#stopransomware — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #stopransomware, aggregated by home.social.
-
13 Nov. CISA: "in collaboration with the Federal Bureau of Investigation, Dept of Defense Cyber Crime Center, Dept of Health & Human Services, & international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware" www.cisa.gov/news-events/... #cybersec #tech
CISA and Partners Release Advi... -
Alert (AA23-040A) #StopRansomware: Ransomware Activities Related to DPRK https://fortiguard.fortinet.com/threat-signal-report/5017
-
Updated Response to CISA Advisory (AA23-352A): #StopRansomware: Play Ransomware – Source: securityboulevard.com https://ciso2ciso.com/updated-response-to-cisa-advisory-aa23-352a-stopransomware-play-ransomware-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #ransomwareasaservice #adversaryemulation #BroadBasedAttacks #CyberSecurityNews #SecurityBoulevard #StopRansomware #ransomware #Playcrypt #Play
-
Good day everyone!
As you know I am a big advocate for threat hunting and I like to post the articles that I read related to it but there is a bigger picture that I normally leave out because of my perspective. As a threat hunter I like to look at behaviors and artifacts (Indicators of Attack) and the MITRE ATT&CK Matrix but something I should probably start talking more about is the overall picture of the Threat Hunting Life-cycle. Really, this was brought about because of the joint advisory from Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation (FBI) as well as the Australian Government they released on the #Play Ransomware. This isn't the first time that I have read it and hopefully wont be the last simply because of these couple of lines:
"June 4, 2025: The advisory was updated to reflect new TTPs employed by Play ransomware group, as well as provide current IOCs/remove outdated IOCs for effective threat hunting." Above it they mention that the original advisory was published in December 18, 2023 but the fact that they are returning to the these and updating them with new TTPs and providing new IOCs is a GREAT example of the Threat Hunting Life-cycle.
So if you do have a threat hunting program in your environment, maybe implement something similar to your hunts if you haven't do so already. Revisit the hunts that have been conducted already in your environment and see if the information within is still current and if not, update it accordingly! Have a wonderful day and Happy Hunting!
#StopRansomware: Play Ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352aIntel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #ransomware #readoftheday
-
Nuovo report FBI: Medusa Ransomware colpisce 300 vittime in pochi mesi!
Il presente articolo si basa su un documento congiunto pubblicato da FBI, CISA e MS-ISAC nel marzo 2025, nell’ambito della campagna #StopRansomware. Il report fornisce dettagli sulle tattiche, tecniche e procedure (TTP) utilizzate dal ransomware Medusa, insieme agli indicatori di compromissione (IoC) e alle raccomandazioni per la mitigazione. La finalità di questa analisi è sensibilizzare le organizzazioni sulle minacce emergenti e fornire strumenti concreti per la protezione delle infrastrutture critiche.
Medusa Ransomware
Medusa Ransomware si conferma come una delle minacce più attive nel panorama cybercriminale globale. Identificato per la prima volta nel giugno 2021, Medusa ha adottato un modello di Ransomware-as-a-Service (RaaS), evolvendosi in una rete distribuita di affiliati che colpiscono settori critici come sanitario, educativo, legale, assicurativo, tecnologico e manifatturiero. La recente analisi condotta da FBI, CISA e MS-ISAC rivela che, a febbraio 2025, il ransomware ha già colpito oltre 300 organizzazioni a livello internazionale.Medusa Ransomware si distingue per l’impiego di tecniche avanzate per ottenere l’accesso iniziale, muoversi lateralmente nei sistemi infetti ed esfiltrare dati sensibili. Il suo schema di attacco segue il modello della doppia estorsione: non solo i file vengono criptati, ma i dati sottratti vengono minacciati di pubblicazione nel dark web in caso di mancato pagamento del riscatto.
Tecniche di Attacco
Gli attori di Medusa si avvalgono di:- Phishing e vulnerabilità non patchate: sfruttano vulnerabilità note come CVE-2024-1709 e CVE-2023-48788 per ottenere accesso ai sistemi.
