Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/d4rk-d4nph3/Ransomware-Reports
This repo is a collection of Ransomware reports from vendors, researchers, etc.
ransomware ransomware-detection ransomware-maze ransomware-resources ryuk-ransomware
Last synced: 2 days ago
- Host: GitHub
- URL: https://github.com/d4rk-d4nph3/Ransomware-Reports
- Owner: d4rk-d4nph3
- Created: 2020-08-07T05:28:54.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2022-09-09T16:38:51.000Z (about 2 years ago)
- Last Synced: 2024-08-03T22:07:09.162Z (4 months ago)
- Topics: ransomware, ransomware-detection, ransomware-maze, ransomware-resources, ryuk-ransomware
- Homepage:
- Size: 30.3 KB
- Stars: 110
- Watchers: 11
- Forks: 34
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-ransomware - Ransomware Reports
README
# Ransomware-Reports
[![Made with](https://img.shields.io/static/v1?label=Ransomware&message=Reports&color=blueviolet)](https://github.com/d4rk-d4nph3/Ransomware-Reports)
[![Made with](https://img.shields.io/static/v1?label=Contribution&message=Welcomed&color=green)](https://github.com/d4rk-d4nph3/Ransomware-Reports)
![image](https://user-images.githubusercontent.com/61026070/101016029-599dab00-3590-11eb-81e5-1426d770da1d.png)
![image](https://user-images.githubusercontent.com/61026070/111995083-a22da400-8b40-11eb-8af0-5ccdf0c9350e.png)
VirusTotal's RANSOMWARE IN A GLOBAL CONTEXT, Oct 2021
![image](https://user-images.githubusercontent.com/61026070/100091146-57469d00-2e7c-11eb-82f9-f05ff269aab8.png)
![image](https://user-images.githubusercontent.com/61026070/117789715-5659ca00-b268-11eb-9f2b-ce94ff93bab2.png)
![image](https://user-images.githubusercontent.com/61026070/117790096-be101500-b268-11eb-99af-060c043d4824.png)
![image](https://user-images.githubusercontent.com/61026070/109959042-0e21a700-7d0f-11eb-9262-5775c4230779.png)
![image](https://user-images.githubusercontent.com/61026070/109959086-21cd0d80-7d0f-11eb-9337-65dbe61cd270.png)
![image](https://user-images.githubusercontent.com/61026070/109959097-24c7fe00-7d0f-11eb-945e-0928b31128d5.png)
![image](https://user-images.githubusercontent.com/61026070/101498365-1ed2b300-3994-11eb-9cc1-c79dc2ee9a56.png)
This repository serves as an archive of publicly available reports/whitepapers/articles related to Ransomware. This might be useful for researchers as a reference as I didn't find a central repository containing these reports.
This repo is inspired by [threat-INTel](https://github.com/fdiskyou/threat-INTel) and [APTnotes](https://github.com/kbandla/APTnotes).
## Disclaimer
This repository collects detailed analyses of ransomware, not non-technical blog posts about ransomware such as those from ZDNet, Dark Reading, etc.
Special thanks to [Group-IB](https://www.group-ib.com/) whose pictures are extensively used here.
