{
  "type": "bundle",
  "id": "bundle--218b3b46-6e56-4c6e-bb82-3800d3fedc90",
  "spec_version": "2.1",
  "created": "2026-06-11T23:57:51.651Z",
  "modified": "2026-06-11T23:57:51.651Z",
  "objects": [
    {
      "type": "extension-definition",
      "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "name": "Attack Flow",
      "description": "Extends STIX 2.1 with features to create Attack Flows.",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json",
      "version": "2.0.0",
      "extension_types": [
        "new-sdo"
      ],
      "external_references": [
        {
          "source_name": "Documentation",
          "description": "Documentation for Attack Flow",
          "url": "https://center-for-threat-informed-defense.github.io/attack-flow"
        },
        {
          "source_name": "GitHub",
          "description": "Source code repository for Attack Flow",
          "url": "https://github.com/center-for-threat-informed-defense/attack-flow"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "spec_version": "2.1",
      "created": "2022-08-02T19:34:35.143Z",
      "modified": "2022-08-02T19:34:35.143Z",
      "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4",
      "name": "MITRE Center for Threat-Informed Defense",
      "identity_class": "organization"
    },
    {
      "type": "attack-flow",
      "id": "attack-flow--058d93c8-baa2-46fb-b620-29d0fb2da0b5",
      "spec_version": "2.1",
      "created": "2022-10-27T02:44:54.520Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "created_by_ref": "identity--e7ae412f-ec1b-4c9a-8216-cd81cf1b4193",
      "start_refs": [
        "attack-action--94742c71-532b-4aa9-b437-41a9bb8f38d7",
        "attack-action--f0cc9e44-bcff-4902-94ee-1579a13d8d88",
        "attack-action--0941f1e9-24bd-43ab-b54b-ae01df08b989"
      ],
      "name": "REvil",
      "description": "Profile of a ransomware group",
      "scope": "malware",
      "external_references": [
        {
          "source_name": "Bleeping Computer",
          "description": "Article",
          "url": "https://www.bleepingcomputer.com/news/security/healthcare-giant-grupo-fleury-hit-by-revil-ransomware-attack/"
        },
        {
          "source_name": "Checkpoint",
          "description": "article",
          "url": "https://blog.checkpoint.com/2020/10/29/hospitals-targeted-in-rising-wave-of-ryuk-ransomware-attacks/"
        },
        {
          "source_name": "Health IT Security",
          "description": "article",
          "url": "https://healthitsecurity.com/news/ransomware-hits-another-it-vendor-impacting-100-dental-providers"
        },
        {
          "source_name": "HHS Cybersecurity Program",
          "description": "PPT Briefing",
          "url": "https://www.hhs.gov/sites/default/files/ransomware-trends-2021.pdf"
        },
        {
          "source_name": "Secureworks",
          "description": "article",
          "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"
        },
        {
          "source_name": "TechTarget",
          "description": "article",
          "url": "https://www.techtarget.com/searchsecurity/news/252481164/Microsoft-warns-hospitals-of-impending-ransomware-attacks"
        },
        {
          "source_name": "BBC",
          "description": "article",
          "url": "https://www.bbc.com/news/technology-55439190"
        }
      ]
    },
    {
      "type": "identity",
      "id": "identity--e7ae412f-ec1b-4c9a-8216-cd81cf1b4193",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "name": "Jackie Lasky",
      "identity_class": "individual",
      "contact_information": "jlasky@mitre.org"
    },
    {
      "type": "malware",
      "id": "malware--2f794d5d-9480-441a-b9a3-7e8249da8b59",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "name": "REvil",
      "description": "Ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.",
      "is_family": false,
      "aliases": [
        "Sodin",
        "Sodinokibi"
      ],
      "first_seen": "2019-04-01T00:00:00.000Z"
    },
    {
      "type": "attack-action",
      "id": "attack-action--94742c71-532b-4aa9-b437-41a9bb8f38d7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Drive-by Compromise",
      "tactic_id": "TA0001",
      "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
      "technique_id": "T1189",
      "technique_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6",
      "description": "Watering hole attacks on forum websites that download REvil onto the victim devices.",
      "effect_refs": [
        "attack-action--817870ea-bc9d-4734-a36d-8e3d966b2bc7"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--f0cc9e44-bcff-4902-94ee-1579a13d8d88",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Spearphishing Attachment",
      "description": "Spam emails with attached\nMS Office Word documents\nincluding a malicious macro\nto download ransomware to\nthe target system.",
      "effect_refs": [