- Strumenti LOTL (Living Off The Land): software legittimi come PowerShell, WMI e Advanced IP Scanner vengono utilizzati per la persistenza ed evasione.
- Movimento laterale e esecuzione remota: impiegano strumenti come PsExec, RDP e software di accesso remoto come AnyDesk, ConnectWise, Splashtop.
- Cancellazione delle tracce: eliminano i log di PowerShell e utilizzano tecniche di offuscamento per evitare il rilevamento.
- Cifratura e sabotaggio: disattivano Windows Defender e altre misure di sicurezza prima di criptare i file con AES-256 e cancellare le copie shadow.
Il modello economico di Medusa prevede un portale Tor dedicato dove le vittime possono negoziare il riscatto. In alcuni casi, i criminali hanno richiesto un pagamento aggiuntivo sostenendo che l’importo iniziale era stato sottratto da un altro membro del gruppo, introducendo una forma di tripla estorsione.
Indicatori di Compromissione (IoC)
Alcuni file e hash identificati nelle operazioni di Medusa:- !!!READ_ME_MEDUSA!!!.txt: file contenente la richiesta di riscatto.
- openrdp.bat: script per abilitare RDP e connessioni remote.
- pu.exe (80d852cd199ac923205b61658a9ec5bc): eseguibile per la creazione di shell remote.
Email utilizzate per la negoziazione del riscatto:
Mitigazioni
Per proteggersi da Medusa e da altre minacce ransomware, FBI, CISA e MS-ISAC raccomandano di:- Mantenere aggiornati i sistemi con patch e fix di sicurezza.
- Implementare l’autenticazione multi-fattore su tutti gli account critici.
- Segmentare la rete per limitare il movimento laterale degli attaccanti.
- Monitorare il traffico di rete per individuare comportamenti anomali.
- Eseguire backup offline e testarne la ripristinabilità per garantire la continuità operativa.
Medusa Ransomware rappresenta una minaccia persistente e sofisticata, capace di adattarsi alle difese delle aziende colpite. La consapevolezza e la prevenzione rimangono le armi più efficaci per contrastare questo tipo di attacchi. Per un approfondimento tecnico sui TTP di Medusa, si consiglia di consultare il report completo di FBI, CISA e MS-ISAC.
Resta aggiornato su Red Hot Cyber per ulteriori analisi e aggiornamenti sulle minacce emergenti nel panorama della cybersecurity.
L'articolo Nuovo report FBI: Medusa Ransomware colpisce 300 vittime in pochi mesi! proviene da il blog della sicurezza informatica.
-
Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware – Source: www.techrepublic.com https://ciso2ciso.com/medusa-ransomware-strikes-300-targets-fbi-cisa-urge-immediate-action-to-stopransomware-source-www-techrepublic-com/ #rssfeedpostgeneratorecho #SecurityonTechRepublic #ransomwareasaservice #SecurityTechRepublic #CyberSecurityNews #Cybersecurity #International #ransomware #Phishing #Security #BigData
-
Response to CISA Advisory (AA25-071A): #StopRansomware: Medusa Ransomware – Source: securityboulevard.com https://ciso2ciso.com/response-to-cisa-advisory-aa25-071a-stopransomware-medusa-ransomware-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #adversaryemulation #BroadBasedAttacks #CyberSecurityNews #SecurityBoulevard #StopRansomware #ransomware #Medusa #CISA
-
Happy Friday everyone!
The Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation (FBI) have released a #cybersecurity advisory focusing on the #Ghost ransomware threat. They provide us with some updates to the TTPs and Behaviors on the groups activity and what we can hunt for!
Behaviors (MITRE ATT&CK):
Initial Access - TA0001
Exploit Public-Facing Application - T1190 - the group exploited many CVEs to gain their initial foothold. They exploited Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE2021-34473, CVE-2021-34523, and CVE-2021-31207.Defense Evasion - TA0005
Impair Defenses: Disable or Modify Tools - T1562.001 - Ghost
frequently runs a command to disable Windows Defender on network connected devices.There are plenty of other technical and behavior artifacts in the report, so go check it out yourself! Enjoy and Happy Hunting!