## Generic
- [AGCS - RANSOMWARE TRENDS: RISKS AND RESILIENCE](https://www.agcs.allianz.com/content/dam/onemarketing/agcs/agcs/reports/agcs-ransomware-trends-risks-and-resilience.pdf)
- [VirusTotal - RANSOMWARE IN A GLOBAL CONTEXT - Oct 2021](https://storage.googleapis.com/vtpublic/vt-ransomware-report-2021.pdf)
- [McAfee - Advanced Threat Research Report: October 2021 - Oct 2021](https://www.mcafee.com/enterprise/en-us/lp/threats-reports/oct-2021.html)
- [Sophos - The State of Ransomware 2021 - 2021](https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf)
- [Analyst1 - RANSOM MAFIA. ANALYSIS OF THE WORLD’S FIRST RANSOMWARE CARTEL - Apr 2021](https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf)
- [Darktracer - Intelligence Report on Ransomware Gangs on the Dark Web](https://drive.google.com/file/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3/view)
- [FSecure - Attack landscape update: Ransomware 2.0, automated recon, and supply chain attacks - Mar 2021](https://blog.f-secure.com/attack-landscape-update-h1-2021)
- [Emsisoft - Ransomware statistics for 2020: Year in summary - Mar 2021](https://blog.emsisoft.com/en/38259/ransomware-statistics-for-2020-year-in-summary/)
- [Threatpost - 2021: The Evolution of Ransomware - Apr 2021](https://threatpost.com/ebooks/2021-the-evolution-of-ransomware)
- [Trend Micro - THE STATE OF RANSOMWARE 2020’s Catch-22 - Feb 2021](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-state-of-ransomware-2020-s-catch-22)
- [Group-IB - Ransomware Uncovered 2020/2021 - Mar 2021](https://www.group-ib.com/resources/threat-research/ransomware-2021.html)
- [Hunters after ransomwares - Jul 2020](https://forensixchange.com/posts/20_07_13_ransomware/)
- [FireEye - The Evolving Maturity in Ransomware Operations: A Black Hat Europe 2020 Whitepaper - Dec 2020](https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf)
- [FireEye - It's not FINished - The Evolving Maturity in Ransomware Operations - 2020](https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf)
- [Datto - Global State of the Channel Ransomware Report - Nov 2020](https://www.datto.com/resource-downloads/Datto-State-of-the-Channel-Ransomware-Report-v2-1.pdf)
- [Group-IB the evolution of ransomware and its distribution methods](https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf?mkt_tok=eyJpIjoiTURRd09XRXhZVFpsTXpJMiIsInQiOiJveklIclN0d0dYWXl2ZFQ3XC9ZYVE3VEtcL3lJV0k0WkYzdXNyQkZoajFNWUpnN0FaTTJhaUhBaklDazdhQjRkWVJFVUxqeFhXRzlIZkpZQ2V5bkJzc1hSbkxxa0xXUHFaM2tsUW5CTE85V0JJT0g5NWw5eEFnR2t1TEprVDRcL2s2SCJ9)
- [Sophos - THE STATE OF RANSOMWARE 2020 - May 2020](https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf)
- [BitDefender - Ransomware A Victim’s Perspective: A study on US and European Internet Users - Jan 2016](https://download.bitdefender.com/resources/files/News/CaseStudies/study/59/Bitdefender-Ransomware-A-Victim-Perspective.pdf)
- [Sophos - How Ransomware Attacks](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-ransomware-behavior-report.pdf)
- [FireEye - Ransomware Protection and Containment Strategies Whitepaper](https://raw.githubusercontent.com/browninfosecguy/Malware-Reports/master/wp-ransomware-protection-and-containment-strategies.pdf)
- [TrendLabs - Ransomware Past, Present, and Future](https://altcomp.mx/wp-content/uploads/2017/06/ransomware-presente-pasado-y-futuro-trend-micro.pdf)
- [ESET - TRENDS IN ANDROID RANSOMWARE - 2017](https://www.welivesecurity.com/wp-content/uploads/2017/02/ESET_Trends_2017_in_Android_Ransomware.pdf)
- [SentinelOne - RANSOMWARE RESEARCH DATA SUMMARY - 2016](https://go.sentinelone.com/rs/327-MNM-087/images/Data%20Summary%20-%20English.pdf)
- [Malwarebytes - CYBERCRIME TACTICS AND TECHNIQUES: Ransomware Retrospective - Aug 2019](https://resources.malwarebytes.com/files/2019/08/CTNT-2019-Ransomware_August_FINAL.pdf)
- [McAfee - Targeted Ransomware No Longer a Future Threat - Feb 2016](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-targeted-ransomware.pdf)
- [Ransomware And Data Leak Site Publication Time Analysis - Apr 2021](https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/)
