diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index d728975d..873add90 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -27030,7 +27030,8 @@
 "description": "BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations. The group has displayed signs of being new to the practical business aspects of ransomware and associated logistics. Generally they seemed to be experiencing the growing pains of a group of talented hackers new to this aspect of criminal extortion.\n\nInfrastructure associated with the BianLian group first appeared online in December 2021 and their toolset appears to have been under active development since then. Finally, we have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.",
 "meta": {
 "links": [
- "http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion/"
+ "http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion/",
+ "http://bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion/"
 ],
 "ransomnotes": [
 "Your network systems were attacked and encrypted. Contact us in order to restore your data. 
Don't make any changes in your file structure: touch no files, don't try to recover by yourself, that may lead to it's complete loss.\n\nTo contact us you have to download \"tox\" messenger: https://qtox.github.io/\n\nAdd user with the following ID to get your instructions: \nA4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC\n\nAlternative way: swikipedia@onionmail.org\n\nYour ID: wU1VC460GC \n\nYou should know that we have been downloading data from your network for a significant time before the attack: financial, client, business, post, technical and personal files.\nIn 10 days — it will be posted at our site http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion with links send to your clients, partners, competitors and news agencies, that will lead to a negative impact on your company: potential financial, business and reputational loses."
@@ -27380,7 +27381,8 @@
 "description": "",
 "meta": {
 "links": [
- "http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/"
+ "http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/",
+ "http://ransomoefralti2zh5nrv7iqybp3d5b4a2eeecz5yjosp7ggbepj7iyd.onion"
 ],
 "refs": [
 "https://www.reuters.com/article/us-usa-products-colonial-pipeline-ransom/more-ransomware-websites-disappear-in-aftermath-of-colonial-pipeline-hack-idUSKCN2CX0KT",
@@ -27569,7 +27571,8 @@
 "http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion",
 "http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion",
 "http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion",
- "http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion"
+ "http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion",
+ "http://ofj3oaltwaf67qtd7oafk5r44upm6wkc2jurpsdyih2c7mbrbshuwayd.onion"
 ],
 "refs": [
 "https://threatpost.com/lockbit-ransomware-proliferates-globally/168746",
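Review bot: The new `ransomoefralti2zh5nrv7iqybp3d5b4a2eeecz5yjosp7ggbepj7iyd.onion` entry is added without the trailing slash that the existing link in the same `links` array carries, so the two URLs for this actor are normalised differently; tooling that matches or deduplicates leak-site URLs on the exact string will treat them inconsistently. Suggest `"http://ransomoefralti2zh5nrv7iqybp3d5b4a2eeecz5yjosp7ggbepj7iyd.onion/"`. The hunk also adds no ref for the new onion, and this cluster's `description` is still the empty string, so an analyst has nothing in the entry that ties the address to the group; a ref to the source that established the association would be worth adding. The `refs` array continues outside the hunk.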
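Review bot: The added `ofj3oaltwaf67qtd7oafk5r44upm6wkc2jurpsdyih2c7mbrbshuwayd.onion` is the only link in this list without the `lockbit` vanity prefix every other entry has, and the hunk adds no ref that attributes it to the group, so a reader cannot tell whether it is a confirmed mirror, a new primary domain, or a lookalike; attribution of a leak site is exactly the kind of claim downstream consumers act on. Add a ref to the source that established the link (the ransomlook page or the announcement it was taken from) next to the existing threatpost entry, or note it in `description` if the schema has nowhere better. The `refs` array continues outside the hunk.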
@@ -27623,7 +27626,8 @@
 {
 "meta": {
 "links": [
- "http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion"
+ "http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion",
+ "http://wtyafjyizleuw4yhepmdsrcfjwmtiysunos6ixchw3r5d7eeimw2rrid.onion"
 ],
 "refs": [
 "https://www.ransomlook.io/group/mallox"
@@ -28869,7 +28873,8 @@
 "meta": {
 "links": [
 "http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion",
- "http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion"
+ "http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion",
+ "http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion"
 ],
 "refs": [
 "https://www.ransomlook.io/group/play",
@@ -29299,7 +29304,8 @@
 {
 "meta": {
 "links": [
- "http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion/"
+ "http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion/",
+ "http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion/"
 ],
 "refs": [
 "https://www.ransomlook.io/group/brain cipher"
@@ -29319,7 +29325,59 @@
 },
 "uuid": "5403ebcb-2468-5280-8b70-b43ed33b0b46",
 "value": "synapse"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/cicada3301"
+ ]
+ },
+ "uuid": "30273fce-be34-5518-a1fa-183ec12e1474",
+ "value": "cicada3301"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd.onion/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/good day"
+ ]
+ },
+ "uuid": "025cf965-bb4b-50d6-8511-c8747e2bebee",
+ "value": "good day"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://cloak.su/indexo.php"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/cloak.su (locker leak)"
+ ],
+ "synonyms": [
+ "locker leak"
+ ]
+ },
+ "uuid": "87a3c85c-0c98-5e8f-80c4-9e8b6e640916",
+ "value": "cloak.su"
+ },
+ {
+ "meta": {
+ "links": [
+ "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion",
+ "http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/b/"
+ ],
+ "refs": [
+ "https://www.ransomlook.io/group/pyrx"
+ ]
+ },
+ "uuid": "ed692e27-c3ab-5ed8-ae4a-e436c4c5b454",
+ "value": "pyrx"
 }
 ],
- "version": 125
+ "version": 127
 }
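Review bot: Two of the new `refs` values are not valid URLs as written: `https://www.ransomlook.io/group/good day` and `https://www.ransomlook.io/group/cloak.su (locker leak)` contain unencoded spaces and parentheses, which a strict URI validator (or any importer that checks `refs` as URLs) will reject and which a browser only repairs by guessing; the existing `brain cipher` ref in an earlier hunk follows the same pattern, so this may be the corpus convention, but percent-encoded forms such as `https://www.ransomlook.io/group/good%20day` and `https://www.ransomlook.io/group/cloak.su%20%28locker%20leak%29` resolve unambiguously. The `pyrx` entry lists the same onion host twice, once bare and once with the `/b/` path; unless the path itself is the indicator worth tracking, one of the two is redundant and will inflate match counts in consumers that treat each link as a separate observable. `version` moves from 125 to 127 in one commit, which looks like a skipped bump unless it is reconciling with an intermediate change.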