home.social

#stopransomware — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #stopransomware, aggregated by home.social.

  1. Good day everyone!

    As you know, I am a big advocate for threat hunting and I like to post the articles that I read related to it, but there is a bigger picture that I normally leave out because of my perspective. As a threat hunter I like to look at behaviors and artifacts (Indicators of Attack) and the MITRE ATT&CK Matrix, but something I should probably start talking more about is the overall picture of the Threat Hunting Life-cycle. Really, this was brought about because of the joint advisory from the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation (FBI), as well as the Australian Government, released on the #Play Ransomware. This isn't the first time that I have read it and hopefully won't be the last, simply because of these couple of lines:

    "June 4, 2025: The advisory was updated to reflect new TTPs employed by Play ransomware group, as well as provide current IOCs/remove outdated IOCs for effective threat hunting." Above it they mention that the original advisory was published on December 18, 2023, but the fact that they are returning to these and updating them with new TTPs and providing new IOCs is a GREAT example of the Threat Hunting Life-cycle.

    So if you do have a threat hunting program in your environment, maybe implement something similar for your hunts if you haven't done so already. Revisit the hunts that have already been conducted in your environment and see if the information within is still current; if not, update it accordingly! Have a wonderful day and Happy Hunting!

    #StopRansomware: Play Ransomware
    cisa.gov/news-events/cybersecu

    Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #ransomware #readoftheday

  2. StopRansomware: RansomHub Ransomware

    RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to contact the group via a Tor URL. Affiliates typically gain initial access through phishing, exploiting vulnerabilities, and password spraying. They use tools like Mimikatz for credential theft and privilege escalation, and move laterally using RDP, PsExec, and other methods. Data exfiltration varies by affiliate but may involve tools like PuTTY and AWS S3 buckets. The ransomware uses Curve25519 encryption and implements intermittent encryption. It targets user files and networked shares, leaving a ransom note and deleting volume shadow copies.

    Pulse ID: 66d204f1d658869764c07d47
    Pulse Link: otx.alienvault.com/pulse/66d20
    Pulse Author: AlienVault
    Created: 2024-08-30 17:44:17

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AWS #CyberSecurity #Encryption #Extortion #InfoSec #OTX #OpenThreatExchange #Password #Phishing #PsExec #RAT #RDP #RansomWare #RansomwareAsAService #StopRansomware #Word #bot #AlienVault