- [PwC - Responding to the growing threat of human-operated ransomware attack - 2020](https://www.pwc.fr/fr/assets/files/pdf/2021/02/en-france-pwc-ransomware-livre-blanc-2021.pdf)
## BlackCat
- [Microsoft - The many lives of BlackCat ransomware - Jul 2022](https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/)
- [TrendMicro - An Investigation of the BlackCat Ransomware via Trend Micro Vision One - Apr 2022](https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html)
- [Unit42 - Threat Assessment: BlackCat Ransomware - Jan 2022](https://unit42.paloaltonetworks.com/blackcat-ransomware/)
- [Security Scorecard - A Deep Dive Into ALPHV/BlackCat Ransomware](https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware)
## Hive
- [Microsoft - Hive ransomware gets upgrades in Rust - Jul 2022](https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/)
- [Group-IB - Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples - Sep 2021](https://blog.group-ib.com/hive)
- [SentinelOne - Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare - Aug 2021](https://www.sentinelone.com/labs/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/)
## Vice Society
- [Cisco Talos - Vice Society leverages PrintNightmare in ransomware attacks - Aug 2021](https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html)
## Quantum
- [The DFIR Report - Quantum Ransomware - Apr 2022](https://thedfirreport.com/2022/04/25/quantum-ransomware/)
## Monti
- [BlackBerry - The Curious Case of “Monti” Ransomware: A Real-World Doppelganger - Sep 2022](https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger)
## BlackByte
- [ZScaler - Analysis of BlackByte Ransomware's Go-Based Variants - May 2022](https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants)
- [Picus - TTPs used by BlackByte Ransomware Targeting Critical Infrastructure - Feb 2022](https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure)
- [FBI Alert - Indicators of Compromise Associated with BlackByte Ransomware - Feb 2022](https://www.ic3.gov/Media/News/2022/220211.pdf)
- [Red Canary - ProxyShell exploitation leads to BlackByte ransomware - Nov 2021](https://redcanary.com/blog/blackbyte-ransomware/)
- [Trustwave - BlackByte Ransomware – Pt. 1 In-depth Analysis - Oct 2021](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/)
## DarkSide
- [CISA – Malware Analysis Report (AR21-189A)](https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-189a)
- [Acronis – Threat analysis: DarkSide Ransomware](https://www.acronis.com/en-us/articles/darkside-ransomware/)
- [Qualys – DarkSide Ransomware – Jun 2021](https://blog.qualys.com/vulnerabilities-threat-research/2021/06/09/darkside-ransomware)
- [Cyber Geeks – A STEP-BY-STEP ANALYSIS OF A NEW VERSION OF DARKSIDE RANSOMWARE (V. 2.1.2.3) – Jun 2021](https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/)
- [PICUS - Illuminating Darkside - Jun 2021](https://media-exp1.licdn.com/dms/document/C4E1FAQH7qgjCN8BUeg/feedshare-document-pdf-analyzed/0/1624643470048?e=1624942800&v=beta&t=wOZeGbu1HE66QHj1tNRsBQ_OhWcWUyw53J5H9wc9JHY)
- [FireEye - Shining a Light on DARKSIDE Ransomware Operations - May 2021](https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html)
- [Zawadi Done - DarkSide ransomware analysis - Oct 2020](https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html)
- [DarkSide Hand-Ransomware - Aug 2020](https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html)
- [Varonis - Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign - Mar 2021](https://www.varonis.com/blog/darkside-ransomware/)
## BlackMatter [Previously DarkSide]
- [CISA - Alert AA21-291A: BlackMatter Ransomware – Oct 2021](https://www.cisa.gov/uscert/ncas/alerts/aa21-291a)
- [Varonis - BlackMatter Ransomware: In-Depth Analysis & Recommendations - Nov 2021](https://www.varonis.com/blog/blackmatter-ransomware)
- [McAfee - BlackMatter Ransomware Analysis; The Dark Side Returns - Sep 2021](https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/blackmatter-ransomware-analysis-the-dark-side-returns/)
- [Nozomi - BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs - Sep 2021](https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/)
