Thread ---> With #Ryuk bearing down on the computer networks of U.S. hospitals, security companies and the feds are releasing a lot of data on the ransomware and the criminals behind it. Here's a list of public intel that I'll update as more is released.
RiskIQ published a bunch of Ryuk-related domains and IP addresses: https://community.riskiq.com/article/0bcefe76
FireEye published a slew of indicators related to UNC1878, the criminal gang behind some of the latest Ryuk activity on hospital networks: https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
The FBI, CISA and HHS updated their advisory with more information on the BazarLoader used to deploy Ryuk: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
There's also this webcast from @Wanna_VanTa & @x04steve on UNC1878 that is a window into the threat actor's recent history. UNC1878 makes ransom demands in the tens of millions of dollars and accounts for a big chunk of Ryuk deployments, per the analysts: https://www.youtube.com/watch?v=BhjQ6zsCVSc
You can follow @snlyngaas.