![](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/03\/Sophos-News-banner-4-march-1200x628-1.png\"\/)
<\/p>\n<\/p>\n
Introduction<\/h3>\n
The ransomware landscape is a complex, crowded and rapidly evolving ecosystem. New and rebranded groups appear and disappear continuously, while the operators behind them share, rent, steal, or copy each other\u2019s attack tools, playbooks and even infrastructure.<\/p>\n
Sophos has been monitoring and reporting on the ransomware landscape for years, building an unrivalled library of insight and analysis. The Ransomware Threat Intelligence Center<\/strong> brings together a curated list of the most important research articles and reports published by Sophos on prevalent, new, and emerging ransomware threats, including their tools, techniques, and behaviors, from 2018 to the present. The content will be updated regularly as new material becomes available.<\/p>\n For further information on ransomware, including advice on security best practice and the latest State of Ransomware<\/a> report, visit Sophos’ Resources to Stop Ransomware.<\/a><\/p>\n Sophos MTR in real time: What is Astro Locker team?<\/a><\/p>\n March 31, 2021 \u2013 A Sophos incident response investigation uncovers similarities between Astro Locker and Mount Locker ransomware<\/p>\n Avos Locker remotely accesses boxes, even running in Safe Mode<\/a><\/p>\n Dec. 22, 2021 \u2013 Sophos reports how the relatively new ransomware-as-a-service (RaaS), Avos Locker boots target computers into Safe Mode to execute the ransomware and tries to disable security software<\/p>\n Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack \u00a0 <\/a><\/p>\n Oct. 4, 2021 \u2013 Sophos reports on an attack by the relatively new ransomware group Atom Silo that leveraged a recent vulnerability in Atlassian\u2019s Confluence collaboration software and tried to disrupt endpoint protection software. The Confluence vulnerability was also exploited by a crypto miner<\/p>\n What to expect when you\u2019ve been hit with Avaddon ransomware<\/a><\/p>\n May 24, 2021 \u2013 Part of a series designed to help IT administrators facing the impact of an attack involving a particular ransomware family<\/p>\n Black Kingdom ransomware begins appearing on Exchange servers<\/a><\/p>\n March 23, 2021 \u2013 Sophos reports on a novel, if fairly basic ransomware targeting Microsoft Exchange servers that haven\u2019t been patched against the ProxyLogon<\/a> exploit<\/p>\n BlackMatter ransomware emerges from the shadow of DarkSide<\/a><\/p>\n Aug. 9, 2021 \u2013 Sophos reports on a new RaaS that calls itself BlackMatter and adopts tools and techniques from REvil, DarkSide and LockBit 2.0<\/p>\n Sophos has reported extensively on the prolific Conti RaaS operation. Researchers will continue to track the evolution of this high profile threat following the events of early March 2022, when Conti\u2019s stance on the Russia Ukraine war<\/a> led to a series of public leaks<\/a> of its attack playbook<\/a>, toolset, internal communications, source code and more.<\/p>\n Sophos analysis and insight on Conti ransomware include:<\/p>\n What to expect when you\u2019ve been hit with Conti ransomware<\/a><\/p>\n Feb. 16, 2021 \u2013 Part of a series designed to help IT administrators facing the impact of an attack involving a particular ransomware family<\/p>\n Conti ransomware: Evasive by nature<\/a><\/p>\n Feb. 16, 2021 \u2013 Sophos reports on how the attackers spreading Conti have switched gears to a completely fileless attack method<\/p>\n A Conti ransomware attack day-by-day<\/a><\/p>\n Feb. 16, 2021 \u2013 Sophos reports on the unfolding of a Conti ransomware incident<\/p>\n Conti affiliates use ProxyShell Exchange exploit in ransomware attacks<\/a><\/p>\n