{
	"id": "bad4588e-a9a6-44d0-8bda-25c8c4c22dc2",
	"created_at": "2026-04-06T00:16:49.052986Z",
	"updated_at": "2026-04-10T03:24:50.360775Z",
	"deleted_at": null,
	"sha1_hash": "d974b6cba36591d9fec58fbca1c0a67311121ab5",
	"title": "New ransomware trends in 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1055122,
	"plain_text": "New ransomware trends in 2022\r\nBy GReAT\r\nPublished: 2022-05-11 · Archived: 2026-04-05 21:46:34 UTC\r\nAhead of the Anti-Ransomware Day, we summarized the tendencies that characterize the ransomware landscape in\r\n2022. This year, ransomware is no less active than before: cybercriminals continue to threaten nationwide retailers\r\nand enterprises, old variants of malware return while the new ones develop. Watching and assessing these\r\ntendencies not only provides us with threat intelligence to fight cybercrime today, but also helps us deduce what\r\ntrends we may see in the months to come and prepare for them better.\r\nIn the report, we analyze what happened in late 2021 and 2022 on both the technological and geopolitical levels\r\nand what caused the new ransomware trends to emerge. First, we will review the trend of cross-platform\r\nransomware development that is becoming more and more widespread among threat actors. Next, we will\r\nconcentrate on how the ransomware gangs continue to industrialize and evolve into real businesses by adopting\r\ntechniques of benign software companies. Last, we will delve into how ransomware gangs put on a political hat\r\nand engaged in the conflict between Russia and Ukraine.\r\nTrend #1: Threat actors are trying to develop cross-platform ransomware to be as\r\nadaptive as possible\r\nAs a consequence of the Big Game Hunting (BGH) scheme that has become increasingly popular over the years,\r\ncybercriminals have been penetrating more and more complex environments where a wide variety of systems are\r\nrunning. In order to cause as much damage as possible and to make recovery very difficult (if not impossible),\r\nthey try to encrypt as many systems as possible. This means that their ransomware should be able to run on\r\ndifferent combinations of architectures and operating systems.\r\nOne way to overcome this is to write the ransomware in a “cross-platform programming language” such as Rust\r\nor Golang. 
There are a few other reasons to use a cross-platform language. For example, even though the\r\nransomware might be aimed at one platform at the moment, writing it in a cross-platform language makes it easier to port it\r\nto other platforms. Another reason is that analysis of cross-platform binaries is a bit harder than that of malware\r\nwritten in plain C.\r\nIn our crimeware reporting section on the Threat Intelligence Platform we cover some of these ransomware\r\nvariants that work on different platforms. The following are the most important highlights from these reports.\r\nConti cross-platform functionality\r\nConti is a group conducting BGH, targeting a wide variety of organizations across the globe. Just like many other\r\nBGH groups, it uses the double extortion technique as well as an affiliate-based structure.\r\nhttps://securelist.com/new-ransomware-trends-in-2022/106457/\r\nPage 1 of 14\n\nWe noticed that only certain affiliates have access to a Linux variant of the Conti ransomware, targeting ESXi\r\nsystems. It supports a variety of different command-line arguments that can be used by the affiliate to customize\r\nthe execution. The version for Linux supports the following parameters:\r\nParameter Description\r\n–detach The sample is executed in the background and it is detached from the terminal\r\n–log For debugging purposes, with a filename specified, Conti will write the actions to a log file\r\n–path Conti needs this path to encrypt the system. 
With the selected path, the ransomware will encrypt the entire folder structure recursively\r\n–prockiller This flag allows the ransomware to kill those processes that have the selected files for encryption\r\n–size Function not implemented\r\n–vmlist Flag used to skip virtual machines during the encryption process\r\n–vmkiller It will terminate all the virtual machines for the ESXi ecosystem\r\nConti parameters (Linux ESXi)\r\nBlackCat cross-platform functionality\r\nBlackCat started offering their services in December 2021 on the dark web. Although the malware is written in\r\nRust from scratch, we found some links to the BlackMatter group as the actor used the same custom exfiltration\r\ntool that had been observed earlier in BlackMatter activities. Due to Rust cross-compilation capabilities, it did not\r\ntake long for us to find BlackCat samples that work on Linux as well.\r\nThe Linux sample of BlackCat is very similar to the Windows one. In terms of functionality, it has slightly more,\r\nas it is capable of shutting down the machine and deleting ESXi VMs. Naturally, typical Windows functionality\r\n(e.g., executing commands through cmd.exe) was removed and replaced with the Linux equivalent so the\r\nransomware still holds the same functionality on the different platforms it operates on.\r\nDeadbolt cross-platform functionality\r\nDeadbolt is an example of ransomware written in a cross-platform language, but currently aimed at only one target\r\n– QNAP NAS systems. It is also an interesting combination of Bash, HTML and Golang. Deadbolt itself is\r\nwritten in Golang, the ransom note is an HTML file that replaces the standard index file used by the QNAP NAS,\r\nand the Bash script is used to start the decryption process if the provided decryption key is correct. 
