UNC1878

Threat Actor Profile Updated 2 months ago
UNC1878 is a financially motivated threat group tracked by Mandiant (MITRE ATT&CK lists the name alongside the same activity cluster) that monetizes network access primarily by deploying Ryuk ransomware; a large share of the post-compromise activity Mandiant attributed to the cluster ended in a Ryuk deployment. Vendor names that overlap with UNC1878 activity include Conti, Gold Blackburn, TrickBot, Trickman and Wizard Spider. Note that this list mixes actor designations (Wizard Spider, Gold Blackburn) with malware and ransomware family names (TrickBot, Conti), so treat it as a set of related clusters rather than strict synonyms. In the intrusions Mandiant described, the post-compromise TTPs were attributable to UNC1878 in most cases where Mandiant had visibility into them; some ransomware deployments, however, came from actors that may be unrelated and that obtained initial access through vulnerable VPN infrastructure. The group also features in a 2024 SentinelOne demonstration in which the Purple AI threat-hunting assistant was used to query telemetry (indicators of compromise, IP addresses, hashes) associated with UNC1878's TTPs inside a simulated environment. Seven Russian nationals were sanctioned by the U.S. and U.K., accused of aiding or participating in ransomware and cybercrime operations that include the activity tracked as UNC1878.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following names and profiles may overlap with this one and are worth checking.
ID | Votes | Profile Description
TrickBot | 1 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Wizard Spider | 1 | Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
Conti | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
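Resolving overlapping vendor names is a small data-structure problem: treat each vendor's alias list as an assertion that its names belong to one cluster, merge transitively, and check the result against any "do not merge" notes. The Python below is an added example, not code from this page or from any vendor. The alias assertions are constructed from the names listed above, the source labels are the page's own profile names rather than vendor attributions, and DISTINCT_PAIRS is a hypothetical analyst constraint included to show how transitive merging can over-merge.

```python
"""Resolve vendor threat-actor aliases into clusters with union-find.

Added example; not code from the page or any vendor. The alias assertions
are constructed from the names this page lists and are illustrative,
not a vetted mapping.
"""
import re
from collections import defaultdict

# Each assertion: (source label, names that source treats as one cluster).
# Constructed from the alias lists on this page; the labels are the page's
# own profile names, not vendor attributions.
ALIAS_ASSERTIONS = [
    ("profile:UNC1878", ["UNC1878", "Conti", "Gold Blackburn", "TrickBot",
                         "Trickman", "Wizard Spider"]),
    ("profile:Wizard Spider", ["Wizard Spider", "ITG23", "DEV-0193",
                               "Trickbot Group", "Fin12", "Grimspider"]),
]

# Hypothetical analyst note (constructed): names that must NOT share a cluster.
DISTINCT_PAIRS = [("Trickman", "Fin12")]


def normalize(name: str) -> str:
    """Matching key: case-insensitive, punctuation- and whitespace-free.
    Deliberately keeps words such as 'Group', so 'TrickBot' and
    'Trickbot Group' remain distinct keys unless a source links them."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, key):
        self.parent.setdefault(key, key)
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]  # path halving
            key = self.parent[key]
        return key

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(assertions):
    """Return ({root key: sorted display names}, {key: sources naming it})."""
    uf = UnionFind()
    display = {}                   # normalized key -> first display form seen
    provenance = defaultdict(set)  # normalized key -> sources that list it
    for source, names in assertions:
        keys = [normalize(n) for n in names]
        for n, k in zip(names, keys):
            display.setdefault(k, n)
            provenance[k].add(source)
        for k in keys[1:]:         # every name in one assertion joins the first
            uf.union(keys[0], k)
    clusters = defaultdict(list)
    for k in display:
        clusters[uf.find(k)].append(display[k])
    return {root: sorted(m) for root, m in clusters.items()}, dict(provenance)


def cluster_of(name, clusters):
    """Members of the cluster containing `name` (empty list if unknown)."""
    key = normalize(name)
    for members in clusters.values():
        if any(normalize(m) == key for m in members):
            return members
    return []


def merge_conflicts(clusters, distinct_pairs):
    """Pairs an analyst marked distinct that transitive merging joined."""
    return [(a, b) for a, b in distinct_pairs
            if cluster_of(a, clusters)
            and cluster_of(a, clusters) == cluster_of(b, clusters)]


if __name__ == "__main__":
    clusters, provenance = build_clusters(ALIAS_ASSERTIONS)
    print(cluster_of("itg23", clusters))
    print(merge_conflicts(clusters, DISTINCT_PAIRS))
```

Because the merge is transitive, a single loose assertion (here the page's own pairing of the malware name TrickBot with the actor name Wizard Spider) pulls every name into one cluster, and the hypothetical Trickman/Fin12 constraint is reported as violated. The conflict check is what surfaces that, so when feeding real vendor data in, keep actor and malware names in separate assertion sets and record provenance so a bad merge can be traced to its source.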
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
VPN
Cybercrime
Associated Malware
ID | Type | Votes | Profile Description
Ryuk | Unspecified | 2 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the UNC1878 threat actor was drawn from the document corpus below. This display is limited to 20 results.
Source (created): Title
InfoSecurity-magazine (2 months ago): #Infosec2024: Decoding SentinelOne’s AI Threat Hunting Assistant
MITRE (a year ago): Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser | Mandiant
CERT-EU (a year ago): No Ransomware Please, We're British | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security