UNC1878

Also known as: UNC1878

Profile

UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on UNC1878, a fast-moving adversary deploying RYUK ransomware. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions, with RYUK activity overall almost completely vanishing over the summer. Beginning in early fall, however, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed its operations.

Aliases· 1

UNC1878

References

  1. https://twitter.com/anthomsec/status/1321865315513520128
  2. https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
  3. https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
  4. https://www.youtube.com/watch?v=CgDtm05qApE
  5. https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

Actor: UNC3886
Actor: UNC1860
Actor: UNC3973
Actor: UNC3524
Actor: UNC2447
Actor: UNC6148

Sourced from MISP-Galaxy Threat Actor cluster. Curated by Adam Lundqvist, Founder at SQUR.