There is\r\nanother peculiar thing about the ransomware: it doesn’t need any interaction with attackers because a decryption\r\nkey is provided in a Bitcoin transaction OP_RETURN field. The Bash file is shown below.\r\n#!/bin/sh\r\necho \"Content-Type: text/html\"\r\necho \"\"\r\nget_value () {\r\n    echo \"$1\" | awk -F \"${2}=\" '{ print $2 }' | awk -F '\u0026' '{ print $1 }'\r\n}\r\nnot_running() { echo '{\"status\":\"not_running\"}'; exit; }\r\nPID_FILENAME=/tmp/deadbolt.pid\r\nSTATUS_FILENAME=/tmp/deadbolt.status\r\nFINISH_FILENAME=/tmp/deadbolt.finish\r\nTOOL=/mnt/HDA_ROOT/722\r\nCRYPTDIR=/share\r\nif [ \"$REQUEST_METHOD\" = \"POST\" ]; then\r\n    DATA=`dd count=$CONTENT_LENGTH bs=1 2\u003e /dev/null`'\u0026'\r\n    ACTION=$(get_value \"$DATA\" \"action\")\r\n    if [ \"$ACTION\" = \"decrypt\" ]; then\r\n        KEY=$(get_value \"$DATA\" \"key\")\r\n        if [ \"${#KEY}\" != 32 ]; then\r\n            echo \"invalid key len\"\r\n            exit\r\n        fi\r\n        K=/tmp/k-$RANDOM\r\n        echo -n \u003e $K\r\n        for i in `seq 0 2 30`; do\r\n            printf \"\\x\"${KEY:$i:2} \u003e\u003e $K\r\n        done\r\n        SUM=$(sha256sum $K | awk '{ print $1 }')\r\n        rm $K\r\n        if [ \"$SUM\" = \"915767a56cb58349b1e34c765b82be6b117db7e784c3efb801f327ff00355d15\" ]; then\r\n            echo \"correct key\"\r\n            exec \u003e\u0026-\r\n            exec 2\u003e\u0026-\r\n            ${TOOL} -d \"$KEY\" \"$CRYPTDIR\"\r\n        elif [ \"$SUM\" = 
\"93f21756aeeb5a9547cc62dea8d58581b0da4f23286f14d10559e6f89b078052\" ]; then\r\n            echo \"correct master key\"\r\n            exec \u003e\u0026-\r\n            exec 2\u003e\u0026-\r\n            ${TOOL} -d \"$KEY\" \"$CRYPTDIR\"\r\n        else\r\n            echo \"wrong key.\"\r\n        fi\r\n    elif [ \"$ACTION\" = \"status\" ]; then\r\n        if [ -f \"$FINISH_FILENAME\" ]; then\r\n            echo '{\"status\":\"finished\"}'\r\n            exit\r\n        fi\r\n        if [ -f \"$PID_FILENAME\" ]; then\r\n            PID=$(cat \"$PID_FILENAME\")\r\n            if [ \"$PID\" = \"\" ]; then\r\n                not_running\r\n            fi\r\n            if [ ! -d \"/proc/$PID\" ]; then\r\n                not_running\r\n            fi\r\n        fi\r\n        if [ -f \"$STATUS_FILENAME\" ]; then\r\n            COUNT=$(cat \"$STATUS_FILENAME\")\r\n            echo '{\"status\":\"running\",\"count\":\"'${COUNT}'\"}'\r\n        else\r\n            not_running\r\n        fi\r\n    else\r\n        echo \"invalid action\"\r\n    fi\r\nelse\r\n    echo\r\nTrend #2: The ransomware ecosystem is evolving and becoming even more\r\n“industrialized”\r\nJust like legitimate software companies, cybercriminal groups are continually developing their tool kit for\r\nthemselves and their customers – for example, to make the process of data exfiltration quicker and easier. 
