Ransomware-Reports
VirusTotal's RANSOMWARE IN A GLOBAL CONTEXT, Oct 2021
This repository serves as an archive of publicly available reports/whitepapers/articles related to Ransomware. This might be useful for researchers as a reference as I didn't find a central repository containing these reports.
This repo is inspired from threat-INTel and APTnotes.
Disclaimer
The content in this repository contains detailed analysis of the ransomware and not non-technical blogs about the ransomware like from Zdnet, Dark Reading, etc.
Special thanks to Group-IB whose pictures are extensively used here.
Generic
- AGCS - RANSOMWARE TRENDS: RISKS AND RESILIENCE
- VirusTotal - RANSOMWARE IN A GLOBAL CONTEXT - Oct 2021
- McAfee - Advanced Threat Research Report: October 2021 - Oct 2021
- Sophos - The State of Ransomware 2021 - 2021
- Analyst1 - RANSOM MAFIA. ANALYSIS OF THE WORLD’S FIRST RANSOMWARE CARTEL - Apr 2021
- Darktracer - Intelligence Report on Ransomware Gangs on the Dark Web
- FSecure - Attack landscape update: Ransomware 2.0, automated recon, and supply chain attacks - Mar 2021
- Emisoft - Ransomware statistics for 2020: Year in summary - Mar 2021
- Threatpost - 2021: The Evolution of Ransomware - Apr 2021
- Trend Micro - THE STATE OF RANSOMWARE 2020’s Catch-22 - Feb 2021
- Group-IB - Ransomware Uncovered 2020/2021 - Mar 2021
- Hunters after ransomwares - Jul 2020
- FireEye - The Evolving Maturity in Ransomware Operations: A Black Hat Europe 2020 Whitepaper - Dec 2020
- FireEye - It's not FINished - The Evolving Maturity in Ransomware Operations - 2020
- Datto - Global State of the Channel Ransomware Report - Nov 2020
- Group-IB the evolution of ransomware and its distribution methods
- Sophos - THE STATE OF RANSOMWARE 2020 - May 2020
- BitDefender - Ransomware A Victim’s Perspective: A study on US and European Internet Users - Jan 2016
- Sophos - How Ransomware Attacks
- FireEye - Ransomware Protection and Containment Strategies Whitepaper
- TrendLabs - Ransomware Past, Present, and Future
- ESET - TRENDS IN ANDROID RANSOMWARE - 2017
- SentinelOne - RANSOMWARE RESEARCH DATA SUMMARY - 2016
- Malwarebytes - CYBERCRIME TACTICS AND TECHNIQUES: Ransomware Retrospective - Aug 2019
- McAfee - Targeted Ransomware No Longer a Future Threat - Feb 2016
- Ransomware And Data Leak Site Publication Time Analysis - Apr 2021
- PwC - Responding to the growing threat of human-operated ransomware attack - 2020
BlackByte
- ZScaler - Analysis of BlackByte Ransomware's Go-Based Variants - May 2022
- Picus - TTPs used by BlackByte Ransomware Targeting Critical Infrastructure - Feb 2022
- FBI Alert - Indicators of Compromise Associated with BlackByte Ransomware - Feb 2022
- Red Canary - ProxyShell exploitation leads to BlackByte ransomware - Nov 2021
- Trustwave - BlackByte Ransomware – Pt. 1 In-depth Analysis - Oct 2021
DarkSide
- CISA – Malware Analysis Report (AR21-189A)
- Acronis – Threat analysis: DarkSide Ransomware
- Qualys – DarkSide Ransomware – Jun 2021
- Cyber Geeks – A STEP-BY-STEP ANALYSIS OF A NEW VERSION OF DARKSIDE RANSOMWARE (V. 2.1.2.3) – Jun 2021
- PICUS - Illuminating Darkside - Jun 2021
- FireEye - Shining a Light on DARKSIDE Ransomware Operations - May 2021
- Zawadi Done - DarkSide ransomware analysis - Oct 2020
- DarkSide Hand-Ransomware - Aug 2020
