{ "type": "bundle", "id": "bundle--07978c56-9742-441a-b9b0-1c387f4da0e8", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5", "created": "2020-01-01T00:00:00.000Z", "definition_type": "statement", "definition": { "statement": "This object was created using: https://github.com/muchdogesec/ransomware_kb" }, "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb" ] }, { "type": "identity", "spec_version": "2.1", "id": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5", "created": "2020-01-01T00:00:00.000Z", "modified": "2020-01-01T00:00:00.000Z", "name": "Ransomware Knowledgebase", "description": "https://github.com/muchdogsec/ransomware_kb", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "marking-definition--97ba4e8b-04f6-57e8-8f6e-3a0f0a7dc0fb" ], "identity_class": "system", "sectors": [ "technology" ], "contact_information": "https://www.dogesec.com/contact/" }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--8ce2cdf7-a36d-54df-978c-f49e318e1eb3", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Karakurt", "description": "Karakurt is a cyber extortion group known for focusing on data theft and extortion rather than traditional ransomware attacks. Instead of encrypting files, Karakurt steals sensitive data from targeted organizations and threatens to release it publicly unless a ransom is paid. The group is notorious for quick and aggressive operations, often targeting organizations with weak cybersecurity defenses.", "aliases": [ "Karakurt Lair" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0002" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--7f461804-9e54-5c7f-b6d3-cbf6438edd35", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Scattered Spider", "description": "Scattered Spider, also known as UNC3944, is a sophisticated cybercriminal group that uses advanced social engineering tactics and spear-phishing campaigns to infiltrate organizations. While not exclusively a ransomware group, they have been associated with ransomware attacks, particularly through facilitating access for other ransomware operators. They target various sectors, including telecommunications and technology.", "aliases": [ "Storm-0875", "Roasted 0ktapus", "Octo Tempest" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0003" }, { "source_name": "mitre-attack", "external_id": "G1015" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--07150f20-ec46-595b-a001-6bf335f0f398", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Vice Society", "description": "Vice Society is a ransomware group known for targeting the education and healthcare sectors. They are recognized for using double extortion tactics, where they exfiltrate data before encrypting systems and threaten to leak the data if the ransom isn't paid. Vice Society is relatively new but has quickly become a significant threat due to its focus on vulnerable sectors.", "aliases": [ "DEV-0832", "Vanilla Tempest" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0004" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Akira", "description": "Akira is a newer ransomware group that emerged in 2023, known for its targeted attacks on organizations and demanding high ransom payments. The group uses a Ransomware-as-a-Service (RaaS) model, allowing affiliates to use their ransomware to conduct attacks. Akira typically employs double extortion tactics, threatening to release stolen data if the ransom isn't paid.", "aliases": [ "GOLD SAHARA", "PUNK SPIDER" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0005" }, { "source_name": "mitre-attack", "external_id": "G1024" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--6a8875b5-fb7b-5af4-915a-01652d336850", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "RIDDLE SPIDER", "description": "RIDDLE SPIDER is a cybercriminal group associated with the development and deployment of ransomware strains, including the infamous Sodinokibi (REvil). They are known for their sophisticated tactics and infrastructure, often using advanced methods to evade detection and maximize the impact of their attacks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0006" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--52918eb2-1019-5fc1-81e4-f456961ad2d7", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Wizard Spider", "description": "Wizard Spider is a highly sophisticated cybercrime group believed to be behind some of the most notorious ransomware attacks, including Ryuk, Conti, and TrickBot. The group is well-resourced and operates a Ransomware-as-a-Service (RaaS) platform, targeting large organizations worldwide. Wizard Spider is known for its advanced tactics, techniques, and procedures (TTPs), including the use of double extortion and extensive reconnaissance before attacks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0007" }, { "source_name": "mitre-attack", "external_id": "G0102" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--e38d9368-1fc5-5272-9a84-bbd1687754b1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Sandworm Team", "description": "Sandworm Team, also known as Unit 74455, is a Russian cyber espionage group linked to the GRU, Russia's military intelligence agency. They are infamous for their involvement in some of the most disruptive cyberattacks, including the NotPetya ransomware attack and attacks on Ukrainian infrastructure. Sandworm Team is known for using highly destructive malware and ransomware in geopolitical cyber operations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0008" }, { "source_name": "mitre-attack", "external_id": "G0034" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--99b03a7c-0d44-50b8-95c4-17b65a432131", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Indrik Spider", "description": "Indrik Spider is a cybercrime group known for developing the Dridex banking Trojan and BitPaymer ransomware. The group has evolved over time, shifting from banking malware to more lucrative ransomware operations. Indrik Spider is well-organized and operates on a large scale, targeting businesses and critical infrastructure across various industries.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0009" }, { "source_name": "mitre-attack", "external_id": "G0119" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--ba5c38a7-90b3-56b8-9679-d81657c27e71", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TA505", "description": "TA505 is a prolific cybercrime group that has been active since at least 2014. They are known for distributing banking Trojans, including Dridex, and later shifting to ransomware operations with strains like Locky, Jaff, and Clop. TA505 is known for their large-scale phishing campaigns and targeting of financial institutions, healthcare, and retail sectors.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0010" }, { "source_name": "mitre-attack", "external_id": "G0092" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--db376406-b801-5ece-9a25-a7d48047a48b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Andariel", "description": "Andariel is a sub-group of the larger Lazarus Group, linked to North Korea's intelligence agency. Andariel specializes in cyber espionage and financially motivated cyberattacks, including ransomware. They are known for targeting South Korean businesses and government entities, as well as international financial institutions, to generate revenue for the North Korean regime.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0011" }, { "source_name": "mitre-attack", "external_id": "G0138" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--c12b22b6-e5bf-597f-ad05-c218456a3913", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "GOLD DUPONT", "description": "GOLD DUPONT is a threat actor group associated with the development and deployment of the DoppelPaymer ransomware. The group is known for targeting large organizations, especially in the healthcare and public sectors, using double extortion tactics. GOLD DUPONT operates as a Ransomware-as-a-Service (RaaS), allowing affiliates to use their malware in exchange for a share of the ransom payments.", "aliases": [ "SPRITE SPIDER" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0012" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--83e21d94-4b24-53f8-a468-b3584473ba60", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "FIN7", "description": "FIN7, also known as Carbanak Group, is a financially motivated cybercrime group that has targeted the hospitality, retail, and financial sectors globally. They are known for their sophisticated phishing campaigns and the use of advanced malware, including Carbanak and Cobalt Strike. Although FIN7 is primarily focused on financial theft, they have also been linked to ransomware operations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0013" }, { "source_name": "mitre-attack", "external_id": "G0046" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--81226d95-5a39-5102-92e8-fda05fa4abb2", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "GOLD SOUTHFIELD", "description": "GOLD SOUTHFIELD is a cybercriminal group associated with the development and distribution of the Conti ransomware. The group is known for its highly organized and professional operations, targeting large organizations and critical infrastructure. GOLD SOUTHFIELD has been involved in numerous high-profile ransomware attacks, often demanding multimillion-dollar ransoms.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0014" }, { "source_name": "mitre-attack", "external_id": "G0115" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--87a1b7a6-46ea-564b-88e0-27349eeb221d", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "FIN6", "description": "FIN6 is a cybercrime group known for its focus on financial gain through point-of-sale (POS) system breaches and ransomware attacks. They are responsible for the distribution of the LockerGoga and Ryuk ransomware strains. FIN6 is particularly dangerous due to its ability to carry out both ransomware attacks and large-scale financial fraud.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0015" }, { "source_name": "mitre-attack", "external_id": "G0037" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--84c4e006-a361-53a9-92a7-d03743acf737", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BOSS SPIDER", "description": "BOSS SPIDER, also known as the group behind LockBit ransomware, is a highly organized and professional cybercrime group. They operate a Ransomware-as-a-Service (RaaS) platform, allowing affiliates to conduct attacks using the LockBit ransomware in exchange for a share of the ransom. BOSS SPIDER is known for its relentless targeting of organizations across various industries.", "aliases": [ "GOLD LOWELL" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0016" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--dccc0a9e-ccee-50bf-9b4b-7105bea57f49", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Lazarus Group", "description": "Lazarus Group is a North Korean state-sponsored cybercrime group known for its involvement in a wide range of cyberattacks, including ransomware, cyber espionage, and financial theft. The group has been linked to the WannaCry ransomware attack and the theft of millions of dollars from financial institutions. Lazarus Group is highly sophisticated and operates on a global scale, often with geopolitical motivations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0017" }, { "source_name": "mitre-attack", "external_id": "G0032" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--b66dc49e-5b78-53a6-a3a8-a17b12041d3c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "FIN8", "description": "FIN8 is a financially motivated cybercrime group known for targeting the hospitality and retail sectors. They are responsible for the deployment of the Sardonic backdoor and have been linked to various ransomware operations. FIN8 is known for its stealthy operations, often lying dormant on victims' networks for extended periods before launching attacks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0018" }, { "source_name": "mitre-attack", "external_id": "G0061" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--82f760f9-3e58-5426-a14e-80a6d70af200", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "EXOTIC LILY\n", "description": "EXOTIC LILY is a threat actor group known for its role as an initial access broker, working with various ransomware groups to provide access to compromised networks. They use spear-phishing campaigns to infiltrate organizations, selling access to ransomware operators. EXOTIC LILY is known for its sophisticated phishing techniques and its role in facilitating ransomware attacks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0020" }, { "source_name": "mitre-attack", "external_id": "G1011" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--53ba95a2-5c9b-5f48-80d0-6b8146a15a9e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Cinnamon Tempest", "description": "Cinnamon Tempest is a lesser-known cybercrime group believed to be involved in ransomware and other financially motivated cyber activities. The group's operations are not as well-documented as others, but they are known for targeting organizations with sophisticated malware and extortion tactics. They may also be associated with other more prominent ransomware groups.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "G0021" }, { "source_name": "mitre-attack", "external_id": "G1021" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--f43c7909-278b-5c13-9361-4bd59e8181a4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Akira", "description": "A newer strain of ransomware known for iT targeted attacks on organizations, often demanding high ransom amounT.