Vitali Kremez

almost 4 years ago

🎁Gift for the community: Post-#Conti #ransomware operation mindmap world. Enjoy!

15

363

104

69

0

VK_Intel retweeted

over 3 years ago

The Week in Ransomware - October 21st 2022 - Stop the Presses - @LawrenceAbrams https://t.co/rgk5VkKWhd

4

40

30

7

0

over 3 years ago

#Royal ransomware operation in action.

Germán Fernández

@1ZRR4H

over 3 years ago

1/ So, site impersonating @Fortinet downloads signed MSI that uses Powershell to run #BatLoader, if the user is connected to a domain (corporate network) it deploys: 1) #Ursnif (Bot) 2) #Vidar (Stealer) 3) #Syncro RMM (C2) 4) #CobaltStrike And possibly 5) #Ransomware 💥

1ZRR4H's tweet photo. 1/ So, site impersonating @Fortinet downloads signed MSI that uses Powershell to run #BatLoader, if the user is connected to a domain (corporate network) it deploys:

1) #Ursnif (Bot)
2) #Vidar (Stealer)
3) #Syncro RMM (C2)
4) #CobaltStrike
And possibly
5) #Ransomware 💥 https://t.co/XhMBDcX4S8

6

249

97

46

0

8

102

23

21

0

VK_Intel retweeted

Official MHT Twitter account. Check out ID Ransomware (created by @demonslay335). More photos & gifs, less malware.

over 3 years ago

New Royal Ransomware emerges in multi-million dollar attacks - @LawrenceAbrams https://t.co/lO6AuID9Bo

3

42

24

4

0

Who to follow

MalwareHunterTeam

@malwrhunterteam

ATT&CK

@MITREattack

MITRE ATT&CK® - A knowledge base for describing the behavior of adversaries. Replying/Following/Re-tweeting ≠ endorsement. @ https://t.co/wt46ArkZVt

Breaking cybersecurity and technology news, guides, and tutorials that help you get the most from your computer. DMs are open, so send us those tips!

over 3 years ago

Offsecurity: First time flying as a private pilot single engine land from east -> west coast of Florida. Aircraft: Cessna 172N IFR training and rotorcraft add-on next!

3

21

1

0

VK_Intel retweeted

over 3 years ago

The Week in Ransomware - September 16th 2022 - Iranian Sanctions - @LawrenceAbrams https://t.co/nZTvaR8MAn

1

32

18

1

0

over 3 years ago

@peterbaurichter @campuscodi Exactly that. Less need for "restorative" IR work in exfil cases

0

1

0

over 3 years ago

@campuscodi @MaD_c4t Well it is

0

2

1

0

over 3 years ago

🔥Breaking Blog: AdvIntel's State of #Emotet aka "#SpmTools" Displays Over Million 🌎Compromised Machines Through 2⃣0⃣2⃣2⃣ Insight: *⃣Emotet infection chain is currently attributed to #Quantum & #BlackCat ransomware chains. https://t.co/soPGhn6MSI

VK_Intel's tweet photo. 🔥Breaking Blog: AdvIntel's State of #Emotet aka "#SpmTools" Displays Over Million 🌎Compromised Machines Through 2⃣0⃣2⃣2⃣
Insight:

*⃣Emotet infection chain is currently attributed to #Quantum & #BlackCat ransomware chains.

https://t.co/soPGhn6MSI https://t.co/qTb8dgCAQX

2

88

44

10

0

VK_Intel retweeted

over 3 years ago

The Week in Ransomware - September 9th 2022 - Schools under fire - @LawrenceAbrams https://t.co/xjxQ0QKbf2

1

32

20

3

0

over 3 years ago

@AlyssaM_InfoSec Amazing. Congratulations! I have gotten my private pilot license lately well. Finished with 60hrs on Cessna 172N. Again, congratulations! I want to get a low-wing Cherokee too as I am not a fan of Cessna. Probably, will get after I finish IFR and helicopter PPL endorsement

0

4

1

0

VK_Intel retweeted

over 3 years ago

@Ionut_Ilascu Someone is hitting Cobalt Strike servers used by former members of the Conti ransomware gang with messages urging to stop Russia's war: “Stop the war!” “15000+ dead Russian soldiers!” “Be a Russian patriot!” "Stop Putin!"

BleepinComputer's tweet photo. @Ionut_Ilascu Someone is hitting Cobalt Strike servers used by former members of the Conti ransomware gang with messages urging to stop Russia's war:

“Stop the war!”
“15000+ dead Russian soldiers!”
“Be a Russian patriot!”
"Stop Putin!" https://t.co/c8KFYWLpJa

1

28

13

4

0

over 3 years ago

@SwitHak @AdvIntel @y_advintel Emotet first then Brute Ratel C4 Anatomy of Attack :)

0

4

0

over 3 years ago

📌We have observed the "Anti-Putin" messages from Cobalt Strike flooding activities mapped to ex-Conti cybercrime enterprise members.

over 3 years ago

Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages - @Ionut_Ilascu https://t.co/n2xpdEv9Hd

3

89

47

6

0

1

9

1

0

over 3 years ago

Insight:⚡️#Emotet loader-as-a-service infection metrics globally for 2022 of ~1,300,000 unique bot_ids / top targeted infected by loader (including honeypot activity). Still alive but on a general decline. The public report is incoming.

VK_Intel's tweet photo. Insight:⚡️#Emotet loader-as-a-service infection metrics globally for 2022 of ~1,300,000 unique bot_ids / top targeted infected by loader (including honeypot activity). Still alive but on a general decline.

The public report is incoming. https://t.co/9jV13X8cRa

2

61

30

6

0

almost 4 years ago

@james_vinocur @campuscodi Thank you, James :) Great to see you here!

0

2

0

almost 4 years ago

Callback phishing was the tactic that enabled a widespread shift in the approach to ransomware deployment. This is what made the approach so unique and effective 👇

VK_Intel's tweet photo. Callback phishing was the tactic that enabled a widespread shift in the approach to ransomware deployment. This is what made the approach so unique and effective 👇 https://t.co/Lni9yhOnXm

0

13

2

1

0

almost 4 years ago

⚡️2022 Trend: Call-back phishing campaigns aka "BazarCall" are the de-facto top method of getting a backdoor on the protected corporate networks. 1⃣Ransomware and extortionists want to talk to the corporate employees over ☎️. 2⃣Targets are just larger & phishing is more complex

VK_Intel's tweet photo. ⚡️2022 Trend: Call-back phishing campaigns aka "BazarCall" are the de-facto top method of getting a backdoor on the protected corporate networks.

1⃣Ransomware and extortionists want to talk to the corporate employees over ☎️.
2⃣Targets are just larger & phishing is more complex https://t.co/I1Rh8rugXs

2

42

16

10

0

almost 4 years ago

@LawrenceAbrams @MsftSecIntel @demonslay335 @malwrhunterteam There are quite a few current "noname" ransomware payloads used by the related group. The graph is missing quite a few including Diavol & BlackByte and others.

0

12

3

0