- [Cyble - Dissecting BlackMatter Ransomware - Aug 2021](https://blog.cyble.com/2021/08/05/dissecting-blackmatter-ransomware/)
## Avaddon
- [Acronis - Avaddon ransomware cleans the bin for you](https://www.acronis.com/en-us/articles/avaddon-ransomware/)
- [AWAKE - Threat Hunting for Avaddon Ransomware](https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/)
- [Cybereason - Cybereason vs. Avaddon Ransomware - Apr 2021](https://www.cybereason.com/blog/cybereason-vs.-avaddon-ransomware)
- [SUBEX - Avaddon Ransomware - Jun 2020](https://www.subexsecure.com/pdf/malware-reports/June-2020/Avaddon_Ransomware.pdf)
- [FBI Flash - CU-000145-MW - May 2021](https://agileblue.com/wp-content/uploads/2021/05/flash_avaddon_ransomware.pdf)
- [TrendMicro - Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted - Jul 2020](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted)
- [Avaddon ransomware: an in-depth analysis and decryption of infected systems - Feb 2021](https://arxiv.org/pdf/2102.04796.pdf)
## Conti
- [THE DFIR REPORT – CONTInuing the Bazar Ransomware Story](https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story)
- [THE DFIR REPORT - BazarLoader and the Conti Leaks - Oct 2021](https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/)
- [THE DFIR REPORT - BazarLoader to Conti Ransomware in 32 Hours - Sep 2021](https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/)
- [THE DFIR REPORT - BazarCall to Conti Ransomware via Trickbot and Cobalt Strike - Aug 2021](https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/)
- [Sophos - Conti affiliates use ProxyShell Exchange exploit in ransomware attacks - Sep 2021](https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/?cmp=30728)
- [THE DFIR REPORT - Conti Ransomware - May 2021](https://thedfirreport.com/2021/05/12/conti-ransomware/)
- [Malware News - Conti Ransomware - May 2021](https://malware.news/t/conti-ransomware/49008)
- [NCSC - Ransomware Attack on Health Sector - May 2021](https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf)
- [TrendMicro - Trend Micro Vision One: Tracking Conti Ransomware - Mar 2021](https://www.trendmicro.com/en_us/research/21/c/vision-one-tracking-conti-ransomware.html)
- [Carbon Black - TAU Threat Discovery: Conti Ransomware - Jul 2020](https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/)
- [Vipre - How Conti Ransomware Works and Our Analysis - Mar 2021](https://labs.vipre.com/how-conti-ransomware-works-and-our-analysis)
- [ClearSky - CONTI Modus Operandi and Bitcoin Tracking - Feb 2021](https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf)
- [Cyber Geeks - DISSECTING THE LAST VERSION OF CONTI RANSOMWARE USING A STEP-BY-STEP APPROACH - Jul 2021](https://cybergeeks.tech/dissecting-the-last-version-of-conti-ransomware-using-a-step-by-step-approach/)
## Clop
- [Sequretek - CLOP RANSOMWARE - Oct 2020](https://sequretek.com/wp-content/uploads/2018/10/Sequretek-Advisory-Clop-Ransomware_.pdf)
- [McAfee - Clop Ransomware - Aug 2019](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/)
- [Ahnlab - CLOP Ransomware that Attacked Korean Distribution Giant - Jan 2021](https://asec.ahnlab.com/en/19542/)
- [Cybereason - Cybereason vs. Clop Ransomware - Dec 2020](https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware)
- [Hornet Security - Clop, Clop! It’s a TA505 HTML malspam analysis - Jul 2020](https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/)
- [NCCGroup - TA505: A Brief History Of Their Time - Nov 2020](https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/)
- [ProofPoint - TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader - Oct 2019](https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader)
## Diavol
- [THE DFIR REPORT – Diavol Ransomware – Dec 2021](https://thedfirreport.com/2021/12/13/diavol-ransomware/)
- [Fortinet – Diavol - A New Ransomware Used By Wizard Spider? – Jul 2021](https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider)
- [Security Intelligence – Analysis of Diavol Ransomware Reveals Possible Link to TrickBot Gang – Aug 2021](https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/)