- Varonis - Return of the Darkside: Analysis of a Large-Scale Data Theft Campaign - Mar 2021
BlackMatter [Previously DarkSide]
- CISA - Alert AA21-291A: BlackMatter Ransomware – Oct 2021
- Varonis - BlackMatter Ransomware: In-Depth Analysis & Recommendations - Nov 2021
- McAfee - BlackMatter Ransomware Analysis; The Dark Side Returns - Sep 2021
- Nozomi - BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs - Sep 2021
- Cyble - Dissecting BlackMatter Ransomware - Aug 2021
Avaddon
- Acronis - Avaddon ransomware cleans the bin for you
- AWAKE - Threat Hunting for Avaddon Ransomware
- Cybereason - Cybereason vs. Avaddon Ransomware - Apr 2021
- SUBEX - Avaddon Ransomware - Jun 2020
- FBI Flash - CU-000145-MW - May 2021
- TrendMicro - Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted - Jul 2020
- Avaddon ransomware: an in-depth analysis and decryption of infected systems - Feb 2021
Conti
- THE DFIR REPORT – CONTInuing the Bazar Ransomware Story
- THE DFIR REPORT - BazarLoader and the Conti Leaks - Oct 2021
- THE DFIR REPORT - BazarLoader to Conti Ransomware in 32 Hours - Sep 2021
- THE DFIR REPORT - BazarCall to Conti Ransomware via Trickbot and Cobalt Strike - Aug 2021
- Sophos - Conti affiliates use ProxyShell Exchange exploit in ransomware attacks - Sep 2021
- THE DFIR REPORT - Conti Ransomware - May 2021
- Malware News - Conti Ransomware - May 2021
- NCSC - Ransomware Attack on Health Sector - May 2021
- TrendMicro - Trend Micro Vision One: Tracking Conti Ransomware - Mar 2021
- Carbon Black - TAU Threat Discovery: Conti Ransomware - Jul 2020
- Vipre - How Conti Ransomware Works and Our Analysis - Mar 2021
- ClearSky - CONTI Modus Operndi and Bitcoin Tracking - Feb 2021
- Cyber Geeks - DISSECTING THE LAST VERSION OF CONTI RANSOMWARE USING A STEP-BY-STEP APPROACH - Jul 2021
Clop
- Sequretek - CLOP RANSOMWARE - Oct 2020
- McAfee - Clop Ransomware - Aug 2019
- Ahnlab - CLOP Ransomware that Attacked Korean Distribution Giant - Jan 2021
- Cybereason - Cybereason vs. Clop Ransomware - Dec 2020
- Hornet Security - Clop, Clop! It’s a TA505 HTML malspam analysis - Jul 2020
- NCCGroup - TA505: A Brief History Of Their Time - Nov 2020
- ProofPoint - TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader - Oct 2019
Diavol
- THE DFIR REPORT – Diavol Ransomware – Dec 2021
- Fortinet – Diavol - A New Ransomware Used By Wizard Spider? – Jul 2021
- Security Intelligence – Analysis of Diavol Ransomware Reveals Possible Link to TrickBot Gang – Aug 2021
ProLock
Netwalker
- DFIR Report - NetWalker Ransomware in 1 Hour - Aug 2020
- TrendMicro - Reflective Loading Runs Netwalker Fileless Ransomware - May 2020
Babuk
Egregor
- Group-IB – Egregor ransomware: The legacy of Maze lives on – Nov 2020
- Cybereason – Cybereason vs. Egregor Ransomware – Nov 2020
- Cyble – EGREGOR RANSOMWARE – A DEEP DIVE INTO ITS ACTIVITIES AND TECHNIQUES – Oct 2020
Maze
- FireEye Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents - May 2020
- BitDefender - A Technical Look into Maze Ransomware Whitepaper
- McAfee - Ransomware Maze - Mar 2020
- Preempt - Maze Ransomware Analysis and Protection
- IronNet Blog - Navigating Maze ransomware
- Crowdstrike - The Many Paths Through Maze - May 2020
- HHS Cybersecurity Program - 06/04/2020
- The National Cyber-Forensics and Training Alliance Whitepaper - December 02, 2019
