{
	"id": "8b7bc856-330b-48d7-8825-52e5d972e4b3",
	"created_at": "2026-04-06T01:29:42.237907Z",
	"updated_at": "2026-04-10T03:36:36.761072Z",
	"deleted_at": null,
	"sha1_hash": "eee214d0504d04b71ebdc4bf7dfa74580bd0a9a9",
	"title": "Ransomware Double Extortion and Beyond: REvil, Clop, and Conti",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 353321,
	"plain_text": "Ransomware Double Extortion and Beyond: REvil, Clop, and Conti\r\nArchived: 2026-04-06 01:09:40 UTC\r\nBut in late 2019, Maze pioneered the double extortion technique with a demand that was harder to ignore: Pay up, or the ransomware operators would publicly release the victims’ data.\r\nTo date, we have spotted 35 ransomware families that have employed double extortion — and the list just keeps growing. It’s not difficult to see why: While loss of access to files alone already puts heavy pressure on affected organizations to yield to ransom demands, the added threat of public exposure further tightens the noose, especially if classified information is on the line.\r\nTable 1. The ransomware families we spotted employing double extortion from November 2019 to March 2021: AgeLocker, Ako/MedusaLocker, AlumniLocker, Avaddon, Babuk Locker, Clop, Conti, CryLock, DarkSide, DoppelPaymer, Egregor, Ekans, Everest, Exx/Defray777, Hades, LockBit, Maze, Mespinoza/Pysa, MountLocker/AstroLocker, Nefilim, Nemty, NetWalker, Pay2Key, ProLock, RagnarLocker, Ragnarok, RansomExx, RanzyLocker/ThunderX, REvil/Sodinokibi, Ryuk, Sekhmet, Snatch, SunCrypt, Thanos, Xinof\r\nSource: Trend Micro™ Smart Protection Network™ infrastructure\r\nAs if such a scheme isn’t bad enough, ransomware operators are now adding multilevel extortion techniques such as launching distributed denial-of-service (DDoS) attacks and/or hounding customers and stakeholders of victim organizations.\r\nIn this article, we analyze extortion techniques used with ransomware beyond encryption, lending a preview of how this threat will continue to mutate. We examine three major ransomware families that employ these schemes: REvil (aka Sodinokibi), Clop, and Conti. We handpicked these three since they are currently active, feature new techniques, target big companies, and perform different levels of extortion. Notably, all three also operate under a ransomware-as-a-service (RaaS) scheme, which means that they are propagated more easily and more quickly through affiliates. The three are also reportedly the successors of notorious ransomware families.\r\nThe phases of ransomware extortion\r\nBefore delving into the attack phases of the campaigns involving the three ransomware families under consideration, it’s only fitting to examine how ransomware extortion has developed over time. Here are the phases of ransomware extortion as seen in various campaigns.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti\r\nPage 1 of 13\r\nFigure 1. The four phases of ransomware extortion\r\nSingle extortion\r\nSingle extortion involves deploying the ransomware, which then encrypts and bars access to files. The operators then demand payment from the affected organization in exchange for decrypting the files. This had been the case even in the early days of ransomware.\r\nDouble extortion\r\nWith double extortion, malicious actors go beyond just encryption by also exfiltrating (sometimes through weaponized legitimate tools) and threatening to publicize an affected organization’s data. These ransomware operators usually have dedicated data leak sites, but they can also release the stolen information in underground forums and blog sites.\r\nMaze was the first ransomware family associated with this. Its so-called successor, the 2020 newcomer Egregor, also makes use of this technique, as discussed in our annual cybersecurity roundup report. Members of the Egregor ransomware cartel were recently arrested with the help of private-public sector partnerships, including Trend Micro.\r\nDarkSide, another ransomware family that emerged in 2020, also used double extortion techniques in a recent high-profile attack on Colonial Pipeline, a major fuel supplier in the US.\r\nWhat makes double extortion tricky to deal with is that even when a victim company could restore all lost data, the threat of having sensitive information publicized remains. This was the case with a video game development company that was able to restore its data from backup but still had to struggle with the theft of source codes and other sensitive information, which were later released on a site associated with Babuk Locker.\r\nTriple extortion\r\nTriple extortion follows a straightforward formula: adding DDoS attacks to the aforementioned encryption and data exposure threats. These attacks could overwhelm a server or a network with traffic, which in turn could halt and further disrupt operations.