{
	"id": "12e38c6a-ef46-46e0-87f6-2a142b889a44",
	"created_at": "2026-04-06T00:13:45.354135Z",
	"updated_at": "2026-04-10T13:12:29.385741Z",
	"deleted_at": null,
	"sha1_hash": "fc525d8fe25d0504b760e8c65f1cd08a668f670d",
	"title": "LockBit (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 395402,
	"plain_text": "LockBit (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:32:54 UTC\r\nThere is no description at this point.\r\n2026-01-30 ⋅ LevelBlue ⋅ Evgeny Ananin, Mark Tsipershtein, Nikita Kazymirskyi\r\n19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware: Part 1\r\nLockBit LockBit 2025-09-25 ⋅ Trend Micro ⋅\r\nNew LockBit 5.0 Targets Windows, Linux, ESXi\r\nLockBit LockBit 2025-07-31 ⋅ Intrinsec ⋅ CTI Intrinsec\r\nShadow syndicate infrastructure illumination\r\nAMOS BlackCat Cactus Cicada3301 Clop LockBit PLAY RansomHub Royal Ransom Silence 2025-06-09 ⋅ The\r\nRecord ⋅ Daryna Antoniuk\r\nNew hacker group uses LockBit ransomware variant to target Russian companies\r\nLockBit DarkGaboon 2025-05-13 ⋅ CSA ⋅ Ahmad Abdillah\r\nIntrusion Insights Straight from Leaked Operator Chats\r\nLockBit LockBit LockBit 2025-04-24 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2025 Report\r\nAkira Black Basta LockBit SystemBC GootLoader LockBit WIREFIRE Akira Black Basta Cobalt Strike LockBit\r\nRansomHub SystemBC Pink Sandstorm 2025-03-13 ⋅ Forescout ⋅ Forescout Research, Sai Molige\r\nNew Ransomware Operator Exploits Fortinet Vulnerability Duo\r\nBlackMatter LockBit Mora_001 2025-02-19 ⋅ 0x0d4y ⋅ 0x0d4y\r\nTechnical Analysis of Lockbit4.0 Evasion Tales\r\nLockBit 2025-01-27 ⋅ The DFIR Report ⋅ MittenSec, MyDFIR, r3nzsec\r\nCobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware\r\nGhostSocks LockBit SystemBC 2025-01-17 ⋅ Google Cloud Security ⋅ Office of the CISO\r\nThreat Horizons - H1 2025 Threat Horizons Report\r\nFAKEUPDATES Conti Hades LockBit Phoenix Locker RansomHub TRIPLESTRENGTH 2024-12-18 ⋅ Kaspersky\r\nLabs ⋅ Kaspersky\r\nAnalysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations\r\nBabuk LockBit Revenge RAT SparkRAT Cyber Alliance Ukrainian Cyber Alliance 2024-07-16 ⋅ Sentinel LABS ⋅ Jim\r\nWalter\r\nNullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI\r\nAsyncRAT LockBit XWorm 
Nullbulge 2024-06-05 ⋅ S-RM ⋅ David Broom, Gavin Hull\r\nExmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data\r\ntargeting\r\nBlackCat BlackMatter Conti ExMatter LockBit REvil Ryuk 2024-05-07 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nU.S. Charges Russian Man as Boss of LockBit Ransomware Group\r\nLockBit 2024-05-07 ⋅ Twitter (@fs0c131y) ⋅ Baptiste Robert\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 1 of 10\n\nTweets on LockBitSupp\r\nLockBit 2024-05-02 ⋅ calif.io ⋅ Hoang Nguyen, Nhan Huynh, Thai Duong\r\nDissecting LOCKBIT v3 ransomware\r\nLockBit 2024-04-03 ⋅ Trend Micro ⋅ Christopher Boyton\r\nUnveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption\r\nLockBit 2024-02-29 ⋅ ANALYST1 ⋅ Anastasia Sentsova, Jon DiMaggio\r\nLockBit Takedown \u0026 Operation Cronos: A Long-Awaited PsyOps Against Ransomware\r\nLockBit LockBit LockBit 2024-02-20 ⋅ National Crime Agency ⋅ National Crime Agency (NCA)\r\nInternational investigation disrupts the world’s most harmful cyber crime group\r\nLockBit LockBit LockBit 2024-02-20 ⋅ Europol ⋅ Europol\r\nLaw enforcement disrupt world’s biggest ransomware operation\r\nLockBit LockBit LockBit 2024-02-20 ⋅ Washington Post ⋅ Leo Sands\r\n‘World’s most harmful’ cybercriminal group disrupted in 11-nation operation\r\nLockBit LockBit LockBit 2024-02-08 ⋅ ANALYST1 ⋅ Anastasia