Another\r\ntrick that threat actors sometimes pull off is rebranding their ransomware, changing bits and pieces in the process.\r\nLet’s delve into the new tools and “business” strategies ransomware gangs are employing these days.\r\nEvolution of Lockbit, one of the most successful RaaS since 2019\r\nLockbit started in 2019, and then in 2020, its affiliate program was announced. Over time, the group has been\r\ndeveloping actively, as can be seen in the figure below:\r\nWhen the group started with its malicious activities, it did not have any leak portal, was not doing double\r\nextortion, and there was no data exfiltration before data encryption.\r\nThe infrastructure was also improved over time. Like other ransomware families, Lockbit’s infrastructure suffered\r\nseveral attacks that forced the group to implement some countermeasures to protect its assets. These attacks\r\nincluded hacking of Lockbit’s administration panels and DDoS attacks to force the group to shut down its\r\nactivity.\r\nThe latest security addition made by the Lockbit developers is a “waiting page” that redirects users to one of the\r\navailable mirrors.\r\nStealBIT: custom data exfiltration tool utilized by Lockbit ransomware\r\nData exfiltration, which is used when groups apply double extortion, is possible in many different ways. Initially\r\ncybercriminals used publicly available tools such as Filezilla, and then later replaced them with their own custom\r\ntools such as StealBIT. There are a few reasons for this:\r\nPublicly available tools are not always known for their speed. For ransomware operators speed is\r\nimportant, because the longer it takes to exfiltrate data, the greater the chance that ransomware operators\r\nwill be caught.\r\nFlexibility is another reason. Standard tools are not designed with the requirements for ransomware\r\noperators in mind. 
For example, with most tools it is possible to upload the data only to one host. If that\r\nhost is down, another host must be specified manually. There is always the chance that criminal\r\ninfrastructure will be taken down or fall into the hands of LEAs. To provide more flexibility and overcome\r\nthese limitations, StealBIT has a list of hardcoded hosts the data can be exfiltrated to. If the first one is\r\ndown for some reason, the second host is tried.\r\nRansomware operators have requirements that are not met with publicly available tools. One such\r\nrequirement is to exfiltrate not all the data, but only the interesting data. In StealBIT this is implemented by\r\nhaving a hardcoded list of extensions that should be extracted. Another functionality is that the affiliate ID\r\nis sent when data is uploaded.\r\nIn the figure below, the data exfiltration is compared (by the authors) to that of other tools:\r\nSoftShade deploys Fendr exfiltration client\r\nFendr, also known as Exmatter, is a malicious data exfiltration tool used by several ransomware groups such as\r\nBlackMatter, Conti and BlackCat. Fendr was not seen in all the BlackMatter and Conti incidents we observed, but\r\nwe did see it in all BlackCat-related incidents. Therefore, we believe that Fendr was used by a crimeware\r\ngroup that participated in a few affiliate schemes.\r\nInternally, SoftShade developers called it “file_sender” and “sender2”. The malware is written in C# .Net, and was\r\nfrequently deployed alongside BlackMatter and Conti malware as a packed .Net executable, but most samples\r\ndeployed alongside Conti and BlackCat ransomware were not packed (except for one Conti incident in November\r\n2021). It is designed to efficiently manage large amounts of selective file collection and upload activity on a\r\nvictim system and then remove itself from the system. 
Fendr is built with several open-source libraries, and its\r\ndesign is clearly the result of maturing, professionalised experience in the ransomware space, handling arbitrarily\r\nlarge file volumes across various Windows systems and networks.\r\nAlso interesting is the deployment and packaging of Fendr and their chosen ransomware. Across each affiliate\r\nscheme (except for one Conti incident), the ransomware and Fendr are delivered simultaneously across a network\r\nto many systems as “v2.exe” and “v2c.exe”, or as “v2.exe” and “sender2.exe”. This simultaneous push seems to\r\nprioritize coordination and efficiency over the increased risk of detection. In a Conti-related exception, it appears that a\r\nFendr variant was pushed across the network to many systems as “\\\\hostname\\$temp\\sender2.exe”.\r\nTrend #3: Ransomware gangs take sides in geopolitical conflicts\r\nCybercriminals use news headlines to achieve their malicious goals. We saw this during the initial phase of the\r\nglobal Covid-19 pandemic, when there was a surge of Covid-19-related spam and phishing e-mails. The same\r\nhappened with the geopolitical conflict in Ukraine in 2022.\r\nThere is, however, one big difference. The usage of the pandemic wasn’t personal because it was just another topic\r\nfrom a long list of holidays, events, incidents, etc. In the case of the conflict, threat actors decided to choose sides,\r\nand this makes the topic much more personal.\r\nTypically in a geopolitical conflict such as this one, one would associate the source of the cyberattacks with state-sponsored threat actors. This is not always true, as we have noted a new type of engagement in this conflict:\r\ncybercrime forums and ransomware groups reacting to the situation and taking action.\r\nThere have been consequences: for example, the disclosure of the Conti-related information. 