## ProLock
- [Group-IB - Lock like a Pro: How Qakbot fuels enterprise ransomware campaigns](https://www.group-ib.com/whitepapers/prolock.html)
## Netwalker
- [DFIR Report - NetWalker Ransomware in 1 Hour - Aug 2020](https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/)
- [TrendMicro - Reflective Loading Runs Netwalker Fileless Ransomware - May 2020](https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html)
## Babuk
- [McAfee - Technical Analysis of Babuk Ransomware - Feb 2021](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf)
## Egregor
- [Group-IB – Egregor ransomware: The legacy of Maze lives on – Nov 2020](https://www.group-ib.com/whitepapers/egregor-ransomware.html?utm_source=group-ib&utm_medium=blog&utm_content=eng)
- [Cybereason – Cybereason vs. Egregor Ransomware – Nov 2020](https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware)
- [Cyble – EGREGOR RANSOMWARE – A DEEP DIVE INTO ITS ACTIVITIES AND TECHNIQUES – Oct 2020](https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/)
## Maze
- [FireEye Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents - May 2020](https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html)
- [BitDefender - A Technical Look into Maze Ransomware Whitepaper](https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf)
- [McAfee - Ransomware Maze - Mar 2020](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/)
- [Preempt - Maze Ransomware Analysis and Protection](https://www.preempt.com/blog/maze-ransomware-protection/)
- [IronNet Blog - Navigating Maze ransomware](https://www.ironnet.com/blog/tracking-maze-ransomware)
- [Crowdstrike - The Many Paths Through Maze - May 2020](https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/)
- [HHS Cybersecurity Program - 06/04/2020](https://www.hhs.gov/sites/default/files/maze-ransomware.pdf)
- [The National Cyber-Forensics and Training Alliance Whitepaper - December 02, 2019](https://1f3r982zgpjh2wuihs3suki9-wpengine.netdna-ssl.com/wp-content/uploads/2019/12/Maze_Whitepaper.pdf)
- [Maze Ransomware Campaign Spoofs Italian Revenue Agency Correspondence - Oct 2019](https://www.infoblox.com/wp-content/uploads/threat-intelligence-report-maze-ransomware-campaign-spoofs-Italian-revenue-agency-correspondence.pdf)
- [ShieldX Maze Ransomware: Try Not to Be A’Maze’d - Nov 2018](https://www.shieldx.com/wp-content/uploads/2020/05/ShieldX-Maze-Ransomware-Blog.pdf)
- [McAfee Labs Threat Advisory Ransomware-Maze - Feb 2020](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/92000/KB92415/en_US/McAfee_Labs_Threat_Advisory_Maze.pdf)
- [DSCI MAZE RANSOMWARE TECHNICAL REPORT - 2020](https://www.dsci.in/sites/default/files/Maze_Ransomware_Technical_Report.pdf)
- [Threat Actor TA2101 (ProofPoint) using Maze Ransomware to target Government and Commercial Entities - Jan 2020](https://www.fipco.com/solutions/it-audit-security/cyber-security-resources-links/CISAActivityAlert_AA20-017A_TA2101-Maze_Ransomware.pdf)
- [Cyberint - Cognizant Hit by MAZE Ransomware - Apr 2020](https://e.cyberint.com/hubfs/Cognizant%20Hit%20by%20MAZE%20Ransomware-%20Report/Cyberint-Cognizant%20Hit%20by%20MAZE%20Ransomware-Report.pdf)
- [Ransomware Attackers Use Your Cloud Backups Against You](https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/)
## Ryuk
- [Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021 - Apr 2021](https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021)
- [Abdallah Elshinbary - Deep Analysis of Ryuk Ransomware](https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware)
- [Malwation - RYUK Ransomware Technical Analysis Report - 2020](https://malwation.com/wp-content/uploads/2020/11/RYUK-EN.pdf)
- [LogPoint – Comprehensive Detection of Ryuk Ransomware - Nov 2020](https://www.logpoint.com/en/blog/ryuk-ransomware/)
- [Red Canary - A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak - Nov 2020](https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/)
- [Sophos - They’re back: inside a new Ryuk ransomware attack - Oct 2020](https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/)
