Thread ---> With #Ryuk bearing down on the computer networks of U.S. hospitals, security companies and the feds are releasing a lot of data on the ransomware and the criminals behind it. Here's a list of public intel that I'll update as more is released.
RiskIQ published a bunch of Ryuk-related domains and IP addresses: https://community.riskiq.com/article/0bcefe76
Unit42 broke down the Anchor module, a derivation of TrickBot that has been involved in Ryuk deployments: https://unit42.paloaltonetworks.com/ryuk-ransomware/
Red Canary said it worked with incident responder Kroll to thwart an attempted Ryuk attack on a medical center: https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
FireEye published a slew of indicators related to UNC1878, the criminal gang behind some of the latest Ryuk activity on hospital networks: https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
The FBI, CISA and HHS updated their advisory with more information on the BazarLoader used to deploy Ryuk: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
More on Anchor from SentinelLabs: https://labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/
There's also this webcast from @Wanna_VanTa & @x04steve on UNC1878 that is a window into the threat actor's recent history. UNC1878 makes ransom demands in the tens of millions of dollars and accounts for a big chunk of Ryuk deployments, per the analysts: https://www.youtube.com/watch?v=BhjQ6zsCVSc