Sep. 3, 2021 \u2013 Sophos reports on an investigation into a Conti ransomware attack where the attackers used a ProxyShell<\/a> exploit<\/p>\n Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits<\/a><\/p>\n March 2, 2022 \u2013 Sophos reports on a rare, dual ransomware attack, where both Karma and Conti ransomware operators were in the network of a healthcare operator at the same time<\/p>\n Cring ransomware group exploits ancient ColdFusion server<\/a><\/p>\n Sep. 21, 2021 \u2013 Sophos reports on an unknown threat actor exploiting a vulnerability in an 11-year-old installation of Adobe ColdFusion 9 and deploying rarely seen Cring ransomware<\/p>\n DearCry ransomware attacks exploit Exchange server vulnerabilities<\/a><\/p>\n March15, 2021 \u2013 Sophos reports on an unsophisticated, \u201cbeginner\u201d ransomware called DearCry, which mimics the notorious WannaCry ransomware<\/p>\n Color by numbers: inside a Dharma ransomware-as-a-service attack<\/a><\/p>\n Aug.12, 2020 \u2013 Sophos reports on the Dharma RaaS that targets smaller businesses and provides affiliates with detailed, step-by-step attack scripts<\/p>\n A defender\u2019s view inside a DarkSide ransomware attack<\/a><\/p>\n May 11, 2021 \u2013 A Sophos deep dive into the attack methods of the DarkSide ransomware group<\/p>\n Egregor ransomware: Maze\u2019s heir apparent<\/a><\/p>\n Dec. 8, 2020 \u2013 Sophos reports on a new RaaS variant of Sekhmet ransomware that appears to have picked up where Maze left off<\/p>\n Dridex bots deliver Entropy ransomware in recent attacks<\/a><\/p>\n Feb. 23, 2022 \u2013 Sophos reports on how code used in Entropy ransomware bears a resemblance to code used in Dridex malware, suggesting a possible common origin<\/p>\n A new ransomware enters the fray: Epsilon Red<\/a><\/p>\n May 28, 2021 \u2013 Sophos reports on a new, bare-bones ransomware that offloads most of its functionality to a series of PowerShell scripts<\/p>\n GandCrab 101: All about the most widely distributed ransomware of the moment<\/a><\/p>\n March 5, 2019 \u2013 A deep dive into a ransomware that dominated the landscape in 2019<\/p>\n Directed attacks against MySQL servers deliver ransomware<\/a><\/p>\n May 24, 2019 \u2013 Sophos reports on an unknown adversary attacking internet-facing Windows database servers with GandCrab ransomware<\/p>\n Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits<\/a><\/p>\n March 2, 2022 \u2013 Sophos reports on a rare, dual ransomware attack, where both Karma and Conti ransomware operators were in the network of a healthcare operator at the same time<\/p>\n LockBit ransomware borrows tricks to keep up with REvil and Maze<\/a><\/p>\n April 24, 2020 \u2013 Sophos reports on how LockBit is implementing techniques and behaviors from other high profile ransomware groups<\/p>\n LockBit uses automated attack tools to identify tasty targets<\/a><\/p>\n Oct. 21, 2021 \u2013 Sophos reports on how the operators behind LockBit ransomware are using renamed copies of PowerShell and other automated tools to searched for systems with valuable data<\/p>\n LockFile ransomware\u2019s box of tricks: intermittent encryption and evasion<\/a><\/p>\n Aug. 27, 2021 \u2013 Sophos discovers a new ransomware family leveraging ProxyShell and using intermittent encryption of files to evade detection by anti-ransomware tools<\/p>\n Matrix: Targeted, small scale, canary in the coalmine ransomware<\/a><\/p>\n Jan. 30, 2019 \u2013 Sophos reports on how the unsophisticated Matrix ransomware succeeds by leveraging vulnerable remote desktops to breach networks and disrupt targets<\/p>\n Maze ransomware: extorting victims for 1 year and counting<\/a><\/p>\n May 12, 2020 \u2013 Sophos reports on how the Maze ransomware operators