Vitali Kremez’s Tweets

Aug 9

🎁Gift for the community: Post-#Conti #ransomware operation mindmap world. Enjoy!

130

347

Oct 21

The Week in Ransomware - October 21st 2022 - Stop the Presses -

The Week in Ransomware - October 21st 2022 - Stop the Presses

Cybersecurity researchers did not disappoint, with reports linking RansomCartel to REvil, on OldGremlin hackers targeting Russia with ransomware, a new data exfiltration tool used by BlackByte, a...

#Royal ransomware operation in action.

Quote Tweet

Germán Fernández

@1ZRR4H

Sep 29

1/ So, site impersonating @Fortinet downloads signed MSI that uses Powershell to run #BatLoader, if the user is connected to a domain (corporate network) it deploys: 1) #Ursnif (Bot) 2) #Vidar (Stealer) 3) #Syncro RMM (C2) 4) #CobaltStrike And possibly 5) #Ransomware

Show this thread

Sep 29

New Royal Ransomware emerges in multi-million dollar attacks -

New Royal Ransomware emerges in multi-million dollar attacks

A new ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million.

Offsecurity: First time flying as a private pilot single engine land from east -> west coast of Florida. Aircraft: Cessna 172N IFR training and rotorcraft add-on next!

0:05

2.4K views

Sep 16

The Week in Ransomware - September 16th 2022 - Iranian Sanctions -

The Week in Ransomware - September 16th 2022 - Iranian Sanctions

It has been a fairly quiet week on the ransomware front, with the biggest news being US sanctions on Iranians linked to ransomware attacks.

🔥Breaking Blog: AdvIntel's State of #Emotet aka "#SpmTools" Displays Over Million 🌎Compromised Machines Through 2⃣0⃣2⃣2⃣ Insight: *⃣Emotet infection chain is currently attributed to #Quantum & #BlackCat ransomware chains. advintel.io/post/advintel-

Sep 9

The Week in Ransomware - September 9th 2022 - Schools under fire -

The Week in Ransomware - September 9th 2022 - Schools under fire

Ransomware gangs have been busy this week, launching attacks against NAS devices, one of the largest hotel groups, IHG, and LAUSD, the second largest school district in the USA.

Sep 7

Someone is hitting Cobalt Strike servers used by former members of the Conti ransomware gang with messages urging to stop Russia's war: “Stop the war!” “15000+ dead Russian soldiers!” “Be a Russian patriot!” "Stop Putin!"

📌We have observed the "Anti-Putin" messages from Cobalt Strike flooding activities mapped to ex-Conti cybercrime enterprise members.

Quote Tweet

Sep 7

Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages - @Ionut_Ilascu bleepingcomputer.com/news/security/

Show this thread

Sep 6

Insight:⚡️#Emotet loader-as-a-service infection metrics globally for 2022 of ~1,300,000 unique bot_ids / top targeted infected by loader (including honeypot activity). Still alive but on a general decline. The public report is incoming.

Catalin Cimpanu

@campuscodi

Aug 23

Me and Vitali had a longer talk about his prediction on the impending death of the RaaS ecosystem, or at least of its major players. risky.biz/RBTALKS3/

Quote Tweet

Aug 15

Prediction: Expect less ransomware locker deployment but a prolong phase of corporate espionage/exfiltration by cybercrime enterprises. The ransomware-as-a-service (RaaS) as well as targeted ransomware deployment model is almost dead for the following reasons 1/n

Show this thread

Aug 22

Callback phishing was the tactic that enabled a widespread shift in the approach to ransomware deployment. This is what made the approach so unique and effective 👇

⚡️2022 Trend: Call-back phishing campaigns aka "BazarCall" are the de-facto top method of getting a backdoor on the protected corporate networks. 1⃣Ransomware and extortionists want to talk to the corporate employees over ☎️. 2⃣Targets are just larger & phishing is more complex

Patrick Gray

@riskybusiness

Aug 22

We're publishing so much great stuff in coming days. There's another Between Two Nerds episode with

and

, plus

interviews

about his call that Ransomware as a Service is dying. Risky Biz News RSS risky.biz/subscribe

Oh my API, abusing TYK cloud API management to hide your malicious C2 traffic - Shells.Systems

Aug 19

⚡️Timely report on the latest Cobalt Strike domain fronting technique leveraging tyk[.]io. Many ex-Conti groups leverage this domain fronting technique for Cobalt Strike beacon resolver/traffic. Watch out for tyk[.]io traffic.

shells.systems

Estimated Reading Time: 10 minutes Hiding your malicious C2 traffic through legitimate channels is challenging nowadays, especially while CDN providers block all known techniques to use domain...

121

Aug 15

Bonus prediction***as it already had started to happen*** Incident response business & negotiation business or any biz tied directly to ransomware will decease to exist as orgs will build internal capabilities & would not hire external consultants in limited data breach cases.

⚡️2022 would be the largest year with unreported data breach events shadow figure with the data exfiltration as the primary stage of the intrusion. La Fin. 3 / 3

👇 1 - overt and shadow sanctions/ban of Russia affected cryptocurrency brokers procuring money for data recovery services 2 - evolution of backup soft/services with physical backup implemenations made the effect of ransomware less impactful than before 2 / 3

🤔Prediction: Expect less ransomware locker deployment but a prolong phase of corporate espionage/exfiltration by cybercrime enterprises. The ransomware-as-a-service (RaaS) as well as targeted ransomware deployment model is almost dead for the following reasons 1/n

211

Advanced Intel's

has published a BazarCall advisory. The “BazarCall” style attack, or call back phishing, is an attack vector that utilizes targeted phishing methodology and first emerged in 2020/2021 as a tool of Ryuk (later rebranded Conti). advintel.io/post/bazarcall

Lawrence Abrams

Aug 10

These three ex-Conti extortion gangs are responsible for the surge of 'BazarCall' callback phishing schemes.