Sentsova, Jon DiMaggio\r\n“This Forum is a Bunch of Communists and They Set Me Up”, LockBit Spills the Tea Regarding Their Recent\r\nBan on Russian-Speaking Forums\r\nLockBit 2023-12-22 ⋅ PRODAFT ⋅ PRODAFT\r\nSmoke and Mirrors: Understanding The Workings of Wazawaka\r\nConti Monti Babuk Hive LockBit RagnarLocker Trigona 2023-12-20 ⋅ Sophos X-Ops ⋅ Mark Loman, Matt Wixey\r\nCryptoGuard: An asymmetric approach to the ransomware battle\r\nAkira LockBit Storm-1567 2023-11-30 ⋅ EchoCTI ⋅ Bilal BAKARTEPE, bixploit\r\nLockBit 3.0 Technical Analysis Report\r\nLockBit 2023-10-03 ⋅ 
Luca Mella\r\nLighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)\r\nLockBit LockBit Conti LockBit 2023-09-07 ⋅ PRODAFT ⋅ PRODAFT\r\nPTI-257 (ex-Wizard Spider) - IOCs\r\nLockBit LockBit 2023-07-26 ⋅ Talos ⋅ Nicole Hoffman\r\nIncident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical\r\nBianLian Clop LockBit Royal Ransom LockBit 8Base BianLian Clop LockBit Money Message Royal Ransom\r\n2023-06-22 ⋅ Kaspersky Labs ⋅ GReAT\r\nLockBit Green and phishing that targets organizations\r\nLockBit LockBit 2023-06-17 ⋅ Github (EmissarySpider) ⋅ EmissarySpider\r\nransomware-descendants\r\nBabuk Conti LockBit 2023-06-14 ⋅ CISA ⋅ ANSSI, Australian Cyber Security Centre (ACSC), Bundesamt für Sicherheit in der\r\nInformationstechnik (BSI), Canadian Centre for Cyber Security (CCCS), CERT NZ, FBI, MS-ISAC, NCSC UK, New Zealand National\r\nCyber Security Centre (NZ NCSC)\r\nUnderstanding Ransomware Threat Actors: Lockbit\r\nLockBit 2023-05-23 ⋅ loginsoft ⋅ Saharsh Agrawal\r\nTaming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350\r\nClop LockBit Silence 2023-05-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nRussian Hacker “Wazawaka” Indicted for Ransomware\r\nBabuk Hive LockBit LockBit Babuk Hive LockBit 2023-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 2 of 10\n\nMarch 2023 broke ransomware attack records with 459 incidents\r\nClop WhiteRabbit BianLian Black Basta BlackCat LockBit Medusa PLAY Royal Ransom 2023-04-18 ⋅ Mandiant ⋅\r\nMandiant\r\nM-Trends 2023\r\nQUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive\r\nINDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC\r\nWhisperGate 2023-04-14 ⋅ ⋅ GLIMPS ⋅ GLIMPS\r\nLockbit changes color\r\nLockBit 2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, 
Microsoft\r\nCracked Cobalt Strike (1:23-cv-02447)\r\nBlack Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit\r\nMount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader 2023-02-28 ⋅ Fortinet ⋅ Eliran Voronovitch\r\nCan You See It Now? An Emerging LockBit Campaign\r\nLockBit 2023-02-01 ⋅ Security Affairs ⋅ Pierluigi Paganini\r\nNew LockBit Green ransomware variant borrows code from Conti ransomware\r\nConti LockBit 2023-02-01 ⋅ Seqrite ⋅ Sathwik Ram Prakki\r\nUncovering LockBit Black’s Attack Chain and Anti-forensic activity\r\nLockBit 2023-01-16 ⋅ ANALYST1 ⋅ Jon DiMaggio\r\nUnlocking Lockbit: A Ransomware Story\r\nLockBit LockBit 2022-11-30 ⋅ Sophos ⋅ Andrew Brandt\r\nLockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling\r\nLockBit 2022-11-08 ⋅ AhnLab ⋅ ASEC\r\nLockBit 3.0 Being Distributed via Amadey Bot\r\nAmadey Gandcrab LockBit 2022-10-18 ⋅ Logpoint ⋅ Anish Bogati, Nilaa Maharjan\r\nHunting Lockbit Variation\r\nLockBit 2022-10-15 ⋅ vmware ⋅ Dana Behling\r\nLockBit 3.0 Ransomware Unlocked\r\nLockBit 2022-10-11 ⋅ ⋅ AhnLab ⋅ ASEC Analysis Team\r\nFrom Exchange Server vulnerability to ransomware infection in just 7 days\r\nLockBit MimiKatz 2022-09-22 ⋅ Cyber Geeks ⋅ Vlad Pasca\r\nA Technical Analysis Of The Leaked LOCKBIT 3.0 