Insights

Executive Summary In February 2022, Arete investigated a Surtr ransomware incident where the ransomware author(s) paid tribute to the now defunct REvil (aka Sodinokibi) group by making a registry key change to the infected host. REvil was an infamous Russian-speaking Ransomware-as-a-Service

By Cyber Threat Intelligence Team Arete observed an overlap between a recent BlackMatter case and a Q1 2021 REvil case. In both instances, the actors leveraged the NodeJS-based Gootloader to deliver a CobaltStrike payload. In a March 2021 insight, Arete detailed findings

By Arete Cyber Threat Intelligence Team  PYSA is the newest variant of the Mespinoza Ransomware as a Service (RaaS) family, which was first observed infecting victims in the wild in December 2019. PYSA is likely a reference to the open-source web

By Arete Cyber Threat Intelligence Team  EXECUTIVE SUMMARY From September 2020 to May 2021, the Arete Incident Response (IR) practice responded to nine Avaddon ransomware engagements across varying industry sectors, including the professional services, financial services, healthcare, hospitality, public services, and

On Saturday May 8, US Colonial Pipeline announced that they were victim of a ransomware attack that affected their network on Friday May 7. US Colonial Pipeline is said to be the largest fuel pipeline in the United States and the main

By Arete Cyber Threat Intelligence Team EXECUTIVE SUMMARY  On April 15, Codecov announced a compromise to its Bash Uploader (a software application used in some of its products), whereby a threat actor was able to send sensitive information from the affected environment

On March 2, 2021, Microsoft disclosed and provided security updates for four [4] critical vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — impacting on-premises Microsoft Exchange Servers. While Internet-facing Exchange Servers, such as Outlook Web Access systems, are at particular risk

By Arete Forensics Team REvil, more commonly referred to as Sodinokibi, is one of the most prolific ransomware threat groups currently active in the cyber extortion space. In the past year alone, Arete has responded to countless incidents where REvil has

By Arete Cyber Threat Intelligence Team Executive summary By all appearances, the proprietors of Darkside ransomware mean business. Big business. With their sights set on organizations with US$4M+ in revenue, they’re all about high-value, big-game targets. And they’ve got the skills and experience

On January 27, 2021, Europol announced that it had led a coordinated takedown of the Emotet infrastructure in collaboration with law enforcement authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. According to Europol,

By Adam Brown and Harold Rodriguez, Arete Cyber Threat Intelligence Team Ransomware variants come. Ransomware variants go. And while Egregor may have only recently surfaced, it is by no means a fly-by-night operation. In fact, one could argue that the foundation

Background On the December 5th, 2019 the U.S. Department of Justice announced indictments against 17 individuals including 2 Russian nationals Maksim Yakubets and Igor Turashev that were the primary ring-leaders of the Russian hacking group known as “Evil Corp”. The Treasury

Arete's recommendations for recovering from a malware attack and prevent a future attack 

Ransomware attacks wreak havoc on business operations. Destroying recovery options, instill­ing fear and panic, and most often creating high levels of stress for IT staff, owners, and operators. A simple, but often costly fix is to just pay the Threat

On December 8, 2020, the New York Times reported that FireEye (NASDAQ:FEYE) was hacked. Moments later, almost every major news outlet, security blogger, U.S. government  agency,  and security company released additional articles and opinions on the breaking news. It’s not

Stephen Ramey Arete investigates a lot of ransomware attacks. In fact, 90% of our business is helping organizations big and small, recover from and investigate ransomware attacks. Variants like Maze, Sodinokibi, WastedLocker, Ryuk, Conti, Dopplepaymer, Dharma and countless others are extremely

Arete's updated analysis of the Sodinokibi malware and  observations of the threat actors touting the Black Lives Matter (BLM) movement by saving their configuration data in BLM labeled registry keys.

Arete's response to the CISA,  FBI, and the Department of Health and Human Services  alert: AA20-302A - Ransomware. RYUK Attacking the public health sector 

Executive Summary Since January 2020, Arete’s incident response (IR) team has responded to various AKO ransomware engagements. Recently, we have encountered these specific attacks against the Finance, Healthcare, and Manufacturing sectors. This article is meant to provide information on the ransomware

Arete's analysis into the Conti ransomware variant and suggestion that it came from the same group is RYUK

Ransomware variants like Ryuk, WastedLocker, and Dopplepaymer are also file level encryption. These groups will gain access to the network and perform reconnaissance to identify the victim, understand their business, identify critical sys­tems, and delete backups to force their victims

Ransomware variants like Phobos, Dharma or CryLock are file level encryption. The TA gains access to the system, copies specific encryption executables onto the systems then runs the executables to encrypt the files. The results are files with a new

 Arete's analysis into how threat actors target business that allow employees that remotely access documents

Overview Recently, the threat group behind Sodinokibi ransomware publicly announced the switch from Bitcoin to accepting only Monero payments. The switch was motivated largely by the fact that Monero is inherently more difficult for law enforcement to track payments as well

Arete's analysis into why Maze and other ransomware variants publishing data might be counterproductive