\r\nThis was first performed by SunCrypt and RagnarLocker operators in the latter half of 2020. Avaddon soon followed suit. Malicious actors behind REvil are also looking into including DDoS attacks in their extortion strategy.\r\nQuadruple extortion\r\nAll the preceding phases mainly affect only the targets. With quadruple extortion, ransomware operators reach out directly to a victim’s customers and stakeholders, thereby adding more pressure to the victim.\r\nDarkSide operators employ the quadruple extortion scheme in some of their attacks by launching DDoS attacks and directly contacting customers through designated call centers.\r\nRecently, malicious actors behind Clop emailed customers, informing them that their private information would be published on a website, and urged them to contact the affected company. REvil operators also recently announced that they would be reaching out not just to a victim’s customers but also to business partners and the media through voice-scrambled VoIP calls.\r\nDifferent ransomware families use different levels of extortion; some implement only the first phase, while others are dabbling in fourth-phase strategies. Also, these levels are not always performed in order, as in the case of Clop, which went straight from double extortion to quadruple extortion.\r\nHaving defined the phases, we now home in on the three ransomware families in question: REvil, Clop, and Conti. Their activities are summarized here based on several attacks that have been observed and documented in our own monitoring and in external research.\r\nREvil\r\nFirst known as the alleged successor of the notorious GandCrab, REvil has since stepped out of its predecessor’s shadow, having adopted more advanced techniques such as double extortion. The ransomware’s use of double extortion continues to this day, issuing exorbitant million-dollar demands to organizations that have fallen prey to its operators’ campaigns. REvil was recently used in a ransomware attack on JBS, the largest meat processor in the world.\r\nExtortion scheme\r\nFor double extortion, REvil has a dedicated data leak site, but its operators also post data on underground forums and blog sites. The ransomware’s operators seem determined to go all out with extortion: Besides considering DDoS and directly contacting customers, business partners, and the media, they are now also auctioning off stolen data.\r\nAttack chain and tactics\r\nThe following figure shows a typical REvil attack chain.\r\nFigure 2. REvil’s attack chain\r\nRecent variants of the ransomware also use the IcedID banking trojan, which is known for campaigns that steal real email conversations and repurpose them for malicious spam. This then leads to the downloading of Cobalt Strike Beacon for various purposes and, eventually, REvil. Safe boot then forces the system to reboot into safe mode before encryption.\r\nFigure 3. REvil’s attack chain (newer variant)\r\nInitial access\r\nREvil has various means for initial access, including:\r\nMalicious spam emails with spear-phishing links or attachments\r\nRemote Desktop Protocol (RDP) access or valid accounts\r\nCompromised websites\r\nVulnerability exploits\r\nIn more targeted approaches, REvil can also be spread using RDP and PsExec to take control of the network and then deploy the payload.\r\nDownload and execution\r\nREvil can be downloaded and executed in the system through:\r\nMacros from malicious spam emails\r\nDrive-by compromise, which directly leads to the downloading of REvil\r\nLoading in PowerShell memory via reflective loading instead of executing a binary\r\nExploiting CVE-2019-2725, which leads to the remote code execution of Certutil/PowerShell for downloading and executing REvil\r\nExploiting CVE-2018-13379, CVE-2019-11510, and valid accounts, which leads to the abuse of RDP and PsExec, and then the dropping of tools that disable antimalware, exfiltration tools, and, finally, REvil.\r\nExecuting IcedID (from malicious spam), which leads to the downloading of Cobalt Strike Beacon to deploy REvil. (This is seen in recent variants.)\r\nLateral movement, discovery, and defense evasion\r\nIn more targeted attacks, operators can use RDP and PsExec for lateral movement and for dropping and executing other components and the ransomware itself.\r\nOperators can abuse the legitimate tools PC Hunter and Process Hacker to disable antimalware solutions by discovering and terminating associated services or processes.\r\nOperators can also use the custom binary KillAV, which is designed to uninstall antimalware solutions.\r\nCommand and control\r\nREvil sends a report, which includes system information, to its command-and-control (C\u0026C) server.\r\nExfiltration\r\nREvil drops various exfiltration tools.