Builder\r\nLockBit 2022-09-22 ⋅ Medium s2wlab ⋅ Jeong Hyunsik, Yang HuiSeong\r\nQuick Overview of Leaked LockBit 3.0 (Black) builder program\r\nLockBit 2022-08-28 ⋅ BleepingComputer ⋅ Ionut Ilascu\r\nLockBit ransomware gang gets aggressive with triple-extortion tactic\r\nLockBit 2022-08-19 ⋅ nccgroup ⋅ Ross Inman\r\nBack in Black: Unlocking a LockBit 3.0 Ransomware Attack\r\nFAKEUPDATES Cobalt Strike LockBit 2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames\r\nThe Increase in Ransomware Attacks on Local Governments\r\nBlackCat BlackCat Cobalt Strike LockBit 2022-08-10 ⋅ Quick Heal ⋅ Sathwik Ram Prakki\r\nIndian Power Sector targeted with latest LockBit 3.0 
variant\r\nLockBit 2022-08-04 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 3 of 10\n\nLockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool\r\nCobalt Strike LockBit 2022-07-28 ⋅ SentinelOne ⋅ James Haughom, Julien Reisdorffer, Júlio Dantas\r\nLiving Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool\r\nCobalt Strike LockBit 2022-07-25 ⋅ Trend Micro ⋅ Byron Gelera, Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona,\r\nNathaniel Gregory Ragasa, Nathaniel Morales\r\nLockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities\r\nBlackMatter LockBit 2022-07-21 ⋅ Sentinel LABS ⋅ Aleksandar Milenkoski, Jim Walter\r\nLockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques\r\nLockBit 2022-07-20 ⋅ Symantec ⋅ Lahu Khatal, Vishal Kamble\r\nLockBit: Ransomware Puts Servers in the Crosshairs\r\nLockBit 2022-07-18 ⋅ Fortinet ⋅ FortiGuard Labs\r\nRansomware Roundup: Protecting Against New Variants\r\nLockBit LockBit 2022-07-13 ⋅ ⋅ GLIMPS ⋅ GLIMPS\r\nLockbit 3.0\r\nBlackMatter DarkSide LockBit 2022-07-10 ⋅ Minerva Labs ⋅ Natalie Zargarov\r\nLockbit 3.0 AKA Lockbit Black is here, with a new icon, new ransom note, new wallpaper, but less evasiveness?\r\nLockBit 2022-07-07 ⋅ Cybereason ⋅ Cybereason Global SOC Team\r\nTHREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom\r\nLockBit 2022-07-06 ⋅ Cluster25 ⋅ Cluster25\r\nLockBit 3.0: “Making The Ransomware Great Again”\r\nLockBit 2022-07-05 ⋅ cyble ⋅ Cyble Research Labs\r\nLockbit 3.0 – Ransomware Group Launches New Version\r\nLockBit 2022-06-24 ⋅ AhnLab ⋅ ASEC\r\nLockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed\r\nLockBit 2022-06-23 ⋅ Kaspersky ⋅ Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev\r\nThe hateful eight: Kaspersky’s guide to modern 
ransomware groups’ TTPs (Download Form)\r\nBlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker 2022-06-23 ⋅ Kaspersky ⋅ Danila Nasonov,\r\nNatalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev\r\nThe hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs\r\nConti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok 2022-06-09 ⋅ Palo Alto Networks Unit 42 ⋅ Abigail\r\nBarr, Amer Elsad, JR Gumarin\r\nLockBit 2.0: How This RaaS Operates and How to Protect Against It\r\nLockBit 2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nTo HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions\r\nFAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix\r\nLocker WastedLocker 2022-06-02 ⋅ Packt ⋅ packtsecurity\r\nA SecPro Super Issue: Understanding LockBit\r\nLockBit LockBit BITWISE SPIDER 2022-05-23 ⋅ Trend Micro ⋅ Matsugaya Shingo\r\nLockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1\r\n2022\r\nBlackCat Conti LockBit 2022-05-23 ⋅ Trend Micro ⋅ Trend Micro Research\r\nLockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 4 of 10\n\n2022 (PDF)\r\nBlackCat Conti LockBit 2022-05-11 ⋅ Kaspersky ⋅ GReAT\r\nNew ransomware trends in 2022\r\nBlackCat Conti DEADBOLT DoubleZero LockBit PartyTicket StealBit 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender\r\nThreat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix 
Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-05-09 ⋅\r\nMicrosoft Security ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nGriffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot 2022-05-06\r\n⋅ ⋅ LeMagIT ⋅ Valéry Rieß-Marchive\r\nRansomware: LockBit 3.0 Starts Using in Cyberattacks\r\nLockBit 2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence\r\nTwitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader,\r\nCobaltStrike, Lockbit and followed by Hands On Keyboard activity\r\nFAKEUPDATES Blister Cobalt Strike LockBit 2022-05-05 ⋅ Intel 471 ⋅ Intel 471\r\nCybercrime loves company: Conti cooperated with other ransomware gangs\r\nLockBit Maze RagnarLocker Ryuk 2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Jim Walter, Júlio Dantas\r\nLockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility\r\nCobalt Strike LockBit 2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Jim Walter, Júlio Dantas\r\nLockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility\r\nCobalt Strike LockBit BRONZE STARLIGHT 2022-04-12 ⋅ ConnectWise ⋅ ConnectWise CRU\r\nThreat Profile: LockBit\r\nLockBit 2022-04-12 ⋅ Sophos ⋅ Andrew Brandt, Angela Gunn, Ferenc László Nagy, Johnathan Fern, Linda Smith, Matthew Everts,\r\nMauricio Valdivieso, Melissa Kelly, Peter Mackenzie, Sergio Bestulic\r\nAttackers linger on government agency computers before deploying Lockbit ransomware\r\nLockBit 2022-04-06 ⋅ SOCRadar ⋅ SOCRadar\r\nLockbit 3.0: Another Upgrade to World’s Most Active Ransomware\r\nLockBit LockBit BITWISE SPIDER 2022-04-05 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick,\r\nLucas Silva, Mohamed Fahmy, Ryan Maglaque\r\nThwarting Loaders: From SocGholish to 
BLISTER’s LockBit Payload (IoCs)\r\nFAKEUPDATES Blister LockBit 2022-04-05 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas\r\nSilva, Mohamed Fahmy, Ryan Maglaque\r\nThwarting Loaders: From SocGholish to BLISTER’s LockBit Payload\r\nFAKEUPDATES Blister LockBit 2022-04-05 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Earle Earnshaw, Ian Kenefick, Lucas Silva,\r\nMohamed Fahmy, Ryan Maglaque\r\nThwarting Loaders: From SocGholish to BLISTER’s LockBit Payload\r\nBlister LockBit 2022-04-01 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nThe Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 5 of 10\n\nHive Dharma LockBit STOP SunCrypt 2022-03-31 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nLockBit victim estimates cost of ransomware attack to be $42 million\r\nLockBit LockBit 2022-03-31 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker\r\nConti Leaks: Examining the Panama Papers of Ransomware\r\nLockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot 2022-03-23 ⋅ splunk ⋅ Shannon\r\nDavis\r\nGone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-03-19 ⋅ Chuongdong blog ⋅\r\nChuong Dong\r\nLockBit Ransomware v2.0\r\nLockBit 2022-03-17 ⋅ Sophos ⋅ Tilly Travers\r\nThe Ransomware Threat Intelligence Center\r\nATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry\r\nDharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker\r\nRagnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker 2022-03-11 ⋅ Bleeping Computer ⋅\r\nIonut Ilascu\r\nLockBit ransomware gang claims attack on Bridgestone Americas\r\nLockBit 2022-03-11 ⋅ Microsoft ⋅ Microsoft Detection and Response Team (DART)\r\nPart 1: LockBit 2.0 ransomware bugs and database recovery attempts\r\nLockBit 