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0004" }, { "source_name": "mitre-attack", "external_id": "S1129" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa24-109a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--910b8e6b-9f86-51b5-8678-6e152dbfc6ef", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "AvosLocker", "description": "A ransomware strain that emerged in 2021, known for encrypting files and leaking data of non-paying victims on a dark web site.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0007" }, { "source_name": "mitre-attack", "external_id": "S1053" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-284a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ac8c4e21-aecf-5507-855f-32d0fe5717bf", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BianLian", "description": "A ransomware strain known for targeting large organizations and often threatening to leak stolen data if the ransom isn't paid.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0009" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-136a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux", "android" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--f50225d5-d606-5816-90ff-f14e57794a29", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Black Basta", "description": "A double extortion ransomware that not only encrypT files but also exfiltrates sensitive data to pressure victims into paying.", "is_family": true, "aliases": [ "no_name_software" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0010" }, { "source_name": "mitre-attack", "external_id": "S1070" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa24-131a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--da77cbf3-7dcc-559e-a6a3-7f629b05d61a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BlackCat", "description": "Also known as ALPHV, this ransomware is notable for being one of the first written in Rust, a programming language, making it harder to detect.", "is_family": true, "aliases": [ "ALPHV", "Noberus" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0013" }, { "source_name": "mitre-attack", "external_id": "S1068" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-353a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--cdf2ebae-9553-521f-954e-a126cb0b7ebc", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "DarkSide", "description": "A ransomware group known for iT attack on Colonial Pipeline in 2021, which caused significant disruption to the fuel supply in the U.S.", "is_family": true, "aliases": [ "BlackMatter" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0033" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa21-131a,\nhttps://www.cisa.gov/news-evenT/cybersecurity-advisories/aa21-291a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--93860b6e-f463-5530-b6b9-f50f84217f2b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Royal", "description": "A ransomware group that emerged in 2022, known for iT attacks on healthcare and critical infrastructure sectors.", "is_family": true, "aliases": [ "BlackSuit" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0017" }, { "source_name": "mitre-attack", "external_id": "S1073" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-061a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--32ba22c1-3caa-5360-874f-6e3b71b62b6f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Clop", "description": "A ransomware group known for targeting large organizations and leaking stolen data on their dark web site if the ransom isn't paid.", "is_family": true, "aliases": [ "Cl0p" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0021" }, { "source_name": "mitre-attack", "external_id": "S0611" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-158a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--0391cf2f-1777-5bc1-9b11-dbd3b5f2cea2", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Conti", "description": "A notorious ransomware group involved in high-profile attacks, known for iT fast encryption process and use of double extortion.", "is_family": true, "aliases": [ "Conti Locker" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0023" }, { "source_name": "mitre-attack", "external_id": "S0575" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/alerT/2021/09/22/conti-ransomware" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e9ed9ed6-7c11-56de-b3d0-c10da5465833", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "DeadBolt", "description": "A ransomware specifically targeting NAS devices, encrypting files and demanding Bitcoin for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0034" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--77d9a4ae-9ae0-5ff8-aea1-35e72e397995", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "HelloKitty", "description": "A ransomware group known for high-profile attacks, including one on a video game company, using double extortion tactics.", "is_family": true, "aliases": [ "KittyCrypt" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0053" }, { "source_name": "mitre-attack", "external_id": "S0617" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--f02a7978-96f0-5bad-8615-a2a908353181", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Hive", "description": "A ransomware-as-a-service operation, known for encrypting files and stealing data to extort victims, often targeting healthcare and critical infrastructure.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0054" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa22-321a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--caac40c7-41f4-5abf-b252-7cc124ae30e6", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "LockBit", "description": "A ransomware family that uses a double extortion tactic, encrypting files and threatening to publish stolen data if the ransom isn't paid.", "is_family": true, "aliases": [ "ABCD Ransomware" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0059" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-075a,\nhttps://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-165a,\nhttps://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-325a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux", "macos" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--485575ee-9a92-5be8-a032-0afef967089c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Ragnar Locker", "description": "A ransomware strain that targeT large organizations, using virtualization to hide iT activities from detection tools.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0080" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--07d05a66-01e8-5a11-8677-fda25641d543", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "RansomEXX", "description": "A ransomware group known for targeting large organizations, often using double extortion tactics to pressure victims into paying.", "is_family": true, "aliases": [ "Ransom X", "Defray777" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0081" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--3e855f81-45bf-5bcf-95e7-5e3b432e4122", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "REvil", "description": "Also known as Sodinokibi, a ransomware group responsible for numerous high-profile attacks, known for demanding high ransoms and leaking data of non-paying victims.", "is_family": true, "aliases": [ "Sodinokibi", "Sodin", "Revix" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0084" }, { "source_name": "mitre-attack", "external_id": "S0496" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--f13696e7-0134-59e5-9525-1b2c0f4164f3", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Rhysida", "description": "A ransomware strain that targeT corporate networks, using strong encryption to lock files and demanding ransom for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0085" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-319a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows", "linux" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--8ce2cdf7-a36d-54df-978c-f49e318e1eb3", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Karakurt", "description": "A cybercriminal group known for data exfiltration and extortion, sometimes without encryption, focusing on stealing and leaking data.", "is_family": true, "aliases": [ "Karakurt Lair" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0056" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--78aeedcc-1ac9-59e3-bca3-cc11bd14946b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Avaddon", "description": "A ransomware-as-a-service (RaaS) operation that encrypT files and threatens to publish stolen data if the ransom isn't paid.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0006" }, { "source_name": "mitre-attack", "external_id": "S0640" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--38b2127d-0277-5596-acc9-871d5dd99114", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BlackByte", "description": "A ransomware that emerged in 2021, known for targeting corporate networks and using a double extortion tactic.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0012" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--c6c05539-ddfa-5e40-9b80-98ff7f0081eb", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BlackKingdom Ransomware", "description": "Ransomware that was used in attacks exploiting vulnerabilities in Microsoft Exchange servers, encrypting files and demanding Bitcoin for decryption.", "is_family": true, "aliases": [ "Black Kingdom", "DEMON" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0014" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--b80cd4d6-0098-5ac7-b870-8f29b66b2f94", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BlackRouter", "description": "A ransomware variant that spreads through phishing emails and encrypT files, demanding a ransom for their recovery.", "is_family": true, "aliases": [ "BLACKHEART" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0015" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--3ffb3cd2-8493-5f73-ad4c-ea473ed077d9", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Blackruby", "description": "A ransomware that encrypT files and installs a cryptocurrency miner on infected systems.", "is_family": true, "aliases": [ "Black Ruby" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0016" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2070cb18-0244-5276-b308-7be265486b5b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Chimera", "description": "A ransomware that encrypT files and threatens to release victims' personal data online if the ransom isn't paid.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0019" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--5f45b46d-0749-577b-858d-3b2ca4a4b005", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ComradeCircle", "description": "A lesser-known ransomware, likely used in small-scale attacks, encrypting files and demanding a ransom.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0022" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--6230e13a-5451-5336-ad7f-2d8694386165", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "CryptoLocker", "description": "One of the most well-known ransomware strains, which started the trend of encrypting files and demanding Bitcoin ransoms in 2013.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0026" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--7e05dd92-719d-50dd-8afa-9a9664ecdd39", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Cryptowall", "description": "A widely spread ransomware that encrypT files and demands Bitcoin for decryption, known for iT advanced evasion techniques.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0028" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--a266c381-30e9-5301-b223-04a1c51a8f91", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "CryptXXX", "description": "A ransomware family that not only encrypT files but also steals data from infected systems.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0029" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--555a7bc9-293a-5a0a-9d67-e809ab4f9405", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Cuba", "description": "A ransomware group that targeT critical infrastructure and large organizations, using double extortion tactics.", "is_family": true, "aliases": [ "COLDDRAW" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0031" }, { "source_name": "mitre-attack", "external_id": "S0625" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa22-335a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--de52245d-bc30-5ac4-acf3-75abe2d34505", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Diavol", "description": "A ransomware strain linked to the TrickBot group, using advanced encryption methods and targeting large organizations.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0036" }, { "source_name": "mitre-attack", "external_id": "S0659" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1844e508-5555-53b6-8114-31521537dc4b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "DMA Locker", "description": "A ransomware variant that spread through compromised Remote Desktop Protocol (RDP) servers, encrypting files and demanding ransom.", "is_family": true, "aliases": [ "DMALocker" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0037" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--a56146fb-b4a5-54a1-a0aa-01d96b557edb", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "EDA2", "description": "An open-source ransomware project that was misused by attackers to create ransomware strains.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0039" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--234131ba-21c6-5f00-83f5-8c7710dfbf9f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Egregor", "description": "A ransomware group known for high-profile attacks and the rapid encryption of files, often using double extortion tactics.