- Maze Ransomware Campaign Spoofs Italian Revenue Agency Correspondence - Oct 2019
- ShieldX Maze Ransomware: Try Not to Be A’Maze’d - Nov 2018
- McAfee Labs Threat Advisory Ransomware-Maze - Feb 2020
- DSCI MAZE RANSOMWARE TECHNICAL REPORT - 2020
- Threat Actor TA2101 (ProofPoint) using Maze Ransomware to target Government and Commercial Entities - Jan 2020
- Cyberinit Cognizant Hit by MAZE Ransomware - Apr 2020
- Ransomware Attackers Use Your Cloud Backups Against You
Ryuk
- Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021 - Apr 2021
- Abdallah Elshinbary - Deep Analysis of Ryuk Ransomware
- Malwation - RYUK Ransomware Technical Analysis Report - 2020
- LogPoint – Comprehensive Detection of Ryuk Ransomware - Nov 2020
- Red Canary - A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak - Nov 2020
- Sophos - They’re back: inside a new Ryuk ransomware attack - Oct 2020
- DFIR Report - Ryuk's Return - Oct 2020
- DFIR Report - Ryuk in 5 hours - Oct 2020
- VMware Carbon Black TAU: Ryuk Ransomware Technical Analysis - Feb 2020
- Red Canary - The Third Amigo: detecting Ryuk ransomware - Feb 2020
- FortiGuard Labs: Ryuk Revisited - Analysis of Recent Ryuk Attack - Mar 2020
- Checkpoint Research - Ryuk Ransomware: A Targeted Campaign Break-Down - Aug 2018
- Malware News - Analysis of Ryuk Ransomware - Dec 2019
- CISA Alert (TA17-132A) - Indicators Associated With WannaCry Ransomware - May 2017
- Security Literate - REVERSING RYUK: A TECHNICAL ANALYSIS OF RYUK RANSOMWARE - Apr 2020
- ZScaler - Examining the Ryuk Ransomware - Oct 2019
- Crowdstrike - Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware - Jan 2019
- HHS Cybersecurity Program - Ryuk Update - Jan 2020
- FBI Flash - Indicators of Compromise Associated with Ryuk Ransomware - May 2019
- Homeland Security and Emergency Services - Threat Report: Emotet, TrickBot, and Ryuk
- RANSOMWARE PLAYBOOK A Special Incident Response Guide for Handling Ryuk Ransomware (Triple-Threat) Attacks - Oct 2019
- Securonix Threat Research - Securonix Threat Research: Detecting High-Impact Targeted Cloud/MSP $14M+ Ryuk and REvil Ransomware Attacks - Jan 2020
- CIS - Security Primer – Ryuk
REvil (Sodinokibi)
- REvil Ransomware Malware Analysis
- Group-IB - REvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs - Jun 2021
- Cybereason - Sodinokibi: The Crown Prince of Ransomware - Aug 2019
- Secureworks - REvil/Sodinokibi Ransomware - Sep 2019
- REvil -SodinokibiTechnical analysis andThreat IntelligenceReport - 2019
- DarkTrace - Post-mortem of a targeted Sodinokibi ransomware attack - Feb 2020
- McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us - Oct 2019
- BlackBerry ThreatVector Blog - Threat Spotlight: Sodinokibi Ransomware - Jul 2019
- A brief history and further technical analysis of Sodinokibi Ransomware - Jan 2020
- Acronis - Taking Deep Dive into Sodinokibi Ransomware
- Cisco Talos - Sodinokibi ransomware exploits WebLogic Server vulnerability - Apr 2019
- Sodinokibi Analysis Process
- Cynet Labs - Ransomware Never Dies – Analysis of New Sodinokibi Ransomware Variant - Jul 2019
- KPN - Tracking REvil
- Intel471 - REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation - Mar 2020
- SISA - REvil RANSOMWARE - May 2020
- Tesorion - A connection between the Sodinokibi and GandCrab ransomware families?
- Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike - Jun 2020
- McAfee Labs Threat Advisory Ransomware-Sodinokibi - Apr 2020
- Arete - Sodinokibi Ransomware 2020
- Securonix Threat Research:Detecting High-Impact Targeted Cloud/MSP $14M+ Ryuk and REvil Ransomware Attacks - Jan 2020
- Zdnet - REvil ransomware gang launches auction site to sell stolen data - 2020
GrandCrab
- Acronis - Evolution of GandCrab Ransomware
- VMRay - The Evolution of GandCrab Ransomware - Jun 2018
- Securonix Threat Research - GANDCRAB RANSOMWARE ATTACK
- FortiNet - GandCrab V4.0 Analysis: New Shell, Same Old Menace - Jul 2018
- CheckPoint - The GandCrab Ransomware Mindset - Mar 2018
- Tesorion - A connection between the Sodinokibi and GandCrab ransomware families?
- BitDefender - GandCrab: The Most Popular Multi-Million Dollar Ransomware of the Year - Oct 2018
- Unpacking GandCrab Ransomware
WannaCry
- LogRhythm - A Technical Analysis of WannaCry Ransomware - May 2017
- FireEye - WannaCry Malware Profile - May 2017
- Cisco Talos - Player 3 Has Entered the Game: Say Hello to 'WannaCry' - May 2017
- Antiy Labs - IN-DEPTH ANALYSIS REPORT ON WANNACRY RANSOMWARE - Jul 2017
- Secureworks - WCry Ransomware Analysis - May 2017)
- Sophos - WannaCry Aftershock
- McAfee Labs - Further Analysis of WannaCry Ransomware - May 2017
- ThaiCERT - WannaCry Ransomware - May 2017
- WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms
- Recorded Future - What Is WannaCry? Analyzing the Global Ransomware Attack - May 2017
- "WannaCry" ransomware attack: Technical intelligence analysis - May 2017
- Tripwire - WANNACRY RANSOMWARE
- Elastic - WCry/WanaCry ransomware technical analysis - May 2017
- CRITICAL ALERT - Wannacry / WannaCryptRansomware
- CERT-MU THE WANNACRY RANSOMWARE - May 2017
- Analyzing WannaCry RansomwareConsidering the Weapons and Exploits Whitepaper
- Intezer - WannaCry Ransomware: Potential Link to North Korea
- Department of Health: Investigation: WannaCry cyber attack and the NHS
- Applying Diamond Model on WannaCry Ransomware Incident
Dharma
- Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools - Jul 2018
- Panda Security - Ransomware from the Crysis/Dharma family Report - Nov 2017
- Comodo - Dharma 2.0 ransomware continues to wreak havoc with new variant - Mar 2020
- DarkTrace - Old but still dangerous – Dharma ransomware via RDP intrusion - May 2020
- Crowdstrike - Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques - Apr 2020
- FortiNet - Dharma Ransomware: What It’s Teaching Us - Nov 2018
- Cymulate - Immediate Threat Analysis – New Dharma Ransomware Strain Found in the Wild - Aug 2019
- Quick Heal - An analysis of the Dharma ransomware outbreak by Quick Heal Security Labs - May 2018
- Quick Heal - Dharma Ransomware Variant Malspam Targeting COVID-19 - Apr 2020
- Dharma ransomware. 36 Variants listed. 2020 removal instructions - Aug 2020
Samsam
- Crowdstrike - An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER - May 2018
- Sophos - SamSam Ransomware Chooses Its Targets Carefully - Apr 2018
- Secureworks - SamSam Ransomware Campaigns - Feb 2018
- Malwarebytes - SamSam ransomware: controlled distribution for an elusive malware - Jun 2018
- Sophos - SamSam: The (Almost) Six Million Dollar Ransomware
- CISA Alert (AA18-337A) SamSam Ransomware - Dec 2018
- Healthcare Cybersecurity and Communications Integration Center - Report on Ongoing SamSam Ransomware Campaigns - Mar 2018