#StopRansomware: Ghost (Cring) Ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050aIntel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
-
#StopRansomware: Ghost (Cring) Ransomware https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
-
StopRansomware: RansomHub Ransomware
RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploiting vulnerabilities, and password spraying. They use tools like Mimikatz for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. Data exfiltration varies by affiliate but may involve tools like PuTTY and AWS S3 buckets. The ransomware uses Curve 25519 encryption and implements intermittent encryption. It targets user files and networked shares, leaving a ransom note and deleting volume shadow copies.
Pulse ID: 66d204f1d658869764c07d47
Pulse Link: https://otx.alienvault.com/pulse/66d204f1d658869764c07d47
Pulse Author: AlienVault
Created: 2024-08-30 17:44:17Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AWS #CyberSecurity #Encryption #Extortion #InfoSec #OTX #OpenThreatExchange #Password #Phishing #PsExec #RAT #RDP #RansomWare #RansomwareAsAService #StopRansomware #Word #bot #AlienVault
-
How BlackSuit Ransomware is Crippling Businesses: FBI, CISA Sound Alarm https://thecyberexpress.com/blacksuit-ransomware-fbi-cisa-warn/ #FBIandCISARecommendations #BlackSuitransomware #TheCyberExpressNews #FBIandCISAadvisory #CybersecurityNews #TheCyberExpress #RansomwareNews #StopRansomware #FirewallDaily #CISA #FBI
-
How BlackSuit Ransomware is Crippling Businesses: FBI, CISA Sound Alarm https://thecyberexpress.com/blacksuit-ransomware-fbi-cisa-warn/ #FBIandCISARecommendations #BlackSuitransomware #TheCyberExpressNews #FBIandCISAadvisory #CybersecurityNews #TheCyberExpress #RansomwareNews #StopRansomware #FirewallDaily #CISA #FBI
-
How BlackSuit Ransomware is Crippling Businesses: FBI, CISA Sound Alarm https://thecyberexpress.com/blacksuit-ransomware-fbi-cisa-warn/ #FBIandCISARecommendations #BlackSuitransomware #TheCyberExpressNews #FBIandCISAadvisory #CybersecurityNews #TheCyberExpress #RansomwareNews #StopRansomware #FirewallDaily #CISA #FBI
-
How BlackSuit Ransomware is Crippling Businesses: FBI, CISA Sound Alarm https://thecyberexpress.com/blacksuit-ransomware-fbi-cisa-warn/ #FBIandCISARecommendations #BlackSuitransomware #TheCyberExpressNews #FBIandCISAadvisory #CybersecurityNews #TheCyberExpress #RansomwareNews #StopRansomware #FirewallDaily #CISA #FBI
-
Response to CISA Advisory (AA24-131A): #StopRansomware: Black Basta – Source: securityboulevard.com https://ciso2ciso.com/response-to-cisa-advisory-aa24-131a-stopransomware-black-basta-source-securityboulevard-com/ #IndicatorsofCompromise(IOCs) #rssfeedpostgeneratorecho #SecurityBloggersNetwork #criticalinfrastructure #adversaryemulation #Broad-BasedAttacks #CyberSecurityNews #SecurityBoulevard #blackbasta #healthcare #ransomware #CISAAlert #TTPs
-
Response to CISA Advisory (AA24-131A): #StopRansomware: Black Basta – Source: securityboulevard.com https://ciso2ciso.com/response-to-cisa-advisory-aa24-131a-stopransomware-black-basta-source-securityboulevard-com/ #IndicatorsofCompromise(IOCs) #rssfeedpostgeneratorecho #SecurityBloggersNetwork #criticalinfrastructure #adversaryemulation #Broad-BasedAttacks #CyberSecurityNews #SecurityBoulevard #blackbasta #healthcare #ransomware #CISAAlert #TTPs
-
