Ransomware Attacks and News
by Year

June 24, 2021


July 7th – Managed service provider Kaseya was recently affected by the REvil ransomware attack

On Friday, July 2, REvil ransomware operators managed to compromise the Kaseya VSA software, used to monitor and manage Kaseya customer’s infrastructure. REvil ransomware operators used zero-day vulnerabilities to deliver a malicious update, compromising an estimated 60 Kaseya customers and fewer than 1,500 companies, according to Kaseya’s public statement. Read>

June 28th – New Ransomware Variant Uses Golang Packer

CrowdStrike recently observed a ransomware sample borrowing implementations from previous HelloKitty and FiveHands variants and using a Golang packer compiled with the most recent version of Golang (Go1.16, released mid-February 2021). Read>

June 18th – Ransomware Actors Evolved Their Operations in 2020

In 2020, CrowdStrike Services observed the evolution of eCrime adversaries engaging in big game hunting ransomware tactics. Read>

June 8th – How eCrime Groups Leverage SonicWall VPN Vulnerability

CrowdStrike has identified big game hunting (BGH) ransomware actors leveraging this vulnerability against these older SonicWall SRA 4600 VPN devices during various incident response investigations. Read>

May 18th – Darkside Ransomware: How Falcon Protects Customers

DarkSide is a ransomware as a service (RaaS) associated with an eCrime group tracked by CrowdStrike as CARBON SPIDER. Read> 

May 13th – New Cybersecurity Executive Order: What It Means for the Public Sector

Learn how the mandates outlined in the new Cybersecurity Executive Order can strengthen the security posture of the U.S. and the public sector. Read>

April 21st – The Pernicious Effects of Ransomware

Ransomware is not just a persistent threat, it’s also a growing global security problem — one that governments and organizations must address immediately. Read>

March 17th – INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware

CrowdStrike Intelligence has identified Hades ransomware as INDRIK SPIDER’s successor to WastedLocker. Discover how the team identified this adversary evolution. Read>

February 26th – CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware

By deploying ransomware on ESXi hosts, adversaries quickly increased the scope of affected systems, further pressuring victims to pay the ransom demands. Read>

February 11th – A Look Into eCrime Menu-style Toolkits

The year 2020 has seen an accelerated uptick in eCrime activity, as well as an obvious shift in eCrime adversaries engaging in big game hunting (BGH) operations that involve interactive deployment of ransomware as a popular means to monetize intrusions, prioritizing critical enterprise infrastructure (domain controllers, file servers, backup servers, etc.) over workstations. Read>


Maze Ransomware Analysis

Maze ransomware is a malware targeting organizations worldwide across many industries. It is believed that Maze operates via an affiliated network where Maze developers share their proceeds with various groups that deploy Maze in organizational networks. Read>

Double Trouble: Ransomware with Data Leak Extortion, Part 2

Part 2 of this series explores operators of Ako ransomware, PINCHY SPIDER’s auctioning of stolen data, and TWISTED SPIDER’s creation of the “Maze Cartel.” Read>

Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques

Throughout 2019 and 2020, CrowdStrike has identified ongoing attempts by criminal actors to install Dharma ransomware across organizations worldwide. Read>

WIZARD SPIDER Update: Resilient, Reactive and Resolute

Over recent months, WIZARD SPIDER has demonstrated their resilience and dedication to criminal operations by operating multiple ransomware families with differing modi operandi, using TrickBot and BazarLoader to infiltrate victim environments and reacting to attempts to stop them in their tracks. Read>


Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware

WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER. This actor is a Russia-based criminal group known for the operation of the TrickBot banking malware that had focused primarily on wire fraud in the past. Read>

Meet DoppelPaymer Ransomware and Dridex 2.0

CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture. Read>

Ransomware Attacks Increase During Back-to-School

School districts have seen an uptick in ransomware attacks as they begin the new year. Discover why cybercriminals have their eyes on the back-to-school season. Read>

PINCHY SPIDER Affiliates Adopt “Big Game Hunting” Tactics to Distribute GandCrab Ransomware

CrowdStrike® Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. Read>

WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN

CrowdStrike® Intelligence analyzed variants of Ryuk (a ransomware family distributed by WIZARD SPIDER) with new functionality for identifying and encrypting files on hosts in a local area network (LAN). These features target systems that have recently been placed in a standby power state, as well as online systems on the LAN. Read>

eCrime Innovations: New Trends Increasing Profitability of Attacks

One of the major trends featured in the recent CrowdStrike® Services Cyber Intrusion Casebook notes attackers’ increased use of remote access tools that deliver real-time monitoring capabilities, an innovative tactic that provides criminals with more power and insight into the systems of their victims. Read>


An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER

This analysis provides an in-depth view of the Samsam ransomware, which is developed and operated by the actor tracked by CrowdStrike® Falcon Intelligence™ as BOSS SPIDER. The infection chain and the execution flow vary according to the variant of the malware, both of which are detailed in this writeup. Read>

Operators of SamSam Continue to Receive Significant Ransom Payments

The SamSam (Samas) ransomware attack on Atlanta will not be the last of these targeted, enterprise attacks, according to CrowdStrike security experts. Read>

Arrests Put New Focus on CARBON SPIDER Adversary Group

In an indictment unsealed by the U.S. Department of Justice (DoJ) on Aug. 1, 2018, three Ukrainian nationals have been charged with conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30, are suspected to be key members within CARBON SPIDER’s point of sale (POS) subgroup. Read>

The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware

New tactics of selectively targeting organizations for high ransomware payouts have signaled a shift in the adversary group INDRIK SPIDER’s operations with a new focus on targeted, low-volume, high-return criminal activity referred to as big game hunting. Read>