were one of the first ransomware operations to use data theft as a way of coercing victims to pay the ransom demand<\/p>\n Maze attackers adopt Ragnar Locker virtual machine technique<\/a><\/p>\n Sep. 17, 2020 \u2013 Sophos reports on how Maze operators adopted a cumbersome ransomware delivery technique<\/a> from Ragnar Locker after several failed attempts to deploy the ransomware<\/p>\n MTR Casebook: Blocking a $15 million Maze ransomware attack<\/a><\/p>\n Sep. 22, 2020 \u2013 A day-by-day account of the unfolding of a major Maze ransomware attack<\/p>\n \u201cMegaCortex\u201d ransomware wants to be The One<\/a><\/p>\n May 3, 2019 \u2013 Sophos reports on a new, sophisticated ransomware group leveraging both automated and manual components<\/p>\n MegaCortex, deconstructed: mysteries mount as analysis continues<\/a><\/p>\n May 10, 2019 \u2013 A follow on research article including new insight on the ransomware group\u2019s tools, techniques, and misdirection tactics<\/p>\n New ransomware actor uses password protected archives to bypass encryption protection<\/a><\/p>\n Nov. 18, 2021 \u2013 Sophos reports on an incident involving the new ransomware group, Memento, that failed to encrypt files so instead copied them into password-protected archives<\/p>\n Windows services lay the groundwork for a Midas ransomware attack<\/a><\/p>\n Jan. 25, 2022 \u2013 Sophos reports on a ransomware attack that made extensive use of vulnerable remote access services and PowerShell scripts<\/p>\n Nefilim Ransomware Attack Uses \u201cGhost\u201d Credentials<\/a><\/p>\n Jan. 26, 202 \u2013 Sophos reports on an incident where the attackers gained access to the target using the account credentials of a deceased employee<\/p>\n Netwalker ransomware tools give insight into threat actor<\/a><\/p>\n May 27, 2020 \u2013 Sophos details the tactics, techniques, and procedures (TTPs) used by Netwalker after discovering a trove of malware and related files<\/p>\n ProLock ransomware gives you the first 8 kilobytes of decryption for free<\/a><\/p>\n July 27, 2020 \u2013 Sophos reports on the attack chain and TTPs of this new ransomware<\/p>\n Python ransomware script targets ESXi server for encryption<\/a><\/p>\n Oct. 5, 2021 \u2013 Sophos reports one of the fastest ransomware attacks it has seen, where a Python script on the target\u2019s virtual machine hypervisor encrypted all virtual disks<\/p>\n Ragnar Locker ransomware deploys virtual machine to dodge security<\/a><\/p>\n May 21, 2020 \u2013 Sophos reports on an incident where the attackers deployed a full virtual machine on each targeted device to hide the ransomware from view<\/p>\n Asnar\u00f6k attackers twice modified attack midstream<\/a><\/p>\n May 21, 2021 \u2013 Sophos reports on how Asnarok attackers try to deploy Ragnarok ransomware through an unpatched firewall<\/p>\n Relentless REvil, revealed: RaaS as variable as the criminals who use it<\/a><\/p>\n June 11, 2021 \u2013 Sophos details the different TTPs seen among the affiliate customers of the REvil RaaS<\/p>\n What to expect when you\u2019ve been hit with REvil ransomware<\/a><\/p>\n June 30, 2021 \u2013 Part of a series designed to help IT administrators facing the impact of an attack involving a particular ransomware family<\/p>\n Independence Day: REvil uses supply chain exploit to attack hundreds of businesses<\/a><\/p>\n July 4, 2021 \u2013 Sophos details the crypto-extortion attack launched by a REvil affiliate using a malicious update to exploit Kaseya\u2019s VSA remote management service<\/p>\n Living off another land: Ransomware borrows vulnerable driver to remove security software<\/a><\/p>\n Feb. 6, 2020 \u2013 Sophos reports on attacks where attackers deployed a legitimate, digitally signed hardware driver to delete security products from targeted computers before deploying RobbinHood ransomware<\/p>\n They\u2019re back: inside a new Ryuk ransomware attack<\/a><\/p>\n Oct. 14, 2020 \u2013 Sophos reports on the return of Ryuk after a period of quiet, with evolved tools for compromise and ransomware deployment<\/p>\n MTR in Real Time: Pirates pave way for Ryuk ransomware<\/a><\/p>\n May 6, 2021 \u2013 Sophos reports on an incident where downloading a pirate software program led attackers to breach the network of a research institute and deploy Ryuk ransomware<\/p>\n Sophos releases SamSam ransomware report<\/a><\/p>\n July 31, 2018 \u2013 Sophos releases a deep dive into SamSam ransomware<\/p>\n How a SamSam-like attack happens, and what you can do about it<\/a><\/p>\n Nov. 29, 2018 \u2013 Sophos details a typical SamSam ransomware attack and how to defend against it<\/p>\n Snatch ransomware reboots PCs into Safe Mode to bypass protection<\/a><\/p>\n Dec. 9, 2019 \u2013 Sophos reports on a novel hybrid data theft-ransomware threat that disables security protections by rebooting Windows machines mid-attack<\/p>\n The WannaCry hangover<\/a><\/p>\n Sep. 16, 2019 – Sophos reports how, more than two years on, modified WannaCry variants still cause headaches for IT admins and security analysts<\/p>\n WastedLocker\u2019s techniques point to a familiar heritage<\/a><\/p>\n Aug. 4, 2020 \u2013 Sophos reports on how WastedLocker evades detection by performing most operations in memory, and shares several characteristics with the Bitpaymer ransomware family<\/p>\n How ransomware attacks: What defenders should know about the most prevalent and persistent ransomware families<\/a><\/p>\n The Active Adversary Playbook 2021<\/a><\/p>\n The Sophos 2019 Threat Report<\/a><\/p>\n The Sophos 2020 Threat Report<\/a><\/p>\n The Sophos 2021 Threat Report<\/a><\/p>\n The Sophos 2022 Threat Report<\/a><\/p>\n How the most damaging ransomware evades IT security<\/a><\/p>\n The realities of ransomware: Five signs you\u2019re about to be attacked<\/a><\/p>\n The realities of ransomware: Extortion goes social in 2020<\/a><\/p>\n The realities of ransomware: Why it\u2019s not just a passing fad<\/a><\/p>\n The realities of ransomware: A victim\u2019s eye view of an attack<\/a><\/p>\n The realities of ransomware: The evasion arms race<\/a><\/p>\n Winners and losers in the ransomware turf wars<\/a><\/p>\n The top 10 ways ransomware operators ramp up the pressure to pay<\/a><\/p>\n Ransomware mishaps: Adversaries have their off days too<\/a><\/p>\n <\/p>\n<\/p><\/div>\nSophos Research and Reports on Prevalent and New Ransomware Groups, 2018 to 2022<\/h3>\n
Astro Locker<\/strong><\/h4>\n
Avos Locker<\/strong><\/h4>\n
Atom Silo<\/strong><\/h4>\n
Avaddon<\/strong><\/h4>\n
Black Kingdom<\/strong><\/h4>\n
BlackMatter<\/strong><\/h4>\n
Conti<\/strong><\/h4>\n
Cring<\/strong><\/h4>\n
DearCry<\/strong><\/h4>\n
Dharma<\/strong><\/h4>\n
DarkSide<\/strong><\/h4>\n
Egregor<\/strong><\/h4>\n
Entropy<\/strong><\/h4>\n
Epsilon Red<\/strong><\/h4>\n
GandCrab<\/strong><\/h4>\n
Karma<\/strong><\/h4>\n
LockBit<\/strong><\/h4>\n
LockFile<\/strong><\/h4>\n
Matrix<\/strong><\/h4>\n
Maze<\/strong><\/h4>\n
MegaCortex<\/strong><\/h4>\n
Memento<\/strong><\/h4>\n
Midas<\/strong><\/h4>\n
Nefilim<\/strong><\/h4>\n
Netwalker<\/strong><\/h4>\n
ProLock<\/strong><\/h4>\n
Python<\/strong><\/h4>\n
RagnarLocker<\/strong><\/h4>\n
Ragnarok<\/strong><\/h4>\n
REvil<\/strong><\/h4>\n
RobbinHood<\/strong><\/h4>\n
Ryuk<\/strong><\/h4>\n
SamSam<\/strong><\/h4>\n
Snatch<\/strong><\/h4>\n
WannaCry<\/strong><\/h4>\n
WastedLocker<\/strong><\/h4>\n
Additional Assets<\/strong><\/h3>\n
Collective Reports and Analyses<\/strong><\/h4>\n
Insight and Advisory Articles<\/strong><\/h4>\n