2022-03-11 ⋅ Microsoft ⋅ Microsoft Detection and Response Team (DART)\r\nPart 2: LockBit 2.0 ransomware bugs and database recovery attempts\r\nLockBit 2022-02-27 ⋅ The Record ⋅ Catalin Cimpanu\r\nConti ransomware gang chats leaked by pro-Ukraine member\r\nConti LockBit 2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe\r\nAn Empirically Comparative Analysis of Ransomware Binaries\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-02-14 ⋅ ⋅ DR.DK ⋅ Allan\r\nNisgaard, Ingeborg Munk Toft, Kenrik Moltke, Marcel Mirzaei-Fard\r\nVar tæt på at slukke tusindvis af vindmøller: Nu fortæller Vestas om cyberangreb\r\nLockBit 2022-02-14 ⋅ LIFARS ⋅ Vlad Pasca\r\nA Detailed Analysis of The LockBit Ransomware\r\nLockBit LockBit 2022-02-09 ⋅ Dragos ⋅ Anna Skelton\r\nDragos ICS/OT Ransomware Analysis: Q4 2021\r\nLockBit Conti LockBit 2022-02-08 ⋅ Trend Micro ⋅ Trend Micro Research\r\nRansomware Spotlight: LockBit\r\nLockBit BITWISE SPIDER 2022-02-08 ⋅ Intel 471 ⋅ Intel 471\r\nPrivateLoader: The first step in many malware schemes\r\nDridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos\r\nSmokeLoader STOP Tofsee TrickBot Vidar 2022-02-07 ⋅ FBI ⋅ FBI\r\nCU-000162-MW: Indicators of Compromise Associated with LockBit 2.0 Ransomware\r\nLockBit LockBit 2022-01-27 ⋅ CoveWare\r\nRansomware as a Service Innovation Curve\r\nConti LockBit 2022-01-26 ⋅ Intrinsec ⋅ Intrinsec\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 6 of 10\n\nALPHV ransomware gang analysis\r\nBlackCat LockBit 2022-01-24 ⋅ Trend Micro ⋅ Junestherry Dela Cruz\r\nAnalysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant\r\nLockBit LockBit 2022-01-21 ⋅ CrowdStrike ⋅ Falcon OverWatch Team\r\nBetter Together: The Power of Managed Cybersecurity Services in the Face of Pressing Global Security\r\nChallenges\r\nLockBit LockBit BITWISE SPIDER 2021-12-16 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Kotaro Ogino\r\nInside the LockBit 
Arsenal - The StealBit Exfiltration Tool\r\nLockBit StealBit 2021-11-23 ⋅ Morphisec ⋅ Arnold Osipov, Hido Cohen\r\nBabadeda Crypter targeting crypto, NFT, and DeFi communities\r\nBabadeda BitRAT LockBit Remcos 2021-11-18 ⋅ Red Canary ⋅ The Red Canary Team\r\nIntelligence Insights: November 2021\r\nAndromeda Conti LockBit QakBot Squirrelwaffle 2021-11-18 ⋅ Cisco ⋅ Josh Pyorre\r\nBlackMatter, LockBit, and THOR\r\nBlackMatter LockBit PlugX 2021-11-17 ⋅ CrowdStrike ⋅ Liviu Arsene, Sarang Sonawane, Thomas Moses\r\nRansomware (R)evolution Plagues Organizations, But CrowdStrike Protection Never Wavers\r\nLockBit 2021-11-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nBlackMatter ransomware moves victims to LockBit after shutdown\r\nBlackMatter BlackMatter LockBit 2021-10-27 ⋅ ⋅ MBSD ⋅ MBSD\r\nランサムウェア「LockBit2.0」の内部構造を紐\r\nLockBit 2021-10-15 ⋅ skyblue.team blog ⋅ skyblue team\r\nRecovering registry hives encrypted by LockBit 2.0\r\nLockBit 2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity\r\nBabuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil 2021-10-05 ⋅\r\nSeguranca Informatica ⋅ Pedro Tavares\r\nMalware analysis: Details on LockBit ransomware\r\nLockBit 2021-09-24 ⋅ Yoroi ⋅ Luca Mella, Luigi Martire\r\nHunting the LockBit Gang's Exfiltration Infrastructures\r\nLockBit StealBit 2021-09-09 ⋅ IBM ⋅ Megan Roddie\r\nLockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment\r\nLockBit 2021-08-26 ⋅ Advanced Intelligence ⋅ Anastasia Sentsova\r\nFrom Russia With… LockBit Ransomware: Inside Look \u0026 Preventive Solutions\r\nLockBit 2021-08-24 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos, Ruchna Nigam\r\nRansomware Groups to Watch: Emerging Threats\r\nHelloKitty AvosLocker HelloKitty Hive LockBit 2021-08-24 ⋅ KELA ⋅ KELA Cyber Intelligence Center\r\nLockBit 2.0 Interview with Russian OSINT\r\nLockBit 2021-08-17 ⋅ Amged Wagih\r\nLockBit 
Ransomware - Technical Anlysis\r\nLockBit 2021-08-17 ⋅ Medium amgedwageh ⋅ Amged Wageh\r\nLockBit Ransomware Analysis Notes\r\nLockBit 2021-08-16 ⋅ Trend Micro ⋅ Byron Gelera, Cris Tomboc, Jayson Chong, Jett Paulo Bernardo, Mark Marti, Nikki Madayag,\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 7 of 10\n\nSean Torre\r\nLockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK\r\nLockBit 2021-08-16 ⋅ cyble ⋅ Cyble\r\nA Deep-dive Analysis of LOCKBIT 2.0\r\nLockBit 2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-12 ⋅ Netskope ⋅ Gustavo Palazolo\r\nNetskope Threat Coverage: LockBit\r\nLockBit 2021-08-11 ⋅ Cybereason ⋅ Tony Bradley\r\nThe Rising Threat from LockBit Ransomware\r\nLockBit 2021-08-06 ⋅ The Record ⋅ Catalin Cimpanu\r\nAustralian cybersecurity agency warns of spike in LockBit ransomware attacks\r\nLockBit 2021-08-04 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nEnergy group ERG reports minor disruptions after ransomware attack\r\nLockBit 2021-08-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nLockBit ransomware recruiting insiders to breach corporate networks\r\nLockBit 2021-08-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nRansomware attack hits Italy's Lazio region, affects COVID-19 site\r\nLockBit RansomEXX 2021-08-02 ⋅ The Record ⋅ Dmitry Smilyanets\r\nAn interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and\r\nREvil\r\nDarkSide LockBit REvil 2021-07-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nLockBit ransomware now encrypts Windows domains using group policies\r\nEgregor LockBit 2021-07-27 ⋅ Recorded Future ⋅ Insikt Group®\r\nBlackMatter Ransomware Emerges As Successor to 
DarkSide, REvil\r\nDarkSide LockBit REvil 2021-07-22 ⋅ S2W LAB Inc. ⋅ Denise Dasom Kim, Jungyeon Lim, Sujin Lim, Yeonghyeon Jeong\r\nW4 July | EN | Story of the week: Ransomware on the Darkweb\r\nLockBit SunCrypt 2021-06-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT\r\nLockBit RaaS In-Depth Analysis\r\nLockBit 2021-05-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nPopular Russian hacking forum XSS bans all ransomware topics\r\nDarkSide DarkSide LockBit REvil 2021-05-10 ⋅ DarkTracer ⋅ DarkTracer\r\nIntelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware\r\ngangs released on the DarkWeb\r\nRansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze\r\nMedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok\r\nRansomEXX REvil Sekhmet SunCrypt ThunderX 2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker\r\nRansomware: Hunting for Inhibiting System Backup or Recovery\r\nAvaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX\r\nREvil Ryuk Snatch ThunderX 2021-04-28 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 8 of 10\n\nUK rail network Merseyrail likely hit by Lockbit ransomware\r\nLockBit 2021-04-26 ⋅ CoveWare ⋅ CoveWare\r\nRansomware Attack Vectors Shift as New Software Vulnerability Exploits Abound\r\nAvaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt 2021-04-07 ⋅ ANALYST1 ⋅ Jon\r\nDiMaggio\r\nRansom Mafia Analysis of the World's First Ransomware Cartel\r\nConti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER 2021-04-07 ⋅ ANALYST1 ⋅\r\nJon DiMaggio\r\nRansom Mafia - Analysis of the World's First Ransomware Cartel\r\nConti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER 2021-03-17 ⋅ The Record ⋅ Catalin Cimpanu\r\nMissed opportunity: Bug in LockBit ransomware allowed free decryptions\r\nLockBit 
