Thread ---> With #Ryuk bearing down on the computer networks of U.S. hospitals, security companies and the feds are releasing a lot of data on the ransomware and the criminals behind it. Here's a list of public intel that I'll update as more is released.
RiskIQ published a bunch of Ryuk-related domains and IP addresses: https://community.riskiq.com/article/0bcefe76
Unit42 broke down the Anchor module, a derivative of TrickBot that has been involved in Ryuk deployments: https://unit42.paloaltonetworks.com/ryuk-ransomware/
Red Canary said it worked with incident responder Kroll to thwart an attempted Ryuk attack on a medical center: https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
FireEye published a slew of indicators related to UNC1878, the criminal gang behind some of the latest Ryuk activity on hospital networks: https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
The FBI, CISA and HHS updated their advisory with more information on the BazarLoader used to deploy Ryuk: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
More on Anchor from SentinelLabs: https://labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/
There's also this webcast from @Wanna_VanTa & @x04steve on UNC1878 that is a window into the threat actor's recent history. UNC1878 makes ransom demands in the tens of millions of dollars and accounts for a big chunk of Ryuk deployments, per the analysts: