Pulse Detail — Threat Intelligence

PULSE NAME

Affiliates Unlocked: Gangs Switch Between Different Ransomware Families

WHITE AlienVault 2021-08-12 Modified: 2021-08-12

IOCs

MEDIUM VOLUME

The shutdown of the Leafroller ransomware gang (aka Sodinokibi/REvil) has resulted in a surge in LockBit activity, as some ex-Sodinokibi affiliates move to that ransomware. Meanwhile, there is also more evidence that some attackers are affiliated to more than one ransomware group and are switching between ransomware families mid-attack if the initial ransomware they attempt to deploy fails to execute.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1021 T1486 T1190 T1003 T1562 T1018

MALWARE FAMILIES

Sodinokibi LockBit PasswordRevealer Conti - S0575 Cobalt Strike - S0154

Indicators of Compromise (33)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	0dd0cb0eda6374e48e6cc403151ac5ba	MD5 of 659ce17fd9d4c6aad952bc5c0ae93a748178e53f8d60e45ba1d0c15632fd3e3f	2021-08-12
FileHash-MD5	3edb6866d654443e063dfb71e9e93776	MD5 of 0a9e09a970e6e0edee2d9120f6e5020f7c1b75ccf7ad1a0c720a63e914099cf5	2021-08-12
FileHash-MD5	597de376b1f80c06d501415dd973dcec	MD5 of f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446	2021-08-12
FileHash-MD5	605d939941c5df2df5dbfb8ad84cfed4	MD5 of 66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a	2021-08-12
FileHash-MD5	79250d0b0749f17d1de0e917c93bc103	MD5 of 36e33eb5280c23cbb57067f18514905e42f949250f95a5554f944180fcd5fe36	2021-08-12
FileHash-SHA1	250875212d58e1d4169b7e7d0cd236d1a19a4b9a	SHA1 of 66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a	2021-08-12
FileHash-SHA1	629c9649ced38fd815124221b80c9d9c59a85e74	SHA1 of f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446	2021-08-12
FileHash-SHA1	a53380ff37c453f2b2f7c92604c851351f7edbb6	SHA1 of 36e33eb5280c23cbb57067f18514905e42f949250f95a5554f944180fcd5fe36	2021-08-12
FileHash-SHA1	af37e573c8420e976430abe4ad52eadfdfc36ad4	SHA1 of 659ce17fd9d4c6aad952bc5c0ae93a748178e53f8d60e45ba1d0c15632fd3e3f	2021-08-12
FileHash-SHA1	c96924053567407dc917d0abb9ed89fd7f99d574	SHA1 of 0a9e09a970e6e0edee2d9120f6e5020f7c1b75ccf7ad1a0c720a63e914099cf5	2021-08-12
FileHash-SHA256	068d94a8ad277637412ae710ab431789a5e6f020b6fb412fc2c06d5c00e5342a	—	2021-08-12
FileHash-SHA256	0a9e09a970e6e0edee2d9120f6e5020f7c1b75ccf7ad1a0c720a63e914099cf5	—	2021-08-12
FileHash-SHA256	2dddfd3ff13f0caf9644e95f93f008590d54b521dcbc4defc9eb37801498dd51	—	2021-08-12
FileHash-SHA256	2e30bdb70372d97f5cd7c7d88d153b14668e78f5dfb868261673855baad08df9	—	2021-08-12
FileHash-SHA256	36e33eb5280c23cbb57067f18514905e42f949250f95a5554f944180fcd5fe36	—	2021-08-12
FileHash-SHA256	5d74efdf9062fe052e8676f9ca9afb4bff770b55ac98f51210e502061e706db8	—	2021-08-12
FileHash-SHA256	659ce17fd9d4c6aad952bc5c0ae93a748178e53f8d60e45ba1d0c15632fd3e3f	—	2021-08-12
FileHash-SHA256	66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a	—	2021-08-12
FileHash-SHA256	6c76c93867b28c070e32e17312b1fd1e01fc7ba2d7dc0ae2a0b96cd615f643f9	—	2021-08-12
FileHash-SHA256	7791490640e6a8fbc1b9df63bceb843c8a14675bfe27024bebb3107288dd3a72	—	2021-08-12
FileHash-SHA256	7e97f617ef7adbb2f1675871402203c245a0570ec35d92603f8f0c9e6347c04a	—	2021-08-12
FileHash-SHA256	8aabffacc45d8f044af81471c63a5f67e463480e1f6d3ab87307756af73ce67b	—	2021-08-12
FileHash-SHA256	8df0c0544c50eae988b87c4e6083adca6753364a2ee55d1265c8a1a93399d3b6	—	2021-08-12
FileHash-SHA256	a398c70a2b3bf8ae8b5ceddf53fcf6daa2b68af2fadb76a8ea6e33b8bbe06f65	—	2021-08-12
FileHash-SHA256	ad9e1593f9d992ddb9d21495f06bd31a7e39ee7746510d66f0596c5dfbc4e8ab	—	2021-08-12
FileHash-SHA256	b3221fa17d52cc4481cbcc7358f54f03bab295815da4428ff518994adc31789f	—	2021-08-12
FileHash-SHA256	bce5c2583c32efc411dddaaee8b63a36fe8010c284ddeb558246e81a62179323	—	2021-08-12
FileHash-SHA256	c4f3f4bd9ebd180388ed1812df0cd48e02a2393bccee822410cf28b44c44a382	—	2021-08-12
FileHash-SHA256	c667c916b44a9d4e4dd06b446984f3177e7317f5f9cff91033d580d0cc617eaa	—	2021-08-12
FileHash-SHA256	dae5fbdaa53b4f08876e567cf661346475ff4ae39063744ca033537d6393639a	—	2021-08-12
FileHash-SHA256	daf7bccd4de5ea2774f31c0d4a55768be5cb11ce2b0b4c8ff45723af2906b62d	—	2021-08-12
FileHash-SHA256	f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446	—	2021-08-12
FileHash-SHA256	f78b7cb4b959617a26308d0da0db61e57333ace1ce58a70ba705994554baf46c	—	2021-08-12

References (1)

↗ https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-trends-lockbit-sodinokibi