Response to CISA Advisory (AA24-131A): #StopRansomware: Black Basta – Source: securityboulevard.com https://ciso2ciso.com/response-to-cisa-advisory-aa24-131a-stopransomware-black-basta-source-securityboulevard-com/ #IndicatorsofCompromise(IOCs) #rssfeedpostgeneratorecho #SecurityBloggersNetwork #criticalinfrastructure #adversaryemulation #Broad-BasedAttacks #CyberSecurityNews #SecurityBoulevard #blackbasta #healthcare #ransomware #CISAAlert #TTPs
-
Response to CISA Advisory (AA24-131A): #StopRansomware: Black Basta – Source: securityboulevard.com https://ciso2ciso.com/response-to-cisa-advisory-aa24-131a-stopransomware-black-basta-source-securityboulevard-com/ #IndicatorsofCompromise(IOCs) #rssfeedpostgeneratorecho #SecurityBloggersNetwork #criticalinfrastructure #adversaryemulation #Broad-BasedAttacks #CyberSecurityNews #SecurityBoulevard #blackbasta #healthcare #ransomware #CISAAlert #TTPs
-
ESET Research reports that AceCryptor use surged in the second half of 2023. This included Remcos RAT campaigns for the first time, using compromised accounts for credibility in phishing emails. AceCryptor + Remcos campaigns targeted Poland, Bulgaria, Spain, and Serbia. Campaigns were described, MITRE ATT&CK TTPs and IOC provided. 🔗 https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/
#AceCryptor #threatintel #IOC #Remcos #RemcosRAT #VidarStealer #Stopransomware #SmokeLoader
-
Response to the Revised CISA Advisory (AA23-353A): #StopRansomware: ALPHV BlackCat – Source: securityboulevard.com https://ciso2ciso.com/response-to-the-revised-cisa-advisory-aa23-353a-stopransomware-alphv-blackcat-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #adversaryemulation #Broad-BasedAttacks #CyberSecurityNews #SecurityBoulevard #CISAAlert #BlackCat #alphv
-
Response to the Revised CISA Advisory (AA23-353A): #StopRansomware: ALPHV BlackCat – Source: securityboulevard.com https://ciso2ciso.com/response-to-the-revised-cisa-advisory-aa23-353a-stopransomware-alphv-blackcat-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #adversaryemulation #Broad-BasedAttacks #CyberSecurityNews #SecurityBoulevard #CISAAlert #BlackCat #alphv
-
Response to the Revised CISA Advisory (AA23-353A): #StopRansomware: ALPHV BlackCat – Source: securityboulevard.com https://ciso2ciso.com/response-to-the-revised-cisa-advisory-aa23-353a-stopransomware-alphv-blackcat-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #adversaryemulation #Broad-BasedAttacks #CyberSecurityNews #SecurityBoulevard #CISAAlert #BlackCat #alphv
-
Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware – Source: securityboulevard.com https://ciso2ciso.com/response-to-cisa-advisory-aa24-060a-stopransomware-phobos-ransomware-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #ransomwareasaservice #adversaryemulation #CyberSecurityNews #SecurityBoulevard #ransomware #CISAAlert #Phobos
-
Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware – Source: securityboulevard.com https://ciso2ciso.com/response-to-cisa-advisory-aa24-060a-stopransomware-phobos-ransomware-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #ransomwareasaservice #adversaryemulation #CyberSecurityNews #SecurityBoulevard #ransomware #CISAAlert #Phobos
-
Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware – Source: securityboulevard.com https://ciso2ciso.com/response-to-cisa-advisory-aa24-060a-stopransomware-phobos-ransomware-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #ransomwareasaservice #adversaryemulation #CyberSecurityNews #SecurityBoulevard #ransomware #CISAAlert #Phobos
-
OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.
-
OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.
-
OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.
-
OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.