We also see this in\r\nmalware variants that have been recently deployed. Specific variants that are exclusively found in Ukraine or in\r\nRussia often choose sides, either against Ukraine or against Russia. Let’s look at the most notable ransomware\r\ngang activity around the conflict.\r\nRansomware gangs taking sides\r\nThe most significant reaction of all is likely that of the Conti ransomware group. On February 25, Conti published a\r\nmessage on its news site with a statement that it would retaliate with full capabilities against any “enemy’s”\r\ncritical infrastructure if Russia became a target of cyberattacks. This is probably a rare example of a cybercriminal\r\ngroup supporting a nation-state publicly. As a result, an allegedly Ukrainian member shared chats and other\r\ninternal Conti-related information online.\r\nConti ransomware group posting a warning message on its news site\r\nOn the other side there are other communities such as Anonymous, IT Army of Ukraine and Belarusian Cyber\r\nPartisans openly supporting Ukraine.\r\nThe table below highlights the position of several groups and forums during the beginning of the conflict.\r\nOpen UA support | Open RU support | Neutral\r\nRaidForums | Conti | Lockbit\r\nAnonymous collective | CoomingProject |\r\nIT Army of Ukraine | Stormous |\r\nBelarusian Cyber Partisans | |\r\nFreeud: brand-new ransomware with wiper capabilities\r\nKaspersky recently discovered Freeud, a brand-new ransomware variant that supports Ukraine. Freeud’s\r\nransom note says — not very subtly — that Russian troops should leave Ukraine. The choice of words and how\r\nthe note is written suggest that it is written by a native Russian speaker. Other language artifacts that we found\r\nsuggest the authors are non-native English speakers. 
For example, the word “lending” was found several times in\r\nplaces where the writers should have used “landing”.\r\nThe political view of the malware authors is expressed not only through the ransom note but also through the\r\nmalware features. One of them is wiping functionality. If the malware contains a list of files, instead of encrypting them,\r\nthe malware wipes them from the system.\r\nAnother property that stands out is the high quality of the malware, highlighted by the encryption methods applied\r\nand the way multithreading is used.\r\nElections GoRansom (HermeticRansom) covering up destructive activity\r\nGoRansom was found at the end of February in Ukraine at the same time the HermeticWiper attack was carried\r\nout. We covered it in a post published in March. There are a few things that GoRansom does that are different from\r\nother ransomware variants:\r\nIt creates hundreds of copies of itself and runs them.\r\nThe function naming scheme refers to the US presidential elections.\r\nThere is no obfuscation and it has pretty straightforward functionality.\r\nSelf-copies made by HermeticRansom\r\nFor these reasons we believe it was created to boost the effectiveness of cyberoperations in Ukraine.\r\nStormous ransomware joins the Ukraine crisis with a PHP malware\r\nIt is not very often that we come across malware written in PHP. Most of the time when we analyze PHP code it is\r\neither a web shell or some botnet panel code. Stormous is one of the few exceptions. Aside from being a backdoor,\r\nit also contains ransomware functionality. The threat actor hunts for web servers supporting PHP technology and\r\nweb apps that are vulnerable.\r\nAn analysis of the malware suggests the threat actor is Arabic-speaking and from a North African region. 
Stormous\r\nsides with Russia:\r\nThe PHP script provides a web interface for remote interaction over HTTP, where several encryption options are\r\noffered: “OpenSSL”, “Mcrypt” and “Xor”. It is quite possible that these three were built into the script\r\nbecause of external considerations at the target, like the version of PHP running on the server (some extensions are\r\ndeprecated or unavailable from one version to the next).\r\nDoubleZero wiper targets Ukraine\r\nThe DoubleZero wiper was initially published by the Ukrainian CERT on March 22. It is a completely new\r\nwiper written in C#; it is not similar to any other known wipers and targets only Ukrainian entities. The binary\r\nitself is heavily obfuscated by an unknown C# obfuscator. Classes and method names are randomly generated.\r\nObfuscation\r\nControl flow is organized using a function-flattening mechanism created to slow down analysis of malicious code.\r\nObfuscated decompiled code\r\nWhen all the preparations are over, the malware starts its wiping operations. First, it checks for user (non-system) files\r\nby comparing folder names with a hardcoded list and starts wiping them using quite an interesting implementation\r\nof the NtFsControlFile API.\r\nHardcoded list of folders\r\nFile wiping\r\nThe NtFsControlFile routine sends a control code directly to a specified file system or file system filter driver,\r\ncausing the corresponding driver to perform the specified action. As seen in the screenshot, the control code has\r\nthe value of 622792 (0x980C8 in hex), which corresponds to the FSCTL_SET_ZERO_DATA control code of the\r\nFSCTL structure. Data in the file will be overwritten by zero values that are pointed to by the intPtr2 variable. 