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0040" }, { "source_name": "mitre-attack", "external_id": "S0554" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--87cdd78c-c77f-5bc8-8b32-a03c50e8313c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NotPetya", "description": "A wiper malware disguised as ransomware, causing widespread damage in 2017 by rendering systems inoperable even if the ransom was paid.", "is_family": true, "aliases": [ "ExPetr", "Pnyetya", "Petna", "EternalPetya", "Nyetya", "NonPetya", "nPetya", "Diskcoder.C", "BadRabbit" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0042" }, { "source_name": "mitre-attack", "external_id": "S0368" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ddd18fe3-7625-5a41-a9c1-bf2b6fd4d05f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BitPaymer", "description": "A ransomware that primarily targeT large organizations, using strong encryption and demanding high ransoms.", "is_family": true, "aliases": [ "DoppelPaymer", "IEncrypt", "Pay OR Grief", "FriedEx" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0046" }, { "source_name": "mitre-attack", "external_id": "S0570" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--b271a24f-258a-52ea-831d-1fa9a7b0cabe", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Globe", "description": "A ransomware family known for encrypting files and demanding a ransom, with several varianT like GlobeImposter.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0047" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--293ce5e2-6c85-55be-bec6-acb7da097ebe", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "GlobeImposter", "description": "A ransomware variant of the Globe family, known for pretending to be a legitimate program to trick users into executing it.", "is_family": true, "aliases": [ "Fake Globe" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0048" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--a90dd142-0624-5a1e-a485-36e5aa11de54", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "GoGoogle", "description": "A ransomware that appends \".goog\" to encrypted files, demanding ransom for decryption.", "is_family": true, "aliases": [ "BossiTossi" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0050" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--32f3a1ad-3c98-5c5f-868a-9b9d81da4697", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Jigsaw", "description": "A ransomware that deletes files progressively the longer the ransom isn't paid, using psychological pressure tactics.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0055" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2d75eb22-d2e3-59fa-a6d9-c5054fe3a467", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Locky", "description": "A well-known ransomware that encrypT files and demands payment in Bitcoin, often spreading through email attachmenT.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0061" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--7129519b-1314-58a0-9603-9acf1d59b81b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Mailto", "description": "Also known as Netwalker, a ransomware variant that targeT corporate networks, encrypting files and demanding ransom in Bitcoin.", "is_family": true, "aliases": [ "Koko Ransomware", "NetWalker" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0062" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--02d176ba-5e53-5cde-90c2-8f076313d519", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Makop Ransomware", "description": "A ransomware strain that appends a unique extension to encrypted files and demands payment in cryptocurrency for decryption.", "is_family": true, "aliases": [ "Makop" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0063" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--88971142-22b6-5ba8-8bc8-134520374892", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ManameCrypt", "description": "A ransomware variant that encrypT files and appends a \".manamecrypt\" extension, demanding a ransom for decryption.", "is_family": true, "aliases": [ "CryptoHost" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0064" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2b453d9c-ab10-5237-a3b9-89d4bacf1430", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Maui Ransomware", "description": "A ransomware used in attacks against healthcare organizations, encrypting files and demanding ransom in Bitcoin.", "is_family": true, "aliases": [ "Maui" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0065" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2b8e55ff-ad22-5d3c-b4b7-47d9ced6ef2d", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "MedusaLocker", "description": "A ransomware strain that targeT organizations, encrypting files and demanding payment for their recovery.", "is_family": true, "aliases": [ "AKO", "AKO Ransomware", "AKO Doxware", "MedusaReborn" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0066" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa22-181a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--85ccb9f4-61db-5016-878c-1a582485ace4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PYSA", "description": "A ransomware group, also known as Mespinoza, known for targeting educational institutions and healthcare, using double extortion tactics.", "is_family": true, "aliases": [ "Mespinoza" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0067" }, { "source_name": "mitre-attack", "external_id": "S0583" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--c852be24-a838-52a7-b1e2-6f7508167356", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Mount Locker", "description": "A ransomware that targeT corporate networks, encrypting files and stealing data to extort victims.", "is_family": true, "aliases": [ "DagonLocker", "MountLocker", "QuantumLocker" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0068" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--8f1d7685-6a11-55ff-936f-44a380adc5a1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Nokoyawa", "description": "A ransomware strain that targeT Windows systems, using strong encryption and demanding a ransom for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0069" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--4b81183d-06c8-5081-bb5a-007b1cb0df2e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Phobos", "description": "A ransomware family that targeT small to medium-sized businesses, often spreading through insecure RDP connections.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0073" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa24-060a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--c5df669a-392c-5ab8-ac49-c71871f8b06c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PLAY", "description": "A ransomware group that emerged in 2022, known for iT attacks on large organizations and using double extortion tactics.", "is_family": true, "aliases": [ "PlayCrypt" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0075" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-352a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--cb570ef4-1e1c-5db0-8e4a-f2cd6ccac0ea", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Popcorn Time", "description": "A ransomware that allows victims to infect others to potentially avoid paying the ransom themselves, using an unusual pyramid scheme-like model.", "is_family": true, "aliases": [ "PopCornTime" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0076" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--aeb1b2bf-48f2-55f6-a299-56d5c7a59645", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Razy", "description": "A ransomware strain that encrypT files and demands a ransom for their recovery, often spreading through malicious websites.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0083" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--60127783-e788-5ff4-80cb-6bcc68cedfec", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Ryuk", "description": "A ransomware strain that typically targeT large organizations, using manual infection methods and demanding high ransoms.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0086" }, { "source_name": "mitre-attack", "external_id": "S0446" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--68c3b37a-b520-54ff-b13d-14b3a13ac35d", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SamSam", "description": "A ransomware strain that targeT organizations, often spreading through RDP and demanding large ransom paymenT in Bitcoin.", "is_family": true, "aliases": [ "Samas" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0087" }, { "source_name": "mitre-attack", "external_id": "S0370" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2dc940c1-aad1-57d4-8770-d7ee6679dd59", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Snatch", "description": "A ransomware strain that rebooT the infected system into Safe Mode to avoid detection by security software during encryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0088" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa23-263a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--06f10ae6-b804-574b-bbea-f701bc8d06be", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Spora", "description": "A ransomware strain that offers various ransom options to victims, including paying for immunity from future attacks.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0089" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--7b07b7fe-5ddb-593a-847a-5cbf6e42a613", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SunCrypt", "description": "A ransomware group known for double extortion tactics, encrypting files and threatening to leak stolen data if the ransom isn't paid.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0091" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--6f49a46e-5af3-56b7-ba8c-08d0c7c080f1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SynAck", "description": "A ransomware strain that uses Process Doppelg\u00e4nging to evade detection by antivirus software, targeting large organizations.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0092" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2f8ba9bc-437d-5644-89c4-faf86dd25a74", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TargetCompany", "description": "A ransomware strain that specifically targeT certain industries or companies, using strong encryption and demanding high ransoms.", "is_family": true, "aliases": [ "Fargo", "Mallox", "Tohnichi" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0093" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--56268de9-fbb4-5141-bbd1-3c5b1f5d850b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TeslaCrypt", "description": "A ransomware that targeted gamers, encrypting game files and demanding ransom for their recovery, active from 2015 to 2016.", "is_family": true, "aliases": [ "cryptesla" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0095" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--6b231866-e095-55cb-aacc-c7de837657ff", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ThunderX", "description": "A ransomware strain that encrypT files and appends \".thunderx\" to the extension, demanding a ransom for decryption.", "is_family": true, "aliases": [ "Ranzy Locker" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0096" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--bf6fa419-7fb7-575b-8dc6-c66c370985c6", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Trigona", "description": "A ransomware strain that encrypT files and appends \".trigona\" to the extension, demanding payment in cryptocurrency.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0098" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ad74fa87-042f-53c1-94f5-a5541cb001a5", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "VegaLocker", "description": "A ransomware strain that encrypT files and demands payment in cryptocurrency, often targeting small to medium-sized businesses.", "is_family": true, "aliases": [ "Buran", "Vega" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0100" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e666ab80-a467-5831-a684-cf4511cb6e7c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "WannaCry", "description": "One of the most infamous ransomware attacks, exploiting a vulnerability in Windows to spread rapidly and causing widespread damage globally in 2017.", "is_family": true, "aliases": [ "Wana Decrypt0r", "WannaCryptor", "WannaCrypt", "Wcry" ], "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0103" }, { "source_name": "mitre-attack", "external_id": "S0366" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--b3164d6d-1130-57da-aede-0718e957946b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "WannaRen", "description": "A ransomware variant similar to WannaCry, encrypting files and demanding payment for their recovery.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0104" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--78049206-d171-5159-9aff-bbf29050470c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Xorist", "description": "A ransomware family that spreads through spam emails, encrypting files and demanding a ransom for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0108" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ed0fc5c8-52f0-5c9c-b99c-b19a09985673", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Zeppelin", "description": "A ransomware strain that targeT businesses, encrypting files and demanding high ransom paymenT for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0110" }, { "source_name": "cisa", "description": "https://www.cisa.gov/news-evenT/cybersecurity-advisories/aa22-223a" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--d9e8384b-4bd6-551c-8efe-9f18d5423669", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "7ev3n", "description": "A ransomware that encrypT files and demands a ransom in Bitcoin. It is known for iT long and complicated ransom note.