\r\nImpact\r\nAfter execution, REvil can perform several steps, including:\r\nAttempting to escalate its privilege via CVE-2018-8453, or token impersonation and creating a mutex\r\nDecrypting its JSON configuration file to identify elements that will dictate how it will proceed with its routines, such as which processes to terminate, which C\u0026C server to report to, and which extension to use\r\nProceeding with its encryption routine\r\nClop\r\nClop (sometimes stylized as “Cl0p”) was first known as a variant of the CryptoMix ransomware family. It got on the double extortion bandwagon in 2020, when Clop operators publicized the data of a pharmaceutical company. Since then, the ransomware’s extortion strategies have become progressively devastating.\r\nExtortion scheme\r\nOperators pressure a targeted organization by sending out emails to initiate negotiations. If these messages are ignored, they will threaten to publicize and auction off stolen data on the data leak site “Cl0p^_-Leaks”. Beyond this, Clop ransomware operators also wield other extortion techniques, such as going after top executives and customers.\r\nAttack chain and tactics\r\nClop has changed tactics numerous times. Upon the ransomware’s emergence, the threat actor group TA505 used spear-phishing emails in delivering Clop. These were sent to as many employees as possible to increase the chances of infection.\r\nFigure 4. Clop’s attack chain (2019)\r\nAround a year later, TA505 used SDBot as its only tool for collecting and exfiltrating data.\r\nFigure 5. Clop’s attack chain (early 2020)\r\nRecently, a threat actor group exploited four zero-day vulnerabilities found in a legacy file transfer appliance (FTA) product as the point of entry for its attacks.\r\nFigure 6. Clop’s attack chain (recent)\r\nInitial access\r\nClop can enter a system through any of the following methods:\r\nSpear-phishing emails sent to employees of the target organization\r\nUsing compromised RDP for brute-force attacks\r\nExploiting certain known vulnerabilities\r\nExploiting zero-day vulnerabilities in an FTA product (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104)\r\nDownload and discovery\r\nClop can use several tools to collect information, including:\r\nThe FlawedAmmyy remote access trojan (RAT), which gathers information and attempts to communicate with the C\u0026C server to download additional malware components\r\nCobalt Strike (Cobeacon), which is downloaded as an additional hacking tool\r\nThe SDBot RAT, which is used to study the network, load additional malware, and deactivate security solutions to prepare for the deployment of Clop\r\nCompromised FTA product\r\nCommand and control\r\nTinyMet can be used to connect the reverse shell to the C\u0026C server.\r\nExfiltration\r\nIn one attack, Dewmode was used to exfiltrate stolen data.\r\nImpact\r\nThe ransomware payload terminates various services and processes, and then proceeds with its encryption routine.\r\nConti\r\nThe Conti ransomware, which was recently used in an attack on Ireland’s Department of Health, also employs double extortion schemes. In some attacks, the ransomware has been distributed via the same methods used to propagate Ryuk, such as the use of Trickbot, Emotet, and BazarLoader. In an attack in February, operators also exploited vulnerabilities of a firewall product. We recently showed how Trend Micro Vision One™ was used to track Conti.\r\nExtortion scheme\r\nConti employs double extortion schemes. Operators publicize data stolen from nonpaying victims on their designated data leak site. There are no confirmed reports yet of triple or quadruple extortion schemes involving Conti, but given how swiftly operators adopt different techniques, it’s not impossible for these to be incorporated into Conti campaigns as well.\r\nAttack chain and tactics\r\nThe following shows a Conti attack chain based on several campaigns.\r\nFigure 7. Conti’s attack chain\r\nInitial access\r\nConti operators can use either of the following to gain initial access:\r\nA spear-phishing email that leads to BazarLoader (aka BazarBackdoor) and Cobalt Strike\r\nThe firewall vulnerabilities CVE-2018-13379 and CVE-2018-13374, followed by the use of Cobalt Strike to gain a foothold in the system\r\nNetwork discovery and credential access\r\nOperators can perform network discovery tactics to locate targeted assets. Cobalt Strike is also employed for this purpose.\r\nOperators also gain access to the system by performing credential dumping. In our research, we identified potential credential dumping attempts that used ntdsutil to dump ntds.dit, a database that stores Active Directory data. This data can be used to gain password hashes offline.\r\nLateral movement and defense evasion\r\nAfter obtaining the necessary credentials and access, operators can perform lateral movement by remotely creating scheduled tasks of the payload. The payload can include Cobalt Strike, KillAV scripts, and Conti. Operators also remotely execute these using scheduled tasks and batch files.