If the\r\nfunction fails, the wiper will execute the standard .Net FileStream.Write function for the same purpose. Then the\r\nmalware wipes the system files found.\r\nThe malware then deletes the Windows registry tree subkeys in HKU and HKLM and kills the “lsass” process to reboot\r\nthe infected machine.\r\nConclusion\r\nAs the saying goes, forewarned is forearmed, and this also applies to cybersecurity. In recent years, ransomware\r\ngroups have come a long way from being scattered gangs to businesses with distinctive traits of a full-fledged\r\nindustry. As a result, attacks have become more sophisticated and more targeted, exposing victims to more threats.\r\nMonitoring the activity of ransomware groups and their developments provides us with threat intelligence that\r\nenables better defences.\r\nWe witnessed cross-platform ransomware written in Rust and Golang becoming a weapon of the “new generation” of ransomware groups. Thanks to the software’s flexibility, the attacks can be conducted on a larger\r\nscale with no regard to what operating system the victim is using. This flexibility allows ransomware gangs to\r\nquickly adapt their strategy when carrying out attacks, diversify their targets and affect more victims.\r\nSecond, we witnessed a significant development in how ransomware groups rebuild their inner processes to\r\nfacilitate their activity, increasingly resembling legitimate software developers. While their efforts in branding (and\r\nre-branding) aren’t entirely new, the segmentation of their ‘businesses’ as well as the creation of new exfiltration tools\r\npoint towards a maturing Ransomware-as-a-Service industry, where the ransomware owner simplifies the job for the\r\noperators as much as possible.\r\nFinally, ransomware groups’ engagement in the conflict between Russia and Ukraine has set a precedent in the\r\nway cybercriminals operate in relation to geopolitics. 
While it is widely seen that advanced persistent threat (APT)\r\nactors are usually the ones to take on the mission of carrying out advanced attacks in the interest of the state, we\r\nnow see that ransomware actors voluntarily engage in such activities as well, often leading to quite destructive\r\nconsequences.\r\nThese tendencies are already affecting the way we need to defend against ransomware today. Ahead of the Anti-Ransomware Day, Kaspersky encourages organizations to follow these best practices that help them safeguard\r\nagainst ransomware:\r\nAlways keep software updated on all the devices you use, to prevent attackers from infiltrating your\r\nnetwork by exploiting vulnerabilities.\r\nFocus your defence strategy on detecting lateral movements and data exfiltration to the internet. Pay\r\nspecial attention to the outgoing traffic to detect cybercriminals’ connections. Set up offline backups that\r\nintruders cannot tamper with. Make sure you can quickly access them in an emergency when needed.\r\nEnable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for\r\nBusiness that shields computers and servers from ransomware and other types of malware, prevents exploits\r\nand is compatible with already installed security solutions.\r\nInstall anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection,\r\ninvestigation and timely remediation of incidents. Provide your SOC team with access to the latest threat\r\nintelligence and regularly upskill them with professional training. All of the above is available within\r\nKaspersky Expert Security framework.\r\nProvide your SOC team with access to the latest threat intelligence (TI). 
The Kaspersky Threat Intelligence\r\nPortal is a single point of access for the company’s TI, including crimeware, providing cyberattack data\r\nand insights gathered by Kaspersky spanning over 20 years. To help businesses enable effective defences in\r\nthese turbulent times, Kaspersky announced access to independent, continuously updated and globally-sourced information on ongoing cyberattacks and threats, at no charge. Request your access to this offer\r\nhere: crimewareintel[at]kaspersky.com.\r\nSource: https://securelist.com/new-ransomware-trends-in-2022/106457/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/new-ransomware-trends-in-2022/106457/"
	],
	"report_names": [
		"106457"
	],
	"threat_actors": [
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434609,
	"ts_updated_at": 1775791490,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d974b6cba36591d9fec58fbca1c0a67311121ab5.pdf",
		"text": "https://archive.orkl.eu/d974b6cba36591d9fec58fbca1c0a67311121ab5.txt",
		"img": "https://archive.orkl.eu/d974b6cba36591d9fec58fbca1c0a67311121ab5.jpg"
	}
}