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0001" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--3e22eaf5-5479-59b7-b8a4-82fdce7913b1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "8BASE", "description": "A ransomware targeting Windows systems, using encryption to lock files and demanding ransom for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0002" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "windows" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--93091f7d-85be-55d4-89fc-95ce9770a871", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "AES-NI", "description": "This ransomware uses the AES-NI cryptography library to encrypt files and appends \".aes256\" to encrypted files.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0003" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--b7d417b4-734a-566b-ae83-2adfa671f0d9", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "AlbDecryptor", "description": "A lesser-known ransomware that encrypT files, likely related to Albanian cybercrime groups.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0005" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--82ec979f-b1c2-5c0d-8a55-c7594361cf5e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Bagli", "description": "A lesser-known ransomware variant that encrypT files and demands a ransom, often seen targeting small businesses.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0008" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--7cae6082-58cb-5660-99ad-089db2201ab9", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Black Mamba", "description": "A ransomware that encrypT files and appends \".blackmamba\" to file extensions, demanding a ransom for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0011" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--365caeab-ab53-5d0a-b983-5ec09110e571", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Bucbi", "description": "A ransomware variant that primarily targeT businesses, using strong encryption to lock files.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0018" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e2853a7a-be04-5de1-ac3b-84bdf11b9132", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ChupaCabra", "description": "A ransomware strain that targeT Windows systems, encrypting files and demanding ransom in cryptocurrency.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0020" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e9e1206a-6c00-54bf-b646-5126283054e9", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "CryptConsole", "description": "A ransomware that uses PowerShell scripT to encrypt files on a victim's computer, often spread through phishing emails.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0024" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--7714ce69-cf20-5474-be31-92209f01da0c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Cryptohitman", "description": "A variant of CryptoLocker ransomware, using similar tactics to encrypt files and demand ransom.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0025" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1f7e9e35-e58c-5416-86a9-1cd1420b1b67", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "CryptoTorLocker2015", "description": "A ransomware variant that encrypT files and was first seen in 2015, spreading through exploit kiT.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0027" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--9f141d7c-6e66-55de-9d9c-068cd7cb2029", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "CTB-Locker", "description": "A ransomware variant that uses asymmetric encryption and often spreads through email attachmenT.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0030" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1aa8a4e9-3812-5bb9-b2a6-67981be224fd", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "darkangels", "description": "A ransomware strain that uses sophisticated encryption methods, targeting businesses and demanding large ransoms.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0032" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ad1ff898-7f54-52cc-9e1c-777c5d4fa7fe", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "DecryptIomega", "description": "A ransomware targeting Iomega network storage devices, encrypting files and demanding a ransom.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0035" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1cf04ca4-897a-588a-8ee2-1b701392b794", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Ecovector", "description": "A lesser-known ransomware variant that encrypT files and appends a unique extension to the files.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0038" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--7bafbf5d-12bf-5441-8c4f-2b778923094a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Encrpt3d", "description": "A ransomware strain that targeT Windows systems, encrypting files and demanding payment in cryptocurrency.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0041" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--366e0cd5-fa93-5a43-b1d5-29300418cd3b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Exotic", "description": "A lesser-known ransomware strain, likely used in smaller scale attacks targeting individual users and businesses.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0043" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--a07ef650-591f-5035-92c6-fb345cda9ff5", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "File-Locker", "description": "A ransomware variant that locks files on a victim's computer and demands a ransom for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0044" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--c99a2838-3b9a-5bcd-9a51-2125d5e264a4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Flyper", "description": "A ransomware strain that encrypT files and appends a unique extension, demanding a ransom for the decryption key.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0045" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--79fc659c-0519-5dbe-99c0-f5cc7730198f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Globev3", "description": "A version of the Globe ransomware, using similar encryption techniques and ransom demands.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0049" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--714fb88d-e898-5b51-86c3-80e9c6952fe2", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Gula", "description": "A lesser-known ransomware, likely used in targeted attacks against small organizations.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0051" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--640a3a24-6d65-52bd-b2e2-d364020f371b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "HC6/HC7", "description": "A ransomware variant that uses strong encryption to lock files and demands a ransom for their decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0052" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--06043bb0-ef1e-555b-9876-8f41a5cf5b4a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Kelly", "description": "A ransomware strain targeting Windows systems, known for iT simple but effective encryption methods.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0057" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--beea4c96-0463-5e43-a3ba-8f2fea38aaa3", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "LamdaLocker", "description": "A ransomware variant that encrypT files and demands payment in Bitcoin for their recovery.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0058" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--9d918979-48ad-5b69-a6a7-53e2912a5310", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "LockOn", "description": "A ransomware strain that encrypT files and appends a unique extension, often spreading through phishing emails.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0060" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--bd9f0fe9-7819-5e23-a58e-c25e19c5b1be", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NoobCrypt", "description": "A ransomware strain that locks files and demands a ransom, often spread through phishing emails.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0070" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--684e3425-67ad-5955-aea1-14298a10367b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NotNevada", "description": "A ransomware strain that encrypT files and demands payment in cryptocurrency, likely targeting small to medium-sized businesses.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0071" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--8ea94a96-3384-578d-b143-f9d28e89b46f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NullByte", "description": "A ransomware variant that encrypT files and appends \".nullbyte\" to the extension, demanding ransom for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0072" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--96902a17-770a-5c50-a7f1-33a679dbbc80", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Phoenix", "description": "A ransomware strain known for targeting businesses, using strong encryption and demanding high ransom paymenT.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0074" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "x_mitre_platforms": [ "android" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1f8a6e8b-9078-555a-a64d-063a93149d3f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Predator", "description": "A ransomware strain that encrypT files and demands payment for their recovery, often targeting small businesses.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0077" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--cf8954c6-27b1-5608-bbae-98916b57ae9a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Qlocker", "description": "A ransomware that specifically targeT QNAP NAS devices, encrypting files and demanding ransom in Bitcoin for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0078" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--158e4852-cbac-5abd-a03a-a3e3e526edb4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Qweuirtksd", "description": "A lesser-known ransomware strain, likely used in targeted attacks on small organizations, encrypting files and demanding ransom.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0079" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--f72b6164-2c40-5ba5-b086-30f9dd46aabd", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Ransomnix", "description": "A ransomware variant that targeT Linux-based systems, encrypting files and demanding a ransom.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0082" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--c897d43f-689a-5a4d-9298-a18d1827bd25", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "StorageCrypter", "description": "A ransomware strain that encrypT files and demands payment in Bitcoin for their recovery, often targeting individual users.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0090" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--25093c98-b7f8-52f0-9937-668ea55ff7c8", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Tejodes", "description": "A ransomware variant that encrypT files and demands a ransom, likely spread through phishing emails.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0094" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1f689db3-d5b5-50e8-b836-555f5027120d", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TowerWeb", "description": "A ransomware strain that encrypT files and demands payment for their recovery, often targeting small businesses.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0097" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--0c5f1445-b184-5367-ac37-a5dfa14ea8ec", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TripleM", "description": "A lesser-known ransomware strain that encrypT files and demands a ransom, often spread through phishing emails.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0099" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--23d45d71-1810-56c8-8514-b0f6597b88bb", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "VenusLocker", "description": "A ransomware strain that targeT organizations, using strong encryption and demanding ransom for decryption.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0101" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--8dda796d-047f-52dd-962b-115ebf25dbc2", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Vevolocker", "description": "A lesser-known ransomware variant that encrypT files and demands a ransom for their recovery.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0102" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e49a373f-f913-5cf9-a388-f764fad0aa05", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "WannaSmile", "description": "A lesser-known ransomware strain, likely a variant of WannaCry, encrypting files and demanding ransom.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0105" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--493bd5f0-8935-5995-ab7e-718b7014f6b4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "XingLocker", "description": "A ransomware strain that encrypT files and demands payment for their recovery, often spread through phishing emails.