- [DFIR Report - Ryuk's Return - Oct 2020](https://thedfirreport.com/2020/10/08/ryuks-return/)
- [DFIR Report - Ryuk in 5 hours - Oct 2020](https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/)
- [VMware Carbon Black TAU: Ryuk Ransomware Technical Analysis - Feb 2020](https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/)
- [Red Canary - The Third Amigo: detecting Ryuk ransomware - Feb 2020](https://redcanary.com/blog/ryuk-ransomware-attack/)
- [FortiGuard Labs: Ryuk Revisited - Analysis of Recent Ryuk Attack - Mar 2020](https://www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack)
- [Checkpoint Research - Ryuk Ransomware: A Targeted Campaign Break-Down - Aug 2018](https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/)
- [Malware News - Analysis of Ryuk Ransomware - Dec 2019](https://malware.news/t/analysis-of-ryuk-ransomware/35355)
- [CISA Alert (TA17-132A) - Indicators Associated With WannaCry Ransomware - May 2017](https://us-cert.cisa.gov/ncas/alerts/TA17-132A)
- [Security Literate - REVERSING RYUK: A TECHNICAL ANALYSIS OF RYUK RANSOMWARE - Apr 2020](https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/)
- [ZScaler - Examining the Ryuk Ransomware - Oct 2019](https://www.zscaler.com/blogs/research/examining-ryuk-ransomware)
- [Crowdstrike - Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware - Jan 2019](https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/)
- [HHS Cybersecurity Program - Ryuk Update - Jan 2020](https://www.hhs.gov/sites/default/files/ryuk-update.pdf)
- [FBI Flash - Indicators of Compromise Associated with Ryuk Ransomware - May 2019](https://www.waterisac.org/system/files/articles/FLASH-MC-000103-MW-Ryuk.pdf)
- [Homeland Security and Emergency Services - Threat Report: Emotet, TrickBot, and Ryuk](https://www.nyshfa-nyscal.org/files/2019/08/Notification_101809.pdf)
- [RANSOMWARE PLAYBOOK A Special Incident Response Guide for Handling Ryuk Ransomware (Triple-Threat) Attacks - Oct 2019](https://dragonadvancetech.com/reports/Ransomware%20Playbook_v3.3.pdf)
- [Securonix Threat Research - Securonix Threat Research: Detecting High-Impact Targeted Cloud/MSP $14M+ Ryuk and REvil Ransomware Attacks - Jan 2020](https://www.securonix.com/web/wp-content/uploads/2019/12/Securonix-Threat-Research-Cloud-MSP-Ryuk-REvil-Ransomware-Report.pdf)
- [CIS - Security Primer – Ryuk](https://www.cisecurity.org/white-papers/security-primer-ryuk/)
## REvil (Sodinokibi)
- [REvil Ransomware Malware Analysis](https://www.threatmonit.io/revil-ransomware-malware-analysis/)
- [Group-IB - REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs - Jun 2021](https://blog.group-ib.com/revil_raas)
- [Cybereason - Sodinokibi: The Crown Prince of Ransomware - Aug 2019](https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack)
- [Secureworks - REvil/Sodinokibi Ransomware - Sep 2019](https://www.secureworks.com/research/revil-sodinokibi-ransomware)
- [REvil - Sodinokibi Technical analysis and Threat Intelligence Report - 2019](https://www.tgsoft.it/immagini/news/20190705Sodinokibi/Sodinokibi_eng.pdf)
- [DarkTrace - Post-mortem of a targeted Sodinokibi ransomware attack - Feb 2020](https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/)
- [McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us - Oct 2019](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/)
- [BlackBerry ThreatVector Blog - Threat Spotlight: Sodinokibi Ransomware - Jul 2019](https://blogs.blackberry.com/en/2019/07/threat-spotlight-sodinokibi-ransomware)
- [A brief history and further technical analysis of Sodinokibi Ransomware - Jan 2020](https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware)
- [Acronis - Taking Deep Dive into Sodinokibi Ransomware](https://www.acronis.com/en-eu/articles/sodinokibi-ransomware/)
- [Cisco Talos - Sodinokibi ransomware exploits WebLogic Server vulnerability - Apr 2019](https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html)
- [Sodinokibi Analysis Process](https://malware.news/t/sodinokibi-analysis-process/36482)
- [Cynet Labs - Ransomware Never Dies – Analysis of New Sodinokibi Ransomware Variant - Jul 2019](https://www.cynet.com/blog/ransomware-never-dies-analysis-of-new-sodinokibi-ransomware-variant/)
