UNC1878

Threat Actor updated 23 days ago (2024-11-29T13:35:19.247Z)
Download STIX
Preview STIX
UNC1878, tracked by Mandiant and identified by MITRE, is a notable threat actor involved in various cybercrime enterprises. This group is financially motivated and primarily monetizes network access via the deployment of Ryuk ransomware. A significant proportion of post-compromise activity linked to UNC1878 involves the distribution of this particular ransomware. The group has been associated with multiple brand names and code names including Conti, Gold Blackburn, TrickBot, Trickman, and Wizard Spider. In many instances where Mandiant had visibility into post-compromise Tactics, Techniques, and Procedures (TTPs), these were attributable to UNC1878. The group's activities have been tracked using Purple AI, which gathers telemetry associated with UNC1878 and other linked groups, providing comprehensive data including Indicators of Compromise (IOCs), IP addresses, hashes, and other elements related to UNC1878’s TTPs within the simulated system. Interestingly, some threat actors, potentially unrelated to UNC1878, have been observed gaining access to environments through vulnerable VPN infrastructures before deploying ransomware. Seven Russians were recently sanctioned by the U.S. and U.K., accused of aiding or participating in multiple ransomware and cybercrime enterprises, one of which includes UNC1878. This highlights the global nature of the threat landscape and the necessity for continuous vigilance and effective cybersecurity measures.
Description last updated: 2024-05-29T11:16:16.843Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Ryuk Malware is associated with UNC1878. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
2
Source Document References
Information about the UNC1878 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more