{ "enterprise-attack": { "techniques": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [ { "type": "attack-pattern", "id": "attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-10-01 00:49:05.467000+00:00", "modified": "2020-10-05 02:15:01.325000+00:00", "name": "Botnet", "description": "Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1583/005", "external_id": "T1583.005" }, { "source_name": "Norton Botnet", "description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.", "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html" }, { "source_name": "Imperva DDoS for Hire", "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020.", "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/" }, { "source_name": "Krebs-Anna", "description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.", "url": "https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/" }, { "source_name": "Krebs-Bazaar", "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.", "url": "https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/" }, { "source_name": "Krebs-Booter", "description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017.", "url": "https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "PRE" ], "x_mitre_version": "1.0", "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems\\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)\", \"old_value\": \"Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems\\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stressor service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)\"}}}", "previous_version": "1.0", "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

Old Description
New Description
t1Before compromising a victim, adversaries may buy, lease, ort1Before compromising a victim, adversaries may buy, lease, or
> rent a network of compromised systems\u00a0that can be used duri> rent a network of compromised systems\u00a0that can be used duri
>ng targeting. A botnet is a network of compromised systems t>ng targeting. A botnet is a network of compromised systems t
>hat can be instructed to perform coordinated tasks.(Citation>hat can be instructed to perform coordinated tasks.(Citation
>: Norton Botnet) Adversaries may purchase a subscription to >: Norton Botnet) Adversaries may purchase a subscription to 
>use an existing botnet from a booter/stressor service. With >use an existing botnet from a booter/stresser service. With 
>a botnet at their disposal, adversaries may perform follow-o>a botnet at their disposal, adversaries may perform follow-o
>n activity such as large-scale [Phishing](https://attack.mit>n activity such as large-scale [Phishing](https://attack.mit
>re.org/techniques/T1566) or Distributed Denial of Service (D>re.org/techniques/T1566) or Distributed Denial of Service (D
>DoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)>DoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)
>(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)>(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)
", "changelog_mitigations": { "shared": [ "M1056: Pre-compromise" ], "new": [], "dropped": [] }, "changelog_detections": { "shared": [], "new": [], "dropped": [] } }, { "type": "attack-pattern", "id": "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-10-01 00:58:35.269000+00:00", "modified": "2020-10-22 18:03:23.751000+00:00", "name": "Botnet", "description": "Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1584/005", "external_id": "T1584.005" }, { "source_name": "Norton Botnet", "description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.", "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html" }, { "source_name": "Imperva DDoS for Hire", "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020.", "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/" }, { "source_name": "Dell Dridex Oct 2015", "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.", "url": "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "PRE" ], "x_mitre_version": "1.0", "detailed_diff": "{\"values_changed\": {\"root['description']\": {\"new_value\": \"Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet\\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).\", \"old_value\": \"Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet\\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stressor service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).\"}}}", "previous_version": "1.0", "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n