- [KPN - Tracking REvil](https://www.kpn.com/security-blogs/tracking-revil.htm)
- [Intel471 - REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation - Mar 2020](https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/)
- [SISA - REvil RANSOMWARE - May 2020](https://www.sisainfosec.com/downloads/Advisory/REvil-Ransomware-Sodinokibi-RaaS.pdf)
- [Tesorion - A connection between the Sodinokibi and GandCrab ransomware families?](https://www.tesorion.nl/aconnection-between-the-sodinokibi-and-gandcrab-ransomware-families/)
- [Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike - Jun 2020](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos)
- [McAfee Labs Threat Advisory Ransomware-Sodinokibi - Apr 2020](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/92000/KB92632/en_US/Threat_Advisory_Sodinokibi-1.pdf)
- [Arete - Sodinokibi Ransomware 2020](https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodinokibi-Ransomware-Stats_June-2020-1.pdf)
- [Securonix Threat Research: Detecting High-Impact Targeted Cloud/MSP $14M+ Ryuk and REvil Ransomware Attacks - Jan 2020](https://www.securonix.com/web/wp-content/uploads/2019/12/Securonix-Threat-Research-Cloud-MSP-Ryuk-REvil-Ransomware-Report.pdf)
- [ZDNet - REvil ransomware gang launches auction site to sell stolen data - 2020](https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/)
## GandCrab
- [Acronis - Evolution of GandCrab Ransomware](acronis.com/en-eu/articles/gandcrab/)
- [VMRay - The Evolution of GandCrab Ransomware - Jun 2018](https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/)
- [Securonix Threat Research - GANDCRAB RANSOMWARE ATTACK](https://www.securonix.com/web/wp-content/uploads/2018/07/Securonix-Threat-Research-GandCrab-Ransomware-Attack.pdf)
- [FortiNet - GandCrab V4.0 Analysis: New Shell, Same Old Menace - Jul 2018](https://www.fortinet.com/blog/threat-research/gandcrab-v4-0-analysis--new-shell--same-old-menace)
- [CheckPoint - The GandCrab Ransomware Mindset - Mar 2018](https://research.checkpoint.com/2018/gandcrab-ransomware-mindset/)
- [Tesorion - A connection between the Sodinokibi and GandCrab ransomware families?](https://www.tesorion.nl/aconnection-between-the-sodinokibi-and-gandcrab-ransomware-families/)
- [BitDefender - GandCrab: The Most Popular Multi-Million Dollar Ransomware of the Year - Oct 2018](https://labs.bitdefender.com/2018/10/gandcrab-the-most-popular-multi-million-dollar-ransomware-of-the-year/)
- [Unpacking GandCrab Ransomware](https://secrary.com/ReversingMalware/UnpackingGandCrab/)
## WannaCry
- [LogRhythm - A Technical Analysis of WannaCry Ransomware - May 2017](https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/)
- [FireEye - WannaCry Malware Profile - May 2017](https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html)
- [Cisco Talos - Player 3 Has Entered the Game: Say Hello to 'WannaCry' - May 2017](https://blog.talosintelligence.com/2017/05/wannacry.html)
- [Antiy Labs - IN-DEPTH ANALYSIS REPORT ON WANNACRY RANSOMWARE - Jul 2017](https://www.antiy.net/p/in-depth-analysis-report-on-wannacry-ransomware/)
- [Secureworks - WCry Ransomware Analysis - May 2017](https://www.secureworks.com/research/wcry-ransomware-analysis)
- [Sophos - WannaCry Aftershock](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf)
- [McAfee Labs - Further Analysis of WannaCry Ransomware - May 2017](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analysis-wannacry-ransomware/)
- [ThaiCERT - WannaCry Ransomware - May 2017](https://www.nksc.lt/doc/ENISA-WannaCry-v1.0.pdf)
- [WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms](https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf)
- [Recorded Future - What Is WannaCry? Analyzing the Global Ransomware Attack - May 2017](https://www.recordedfuture.com/wannacry-ransomware-analysis/)
- ["WannaCry" ransomware attack: Technical intelligence analysis - May 2017](https://www.ey.com/Publication/vwLUAssets/ey-wannacry-ransomware-attack/$File/ey-wannacry-ransomware-attack.pdf)
- [Tripwire - WANNACRY RANSOMWARE](https://www.tripwire.com/-/media/tripwiredotcom/files/datasheet/tripwire_wannacry_tech_note.pdf?rev=5f91e2aa13e249a6a1e0189d38d9b2bd)
