From 36a1466661ff64543d4f6f8615297f596bda31d4 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 23 May 2022 11:29:39 +0200
Subject: [PATCH 1/3] [threat-actors] Add RansomHouse
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fd67d7cb..8629386e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9319,6 +9319,19 @@
 },
 "uuid": "7ab283ac-b78f-42db-b564-0550b9637b0b",
 "value": "TA579"
+ },
+ {
+ "description": "This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.",
+ "meta": {
+ "refs": [
+ "https://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/"
+ ],
+ "cfr-target-category": [
+ "Private sector"
+ ]
+ },
+ "uuid": "4d522fad-452c-46be-94ea-5803aec9b709",
+ "value": "RansomHouse"
 }
 ],
 "version": 227
From c1cfc19871ffa6a4a367ec21cd3b1572276ee3ea Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 23 May 2022 11:30:04 +0200
Subject: [PATCH 2/3] [threat actors] Remove dead link for sandworm threat actor
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8629386e..24e26de5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
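Review bot: The cluster's `"version": 227` stays unchanged in the trailing context of the `@@ -9319,6 +9319,19 @@` hunk of patch 1/3, and neither later patch in the series touches it. If consumers decide whether to re-import this cluster by comparing that field (worth confirming against the project's contribution notes), the new RansomHouse entry and the removed Sandworm reference may not reach deployed instances; bump it to `"version": 228` within the series. Separately, the description itself says it is unclear whether the group carried out the intrusions or bought the data, and `refs` holds a single source, so a second independent reference would help analysts judge how much weight to give the entry.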
@@ -2689,7 +2689,6 @@
 "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
 "https://www.us-cert.gov/ncas/alerts/TA17-163A",
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
- "https://www.cfr.org/interactive/cyber-operations/black-energy",
 "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
 "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
From dca70783bf3e18f0b8818438d982728fca14f22d Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 23 May 2022 11:32:24 +0200
Subject: [PATCH 3/3] [threat-actors] validate file
---
 clusters/threat-actor.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 24e26de5..0f903cef 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9322,11 +9322,11 @@
 {
 "description": "This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.",
 "meta": {
- "refs": [
- "https://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/"
- ],
 "cfr-target-category": [
 "Private sector"
+ ],
+ "refs": [
+ "https://webz.io/dwp/new-ransomware-group-ransomhouse-is-it-real-or-fake/"
 ]
 },
 "uuid": "4d522fad-452c-46be-94ea-5803aec9b709",