Old Description
New Description
t1Before compromising a victim, adversaries may compromise numt1Before compromising a victim, adversaries may compromise num
>erous third-party systems to form a botnet\u00a0that can be used >erous third-party systems to form a botnet\u00a0that can be used 
>during targeting. A botnet is a network of compromised syste>during targeting. A botnet is a network of compromised syste
>ms that can be instructed to perform coordinated tasks.(Cita>ms that can be instructed to perform coordinated tasks.(Cita
>tion: Norton Botnet) Instead of purchasing/renting a botnet >tion: Norton Botnet) Instead of purchasing/renting a botnet 
>from a booter/stressor service(Citation: Imperva DDoS for Hi>from a booter/stresser service(Citation: Imperva DDoS for Hi
>re), adversaries may build their own botnet by compromising >re), adversaries may build their own botnet by compromising 
>numerous third-party systems. Adversaries may also conduct a>numerous third-party systems. Adversaries may also conduct a
> takeover of an existing botnet, such as redirecting bots to> takeover of an existing botnet, such as redirecting bots to
> adversary-controlled C2 servers.(Citation: Dell Dridex Oct > adversary-controlled C2 servers.(Citation: Dell Dridex Oct 
>2015) With a botnet at their disposal, adversaries may perfo>2015) With a botnet at their disposal, adversaries may perfo
>rm follow-on activity such as large-scale [Phishing](https:/>rm follow-on activity such as large-scale [Phishing](https:/
>/attack.mitre.org/techniques/T1566) or Distributed Denial of>/attack.mitre.org/techniques/T1566) or Distributed Denial of
> Service (DDoS).> Service (DDoS).
", "changelog_mitigations": { "shared": [ "M1056: Pre-compromise" ], "new": [], "dropped": [] }, "changelog_detections": { "shared": [], "new": [], "dropped": [] } } ], "revocations": [], "deprecations": [], "deletions": [] }, "software": { "additions": [ { "type": "malware", "id": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14 16:46:06.044000+00:00", "modified": "2020-09-11 13:33:17.392000+00:00", "name": "Cobalt Strike", "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)", "revoked": false, "labels": [ "malware" ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0154", "external_id": "S0154" }, { "source_name": "cobaltstrike manual", "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.", "url": "https://cobaltstrike.com/downloads/csmanual38.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Cobalt Strike" ], "x_mitre_contributors": [ "Josh Abraham" ], "x_mitre_platforms": [ "Windows" ], "x_mitre_version": "1.5" } ], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [ { "type": "tool", "id": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14 16:46:06.044000+00:00", "modified": "2020-09-11 13:33:17.392000+00:00", "name": "Cobalt Strike", "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)", "revoked": false, "labels": [ "tool" ], "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0154", "external_id": "S0154" }, { "source_name": "cobaltstrike manual", "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.", "url": "https://cobaltstrike.com/downloads/csmanual38.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_aliases": [ "Cobalt Strike" ], "x_mitre_contributors": [ "Josh Abraham" ], "x_mitre_platforms": [ "Windows" ], "x_mitre_version": "1.4" } ] }, "groups": { "additions": [], "major_version_changes": [], "minor_version_changes": [ { "type": "intrusion-set", "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-12 18:15:29.396000+00:00", "modified": "2020-11-10 19:06:49.687000+00:00", "name": "Wizard Spider", "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider" ], "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0102", "external_id": "G0102" }, { "source_name": "UNC1878", "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" }, { "source_name": "TEMP.MixMaster", "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" }, { "source_name": "Grim Spider", "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" }, { "source_name": "CrowdStrike Ryuk January 2019", "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" }, { "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" }, { "source_name": "FireEye KEGTAP SINGLEMALT October 2020", "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" }, { "source_name": "FireEye Ryuk and Trickbot January 2019", "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" }, { "source_name": "CrowdStrike Grim Spider May 2019", "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_contributors": [ "Oleksiy Gayda" ], "x_mitre_version": "1.2", "detailed_diff": "{\"dictionary_item_removed\": {\"root['external_references'][3]['url']\": \"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2020-11-10 19:06:49.687000+00:00\", \"old_value\": \"2020-08-03 18:57:52.513000+00:00\"}, \"root['description']\": {\"new_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)\", \"old_value\": \"[Wizard Spider](https://attack.mitre.org/groups/G0102) is financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. (Citation: CrowdStrike Ryuk January 2019)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"UNC1878\", \"old_value\": \"TEMP.MixMaster\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"(Citation: FireEye KEGTAP SINGLEMALT October 2020)\", \"old_value\": \"(Citation: FireEye Ryuk and Trickbot January 2019)\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"TEMP.MixMaster\", \"old_value\": \"Grim Spider\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"(Citation: FireEye Ryuk and Trickbot January 2019)\", \"old_value\": \"(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Grim Spider\", \"old_value\": \"CrowdStrike Ryuk January 2019\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)\", \"old_value\": \"Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"CrowdStrike Ryuk January 2019\", \"old_value\": \"FireEye Ryuk and Trickbot January 2019\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.\", \"old_value\": \"Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/\", \"old_value\": \"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"DHS/CISA Ransomware Targeting Healthcare October 2020\", \"old_value\": \"CrowdStrike Grim Spider May 2019\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.\", \"old_value\": \"John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://us-cert.cisa.gov/ncas/alerts/aa20-302a\", \"old_value\": \"https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['aliases'][1]\": \"UNC1878\", \"root['external_references'][6]\": {\"source_name\": \"FireEye KEGTAP SINGLEMALT October 2020\", \"description\": \"Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.\", \"url\": \"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\"}, \"root['external_references'][7]\": {\"source_name\": \"FireEye Ryuk and Trickbot January 2019\", \"description\": \"Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.\", \"url\": \"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html\"}, \"root['external_references'][8]\": {\"source_name\": \"CrowdStrike Grim Spider May 2019\", \"description\": \"John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.\", \"url\": \"https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/\"}}}", "previous_version": "1.1", "version_change": "1.1 \u2192 1.2", "description_change_table": "\n \n \n \n \n \n \n \n \n \n \n \n \n

Old Description
New Description
t1[Wizard Spider](https://attack.mitre.org/groups/G0102) is fit1[Wizard Spider](https://attack.mitre.org/groups/G0102) is a 
>nancially motivated group that has been conducting ransomwar>financially motivated criminal group that has been conductin
>e campaigns since at least August 2018, primarily targeting >g ransomware campaigns since at least August 2018 against a 
>large organizations. (Citation: CrowdStrike Ryuk January 201>variety of organizations, ranging from major corporations to
>9)> hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citatio
 >n: DHS/CISA Ransomware Targeting Healthcare October 2020)
" } ], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "campaigns": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "mitigations": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "datasources": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "datacomponents": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] } }, "mobile-attack": { "techniques": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "software": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "groups": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "campaigns": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "mitigations": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "datasources": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "datacomponents": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] } }, "ics-attack": { "techniques": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "software": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "groups": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "campaigns": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "mitigations": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "datasources": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] }, "datacomponents": { "additions": [], "major_version_changes": [], "minor_version_changes": [], "other_version_changes": [], "patches": [], "revocations": [], "deprecations": [], "deletions": [] } }, "new-contributors": [ "Daniyal Naeem, @Mrdaniyalnaeem", "Josh Abraham", "Robert Simmons, @MalwareUtkonos" ] }