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0106" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--9b73d603-09e9-5350-a53f-f56881b7eff9", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "XLocker", "description": "A ransomware variant that encrypT files and demands a ransom, often spread through malicious downloads.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0107" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e0cd3d95-5191-521e-aaf3-acaac27070df", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "XTPLocker", "description": "A lesser-known ransomware strain that encrypT files and demands ransom, likely targeting individual users or small businesses.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0109" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--dd01729e-2713-587b-81af-63a9b6a694fc", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "WastedLocker", "description": "WastedLocker is a sophisticated ransomware strain developed by the cybercriminal group known as Evil Corp. It emerged in 2020 and is known for its highly targeted attacks on large organizations, particularly in the United States. WastedLocker encrypts files on infected systems and appends the \".wasted\" extension to them. It is particularly dangerous because it doesn't exfiltrate data; instead, it relies on the encryption of critical files to compel victims to pay substantial ransoms. Evil Corp's extensive history of cybercrime has led to significant attention from law enforcement agencies, making WastedLocker one of the more infamous ransomware variants.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0111" }, { "source_name": "mitre-attack", "external_id": "S0612" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--aeb15a98-a3ee-58c5-a6ca-20dfb1a46825", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Cheerscrypt", "description": "Cheerscrypt is a relatively new ransomware strain that surfaced in 2022. It operates as a Ransomware-as-a-Service (RaaS), meaning that the ransomware developers lease their software to affiliates who carry out the attacks. Cheerscrypt is known for targeting VMware ESXi servers, a popular virtualization platform, making it a threat to environments where virtual machines are heavily used. The ransomware encrypts files on the victim's system and demands a ransom in cryptocurrency for decryption. Cheerscrypt uses double extortion tactics, threatening to publish stolen data if the ransom is not paid, which adds additional pressure on victims.", "is_family": true, "external_references": [ { "source_name": "ransomware-kb", "external_id": "R0112" }, { "source_name": "mitre-attack", "external_id": "S1096" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7ef768e2-e0be-5676-8fe7-7b45872add0a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Action1", "description": "A cloud-based remote monitoring and management (RMM) platform designed for IT teams to manage endpoints, automate tasks, and ensure compliance across distributed environments.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0001" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--cecbedc3-68bd-5f30-9e29-4523bea13fe2", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "AnyDesk", "description": "A remote desktop application that allows users to connect to and control other computers over the internet, known for its low latency and ease of use.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0002" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--4404bbd3-5120-5c42-8be5-de9b7c96e83a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Atera", "description": "An all-in-one RMM and Professional Services Automation (PSA) platform for IT professionals, enabling remote support, monitoring, and management of IT infrastructure.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0003" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--ed1d9e7a-6003-568e-b3e2-99785075011a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "FixMeIt", "description": "A remote desktop tool designed for providing on-demand remote support and unattended access to client computers, popular among IT support teams.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0004" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--93fc5b29-cb23-5573-b614-5ddd13e72d4c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Fleetdeck", "description": "A remote desktop and management platform that focuses on providing secure and scalable remote operations for IT teams managing large fleets of devices.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0005" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--998437fb-1b39-5944-ba27-e79a371f1fdb", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Level.io", "description": "A software tool or platform related to IT management or monitoring, though specific details may vary.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0006" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--3af079e3-4292-5e95-a828-12b2718a284d", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "LogMeIn", "description": "A remote access and management tool that allows users to connect to and control remote computers, commonly used for IT support and remote work solutions.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0007" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d40a2b1f-4049-5d9b-8115-1f8c90ce1c46", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "MobaXterm", "description": "A comprehensive remote access software that provides an all-in-one solution for remote computing, including SSH, RDP, and file transfer capabilities.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0008" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--173a4038-3036-5d96-8fd8-53a2a664e6bf", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NeTupport", "description": "Likely a misspelling or lesser-known tool, possibly related to network support or remote management, though specific details are not widely available.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0009" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--9791d6e3-2372-53c6-82d8-b8f1de543e04", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Pulseway", "description": "A remote monitoring and management platform for IT professionals, allowing real-time monitoring, control, and automation of IT environments.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0010" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--6285d600-2563-5cc1-b008-bb0f15c3d843", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "RSAT", "description": "Remote Server Administration Tools (RSAT) allows IT administrators to manage Windows servers remotely, providing access to various management tools on client machines.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0011" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--f08f9b9d-70e5-55c1-b6df-4b058863be45", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "RustDesk", "description": "An open-source remote desktop software that provides secure and simple remote access solutions, allowing users to control computers remotely over the internet.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0012" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--721fbb3a-ac7a-5fa6-9416-2b9ece10e0ca", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ScreenConnect", "description": "Now rebranded as ConnectWise Control, this tool provides remote support, access, and meeting solutions, widely used in IT support environments.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0013" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--6458acc2-4cb8-587f-af17-4ede56d74f15", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SimpleHelp", "description": "A self-hosted remote support and access tool that provides IT professionals with the ability to remotely manage and support client systems.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0014" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--a0f12044-0fed-5a84-b4c6-9ee6d9e07eda", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Splashtop", "description": "A remote desktop and remote support solution that offers high-performance remote access to computers, tablets, and mobile devices, commonly used in education and IT support.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0015" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--76e66118-2e98-5f28-b6dd-233257fc3da5", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TacticalRMM", "description": "An open-source remote monitoring and management tool that enables IT professionals to manage and support systems remotely with customizable automation and scripting.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0016" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--04965184-336b-5eb4-9a19-55b7987a9370", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TeamViewer", "description": "A widely-used remote desktop application that allows users to connect to and control other computers or mobile devices remotely, popular in both personal and business settings.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0017" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--cfb21556-4021-53d8-bf08-18f542329209", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ZohoAssist", "description": "A cloud-based remote support and access tool that allows IT professionals to provide remote assistance to clients, including unattended access and file transfer capabilities.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0018" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--ddcf5086-8277-51ef-b577-5235bbf36a9e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Cobalt Strike", "description": "A commercial penetration testing tool that provides advanced threat emulation and red team operations, widely used by cybersecurity professionals and sometimes by malicious actors.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0019" }, { "source_name": "mitre-attack", "external_id": "S0154" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--68f8d202-f699-57ec-938c-3a7d60256b84", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Brute Ratel C4", "description": "An advanced red team and adversarial attack simulation tool designed to mimic real-world threat actors' behavior, providing stealthy command and control capabilities.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0020" }, { "source_name": "mitre-attack", "external_id": "S1063" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--69eb454b-a8ed-5a24-949c-244b7f86b34a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Evilginx2", "description": "A man-in-the-middle attack framework used to bypass two-factor authentication by phishing for session cookies, often used in red teaming and ethical hacking exercises.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0021" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--0f0155da-4030-5d39-8776-fa084a3c403d", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Impacket", "description": "A collection of Python classes for working with network protocols, used by penetration testers to perform a variety of network-based attacks, including SMB relay attacks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0022" }, { "source_name": "mitre-attack", "external_id": "S0357" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--4fd26583-cbd4-57a3-997f-f2549e90967e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Koadic", "description": "A post-exploitation framework similar to Meterpreter and Powershell Empire, used by attackers and red teams for command and control over compromised systems.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0023" }, { "source_name": "mitre-attack", "external_id": "S0250" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--835f0f1b-c599-54f0-a07d-b2dfa0248b59", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Metasploit", "description": "A widely-used penetration testing framework that provides tools for developing and executing exploit code against a target machine, commonly used by security professionals and ethical hackers.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0024" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--6a9985dc-20a9-518a-8f5e-968ef94fb90f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Meterpreter", "description": "A payload within the Metasploit framework that provides an advanced command-line interface for interacting with a compromised system, often used for post-exploitation tasks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0025" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--0fdfb990-04f4-5ad4-9a05-53d594ad5d1b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PowerShell Empire", "description": "A post-exploitation framework that uses PowerShell for command and control, known for its stealth and integration with other tools, used in red teaming and penetration testing.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0026" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b57dfc5a-aa7f-5ff9-bd45-8aa206c5f705", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PowerSploit", "description": "A collection of PowerShell scripts designed for penetration testing and post-exploitation tasks, allowing attackers to perform reconnaissance, privilege escalation, and more.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0027" }, { "source_name": "mitre-attack", "external_id": "S0194" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7a1ef8bb-5e67-5502-aa2d-893d5186537b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PowerView", "description": "A PowerShell tool used for network situational awareness in Windows domains, providing reconnaissance capabilities to map out an Active Directory environment.