\r\nTo evade detection, operators use KillAV, which disables security software.\r\nExfiltration\r\nAfter identifying the target systems and gaining access to them, operators use the cloud storage synchronization tool Rclone to upload files to the Mega cloud storage service.\r\nImpact\r\nOperators deploy the ransomware and encrypt files. Distribution and execution of the ransomware are done via the creation and execution of scheduled tasks on remote systems.\r\nHow to prevent ransomware attacks\r\nRansomware may be rapidly evolving in terms of the different extortion techniques used by operators, but the threat is not altogether unstoppable. To protect systems, organizations can follow security frameworks, such as those set by the Center for Internet Security and the National Institute of Standards and Technology. Adhering to these frameworks can provide benefits such as reducing risk levels and exposure to threats and vulnerabilities. Organizations can conserve time and effort in planning as the frameworks’ specific and established practices show how and where to start and which measures to prioritize. These frameworks also boost resilience against attacks, since they involve repeatable and flexible measures that can help with prevention, mitigation, and recovery.\r\nHere are some of the best practices from these frameworks:\r\nAudit and inventory\r\nTake an inventory of assets and data.\r\nIdentify authorized and unauthorized devices and software.\r\nAudit logs of events and incidents.\r\nConfigure and monitor\r\nDeliberately manage hardware and software configurations.\r\nOnly grant admin privileges and access when absolutely necessary to an employee’s role.\r\nMonitor the use of network ports, protocols, and services.\r\nImplement security configurations on network infrastructure devices such as firewalls and routers.\r\nHave a software allow list to prevent malicious applications from being executed.\r\nPatch and update\r\nPerform regular vulnerability assessments.\r\nConduct patching or virtual patching for operating systems and applications.\r\nUpdate software and applications to their latest versions.\r\nProtect and recover\r\nEnforce data protection, backup, and recovery measures.\r\nImplement multifactor authentication.\r\nSecure and defend\r\nPerform sandbox analysis to examine and block malicious emails.\r\nEmploy the latest version of security solutions to all layers of the system, including email, endpoint, web, and network.\r\nSpot early signs of an attack such as the presence of suspicious tools in the system.\r\nEnable advanced detection technologies such as those powered with AI and machine learning.\r\nTrain and test\r\nPerform security skills assessment and training regularly.\r\nConduct red-team exercises and penetration tests.\r\nOrganizations would benefit from security solutions that encompass the system’s multiple layers (endpoint, email, web, and network) not simply for detecting malicious components, but for closely monitoring suspicious behavior in the network. Trend Micro Vision One™ provides multilayered protection and behavior detection, spotting questionable behavior that might otherwise seem benign when viewed from only a single layer. This allows detecting and blocking ransomware early on before it can do any real damage to the system.\r\nWith techniques such as virtual patching and machine learning, Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. It also takes advantage of the latest in global threat intelligence to provide up-to-date, real-time protection.\r\nRansomware often gets into the system through phishing emails. Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block ransomware before it gets into the system.\r\nFor an even closer inspection of endpoints, Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware.\r\nIndicators of compromise\r\nREvil\r\nSHA-256 | Trend Micro pattern detection | Note\r\nf4f73a451c1ec493eb3b4395d06de73598fcf5b8f7d13e81418238824d90fda3 | Ransom.Win32.SODINOKIBI.SMTH | Variant with safe boot\r\n939f58c10211a768f664a8f54310dcc42eb672887be61d5d377b5a88be107b9d | Ransom.Win32.SODINOKIBI.THB | Variant without safe boot\r\n55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c | PUA.Win32.PCHunter.A\r\nbd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4 | PUA.Win64.ProHack.AC\r\nade80ac4cc963d28d44b2f63a732d72b101c82803cbf6aea178449c9bf1b58fa | Trojan.BAT.KILLAV.BI\r\nClop\r\nSHA-256 | Trend Micro pattern detection\r\ne8d98621b4cb45e027785d89770b25be0c323df553274238810872164187a45f | Ransom.Win32.CLOP.NV\r\neba8a0fe7b3724c4332fa126ef27daeca32e1dc9265c8bc5ae015b439744e989 | Ransom.Win32.CLOP.I\r\naf1d155a0b36c14626b2bf9394c1b460d198c9dd96eb57fac06d38e36b805460 | Backdoor.Win32.FLAWEDAMMY.AB\r\n5202e97f1f5080de9e043378717cbaf271a3c5b3e5b568e62a8aa3150f3e1ca8 | HackTool.Win32.TinyMet.K\r\n84259a3c6fd62a61f010f972db97eee69a724020af39d53c9ed1e9ecefc4b6b6 | Trojan.Win32.WUSUB.A\r\n99c76d377e1e37f04f749034f2c2a6f33cb785adee76ac44edb4156b5cbbaa9a | Backdoor.Win32.SDBBOT.AA.tmsr\r\n23df383633ba693437d92dbcf98fca62c52697f446913e4f7f81e29dad9e26a0 | Trojan.X97M.GETLOADR.THIAOBO\r\n5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b | Backdoor.PHP.DEWMODE.A\r\n2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7 | Backdoor.PHP.DEWMODE.A\r\nConti\r\nSHA-256 | Trend Micro pattern detection\r\n25ef51bb1ec946cce673fbf465f693cea3095e12bccd19a157751913d18946ab | Backdoor.Win32.COBEACON.THCOCBA\r\nf022d977dd0977052a8590d69982ee8e44f1ca61b01060d235c89c61f466f211 | Trojan.PS1.KILLAV.AA\r\n3c8fc04c1b3c4a9242c2dff03bce0deae7a1fbf8d1735ea7af41c5762b288f14 | Ransom.Win32.CONTI.J\r\n243408d1fa0c8a7a778d8bb224532c649409d0db76fc0ca2be385d193da22b1e | Trojan.PS1.BAZALOADER.YXAK-A\r\n5381da3db80e524b982cbc9edb795bbe5524c27311a1c36d08d2784a88fa46c5 | Trojan.BAT.RUNNER.AVP\r\na6bb0087b4321af82f6737ba7a87ca96cf59a54427a97e4eed4800bd5426e7f7 | HackTool.BAT.KillAV.AA\r\nMITRE ATT\u0026CK tactics and techniques\r\nREvil\r\nInitial access: T1078 - Valid accounts; T1190 - Exploit public-facing application; T1566 - Phishing; T1189 - Drive-by compromise\r\nExecution: T1059 - Command and scripting interpreter; T1203 - Exploitation for client execution\r\nPrivilege escalation: T1134.001 - Access token manipulation: token impersonation/theft; T1068 - Exploitation for privilege escalation\r\nDefense evasion: T1562 - Impair defenses; T1480 - Execution guardrails; T1140 - Deobfuscate/Decode files or information\r\nDiscovery: T1082 - System information discovery; T1057 - Process discovery; T1012 - Query registry; T1083 - File and directory discovery\r\nLateral movement: T1563 - Remote service session hijacking; T1570 - Lateral tool transfer\r\nCollection: T1560 - Archive collected data\r\nExfiltration: T1041 - Exfiltration over C\u0026C channel\r\nClop\r\nInitial access: T1566 - Phishing; T1078 - Valid accounts; T1190 - Exploit public-facing application\r\nExecution: T1106 - Native API\r\nPrivilege escalation: T1068 - Exploitation for privilege escalation\r\nPersistence: T1543.003 - Create or modify system process: Windows service\r\nDiscovery: T1082 - System information discovery; T1083 - File and directory discovery; T1057 - Process discovery; T1018 - Remote system discovery\r\nDefense evasion: T1562 - Impair defenses; T1202 - Indirect command execution\r\nLateral movement: T1021 - Remote services: SMB/Windows admin shares\r\nCommand and control: T1071.001 - Application layer protocol: web protocols\r\nExfiltration: T1041 - Exfiltration over C\u0026C channel\r\nConti\r\nInitial access: T1566 - Phishing; T1190 - Exploit public-facing application\r\nExecution: T1106 - Execution through API; T1059.003 - Command and scripting interpreter: Windows command shell; T1047 - Windows Management Instrumentation; T1204 - User execution; T1053.005 - Scheduled task/job: scheduled task\r\nPersistence: T1053.005 - Scheduled task/job: scheduled task; T1165 - Startup item; T1547.004 - Boot or logon autostart execution: Winlogon Helper DLL\r\nPrivilege escalation: T1078.002 - Valid accounts: domain accounts\r\nDiscovery: T1046 - Network service scanning; T1083 - File and directory discovery; T1018 - Remote system discovery; T1057 - Process discovery; T1016 - System network configuration discovery; T1069.002 - Permission groups discovery: domain groups; T1124 - System time discovery; T1082 - System information discovery; T1033 - System owner/user discovery; T1012 - Query registry; T1063 - Security software discovery\r\nCredential access: T1003 - OS credential dumping; T1555 - Credentials from password stores; T1552 - Unsecured credentials\r\nLateral movement: T1570 - Lateral tool transfer; T1021.002 - Remote services: SMB/Windows admin shares\r\nDefense evasion: T1562.001 - Impair defenses: disable or modify tools; T1140 - Deobfuscate/Decode files or information; T1055 - Process injection; T1055.012 - Process injection: process hollowing\r\nCommand and control: T1095 - Non-application layer protocol; T1105 - Remote file copy\r\nExfiltration: T1567.002 - Exfiltration over web service: exfiltration to cloud storage\r\nImpact: T1486 - Data encrypted for impact; T1490 - Inhibit system recovery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti"
	],
	"report_names": [
		"ransomware-double-extortion-and-beyond-revil-clop-and-conti"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438982,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eee214d0504d04b71ebdc4bf7dfa74580bd0a9a9.pdf",
		"text": "https://archive.orkl.eu/eee214d0504d04b71ebdc4bf7dfa74580bd0a9a9.txt",
		"img": "https://archive.orkl.eu/eee214d0504d04b71ebdc4bf7dfa74580bd0a9a9.jpg"
	}
}