TA505

Threat Actor updated 6 months ago (2024-05-04T20:17:40.039Z)

Download STIX

Preview STIX

TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersecurity and Infrastructure Agency (CISA) estimated that TA505 had compromised more than 3,000 US-based organizations and approximately 8,000 victims globally. This group has leveraged CL0P ransomware in its attacks and has exploited zero-day vulnerabilities such as the MOVEit exploit, emphasizing the need for enhanced cybersecurity measures. The group's recent campaigns have involved the use of Get2, a new downloader malware written in C++, and SDBbot, a new remote access Trojan (RAT) also written in C++ and delivered by the Get2 downloader. These campaigns culminated with the deployment of Get2 and SDBbot in September and October of 2019. Furthermore, TA505 has been linked to other criminal hacking groups like BeagleBoyz, potentially contracting them for initial access development. In addition to its own activities, TA505 has been associated with Raspberry Robin, a popular initial access option for threat actors contributing to major breaches of public and private sector organizations. Other crime groups associated with Raspberry Robin include EvilCorp, among others. This malware acts as an initial access broker for these groups, continually shifting its delivery methods and improving its stealthiness. Therefore, understanding TA505's operations and affiliations is crucial for developing effective defenses against this significant cyber threat.

Description last updated: 2024-05-04T16:08:43.607Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Clop is a possible alias for TA505. Clop, also known as Cl0p, is a ransomware group primarily targeting financial gain by holding data or services hostage. This Russian-speaking cybercriminal organization began exploiting a zero-day vulnerability, CVE-2023-34362, in Progress Software's MOVEit secure file transfer software on May 27, 2	9
fin11 is a possible alias for TA505. FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste	5
CVE-2023-34362 is a possible alias for TA505. CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it	4
Truebot is a possible alias for TA505. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow	3
cl0p is a possible alias for TA505. Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at	3
Lace Tempest is a possible alias for TA505. Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi	3
Snakefly is a possible alias for TA505. Snakefly, also known as FIN11 and TA505, is a threat actor known for its malicious activities primarily aimed at organizations in North America and Europe. The group is financially motivated and has been active since at least early 2019. Snakefly is particularly associated with the deployment of Cl0	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Clop

Ransomware

Malware

exploitation

Moveit

Zero Day

Exploit

Payload

Phishing

Mft

Cybercrime

Microsoft

Trojan

Vulnerability

Cobalt Strike

CISA

exploited

Extortion

Rat

Backdoor

Web Shell

Ransom

Papercut

Exploits

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Get2 Malware is associated with TA505. Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos	Unspecified	4
The FlawedGrace Malware is associated with TA505. FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo	Unspecified	4
The Dridex Malware is associated with TA505. Dridex is a notorious malware, specifically a banking Trojan, designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software was primarily used by the Russian cybercriminal group, Evil Corp, founded in 2014. The group ta	Unspecified	4
The Lobshot Malware is associated with TA505. Lobshot is a stealthy remote access malware that has been used by cybercriminals, notably Russian threat actors, in various malicious campaigns. It was featured alongside other well-known malware samples like DarkGate infostealer, Ducktail, and Redline in deceptive campaigns where it was embedded in	Unspecified	3
The truebot malware Malware is associated with TA505. Truebot malware is a malicious software that infiltrates computer systems, often without the user's knowledge, to exploit and damage the device. It was primarily delivered by cyber threat actors via malicious phishing email attachments, but newer versions observed in 2023 also gained initial access	Unspecified	2
The Dewmode Malware is associated with TA505. DEWMODE is a malicious web shell malware, written in PHP, designed to interact with MySQL databases and specifically target Accellion FTA devices. It operates by infiltrating the compromised network and exfiltrating data. During 2020-2021, threat actor group TA505 exploited several zero-day vulnerab	Unspecified	2
The Sdbot Malware is associated with TA505. SDBot is a malicious software, or malware, that has been leveraged by threat actors known as TA505 and CL0P to exploit vulnerabilities in computer systems. It is used as a backdoor to enable the execution of commands and functions in the compromised computer, often without the user's knowledge. The	Unspecified	2
The Raspberry Robin Malware is associated with TA505. Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obs	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Evil Corp Threat Actor is associated with TA505. Evil Corp, a threat actor based in Russia, has been identified as a significant cybersecurity threat due to its involvement in various malicious activities, including the deployment of Dridex malware. The group is led by Maksim Yakubets and has been sanctioned by the Treasury Department for its cybe	Unspecified	4
The FIN7 Threat Actor is associated with TA505. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The vulnerability CVE-2023-27351 is associated with TA505.	Unspecified	2
The CVE-2023-27350 Vulnerability is associated with TA505. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first upda	Unspecified	2

Source Document References

Information about the TA505 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	8 months ago	Raspberry Robin Jumps on 1-Day Bugs to Nest Deep in Windows Networks
Checkpoint	8 months ago	Raspberry Robin Keeps Riding the Wave of Endless 1-Days - Check Point Research
Checkpoint	8 months ago	12th February – Threat Intelligence Report - Check Point Research
Unit42	9 months ago	Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
CERT-EU	9 months ago	The Top 10 Ransomware Groups of 2023
InfoSecurity-magazine	10 months ago	2023 Cyber Threats: 26,000+ Vulnerabilities, 97 Beyond CISA List
CERT-EU	10 months ago	CyberTalk with Ray Canzanese
CERT-EU	a year ago	Threat Spotlight: Data Extortion Ransomware: Key Trends in 2023
CERT-EU	a year ago	Cyber Security Week In Review: November 17, 2023
CERT-EU	a year ago	SysAid Zero-Day Vulnerability Exploited by Threat Actors
CERT-EU	a year ago	Clop ransomware gang targets SysAid server bug
CERT-EU	a year ago	CVE-2023-47246: SysAid Flaw Used in Clop Ransomware Attacks
InfoSecurity-magazine	a year ago	MOVEit Gang Targets SysAid Customers With Zero-Day Attacks
CERT-EU	a year ago	Netskope Threat Labs report says highest percentage of cybercrime activity originates in Russia
CERT-EU	a year ago	Criminal groups focus on Australia and US
CERT-EU	a year ago	TA505 Hacker's Sneaky RMS Tool Phishing Campaign Detected
CERT-EU	a year ago	Clop at the top – but for how long? \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	a year ago	Clop at the top – but for how long?
CERT-EU	a year ago	Cyber Security Week in Review: September 8, 2023
CERT-EU	a year ago	Illinois a victim of CL0P's MOVEit ransomware attack \| #ransomware \| #cybercrime \| National Cyber Security Consulting