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0028" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--9fc94b33-8b6e-5054-a706-8766ee7ac48c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Rubeus", "description": "A post-exploitation tool that focuses on Kerberos ticket manipulation, allowing attackers to perform attacks such as Pass-the-Ticket and Kerberoasting in Windows environments.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0029" }, { "source_name": "mitre-attack", "external_id": "S1071" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c010f1a9-b285-5b89-9e9d-061cb4587070", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TinyMet", "description": "A lightweight version of the Meterpreter payload, used in scenarios where stealth and minimizing detection are critical during post-exploitation.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0030" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--8f58f110-953b-595c-847a-d9d79f736072", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ThunderShell", "description": "A post-exploitation framework written in PowerShell, allowing attackers to maintain persistence and execute commands on compromised systems remotely.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0031" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--fa3e3274-5566-5ca9-82a0-e804dbd86dab", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "WinPEAS", "description": "A Windows Privilege Escalation tool that automates the process of checking for common misconfigurations and vulnerabilities that could allow privilege escalation on Windows systems.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0032" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--0368089b-75b6-5ea4-9ea2-ea0a3a1f66bd", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Chisel", "description": "A fast TCP/UDP tunnel over HTTP, allowing penetration testers to bypass firewalls and route traffic through compromised systems, often used for creating reverse tunnels.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0033" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--70e73cd9-2dc5-5076-96a4-762f6deac319", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Cloudflared", "description": "A tunneling tool provided by Cloudflare, allowing users to securely expose a local server to the internet through Cloudflare's network, often used for remote access and troubleshooting.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0034" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--dffe73e7-fdb4-5639-b8c8-2208f2be3e92", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "OpenSSH", "description": "A suite of secure networking utilities based on the SSH protocol, widely used for secure remote login, file transfers, and network tunneling.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0035" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--a235bf40-1487-5a7b-be77-e1676cb01dcb", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Ligolo", "description": "A reverse tunneling tool for pentesters and red teams, allowing them to establish a secure tunnel from a compromised system back to their attacker's machine.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0036" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b8b4651f-76ca-55ea-8292-255920df84cc", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ngrok", "description": "A tunneling tool that allows users to expose a local server to the internet by creating a secure tunnel, commonly used for web development, testing, and remote access.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0037" }, { "source_name": "mitre-attack", "external_id": "S0508" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--11fd64d7-28f3-5ce4-93c4-3a18e33d160a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Plink", "description": "A command-line connection tool for Windows, used for connecting to SSH servers, often as part of PuTTY, commonly used in scripting and automated remote tasks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0038" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--ea7eb9ad-386d-58e2-b48a-836ff15c9e7d", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Tailscale", "description": "A mesh VPN tool that uses the WireGuard protocol to create secure, private networks, allowing for easy remote access to resources without exposing them to the public internet.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0039" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--23dafa13-40a0-516e-bd2c-129cd2352364", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Termite", "description": "A lightweight terminal emulator for Windows, used to interact with serial ports, often used in networking and hardware configuration tasks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0040" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--14870752-0457-56c1-a1a3-bf5bf978a60c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PsExec", "description": "A lightweight telnet-replacement tool that allows for remote execution of processes on other systems, widely used in both legitimate administrative tasks and by attackers for lateral movement.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0041" }, { "source_name": "mitre-attack", "external_id": "S0029" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--3ff2025a-c9ef-56d3-8c57-9077bea67c3f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BITAdmin", "description": "A command-line tool used to manage and interact with Windows Background Intelligent Transfer Service (BITS), often used by attackers for covert file transfers.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0042" }, { "source_name": "mitre-attack", "external_id": "S0190" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--6897d98b-de0b-52fb-b64e-086a279df29c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Windows Event Utility", "description": "Tools and utilities that allow for the viewing, management, and monitoring of Windows Event Logs, often used in forensic investigations and system monitoring.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0043" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--a1830136-eac7-519e-8870-7167128304ac", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NTDS Utility", "description": "A command-line tool used to manage and interact with Active Directory databases (NTDS.dit), commonly used in domain controller maintenance and recovery tasks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0044" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--09b56a35-467f-5abe-bcb9-baa48717410b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "BCDEdit", "description": "A command-line tool used to manage Boot Configuration Data (BCD) stores in Windows, allowing administrators to configure how Windows boots, often used in system troubleshooting.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0045" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7a10daa6-d9c5-5111-a061-05309ee6f94b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "WMIC", "description": "Windows Management Instrumentation Command-line (WMIC) is a command-line tool that provides a powerful interface for managing Windows systems, often used in system administration and by attackers for reconnaissance.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0046" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--01eb88ff-13b1-5b99-892e-671cb6897a8a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Dropbox", "description": "A cloud storage service that allows users to store and share files across multiple devices, commonly used for personal and business file management.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0047" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b9932ee0-4c82-50da-bebf-0271388948de", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "FileZilla", "description": "An open-source FTP client that supports FTP, SFTP, and FTPS protocols, widely used for file transfers between local and remote systems.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0048" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d17ce308-14e6-5f72-bda9-cd2190d2cb22", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "FreeFileSync", "description": "An open-source file synchronization and backup software that allows users to synchronize files and folders between different locations, often used for data backup and mirroring.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0049" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--0018e3ba-39d9-52a3-8d43-cecf49f86870", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "MEGA", "description": "A cloud storage and file hosting service known for its end-to-end encryption, allowing users to store and share files securely across multiple devices.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0050" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--772dd097-5963-5c48-90dc-58739fefa3be", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PrivatLab", "description": "Likely refers to a tool or service associated with privacy or secure file storage, though specific details may vary.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0051" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--6d8daab6-b3a4-5c93-9d82-dbcc57c908f0", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "RClone", "description": "A command-line program to manage files on cloud storage, providing capabilities for syncing files to and from various cloud providers, often used in data migration and backup tasks.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0052" }, { "source_name": "mitre-attack", "external_id": "S1040" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--52e36793-770b-577a-8415-7704edd8f011", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Sendspace", "description": "A file hosting service that allows users to upload, share, and store files, commonly used for temporary file transfers.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0053" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--803d3cf5-0c33-539f-bfd2-ed60b6dc7d71", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "UFile", "description": "A lesser-known or specific file storage or transfer service, likely used for secure file uploads and sharing, though specific details may vary.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0054" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--a74e5a20-67ea-50cf-9069-2587ab92042a", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "WinSCP", "description": "A free and open-source SFTP, SCP, and FTP client for Windows, allowing secure file transfers between a local and a remote computer, widely used in IT and web development.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0055" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--dcbb3916-426e-5602-a461-a1696dc53520", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "AdFind", "description": "A command-line tool used for querying Active Directory, often used by attackers to enumerate domain information and gather reconnaissance data.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0056" }, { "source_name": "mitre-attack", "external_id": "S0552" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--58e417d3-e697-580b-97fb-53bc96205931", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Advanced IP Scanner", "description": "A network scanner that allows users to scan and detect devices on a local network, providing information about IP addresses, MAC addresses, and device types.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0057" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b5a1257a-b16a-5ed4-8e0f-a255297987bd", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Advanced Port Scanner", "description": "A fast and reliable network scanner for detecting open ports on network devices, often used for network troubleshooting and security assessments.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0058" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--69f25f5e-a75a-526b-a7bb-2e8c02005448", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Angry IP Scanner", "description": "An open-source network scanner that pings IP addresses and resolves hostnames, widely used for network inventory, managing services, and troubleshooting.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0059" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--705af713-8075-5456-9c18-819014d39b3e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "AWS Systems Manager Inventory", "description": "A tool that collects and stores information about your managed instances, helping administrators track and manage software and configurations across AWS environments.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0060" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c7de9a3c-a985-5462-9a77-c23972b683f1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Bloodhound", "description": "A tool used to analyze Active Directory security, mapping out relationships and permissions that can be exploited for privilege escalation, commonly used in red teaming.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0061" }, { "source_name": "mitre-attack", "external_id": "S0521" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--24918b65-de3c-5e71-86a3-96db2d921d3e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NbTcan", "description": "Likely refers to a network scanning or enumeration tool, though specific details are not widely available, possibly related to NetBIOS or network scanning.