\nBlock JavaScript or VBScript from launching downloaded executable content\r\nRansomware deployment and lateral movement stage (in order of impact based on the stage in attack they\r\nprevent):\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nBlock process creations originating from PsExec and WMI commands\r\nUse advanced protection against ransomware\r\nIn addition, Microsoft has changed the default behavior of Office applications to block macros in files from the\r\ninternet, further reducing the attack surface for many human-operated ransomware attacks and other threats.\r\nHardening internet-facing assets and understanding your perimeter\r\nOrganizations must identify and secure perimeter systems that attackers might use to access the network. Public\r\nscanning interfaces, such as RiskIQ, can be used to augment data. 
Some systems that should be considered of\r\ninterest to attackers and therefore need to be hardened include:\r\nSecure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden\r\nagainst password spray or brute force attacks.\r\nBlock remote IT management tools such as TeamViewer, Splashtop, Remote Manipulator System,\r\nAnyDesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if\r\nnot in use in your environment. If these systems are used in your environment, enforce security settings\r\nwhere possible to implement MFA.\r\nRansomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in\r\n2022 because some systems remained unpatched or partially patched, or because access brokers had established\r\npersistence on previously compromised systems despite their later being patched.\r\nSome observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and\r\nmitigate include:\r\nCitrix ADC systems affected by CVE-2019-19781\r\nPulse Secure VPN systems affected by CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, CVE-2021-22893,\r\nCVE-2021-22894, CVE-2021-22899, and CVE-2021-22900\r\nSonicWall SSLVPN affected by CVE-2021-20016\r\nMicrosoft SharePoint servers affected by CVE-2019-0604\r\nUnpatched Microsoft Exchange servers\r\nZoho ManageEngine systems affected by CVE-2020-10189\r\nFortiGate VPN servers affected by CVE-2018-13379\r\nApache Log4j affected by CVE-2021-44228\r\nRansomware attackers also rapidly adopt new vulnerabilities. 
To further reduce organizational exposure,\r\nMicrosoft Defender for Endpoint customers can use the threat and vulnerability management capability to\r\ndiscover, prioritize, and remediate vulnerabilities and misconfigurations.\r\nMicrosoft 365 Defender: Deep cross-domain visibility and unified investigation\r\ncapabilities to defend against ransomware attacks\r\nThe multi-faceted threat of ransomware requires a comprehensive approach to security. The steps outlined\r\nabove defend against common attack patterns and go a long way toward preventing ransomware attacks. Microsoft\r\n365 Defender is designed to make it easy for organizations to apply many of these security controls.\r\nMicrosoft 365 Defender’s industry-leading visibility and detection capabilities, demonstrated in the recent MITRE\r\nEngenuity ATT\u0026CK® Evaluations, automatically stop most common threats and attacker techniques. To equip\r\norganizations with the tools to combat human-operated ransomware, which by nature takes a unique path in\r\nevery organization, Microsoft 365 Defender provides rich investigation features that enable defenders to\r\nseamlessly inspect and remediate malicious behavior across domains.\r\nLearn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft\r\n365 Defender.\r\nIn line with the recently announced expansion into a new service category called Microsoft Security Experts,\r\nwe’re announcing the public preview of Microsoft Defender Experts for Hunting. 
Defender\r\nExperts for Hunting is for customers who have a robust security operations center but want Microsoft to help them\r\nproactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications,\r\nand identity.\r\nJoin our research team at the Microsoft Security Summit digital event on May 12 to learn what developments\r\nMicrosoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of\r\nattacks. Ask your most pressing questions during the live chat Q\u0026A. Register today.\r\nSource: https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
	],
	"report_names": [
		"ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1998ad13-b343-4409-9a37-b1930d156a28",
			"created_at": "2023-09-17T02:00:09.948891Z",
			"updated_at": "2026-04-10T02:00:03.372224Z",
			"deleted_at": null,
			"main_name": "Storm-0324",
			"aliases": [
				"DEV-0324",
				"Sagrid",
				"TA543"
			],
			"source_name": "MISPGALAXY:Storm-0324",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "76e1fb02-1ceb-4fe5-8a68-456f0d4c62a4",
			"created_at": "2024-02-02T02:00:04.037062Z",
			"updated_at": "2026-04-10T02:00:03.535409Z",
			"deleted_at": null,
			"main_name": "Velvet Tempest",
			"aliases": [
				"DEV-0504"
			],
			"source_name": "MISPGALAXY:Velvet Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434097,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c167d0223cad7657c00e347f243303fa56bdefb7.pdf",
		"text": "https://archive.orkl.eu/c167d0223cad7657c00e347f243303fa56bdefb7.txt",
		"img": "https://archive.orkl.eu/c167d0223cad7657c00e347f243303fa56bdefb7.jpg"
	}
}
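The archived post above credits a specific set of Microsoft Defender attack surface reduction (ASR) rules with stopping ransomware intrusions before hands-on-keyboard activity began, but it does not show how to roll them out. The PowerShell below is an added example written for this record, not code from the Microsoft blog post or from Microsoft. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus and uses only the documented Add-MpPreference and Get-MpPreference cmdlets; the rule GUIDs are the IDs Microsoft documents for each ASR rule, and the function names Set-RansomwareAsrRules and Get-RansomwareAsrRuleState are this example's own.

```powershell
# Added example (not from the Microsoft post): enable the ASR rules the post lists,
# first in AuditMode, then in block mode once the audit events have been reviewed.
# Run from an elevated prompt on a host running Microsoft Defender Antivirus.

$RansomwareAsrRules = [ordered]@{
    # Common entry vectors
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    # Ransomware deployment and lateral movement stage
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PsExec and WMI commands'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

function Set-RansomwareAsrRules {
    # Set every listed rule to the same action. AuditMode logs what the rule would have
    # blocked (Event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log)
    # without interrupting anything, so legitimate workflows that need exclusions surface
    # before the switch to Enabled (block), which logs Event ID 1121 when it fires.
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')]
        [string]$Action = 'AuditMode'
    )
    foreach ($id in $RansomwareAsrRules.Keys) {
        # Ids and Actions are paired positionally; one call per rule keeps the pairing explicit.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        Write-Host ('{0,-9} {1}  {2}' -f $Action, $id, $RansomwareAsrRules[$id])
    }
}

function Get-RansomwareAsrRuleState {
    # Read back the effective configuration so the rollout can be verified per host.
    # Get-MpPreference exposes two parallel arrays: rule IDs and the numeric action at
    # the same index (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpperInvariant() })
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($id in $RansomwareAsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id)
        $state = if ($i -ge 0) { $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]] } else { 'Not configured' }
        [pscustomobject]@{ State = $state; RuleId = $id; Rule = $RansomwareAsrRules[$id] }
    }
}

# Typical rollout:
#   Set-RansomwareAsrRules -Action AuditMode      # observe for a week or two
#   Get-RansomwareAsrRuleState | Format-Table -AutoSize
#   Set-RansomwareAsrRules -Action Enabled        # enforce once the audit events look clean
```

Two caveats a practitioner should check before enforcing: the prevalence/age/trusted-list rule depends on cloud-delivered protection being enabled, and the PsExec/WMI rule blocks the WMI calls the Configuration Manager client relies on, so it is documented as incompatible with hosts managed that way. If ASR is already managed through Group Policy or Intune, those settings take precedence over local Add-MpPreference changes, and the same rule IDs and actions should be deployed through that channel instead.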