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-01-26 ⋅ Medium s2wlab ⋅ Hyunmin Suh\r\nW4 Jan | EN | Story of the week: Ransomware on the Darkweb\r\nAvaddon Babuk LockBit 2021-01-04 ⋅ Cisco Talos ⋅ Azim Khodjibaev, Dmytro Korzhevin, Kendall McKay\r\nInterview with a LockBit ransomware operator\r\nLockBit 2020-12-05 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nRansomware hits helicopter maker Kopter\r\nLockBit 2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich\r\nZooming into Darknet Threats Targeting Japanese Organizations\r\nConti DoppelPaymer Egregor LockBit Maze REvil Snake 2020-10-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher\r\nLockBit uses automated attack tools to identify tasty targets\r\nLockBit 2020-10-02 ⋅ Lexfo ⋅ Lexfo\r\nLockbit analysis\r\nLockBit 2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 1\r\nDoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker\r\nMIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER 2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 1\r\nDoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER\r\nOVERLORD SPIDER 2020-09-17 ⋅ CRYPSIS ⋅ Drew Schmitt\r\nRansomware’s New Trend: Exfiltration and Extortion\r\nLockBit 2020-09-01 ⋅ Cisco Talos ⋅ Caitlin Huey, David Liebenberg\r\nQuarterly Report: Incident Response trends in Summer 
2020\r\nCobalt Strike LockBit Mailto Maze Ryuk 2020-07-29 ⋅ ESET Research ⋅ welivesecurity\r\nTHREAT REPORT Q2 2020\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 9 of 10\n\nDEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB\r\nLocker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin\r\nNemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor 2020-04-28 ⋅ Microsoft ⋅\r\nMicrosoft Threat Protection Intelligence Team\r\nRansomware groups continue to target healthcare, critical services; here’s how to reduce risk\r\nLockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood 2020-04-24 ⋅ Github (albertzsigovits) ⋅\r\nAlbert Zsigovits\r\nLockBit ransomware IoCs\r\nLockBit 2020-04-24 ⋅ Sophos Labs ⋅ Albert Zsigovits\r\nLockBit ransomware borrows tricks to keep up with REvil and Maze\r\nLockBit\r\n[TLP:WHITE] win_lockbit_auto (20251219 | Detects win.lockbit.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit"
	],
	"report_names": [
		"win.lockbit"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c",
			"created_at": "2022-10-25T16:07:23.277763Z",
			"updated_at": "2026-04-10T02:00:04.514755Z",
			"deleted_at": null,
			"main_name": "Solar Spider",
			"aliases": [],
			"source_name": "ETDA:Solar Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d997a1d5-b410-42c4-a490-90f287ad3034",
			"created_at": "2024-07-21T02:00:04.751362Z",
			"updated_at": "2026-04-10T02:00:03.675263Z",
			"deleted_at": null,
			"main_name": "Nullbulge",
			"aliases": [],
			"source_name": "MISPGALAXY:Nullbulge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b57a3b93-3a22-4889-af28-37cc53e824e7",
			"created_at": "2023-01-06T13:46:39.24034Z",
			"updated_at": "2026-04-10T02:00:03.256906Z",
			"deleted_at": null,
			"main_name": "MIMIC SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:MIMIC SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e227b757-7032-4a99-b119-1bfda2ebd543",
			"created_at": "2023-01-06T13:46:39.21663Z",
			"updated_at": "2026-04-10T02:00:03.248543Z",
			"deleted_at": null,
			"main_name": "SOLAR SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SOLAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a9db5b93-dd22-4e33-9012-3650745266ee",