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0062" }, { "source_name": "mitre-attack", "external_id": "S0590" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--8152f2a0-6da7-5943-8c35-e2bd1412ae34", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Net", "description": "A set of command-line networking tools in Windows used for managing network resources, user accounts, and services, often used by administrators and attackers alike.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0063" }, { "source_name": "mitre-attack", "external_id": "S0039" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--9389f8cb-3df0-5dc1-b8c1-075c6aedc56d", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Nltest", "description": "A command-line tool used to check trust relationships, domain controller status, and other domain-related information, often used in Active Directory environments.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0064" }, { "source_name": "mitre-attack", "external_id": "S0359" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c93127fd-b800-59b6-b8f5-333343909049", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PingCastle", "description": "A security assessment tool for Active Directory that identifies potential vulnerabilities and misconfigurations, providing a report on the overall security posture.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0065" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--bf503b37-6bf1-5afe-9bc3-4accf989097c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Seabelt", "description": "A security tool designed to audit and analyze Active Directory environments for potential vulnerabilities, often used in red teaming and penetration testing.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0067" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c644ff24-7ce6-5dab-9f78-278b2d41536f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ServiceControl (sc.exe)", "description": "A command-line tool in Windows used to communicate with and control services, allowing administrators to start, stop, and configure services on local or remote machines.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0068" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--18685606-c90f-5daa-9ceb-84ca14e40572", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SharpShares", "description": "A C# tool used to enumerate and analyze shared folders and files across a Windows network, often used by attackers to identify sensitive data and potential attack vectors.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0069" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--32aa2caa-9f66-53be-91ab-dfa72d259cd4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ShareFinder", "description": "A tool used to discover and enumerate shared resources in a network, helping to identify accessible files and folders that could be targeted by attackers.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0070" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c81eccb2-7f44-5962-b569-6b332550e33c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SharpView", "description": "A C# implementation of PowerView, providing similar functionality for network reconnaissance and enumeration in Windows environments, often used in penetration testing.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0071" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--fe1f7f85-b823-5013-abb2-9b6e449a3a9b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SoftPerfect NeTcan", "description": "Likely refers to a network scanning or monitoring tool, though specific details may vary, possibly related to the SoftPerfect suite of network tools.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0072" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--a8b8bbce-d45d-5741-9130-93e01d981dc9", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Backstab", "description": "A post-exploitation tool used to maintain access on compromised systems, often through covert backdoors or persistence mechanisms.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0073" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--a0a42094-32c2-527a-9421-5b7228624fe1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Defender Control", "description": "A tool used to disable or control Windows Defender, often used by attackers to bypass security measures on Windows systems.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0074" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--97e999ef-b661-52bc-98ac-9e7daeb36efb", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Eraser", "description": "A secure data wiping tool that allows users to permanently delete files from their hard drive, ensuring that they cannot be recovered by forensic tools.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0075" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--74f91b62-d3dd-5bd4-86cd-ccbf330ae553", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "GMER", "description": "A tool used to detect and remove rootkits on Windows systems, often used by security professionals to identify hidden malware and unauthorized kernel modifications.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0076" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--bd2b9e55-6cd5-5cdf-9595-59751761c9d4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "IOBit", "description": "Likely refers to software from IOBit, a company known for its system optimization and security tools, which are sometimes used to remove malware and improve system performance.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0077" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--112a2814-2685-5455-a9e6-3e3784439530", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "KillAV", "description": "A tool or script used to disable or terminate antivirus software, often used by malware and attackers to neutralize security defenses on a compromised system.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0078" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--ff75929f-ea45-5975-9aa4-0a1bb75b4bac", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PCHunter", "description": "A system monitoring tool used to detect and remove rootkits, hidden processes, and other forms of malware that operate at a low level within the Windows operating system.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0079" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--124cdf04-5496-5f79-b802-04c2617b391e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PowerTool", "description": "A system diagnostic tool used to analyze and identify hidden processes, drivers, and hooks within the Windows operating system, often used for rootkit detection and removal.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0080" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--5bc05c87-8fd3-5ae4-877d-79e930966391", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ProcessHacker", "description": "An open-source process viewer and system monitoring tool that provides advanced features for analyzing and managing running processes, often used by both administrators and attackers.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0081" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c03480e4-cd41-5421-98d1-da6d4685bc93", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "TDSSKiller", "description": "A rootkit removal tool developed by Kaspersky Lab, designed to detect and remove the TDSS family of rootkits as well as other rootkits and malware.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0082" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c005aee0-3be9-543a-966c-e5f8a31e4b76", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Universal Virus Sniffer", "description": "A portable antivirus tool that detects and removes malware, often used as a secondary scanner to complement other security solutions.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0083" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7b34f648-686e-558a-8117-c8e3df9c7101", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "LaZagne", "description": "A post-exploitation tool used to retrieve stored passwords from a variety of applications on Windows, Linux, and macOS, commonly used by attackers for credential harvesting.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0084" }, { "source_name": "mitre-attack", "external_id": "S0349" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--542d773d-d448-52f0-a500-a01350b35868", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "LostMyPassword", "description": "Likely refers to a password recovery service or tool designed to help users regain access to lost or forgotten passwords, though specific details may vary.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0085" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--a0eff05b-f20e-5d1d-b564-c0455a87e171", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Mimikatz", "description": "A widely-used post-exploitation tool that allows attackers to extract plaintext passwords, hashes, and Kerberos tickets from memory, commonly used in Windows environments.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0086" }, { "source_name": "mitre-attack", "external_id": "S0002" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--8b0d87b1-dadf-592b-b687-828d90717c36", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft BulleTPassView", "description": "A tool from NirSoft used to retrieve and view stored passwords from the BulletProof FTP client, often used in forensic investigations and by attackers for credential harvesting.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0087" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--f6ffb541-dab3-5675-9c27-ed1f7aef855f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft ChromePass", "description": "A tool from NirSoft that retrieves and displays passwords stored by the Google Chrome web browser, commonly used in password recovery and forensic investigations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0088" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--af415fc3-162a-5eff-982c-10b95606fd92", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft Dialupass", "description": "A tool from NirSoft that retrieves and displays the usernames and passwords stored by the Windows Dial-Up Networking utility, often used in forensic investigations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0089" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--4807a4ae-5b6f-5ee8-9933-fc4e44f01053", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft ExtPassword", "description": "A tool from NirSoft used to recover passwords stored by various external programs and devices, though specific details may vary.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0090" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c90ed888-d677-5478-bb04-5fe254c47a8e", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft IEPassView (iepv)", "description": "A tool from NirSoft that retrieves and displays passwords stored by Internet Explorer, commonly used in password recovery and forensic investigations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0091" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--4b1c9e4c-a58a-5192-86b5-0ff3928c7e71", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft MailPassView", "description": "A tool from NirSoft that retrieves and displays the email account passwords stored by email clients such as Outlook, Thunderbird, and others, commonly used in password recovery.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0092" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d4cb96b8-d7fb-5718-85d5-54e6a44a67c3", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft Netpass", "description": "A tool from NirSoft that retrieves network passwords stored by the Windows operating system, often used by attackers to gain access to network resources.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0093" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--c9968509-bfac-53ac-b4b2-bca7cef4b3cf", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft OperaPassView", "description": "A tool from NirSoft that retrieves and displays passwords stored by the Opera web browser, often used in password recovery and forensic investigations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0094" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--b7e8a2f6-1855-5063-b4ec-9a20f089f8f8", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft RouterPassView", "description": "A tool from NirSoft that retrieves and displays passwords stored in router backup files, often used by attackers to gain unauthorized access to network devices.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0095" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--d6ff27fd-1181-539a-ac30-ab2f52cb8beb", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft RemoteDesktopPassView (rdpv)", "description": "A tool from NirSoft that retrieves and displays passwords stored by the Windows Remote Desktop utility, often used in forensic investigations and by attackers.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0096" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--8daa0ad5-ffc2-5713-8371-6e7d53132002", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft SniffPass", "description": "A tool from NirSoft that captures and displays passwords sent over the network using various protocols, commonly used in network analysis and penetration testing.