-
OK, I confess: I do not understand why CISA / #StopRansomware did an update on #AvosLocker based on what they saw up to May. AvosLocker's leak site went silent in May, he hasn't been on his Jabber since May, and I got no response from him on Tox since May. So is AvosLocker still active? Anyone seen evidence of new victims or anything since May? Ransomlook.io doesn't show anything since that time, either.
-
⚠️ Cuba Ransomware resources drop ⚠️
A new ransomware advisory comes in hot to one of your intelligence channels – what are your next steps? In our latest video, we walk through our approach to a situation like this, which analysts face almost every day amid growing volumes of CTI shared in the community today https://www.youtube.com/watch?v=K1a6Mac1-y4
Link to the latest @CISA @FBI #StopRansomware alert on Cuba Ransomware, published Dec 1 (and updated just yesterday) https://www.cisa.gov/uscert/ncas/alerts/aa22-335a
Past advisories on five other #ransomware highly active in targeting U.S. critical infrastructure – and many other – organizations just this year: https://www.cisa.gov/stopransomware/stopransomware
According to the alert, “Since spring 2022, Cuba ransomware actors have modified their TTPs and tools to interact with compromised networks and extort payments from victims.” We’re likely to see more of this “TTP evolution” theme in 2023. As adversaries continue to evolve their TTPs rapidly and often, we had the chance to write more about this trend on our blog recently: https://www.tidalcyber.com/blog/adversary-ttp-evolution-and-the-value-of-ttp-intelligence
(And here’s another piece covering TTP evolution relative to another top malware, QakBot https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps)
In the walkthrough, we highlight metrics around threats made on ransomware “extortion blogs” as just one public data point around Cuba’s growing threat in recent months. The figures come from this incredible public dataset https://github.com/joshhighet/ransomwatch
The rest of the walkthrough centers on our free Community Edition tool. Jump into it here: https://app.tidalcyber.com/. No registration is required to access a ton of features (including everything shared below) but you know the drill: you’ll ultimately find the most value with a quick email sign-up 📋
#Cuba Ransomware details from #mitreattack https://app.tidalcyber.com/software/095064c6-144e-4935-b878-f82151bc08e4-Cuba
Technique set for Cuba TTPs published in February https://app.tidalcyber.com/share/6fbf994c-d6c9-42fd-8ee9-8954865d6d6f (source: https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware)
Cuba technique set based on CISA’s/FBI’s new alert: https://app.tidalcyber.com/share/11c631bc-be34-463d-9d24-852a6f414b2a
Script to quickly convert techniques & procedures from recent #CTI into a technique “layer” json file: https://github.com/mitre-attack/attack-navigator/blob/master/layers/attack_layers/attack_layers_simple.py
LSASS Memory technique details page, with pivots to aligned defensive capabilities, detection analytics, & tests: https://app.tidalcyber.com/technique/ab0da102-5a14-42b1-969e-5d3daefdf0c5-LSASS%20Memory
Cuba Ransomware report referencing LSASS Memory & Disable or Modify Tools techniques: https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
Disable or Modify Tools technique details page: https://app.tidalcyber.com/technique/9f290216-b2ab-47b5-b9ae-a94ae6d357c6-Disable%20or%20Modify%20Tools
Final Cuba Ransomware technique time series comparison/overlay: https://app.tidalcyber.com/share/7631b2a7-2c0d-49ee-ac12-ca9c92ad4a72
Dashboard we’re maintaining covering all TTPs from the #StopRansomware alert series, currently spotlighting six high-priority ransomware and updated each time CISA publishes a new alert: https://app.tidalcyber.com/share/9c1f08a2-b823-4e11-a8a5-01335fb0215e
Join the Tidal Community Slack channel to engage with & learn from others throughout the #threatinformeddefense space https://join.slack.com/t/tidalcommunity/shared_invite/zt-1ljrtdtkm-VGi8fa5VYhLma4o1Vu33nA
Catch this and other walkthroughs on the @tidal Cyber YouTube channel https://www.youtube.com/@tidalcyber6071
#cyberthreatintelligence #cybersecurity #OSINT #SharedWithTidal