        "attack-operator--f2b2f246-acf4-4169-b0d5-d492f9a6deb2"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--1ec51403-5eeb-4d38-97b8-cf3b426303f9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Deobfuscate/Decode Files or Information",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1140",
      "technique_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
      "description": "REvil deobfuscates and decodes its own data and configuration",
      "effect_refs": [
        "attack-action--a8243150-f0db-47dd-b715-3fe09d331981"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--a8243150-f0db-47dd-b715-3fe09d331981",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Create Process with Token",
      "description": "Verifies that it is running with administrative rights by making sure that TokenElevationType is set to TokenElevationTypeFull and its integrity level is set to a minimum level of High.\nHowever, if it is running with low integrity, it will use the RunAs command to relaunch a new instance of itself with administrative rights.",
      "effect_refs": [
        "attack-action--cbc2c498-0f40-4fba-bfd0-dbfeae60d993"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--817870ea-bc9d-4734-a36d-8e3d966b2bc7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exploitation for Privilege Escalation",
      "tactic_id": "TA0004",
      "tactic_ref": "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd",
      "technique_id": "T1068",
      "technique_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839",
      "description": "Attempts to run with elevated privileges by exploiting CVE-2018-8453 vulnerability to gain SYSTEM privileges on host.",
      "effect_refs": [
        "attack-operator--f2b2f246-acf4-4169-b0d5-d492f9a6deb2"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--523ac20c-e73d-4899-a233-cd2c3fde4d08",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "File and Directory Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1083",
      "technique_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
      "description": "REvil iterates through all folders and files residing on local fixed drives and verifies they are not included in the config lists; it also has an exclude list.",
      "effect_refs": [
        "attack-condition--9b7f41f6-e24d-4db8-bcf5-f3b71fde83b9",
        "attack-condition--99955aa5-f418-42af-a69a-059600fdc68d"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--72266354-eb09-4f29-9704-2a6117285354",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data Encrypted for Impact",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1486",
      "technique_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
      "description": "REvil has used multithreaded I/O completion ports to encrypt files. It will encrypt the flagged files and drop a ransom note in each folder.",
      "effect_refs": [
        "attack-condition--ec339915-3ebf-4f76-920d-4845ceaee0c1"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--9bdfeccc-64f3-4338-b58d-62b528437dac",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Internal Defacement",
      "description": "After encrypting all the files, REvil will\ncreate a bitmap image of the desktop at runtime with the text that comes with the config file, prepared with the random extension, and set this and the ransom note as the desktop background. The text will read \"You are infected!\" and it will explain where the user can go to read instructions in the text file on the system.",
      "effect_refs": [
        "attack-action--c922e4f2-57ae-4e23-9d09-8c70edf725ae"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--611913ef-15ce-44cb-a885-2dda47cf134b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Exfiltration Over C2 Channel",
      "tactic_id": "TA0010",
      "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462",
      "technique_id": "T1041",
      "technique_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
      "description": "REvil will take the data out of the victim’s environment"
    },
    {
      "type": "attack-action",
      "id": "attack-action--f5f61076-5c5d-43f8-ac93-bd72e76fc4bc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Asymmetric Cryptography",
      "description": "If flag is set, it will conceal C2 communications using an asymmetric key\nscheduling algorithm",
      "effect_refs": [
        "attack-action--611913ef-15ce-44cb-a885-2dda47cf134b"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--3cf7cc87-39df-481b-b31a-c253d405502f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Web Protocols",
      "description": "If the \"net\" key is set to \"true\" then it will\ncommunicate with the C2 server via POST messages (to a list of domains in the config file) to send information using the HTTPS protocol.",
      "effect_refs": [
        "attack-action--611913ef-15ce-44cb-a885-2dda47cf134b"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--c922e4f2-57ae-4e23-9d09-8c70edf725ae",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Query Registry",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1012",
      "technique_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
      "description": "REvil queries the net configuration key value to determine if C2 communication should take place.",
      "effect_refs": [
        "attack-condition--571e759e-0d01-4085-a240-395a3a0f5a0a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b7bb4f4c-a1ce-4968-8887-0eb6516ec60e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Service Stop",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1489",
      "technique_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
      "description": "REvil will stop and delete services if the name matches the list of services in the JavaScript\nObject Notation (JSON) config list, and terminates all processes specified by the prc value.",
      "effect_refs": [
        "attack-action--813a31a7-9924-4088-86d8-526f14fffc05",
        "attack-action--b8777ca1-4cf7-449c-8cd5-545d5e98693a"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b8777ca1-4cf7-449c-8cd5-545d5e98693a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "PowerShell",
      "description": "REvil has used PowerShell\nto perform inhibit system\nrecovery technique.",
      "effect_refs": [
        "attack-operator--791f3d02-c199-4b1f-a529-cc9d9049a26f"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--813a31a7-9924-4088-86d8-526f14fffc05",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Windows Command Shell",
      "description": "REvil has used cmd.exe\nto perform inhibit system\nrecovery technique.",
      "effect_refs": [
        "attack-operator--791f3d02-c199-4b1f-a529-cc9d9049a26f"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--d65fcb15-abb0-4bc5-a97e-0ee5a1e7548c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Inhibit System Recovery",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1490",
      "technique_ref": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
      "description": "REvil will destroy all shadow volumes\nof the victim machine and\ndisable protection of the\nrecovery boot",
      "effect_refs": [
        "attack-action--9e2b0afb-d172-4686-b453-64ad4ffec914"
      ],
      "command_ref": "process--e33fe116-5d8a-4ebd-b9c7-ddd07d7a8c17"
    },
    {
      "type": "attack-action",
      "id": "attack-action--9e2b0afb-d172-4686-b453-64ad4ffec914",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Data Destruction",
      "tactic_id": "TA0040",
      "tactic_ref": "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
      "technique_id": "T1485",
      "technique_ref": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
      "description": "All the files and folders listed will be overwritten with random trash or NULL values and then deleted.",
      "effect_refs": [
        "attack-action--523ac20c-e73d-4899-a233-cd2c3fde4d08"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--37cc493d-eefc-4a85-a78d-8160d4007a5d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "System Owner/User Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1033",
      "technique_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
      "description": "REvil will collect the current username from the victim's machine.",
      "effect_refs": [
        "attack-operator--4e9c4886-42d1-4799-be98-f24e9bdf4b50"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--30e17d35-9f5e-4e65-b2c1-6ea8ac7c3f54",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "System Information Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1082",
      "technique_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
      "description": "REvil will continue to profile and search for hostname, fixed drive details, central processing unit (CPU) architecture, keyboard layout information, volume serial number for system drive, and the operating system product name.",
      "effect_refs": [
        "attack-operator--4e9c4886-42d1-4799-be98-f24e9bdf4b50"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--b1025067-bb3b-446f-aa45-d97591c24ef0",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Obfuscated Files or Information",
      "tactic_id": "TA0005",
      "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
      "technique_id": "T1027",
      "technique_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
      "description": "Has obfuscated user profile\ninformation, modules/functions, and will encrypt components from the configuration data stored in the Registry. All strings have also been encrypted\nwith RC4 before use.",
      "effect_refs": [
        "attack-action--a85199ff-3207-4c2c-828e-c7f56244e5ef"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--a85199ff-3207-4c2c-828e-c7f56244e5ef",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Modify Registry",
      "description": "REvil stores encrypted system information in the Registry. It will check whether it has already generated and stored the session encryption keys in the victim’s Registry.",
      "effect_refs": [
        "attack-action--b7bb4f4c-a1ce-4968-8887-0eb6516ec60e"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--57f02194-5e28-4c95-a7d8-716317f2b081",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Domain Groups",
      "description": "REvil will search the workgroup to collect\ndomain group information.",
      "effect_refs": [
        "attack-operator--4e9c4886-42d1-4799-be98-f24e9bdf4b50"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--cbc2c498-0f40-4fba-bfd0-dbfeae60d993",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Query Registry",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1012",
      "technique_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
      "description": "Checks the Registry to see\nif it has already generated\nand stored session\nencryption keys.",
      "effect_refs": [
        "attack-action--57f02194-5e28-4c95-a7d8-716317f2b081",
        "attack-action--37cc493d-eefc-4a85-a78d-8160d4007a5d",
        "attack-action--30e17d35-9f5e-4e65-b2c1-6ea8ac7c3f54"
      ]
    },
    {
      "type": "attack-action",
      "id": "attack-action--0941f1e9-24bd-43ab-b54b-ae01df08b989",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Malicious File",
      "description": "Lures victim into clicking\nto enable content that\nlaunches the code hidden\nin macros.",
      "effect_refs": [
        "attack-operator--f2b2f246-acf4-4169-b0d5-d492f9a6deb2"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--99955aa5-f418-42af-a69a-059600fdc68d",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "File or folder is whitelisted"
    },
    {
      "type": "tool",
      "id": "tool--8c5286e7-67a4-4950-bc2d-9087da482eed",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "name": "Salsa20 Stream Cipher",
      "description": "Encrypts files simultaneously with the Salsa20 algorithm",
      "tool_types": [
        "Algorithm"
      ]
    },
    {
      "type": "file",
      "id": "file--771a56bf-dad7-4ba1-bfae-547348bdee18",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "name": "9781xsd4-HOW-TO-DECRYPT.txt"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--ec339915-3ebf-4f76-920d-4845ceaee0c1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "encryption is successful"
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--9b7f41f6-e24d-4db8-bcf5-f3b71fde83b9",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "-nolan switch was passed to binary when launched"
    },
    {
      "type": "attack-action",
      "id": "attack-action--446454d9-1612-41b5-8f6a-d282e06b52af",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "name": "Network Share Discovery",
      "tactic_id": "TA0007",
      "tactic_ref": "x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9",
      "technique_id": "T1135",
      "technique_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f",
      "description": "REvil attempts to identify attached network shares and encrypt their contents",
      "effect_refs": [
        "attack-action--72266354-eb09-4f29-9704-2a6117285354"
      ]
    },
    {
      "type": "attack-condition",
      "id": "attack-condition--571e759e-0d01-4085-a240-395a3a0f5a0a",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "description": "Check if network configuration key is set to True"
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--f2b2f246-acf4-4169-b0d5-d492f9a6deb2",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "OR",
      "effect_refs": [
        "attack-action--1ec51403-5eeb-4d38-97b8-cf3b426303f9"
      ]
    },
    {
      "type": "windows-registry-key",
      "id": "windows-registry-key--f4978309-1523-4c05-b2b5-4d46d3bb6502",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\recfg\\stat"
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--791f3d02-c199-4b1f-a529-cc9d9049a26f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "OR",
      "effect_refs": [
        "attack-action--d65fcb15-abb0-4bc5-a97e-0ee5a1e7548c"
      ]
    },
    {
      "type": "process",
      "id": "process--e33fe116-5d8a-4ebd-b9c7-ddd07d7a8c17",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "command_line": "cmd.exe /c vssadmin.exe Delete Shadows / All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
    },
    {
      "type": "tool",
      "id": "tool--c852c2b1-e8ef-40ae-910c-ff5aba6cd35f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "name": "Batch Script",
      "description": "kill.bat",
      "tool_types": [
        "impact"
      ]
    },
    {
      "type": "tool",
      "id": "tool--325c268a-4f1f-490c-a68a-5009bf4d54a8",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "name": "ECIES algorithm and AES-256-CTR",
      "tool_types": [
        "Algorithm"
      ]
    },
    {
      "type": "vulnerability",
      "id": "vulnerability--5ea98d86-c33b-4f93-8488-e60cf6692ce1",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "name": "CVE-2018-8453",
      "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \"Win32k Elevation of Privilege Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers."