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0097" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--e256d79c-d245-528a-afc8-fb70cd868a9f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft VNCPassView", "description": "A tool from NirSoft that retrieves and displays the passwords stored by VNC (Virtual Network Computing) clients, often used in password recovery and forensic investigations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0098" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--78621090-d82a-5e35-a1e7-37b63f54a767", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft WebBrowserPassView", "description": "A tool from NirSoft that retrieves and displays passwords stored by various web browsers, including Chrome, Firefox, and Internet Explorer, often used in password recovery.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0099" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--3cf06808-586d-52f7-b4af-76ccb7f327f1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "NirSoft WirelessKeyView", "description": "A tool from NirSoft that retrieves and displays wireless network keys (WEP/WPA) stored by the Windows operating system, commonly used in network analysis and forensic investigations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0100" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7e312e0f-bda6-5188-be09-8f745a65c29c", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "PasswordFox", "description": "A tool from NirSoft that retrieves and displays the usernames and passwords stored by the Firefox web browser, often used in password recovery and forensic investigations.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0101" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--59a478be-4617-58fb-8faa-48428a6159ea", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "ProcDump", "description": "A command-line tool used to monitor applications for CPU spikes and generate crash dumps, often used in debugging and forensic investigations to analyze application behavior.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0102" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--8c8fb1d0-4896-5b4a-a78c-826222e675fd", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "RDP Recognizer", "description": "A tool used to detect and manage remote desktop connections, often used by administrators to monitor RDP sessions and by attackers to exploit RDP vulnerabilities.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0103" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--0bf72554-d7c2-5d06-a97f-a8b95412faa6", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "Router Scan", "description": "A tool used to scan for and exploit vulnerabilities in routers and network devices, often used by attackers to gain unauthorized access to network infrastructure.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0104" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--2862e16b-6c7f-5b3b-9382-1fc4fd30b8ff", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SecreTDump", "description": "A post-exploitation tool used to dump secrets (such as password hashes and Kerberos tickets) from memory or registry, commonly used in penetration testing and red teaming.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0105" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7cdb6bba-c287-5c96-8a57-9e75b8c82ffa", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "name": "SharpChrome", "description": "A C# tool used to extract credentials and cookies stored by the Google Chrome browser, often used in penetration testing and red teaming to gain unauthorized access to accounts.", "external_references": [ { "source_name": "ransomware-kb", "external_id": "T0106" } ], "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--add5caf8-0c58-580e-b858-ad3eb79eb908", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Karakurt uses Karakurt", "source_ref": "intrusion-set--8ce2cdf7-a36d-54df-978c-f49e318e1eb3", "target_ref": "malware--8ce2cdf7-a36d-54df-978c-f49e318e1eb3", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cb543266-191b-5c73-86c0-1823374b3523", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Scattered Spider uses BlackCat", "source_ref": "intrusion-set--7f461804-9e54-5c7f-b6d3-cbf6438edd35", "target_ref": "malware--da77cbf3-7dcc-559e-a6a3-7f629b05d61a", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--93798e04-6c7b-5ccb-ab5e-9f9667e0cf56", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Vice Society uses Rhysida", "source_ref": "intrusion-set--07150f20-ec46-595b-a001-6bf335f0f398", "target_ref": "malware--f13696e7-0134-59e5-9525-1b2c0f4164f3", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--385cf902-657e-58d2-8551-e9459065b8d9", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses Akira", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "malware--f43c7909-278b-5c13-9361-4bd59e8181a4", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f5b849c3-cd32-52fc-9047-61c375c91f11", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses Advanced IP Scanner", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--58e417d3-e697-580b-97fb-53bc96205931", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a9379640-91e4-5d6c-bb06-d784c723dff4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses AnyDesk", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--cecbedc3-68bd-5f30-9e29-4523bea13fe2", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--047b37a6-f86d-589e-aeca-61baff5cb006", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses MobaXterm", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--d40a2b1f-4049-5d9b-8115-1f8c90ce1c46", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fa195d9e-d87a-5a43-8bcd-ffea67e01610", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses RustDesk", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--f08f9b9d-70e5-55c1-b6df-4b058863be45", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--030f6be4-5ce9-54ef-9108-7f4013ce557f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses PowerTool", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--124cdf04-5496-5f79-b802-04c2617b391e", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a9e4375c-1901-50e9-a936-df6fa83d9103", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses Mimikatz", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--a0eff05b-f20e-5d1d-b564-c0455a87e171", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f1c9fdf2-51ba-5110-a1c1-808d5d258d00", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses LaZagne", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--7b34f648-686e-558a-8117-c8e3df9c7101", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c9c16102-a7db-5e56-b31b-b14ba22599a1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses Impacket", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--0f0155da-4030-5d39-8776-fa084a3c403d", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1d94b71e-8c0f-5251-bdae-cf788ebcbc17", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses Cloudflared", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--70e73cd9-2dc5-5076-96a4-762f6deac319", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--98caf5bf-fd1f-5826-a678-935ea617a672", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses OpenSSH", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--dffe73e7-fdb4-5639-b8c8-2208f2be3e92", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--511f9876-4032-5888-88db-3c17e05d86b1", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Akira uses ngrok", "source_ref": "intrusion-set--f43c7909-278b-5c13-9361-4bd59e8181a4", "target_ref": "tool--b8b4651f-76ca-55ea-8292-255920df84cc", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8140af33-7e4e-59c2-b57f-aceea8f8b171", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group RIDDLE SPIDER uses Avaddon", "source_ref": "intrusion-set--6a8875b5-fb7b-5af4-915a-01652d336850", "target_ref": "malware--78aeedcc-1ac9-59e3-bca3-cc11bd14946b", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c6cc64b7-9b66-5feb-8e3f-6d486da699b9", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Wizard Spider uses Conti", "source_ref": "intrusion-set--52918eb2-1019-5fc1-81e4-f456961ad2d7", "target_ref": "malware--0391cf2f-1777-5bc1-9b11-dbd3b5f2cea2", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b73cca0b-4d3b-52a4-8023-6c5fa198aff7", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Wizard Spider uses Diavol", "source_ref": "intrusion-set--52918eb2-1019-5fc1-81e4-f456961ad2d7", "target_ref": "malware--de52245d-bc30-5ac4-acf3-75abe2d34505", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1f587893-b26b-5e88-8b02-690e94cd1ae4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Wizard Spider uses Ryuk", "source_ref": "intrusion-set--52918eb2-1019-5fc1-81e4-f456961ad2d7", "target_ref": "malware--60127783-e788-5ff4-80cb-6bcc68cedfec", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--115abb30-092d-5165-8215-8c37d96c60af", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Sandworm Team uses NotPetya", "source_ref": "intrusion-set--e38d9368-1fc5-5272-9a84-bbd1687754b1", "target_ref": "malware--87cdd78c-c77f-5bc8-8b32-a03c50e8313c", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c3860e72-d87a-5a05-bf67-fc5ed29a4e6f", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Indrik Spider uses BitPaymer", "source_ref": "intrusion-set--99b03a7c-0d44-50b8-95c4-17b65a432131", "target_ref": "malware--ddd18fe3-7625-5a41-a9c1-bf2b6fd4d05f", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2c51a2ef-5841-5644-b012-16d8a44c3059", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Indrik Spider uses WastedLocker", "source_ref": "intrusion-set--99b03a7c-0d44-50b8-95c4-17b65a432131", "target_ref": "malware--dd01729e-2713-587b-81af-63a9b6a694fc", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e0b4329b-44cc-5483-9918-b69e13974836", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group TA505 uses Clop", "source_ref": "intrusion-set--ba5c38a7-90b3-56b8-9679-d81657c27e71", "target_ref": "malware--32ba22c1-3caa-5360-874f-6e3b71b62b6f", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8139f1cd-f977-590f-82fd-18e7a21f0f45", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group TA505 uses Locky", "source_ref": "intrusion-set--ba5c38a7-90b3-56b8-9679-d81657c27e71", "target_ref": "malware--2d75eb22-d2e3-59fa-a6d9-c5054fe3a467", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a2dfefec-7964-572c-9b0a-14abac760d4b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Andariel uses Maui Ransomware", "source_ref": "intrusion-set--db376406-b801-5ece-9a25-a7d48047a48b", "target_ref": "malware--2b453d9c-ab10-5237-a3b9-89d4bacf1430", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ae14ce3b-f4ca-5f5d-8837-d9b79c1ccea4", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group GOLD DUPONT uses RansomEXX", "source_ref": "intrusion-set--c12b22b6-e5bf-597f-ad05-c218456a3913", "target_ref": "malware--07d05a66-01e8-5a11-8677-fda25641d543", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9bf88cce-018e-5601-a370-b5a893ab5bdc", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group FIN7 uses REvil", "source_ref": "intrusion-set--83e21d94-4b24-53f8-a468-b3584473ba60", "target_ref": "malware--3e855f81-45bf-5bcf-95e7-5e3b432e4122", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ebdec8d4-f824-5dcf-af9f-161dc726f02b", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group GOLD SOUTHFIELD uses REvil", "source_ref": "intrusion-set--81226d95-5a39-5102-92e8-fda05fa4abb2", "target_ref": "malware--3e855f81-45bf-5bcf-95e7-5e3b432e4122", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cb1c8eec-6da0-524a-ba0d-e6a0fd928196", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group FIN6 uses Ryuk", "source_ref": "intrusion-set--87a1b7a6-46ea-564b-88e0-27349eeb221d", "target_ref": "malware--60127783-e788-5ff4-80cb-6bcc68cedfec", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ab1c2687-e8e0-5335-b044-22e3064b0605", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group BOSS SPIDER uses SamSam", "source_ref": "intrusion-set--84c4e006-a361-53a9-92a7-d03743acf737", "target_ref": "malware--68c3b37a-b520-54ff-b13d-14b3a13ac35d", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--89e3c078-2680-583b-bda8-92d8a566a1e2", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Lazarus Group uses WannaCry", "source_ref": "intrusion-set--dccc0a9e-ccee-50bf-9b4b-7105bea57f49", "target_ref": "malware--e666ab80-a467-5831-a684-cf4511cb6e7c", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--34e64bf7-be32-5dc8-9b76-3fc06d3e5a08", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group FIN8 uses Ragnar Locker", "source_ref": "intrusion-set--b66dc49e-5b78-53a6-a3a8-a17b12041d3c", "target_ref": "malware--485575ee-9a92-5be8-a032-0afef967089c", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8baabe79-4acf-562d-a235-f55862ba2d42", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group EXOTIC LILY\n uses Conti", "source_ref": "intrusion-set--82f760f9-3e58-5426-a14e-80a6d70af200", "target_ref": "malware--0391cf2f-1777-5bc1-9b11-dbd3b5f2cea2", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6ac93f83-7de7-5e26-9633-ba73bbafdf23", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group EXOTIC LILY\n uses Diavol", "source_ref": "intrusion-set--82f760f9-3e58-5426-a14e-80a6d70af200", "target_ref": "malware--de52245d-bc30-5ac4-acf3-75abe2d34505", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--76d43c43-7070-5d51-a63f-a9db3b6cc2ef", "created_by_ref": "identity--221c1248-e62e-56e5-bbfb-7d5efc477271", "created": "2024-08-22T00:00:00.000Z", "modified": "2024-08-22T00:00:00.000Z", "relationship_type": "uses", "description": "The group Cinnamon Tempest uses Cheerscrypt", "source_ref": "intrusion-set--53ba95a2-5c9b-5f48-80d0-6b8146a15a9e", "target_ref": "malware--aeb15a98-a3ee-58c5-a6ca-20dfb1a46825", "object_marking_refs": [ "marking-definition--221c1248-e62e-56e5-bbfb-7d5efc477271", "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] } ] }