			"created_at": "2023-01-06T13:46:39.234575Z",
			"updated_at": "2026-04-10T02:00:03.254853Z",
			"deleted_at": null,
			"main_name": "OVERLORD SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OVERLORD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3940f08b-39aa-492c-8699-86bfe515fa70",
			"created_at": "2023-01-06T13:46:39.470535Z",
			"updated_at": "2026-04-10T02:00:03.339964Z",
			"deleted_at": null,
			"main_name": "BITWISE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BITWISE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"Agrius",
				"BlackShadow",
				"DEV-0227",
				"Justice Blade",
				"Malek Team",
				"MoneyBird",
				"Pink Sandstorm",
				"Sharp Boyz",
				"Spectral Kitten"
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4a73cb62-be05-49d2-9dbb-1298606ec0a3",
			"created_at": "2025-03-07T02:00:03.799095Z",
			"updated_at": "2026-04-10T02:00:03.827106Z",
			"deleted_at": null,
			"main_name": "Ukrainian Cyber Alliance",
			"aliases": [
				"UCA"
			],
			"source_name": "MISPGALAXY:Ukrainian Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fb23d29-6c6c-459b-8985-e11f125cebcf",
			"created_at": "2025-03-07T02:00:03.805635Z",
			"updated_at": "2026-04-10T02:00:03.83403Z",
			"deleted_at": null,
			"main_name": "TRIPLESTRENGTH",
			"aliases": [],
			"source_name": "MISPGALAXY:TRIPLESTRENGTH",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "98cd3bc4-fd41-4087-be03-f6f8f3be7b67",
			"created_at": "2025-05-29T02:00:03.220566Z",
			"updated_at": "2026-04-10T02:00:03.871851Z",
			"deleted_at": null,
			"main_name": "Cyber Alliance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "353d3a83-ce02-44a2-a663-dafdbbb617a0",
			"created_at": "2025-03-21T02:00:03.842688Z",
			"updated_at": "2026-04-10T02:00:03.83742Z",
			"deleted_at": null,
			"main_name": "Mora_001",
			"aliases": [],
			"source_name": "MISPGALAXY:Mora_001",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence"
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4e2776db-982d-4c07-8dd5-3888242aa7bc",
			"created_at": "2023-01-06T13:46:38.437237Z",
			"updated_at": "2026-04-10T02:00:02.974399Z",
			"deleted_at": null,
			"main_name": "PIZZO SPIDER",
			"aliases": [
				"DD4BC",
				"Ambiorx"
			],
			"source_name": "MISPGALAXY:PIZZO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c26ba56b-628e-4610-b167-1610efb08459",
			"created_at": "2024-02-22T02:00:03.77679Z",
			"updated_at": "2026-04-10T02:00:03.594516Z",
			"deleted_at": null,
			"main_name": "Cyber.Anarchy.Squad",
			"aliases": [
				"Cyber Anarchy Squad"
			],
			"source_name": "MISPGALAXY:Cyber.Anarchy.Squad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9639c065-3fa6-432f-9cbd-5708500c4eaa",
			"created_at": "2022-10-25T16:07:23.255684Z",
			"updated_at": "2026-04-10T02:00:04.506059Z",
			"deleted_at": null,
			"main_name": "Overlord Spider",
			"aliases": [
				"The Dark Overlord"
			],
			"source_name": "ETDA:Overlord Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly"
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "17d2b58c-804e-491a-9195-7070d193ef02",
			"created_at": "2026-01-22T02:00:03.670548Z",
			"updated_at": "2026-04-10T02:00:03.922129Z",
			"deleted_at": null,
			"main_name": "DarkGaboon",
			"aliases": [
				"Vengeful Wolf",
				"room155"
			],
			"source_name": "MISPGALAXY:DarkGaboon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc525d8fe25d0504b760e8c65f1cd08a668f670d.pdf",
		"text": "https://archive.orkl.eu/fc525d8fe25d0504b760e8c65f1cd08a668f670d.txt",
		"img": "https://archive.orkl.eu/fc525d8fe25d0504b760e8c65f1cd08a668f670d.jpg"
	}
}