- [Elastic - WCry/WanaCry ransomware technical analysis - May 2017](https://www.elastic.co/blog/wcrywanacry-ransomware-technical-analysis)
- [CRITICAL ALERT - Wannacry / WannaCrypt Ransomware](https://www.cyberswachhtakendra.gov.in/documents/WannacryWannaCryptRansomware_CRITICAL_ALERT_CERT-In.pdf)
- [CERT-MU THE WANNACRY RANSOMWARE - May 2017](http://cert-mu.govmu.org/English/Documents/White%20Papers/White%20Paper%20-%20The%20WannaCry%20Ransomware%20Attack.pdf)
- [Analyzing WannaCry Ransomware Considering the Weapons and Exploits Whitepaper](http://icact.org/upload/2018/0708/20180708_finalpaper.pdf)
- [Intezer - WannaCry Ransomware: Potential Link to North Korea](https://www.intezer.com/wp-content/uploads/2017/07/Intezer-WannaCry.pdf)
- [Department of Health: Investigation: WannaCry cyber attack and the NHS](https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf)
- [Applying Diamond Model on WannaCry Ransomware Incident](https://apurvsinghgautam.me/blogfiles/applying_diamond_model_on_wannacry_ransomware_incident.html)
## Dharma
- [Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools - Jul 2018](https://www.carbonblack.com/blog/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/)
- [Panda Security - Ransomware from the Crysis/Dharma family Report - Nov 2017](https://www.pandasecurity.com/mediacenter/src/uploads/2017/11/Ransomware_Crysis-Dharma-en.pdf)
- [Comodo - Dharma 2.0 ransomware continues to wreak havoc with new variant - Mar 2020](https://blog.comodo.com/pc-security/dharma-2-0-ransomware-continues-with-new-variant/)
- [DarkTrace - Old but still dangerous – Dharma ransomware via RDP intrusion - May 2020](https://www.darktrace.com/en/blog/old-but-still-dangerous-dharma-ransomware-via-rdp-intrusion/)
- [Crowdstrike - Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques - Apr 2020](https://www.crowdstrike.com/blog/targeted-dharma-ransomware-intrusions-exhibit-consistent-techniques/)
- [FortiNet - Dharma Ransomware: What It’s Teaching Us - Nov 2018](https://www.fortinet.com/blog/threat-research/dharma-ransomware--what-it-s-teaching-us)
- [Cymulate - Immediate Threat Analysis – New Dharma Ransomware Strain Found in the Wild - Aug 2019](https://blog.cymulate.com/immediate-threat-analysis-new-dharma-ransomware)
- [Quick Heal - An analysis of the Dharma ransomware outbreak by Quick Heal Security Labs - May 2018](https://blogs.quickheal.com/analysis-dharma-ransomware-outbreak-quick-heal-security-labs/)
- [Quick Heal - Dharma Ransomware Variant Malspam Targeting COVID-19 - Apr 2020](https://blogs.quickheal.com/dharma-targeting-covid-19/)
- [Dharma ransomware. 36 Variants listed. 2020 removal instructions - Aug 2020](https://www.2-spyware.com/remove-dharma-ransomware-virus.html)
## Samsam
- [Crowdstrike - An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER - May 2018](https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/)
- [Sophos - SamSam Ransomware Chooses Its Targets Carefully - Apr 2018](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf)
- [Secureworks - SamSam Ransomware Campaigns - Feb 2018](https://cyberriskleaders.com/wp-content/uploads/2018/02/Public-Secureworks-Threat-Analysis-SamSam_FINAL_Feb_19_2018.pdf)
- [Malwarebytes - SamSam ransomware: controlled distribution for an elusive malware - Jun 2018](https://blog.malwarebytes.com/threat-analysis/2018/06/samsam-ransomware-controlled-distribution/)
- [Sophos - SamSam: The (Almost) Six Million Dollar Ransomware](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf)
- [CISA Alert (AA18-337A) SamSam Ransomware - Dec 2018](https://us-cert.cisa.gov/ncas/alerts/AA18-337A?mkt_tok=eyJpIjoiTlRNeU5ERm1NVFU1WVRnNSIsInQiOiJGenFMTjhQUG5jc1QxV2NUQmduRDhhVjQySjRvS0xobTh5UVlUTTR6M0ZPRDBiaUdtUjhyXC9FTmtYbFNuMytwQnpWXC9lYzk0K2pVOTVyMmxubnlwNHFFZmZtbHBKNjZpK3BaNk1vSnI3VjdqQkRYMzRJN1E3SmRZREZ2dTQrN1NMIn0%3D)
- [Healthcare Cybersecurity and Communications Integration Center - Report on Ongoing SamSam Ransomware Campaigns - Mar 2018](https://www.aha.org/system/files/2018-04/corrected-HCCIC-2018-002W-SamSam-Ransomware-Campaign.pdf)