Recommended Sources for Ransomware Information
By Katie Nickels and Ryan Chapman
There are a lot of great free resources out there to help cybersecurity professionals prevent and detect ransomware - but you have to know where to look! In our recent SANS Threat Analysis Rundown (STAR) livestream, we talked about many sources we use to track the ransomware ecosystem. Here are some of the key resources we covered. Of course, make sure to vet all sources yourself - especially before uploading any data!
General Sources
- https://thedfirreport.com/
- They have a Patreon account too: https://www.patreon.com/thedfirreport
- https://otx.alienvault.com/dashboard/new
- https://id-ransomware.blogspot.com/
- https://id-ransomware.malwarehunterteam.com/ (make a risk assessment before uploading any data!)
- Florian Roth’s spreadsheet for historical data (not currently updated)
https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
- https://www.virustotal.com (just research, don't upload sensitive samples!)
Leak Sites
Several sources scrape dark web sites where ransomware operators post names of victims as well as exfiltrated data. It's useful for researchers to be aware if their organization is listed on one of these sites. Before accessing these sites, and particularly before downloading any stolen data directly from them, talk to your lawyers!
Here's an example of how this could be integrated into Slack:
Darknet/Tor Research
If you are interested in setting up your own TOR browser to access these sites themselves, here is a video that shows you how to do this in a more secure way:
For more information on the TorBrowser project, please see:
- https://tb-manual.torproject.org/about/
- And for downloads:
And finally, learn about Tails, the operating system designed for anonymity and built with Tor enabled at all times:
Twitter is an excellent source of information about ransomware itself as well as the many ransomware precursor malware families. TweetDeck (https://tweetdeck.twitter.com/) can help organize various accounts and hashtags of interest, and Twitter lists can also help with this. Like all of these sources, you will need to curate the accounts you follow and determine which ones work for your needs. There are so many good accounts that we can't possibly list all of them here, but if you start with this list, Twitter will recommend other similar accounts to you.
- https://twitter.com/search?q=%23ransomware
- https://twitter.com/darktracer_int
- https://twitter.com/cobaltstrikebot
- https://twitter.com/RdpSnitch
- https://twitter.com/malwrhunterteam
- https://twitter.com/malware_traffic
- https://twitter.com/vxunderground
- https://twitter.com/JAMESWT_MHT
- https://twitter.com/ffforward
- https://twitter.com/demonslay335
- https://twitter.com/GossiTheDog
- https://twitter.com/BushidoToken
- https://twitter.com/stvemillertime/
- https://twitter.com/bryceabdo
- https://twitter.com/VK_Intel
- https://twitter.com/uuallan
- https://twitter.com/BleepinComputer
- https://twitter.com/selenalarson
- https://twitter.com/cyb3rops
Blogs
We recommend setting up an RSS feed with the blog posts from various organizations in the community. There are many RSS feed options, including a free version of Feedly. You may also want to follow these companies on Twitter.
Many of these blogs are maintained by vendors, who regularly share information about incidents they observe. Again, there are far too many sources for us to list here, so this is just a sample of what's out there. Remember the different companies see different parts of the ransomware ecosystem, so it can be helpful to track many perspectives.
BlackBerry
- Threat Research blog landing page: https://blogs.blackberry.com/en/author/the-blackberry-research-and-intelligence-team
- https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat
- https://blogs.blackberry.com/en/2021/05/threat-thursday-conti-ransoms-over-400-organizations-worldwide
- https://blogs.blackberry.com/en/2019/12/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe
Red Canary
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://redcanary.com/threat-detection-report/
- https://redcanary.com/blog/rclone-mega-extortion/
https://www.secureworks.com/research/lv-ransomware
https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/
https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/
https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf
https://adversary.crowdstrike.com/en-US/adversary/pinchy-spider/
https://go.recordedfuture.com/hubfs/reports/cta-2021-0211.pdf
https://www.digitalshadows.com/blog-and-research/q1-ransomware-roundup/
https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/
https://news.sophos.com/en-us/2021/05/28/epsilonred/
Related decoder script as noted in live cast: https://github.com/rj-chap/random_scripts/blob/main/python/epsilon_red_powershell_decoder.py
https://blogs.vmware.com/secur...
https://pan-unit42.github.io/playbook_viewer/?pb=maze-ransomware
https://www.proofpoint.com/us/blog/threat-insight/bazaflix-bazaloader-fakes-movie-streaming-service
Watch the STAR Live Stream Episode on Ransomware.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