Ransomware gangs move to 'callback' social engineering attacks

At least three groups split from the Conti ransomware operation have adopted BazarCall phishing tactics as the primary method to gain initial access to a victim's network.

⚡️Published "#BazarCall Advisory: Essential Guide to Attack Vector that Revolutionized Data Breaches" 📌Post-#Conti targeted phishing tactics derived from the call back phishing method for #ransomware & exfil 1⃣Silent Ransom 2⃣Quantum 3⃣Roy/Zeon 👇 advintel.io/post/bazarcall

Aug 8

😍Team, I will be in Las Vegas this year. Excited to meet *you* in person. Ping me via DM during Aug 8-13

An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent...

Florian Roth

@cyb3rops

Jul 12, 2021

An Empirical Assessment of Endpoint Detection and Response (#EDR) Systems against Advanced Persistent Threats Attack Vectors

mdpi.com

Advanced persistent threats pose a significant challenge for blue teams as they apply various attacks over prolonged periods, impeding event correlation and their detection. In this work, we leverage...

251

571

🔥Breaking Blog: Anatomy of Attack: Truth Behind the Costa Rica Government [#Conti] #Ransomware 5-Day Intrusion ➡️From initial access to ransomware deployment --> more than 10+ #CobaltStrike sessions with #AteraRMM deployed part of intrusion w/ Rclone advintel.io/post/anatomy-o

100

189

Jul 6

Last week, AdvIntel's

also told BleepingComputer that ex-Conti members are using Brute Ratel in their ransomware attacks in what is believed to be a seperate, unrelated incident. Kremez says the threat actors created a fake US company to use when purchasing the license

Jul 1

The Week in Ransomware - July 1st 2022 - Bug Bounties -

The Week in Ransomware - July 1st 2022 - Bug Bounties

It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors.

144

Advanced malware analysis training, at affordable prices, with lifetime access.

0verfl0w

@0verfl0w_

Jun 17

It's been a while since our last discount, so time for another! Until June 20th you can grab the Zero2Automated course for 15% off, using code "BAZAR", giving you lifetime access to all 25+ hours of course content, the course discord community, and more!

courses.zero2auto.com

Zero2Automated

127

Jun 17

The Week in Ransomware - June 17th 2022 - Have I Been Ransomed? -

The Week in Ransomware - June 17th 2022 - Have I Been Ransomed?

Ransomware operations are constantly evolving their tactics to pressure victims to pay. For example, this week, we saw a new extortion tactic come into play with the creation of dedicated websites to...

ISMG Network News

@ISMG_News

Jun 17

In this interview with

@AdvIntel

Conti Ransomware Group Explores Post-Encryption Future

, discusses the future of ransomware as a criminal enterprise, as well as the benefits and drawbacks of Conti's internal communications leaks. Watch his full interview: tinyurl.com/nhekmtm3 #ISMGatRSAC #RSAC2022 #CyberSecurity

databreachtoday.com

Ransomware groups such as Conti are beginning to move away from encrypting systems. Instead, they are stealing data, especially from public companies, and

Jun 10

The Week in Ransomware - June 10th 2022 - Targeting Linux -

The Week in Ransomware - June 10th 2022 - Targeting Linux

It has been relatively quiet this week with many companies and researchers at the RSA conference. However, we still had some interesting ransomware reports released this week.

🔥Breaking Blog:🆕 "#BlackCat aka #ALPHAV [#Ransomware] — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive" Rust binary provides plethora ("runneradmin" alias) of insights + #YARA signature advintel.io/post/blackcat-

Jun 7

Incoming tech dive into the BlackCat/AlphaV ransomware binary in Win x64 and Lin/Deb x64 ESXI fersion (in one hour) with a plethora of tech insights (h/t to Rust compiler binary) + YARA signatures

Jun 7

🤔LockBit retaliated for Mandiant link of them to the sanctioned entity. LockBit RaaS days are ticking away just like Conti's did. By & large, the OFAC sanctions work well enough to deter cryptotraders & brokers to stop transacting w/ ransomware ops suspected of OFAC violation

Büşra Yenidoğan

@ereborlugimli

May 19

I have passed the advanced malware analysis #Zero2Automated course 🥳 Thanks to

@0verfl0w_

and

for this awesome malware analysis course 🌸

May 23

Conti's blog last swan song leaking: all of the previous failed extortion data from SFTP server in the same format CREDS.csv / HOSTS.csv to 100% (most of them) are released. Waiting until the blog (last piece) goes offline / before suspended.

May 17

📚"Breaking Blog: 🐍Hydra with Three Heads: #BlackByte & The Future of #Ransomware Subsidiary Groups" #DFIR Case Study ⤵️ San Francisco 49ers Intrusion | Adversarial Insight from Cobalt Strike -> BlackByte Story advintel.io/post/hydra-wit

121

May 6

Just a bit better phrased: Conti (as Ryuk reborn with successor) ransomware is officially dead with no new builds for a while. RIP Conti.