    },
    {
      "type": "attack-operator",
      "id": "attack-operator--4e9c4886-42d1-4799-be98-f24e9bdf4b50",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.651Z",
      "modified": "2026-06-11T23:57:51.651Z",
      "extensions": {
        "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
          "extension_type": "new-sdo"
        }
      },
      "operator": "OR",
      "effect_refs": [
        "attack-action--b1025067-bb3b-446f-aa45-d97591c24ef0"
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--b3bff374-d21a-4574-b983-7d1744665a26",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "malware--2f794d5d-9480-441a-b9a3-7e8249da8b59",
      "target_ref": "attack-action--94742c71-532b-4aa9-b437-41a9bb8f38d7"
    },
    {
      "type": "relationship",
      "id": "relationship--6ffb7fa0-3ee6-414b-baf0-89cb4eb2dda7",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "malware--2f794d5d-9480-441a-b9a3-7e8249da8b59",
      "target_ref": "attack-action--f0cc9e44-bcff-4902-94ee-1579a13d8d88"
    },
    {
      "type": "relationship",
      "id": "relationship--57c99401-b6ac-4a8e-b3ea-ecb134dc398f",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "malware--2f794d5d-9480-441a-b9a3-7e8249da8b59",
      "target_ref": "attack-action--0941f1e9-24bd-43ab-b54b-ae01df08b989"
    },
    {
      "type": "relationship",
      "id": "relationship--5a5afb6b-299a-4e99-9c55-7833b956c1fc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--817870ea-bc9d-4734-a36d-8e3d966b2bc7",
      "target_ref": "vulnerability--5ea98d86-c33b-4f93-8488-e60cf6692ce1"
    },
    {
      "type": "relationship",
      "id": "relationship--bb36a37e-35b3-40a6-b711-d80d759a75fc",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--72266354-eb09-4f29-9704-2a6117285354",
      "target_ref": "tool--8c5286e7-67a4-4950-bc2d-9087da482eed"
    },
    {
      "type": "relationship",
      "id": "relationship--468ce6b2-7cdc-4160-b228-d4272499570b",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--9bdfeccc-64f3-4338-b58d-62b528437dac",
      "target_ref": "file--771a56bf-dad7-4ba1-bfae-547348bdee18"
    },
    {
      "type": "relationship",
      "id": "relationship--4f0692c3-2614-4047-9537-5a4c8f8b9b2c",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--f5f61076-5c5d-43f8-ac93-bd72e76fc4bc",
      "target_ref": "tool--325c268a-4f1f-490c-a68a-5009bf4d54a8"
    },
    {
      "type": "relationship",
      "id": "relationship--949f0df6-c2f8-48dd-a351-7d643b61a996",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--b7bb4f4c-a1ce-4968-8887-0eb6516ec60e",
      "target_ref": "tool--c852c2b1-e8ef-40ae-910c-ff5aba6cd35f"
    },
    {
      "type": "relationship",
      "id": "relationship--c93e8c82-7863-4110-a14a-9e8a3b01abba",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-action--a85199ff-3207-4c2c-828e-c7f56244e5ef",
      "target_ref": "windows-registry-key--f4978309-1523-4c05-b2b5-4d46d3bb6502"
    },
    {
      "type": "relationship",
      "id": "relationship--794d76b3-02f0-48bf-b443-517ba5541406",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--99955aa5-f418-42af-a69a-059600fdc68d",
      "target_ref": "attack-action--72266354-eb09-4f29-9704-2a6117285354"
    },
    {
      "type": "relationship",
      "id": "relationship--34bfc6b4-18e2-4812-be2d-cc7674d4d666",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--ec339915-3ebf-4f76-920d-4845ceaee0c1",
      "target_ref": "attack-action--9bdfeccc-64f3-4338-b58d-62b528437dac"
    },
    {
      "type": "relationship",
      "id": "relationship--696a3233-e41a-4609-873a-8709b34a57ca",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--9b7f41f6-e24d-4db8-bcf5-f3b71fde83b9",
      "target_ref": "attack-action--446454d9-1612-41b5-8f6a-d282e06b52af"
    },
    {
      "type": "relationship",
      "id": "relationship--85c38169-efc5-4f85-8f97-e020796b5e9e",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--9b7f41f6-e24d-4db8-bcf5-f3b71fde83b9",
      "target_ref": "attack-action--72266354-eb09-4f29-9704-2a6117285354"
    },
    {
      "type": "relationship",
      "id": "relationship--f9e28a3f-5210-47a0-9335-ec35b0b74931",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--571e759e-0d01-4085-a240-395a3a0f5a0a",
      "target_ref": "attack-action--3cf7cc87-39df-481b-b31a-c253d405502f"
    },
    {
      "type": "relationship",
      "id": "relationship--b3a68bca-13b9-4ab2-9735-4ba9962aa4a3",
      "spec_version": "2.1",
      "created": "2026-06-11T23:57:51.652Z",
      "modified": "2026-06-11T23:57:51.652Z",
      "relationship_type": "related-to",
      "source_ref": "attack-condition--571e759e-0d01-4085-a240-395a3a0f5a0a",
      "target_ref": "attack-action--f5f61076-5c5d-43f8-ac93-bd72e76fc4bc"
    }
  ]
}