Thread ---> With #Ryuk bearing down on the computer networks of U.S. hospitals, security companies and the feds are releasing a lot of data on the ransomware and the criminals behind it. Here's a list of public intel that I'll update as more is released.
RiskIQ published a bunch of Ryuk-related domains and IP addresses: https://community.riskiq.com/article/0bcefe76
Unit42 broke down the Anchor module, a derivation of TrickBot that has been involved in Ryuk deployments: https://unit42.paloaltonetworks.com/ryuk-ransomware/
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector

A joint cybersecurity alert warns of Ryuk ransomware and Trickbot targeting U.S. Healthcare and Public Health Sector. We recommend courses of action.

https://unit42.paloaltonetworks.com/ryuk-ransomware/
Red Canary said it worked with incident responder Kroll to thwart an attempted Ryuk attack on a medical center: https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak

We recently helped stop a Ryuk ransomware infection at a hospital. Here are the ten behaviors we detected to prevent this threat.

https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
FireEye published a slew of indicators related to UNC1878, the criminal gang behind some of the latest Ryuk activity on hospital networks: https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
UNC1878 Indicators

UNC1878 Indicators. GitHub Gist: instantly share code, notes, and snippets.

https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
The FBI, CISA and HHS updated their advisory with more information on the BazarLoader used to deploy Ryuk: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
More on Anchor from SentinelLabs: https://labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/
Anchor project for Trickbot adds ICMP - SentinelLabs

The team behind Trickbot has been aggressively updating and deploying various modules including Anchor and Bazar Loader targeting high-value targets, including healthcare entities

https://labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/
There's also this webcast from @Wanna_VanTa & @x04steve on UNC1878 that is a window into the threat actor's recent history. UNC1878 makes ransom demands in the tens of millions of dollars and accounts for a big chunk of Ryuk deployments, per the analysts:
You can follow @snlyngaas.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more