@BushidoToken Threat Intel

  Introduction This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups. The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent ransomware as a service (RaaS) operation run by Russian-speaking cybercriminals. These two threat groups have been linked together through cooperation on intrusions and IOCs and TTPs shared by multiple CTI sources. The implication of this link is critical due to RansomHub being the most active ransomware gang and is working with a well-known sanctioned affiliate. Who is RansomHub? Active since February 2024, RansomHub is a RaaS operation formerly known as Cyclops and Knight and is run by Russian-speaking adversaries. It  is currently used by more and more cybercriminals that are ex-affiliates of other RaaS operations. This includes the ALPHV/BlackCat RaaS an...

The BlackBasta ransomware group’s leaked chat logs have proven to already be another unique and fascinating opportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime enterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to be a treasure trove of intelligence on the cybercrime enterprise. The BlackBasta gang consists of former Conti ransomware members and it should come as no surprise that their operations are similar in nature and structure. Ransomware researchers have several valuable resources to conduct investigations with nowadays. This includes ransomware.live , which contains several resources including ransomch.at , a collection of negotiation chats between ransomware gangs and their victims, as well as the ransomware tool matrix and ransomware vulnerability matrix . These resources allow to deeply understand the capabilities and motivations of these ransomware gangs. However, leaked...