# Ransomware
> Ransomware and cryptoviruses hijack data and systems for financial extortion. This is the category with the greatest documented operational impact on Brazilian and Latin American organizations.
> [!danger] Critical Threat to Brazil
> Brazil is consistently one of the countries most affected by ransomware in Latin America. Groups such as LockBit, Akira and BlackCat (ALPHV) have carried out confirmed attacks against Brazilian hospitals, energy companies and government agencies.
## How It Works
Modern ransomware follows a **double extortion** model: besides encrypting the victim's data, the operators exfiltrate sensitive information and threaten to publish it on "leak sites" if the ransom is not paid. More aggressive groups adopt **triple extortion**, adding DDoS attacks as additional pressure.
```mermaid
graph TB
A["🎯 Acesso Inicial<br/>Phishing / VPN vuln / RDP"] --> B["🔍 Reconhecimento<br/>BloodHound / Netscan"]
B --> C["⬆️ Escalada de Privilegios<br/>Mimikatz / PrintNightmare"]
C --> D["🔀 Movimento Lateral<br/>PsExec / Impacket / WMI"]
D --> E["📤 Exfiltracao<br/>Rclone / MegaSync"]
E --> F["💥 Impacto<br/>Ransomware payload"]
F --> G["💰 Extorsao<br/>Leak site + negociacao"]
style A fill:#e74c3c,color:#fff
style B fill:#e67e22,color:#fff
style C fill:#f39c12,color:#fff
style D fill:#d35400,color:#fff
style E fill:#8e44ad,color:#fff
style F fill:#c0392b,color:#fff
style G fill:#922b21,color:#fff
```
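A defender-side example added here (not part of the original note): a small Python detector that maps process-creation events to the stages of the kill chain above and escalates when a single host shows either recovery tampering (T1490, linked under Related) or three or more stages. The `host|user|command_line` log format, the regexes and the sample events are constructed for this example.

```python
import re
from collections import defaultdict
# Kill-chain stages from the diagram above, with patterns for the tooling
# named there. Regexes are illustrative; tune them against your own telemetry.
STAGE_RULES = [
    ("reconnaissance", re.compile(r"sharphound|bloodhound|netscan", re.I)),
    ("privilege_escalation", re.compile(r"mimikatz|sekurlsa::", re.I)),
    ("lateral_movement", re.compile(r"\bpsexe(c|svc)\b|wmic\s+/node:|wmiexec", re.I)),
    ("exfiltration", re.compile(r"\brclone\b.*\b(copy|sync)\b|megasync", re.I)),
    # Recovery tampering (T1490) normally happens just before the payload runs.
    ("inhibit_recovery", re.compile(r"vssadmin.*delete\s+shadows|wmic\s+shadowcopy\s+delete"
                                    r"|bcdedit.*recoveryenabled\s+no", re.I)),
]
HIGH_FIDELITY = {"inhibit_recovery"}  # a single hit is enough to alert
MIN_STAGES = 3                        # otherwise require a chain on one host

def classify(command_line):
    """Return the kill-chain stage a command line matches, or None."""
    for stage, pattern in STAGE_RULES:
        if pattern.search(command_line):
            return stage
    return None

def analyze(log_lines):
    """Parse 'host|user|command_line' lines; return {host: (stages, verdict)}."""
    seen = defaultdict(set)
    for line in log_lines:
        host, _user, cmd = line.split("|", 2)
        stage = classify(cmd)
        if stage:
            seen[host].add(stage)
    verdicts = {}
    for host, stages in seen.items():
        if stages & HIGH_FIDELITY or len(stages) >= MIN_STAGES:
            verdicts[host] = (sorted(stages), "probable ransomware intrusion")
        else:
            verdicts[host] = (sorted(stages), "suspicious, monitor")
    return verdicts

# Constructed sample events (not real telemetry) mirroring the diagram's stages.
SAMPLE_LOG = [
    "DC01|corp\\jsilva|C:\\Users\\Public\\SharpHound.exe -c All",
    "DC01|corp\\jsilva|mimikatz.exe privilege::debug sekurlsa::logonpasswords",
    "DC01|corp\\jsilva|psexec.exe \\\\FS02 -s cmd.exe /c whoami",
    "FS02|corp\\svc_backup|rclone.exe copy D:\\Finance mega:dump --transfers 16",
    "WS17|corp\\maria|C:\\Windows\\System32\\notepad.exe report.txt",
    "WS17|corp\\maria|vssadmin.exe delete shadows /all /quiet",
]

if __name__ == "__main__":
    for host, (stages, verdict) in analyze(SAMPLE_LOG).items():
        print(f"{host}: {verdict} ({', '.join(stages)})")
```

In production the same correlation would run over a sliding time window and feed the backup and segmentation controls listed under Defenses below rather than a print statement.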
**Operating models:**
- **RaaS (Ransomware-as-a-Service)** - Developers lease the ransomware to affiliates who carry out the attacks. E.g., LockBit, BlackCat, Hive.
- **Independent groups** - Develop and operate their own ransomware. E.g., Conti (shut down), WannaCry.
- **Disguised wiper** - Malware that presents itself as ransomware but offers no decryption. E.g., NotPetya, WhisperGate.
## Catalogued Families
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome", status AS "Status", used-by AS "Grupos Operadores"
FROM "cti/software/malware/ransomware"
WHERE type = "malware"
SORT title ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nome", status AS "Status", used-by AS "Grupos Operadores" FROM "cti/software/malware/ransomware" WHERE type = "malware" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nome", status AS "Status", used-by AS "Grupos Operadores" FROM "cti/software/malware/ransomware" WHERE type = "malware" SORT title ASC -->
| Name | Status | Operating Groups |
| ---------------------------------------------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [[s1129-akira\|Akira]] | active | <ul><li>[[akira-group\|Akira RaaS Group]]</li></ul> |
| [[s1194-akira-v2\|Akira _v2]] | active | <ul><li>[[cti/groups/g1024-akira.md\|Akira]]</li></ul> |
| [[s0640-avaddon\|Avaddon]] | active | <ul><li>\-</li></ul> |
| [[s1053-avoslocker\|AvosLocker]] | inactive | <ul><li>\-</li></ul> |
| [[s0638-babuk\|Babuk]] | inactive | <ul><li>\-</li></ul> |
| [[bitpaymer\|BitPaymer]] | active | <ul><li>[[g0119-indrik-spider\|Indrik Spider]]</li></ul> |
| [[black-basta\|Black Basta]] | active | <ul><li>[[g1046-storm-1811\|Storm-1811]]</li><li>[[g0046-fin7\|FIN7]]</li><li>[[water-curupira\|Water Curupira]]</li></ul> |
| [[s1181-blackbyte-20-ransomware\|BlackByte 2.0 Ransomware]] | active | <ul><li>[[g1043-blackbyte\|BlackByte]]</li></ul> |
| [[s1180-blackbyte-ransomware\|BlackByte Ransomware]] | active | <ul><li>[[g1043-blackbyte\|BlackByte]]</li></ul> |
| [[blackcat\|BlackCat]] | inactive | <ul><li>[[g1015-scattered-spider\|Scattered Spider]]</li><li>[[alphv-blackcat-group\|ALPHV/BlackCat Group]]</li></ul> |
| [[s1096-cheerscrypt\|Cheerscrypt]] | active | <ul><li>[[g1021-cinnamon-tempest\|Cinnamon Tempest]]</li></ul> |
| [[conti\|Conti]] | inactive | <ul><li>[[g0102-conti-group\|Wizard Spider]]</li></ul> |
| [[crypt0l0cker\|Crypt0L0cker]] | inactive | <ul><li>\-</li></ul> |
| [[cubaransomware\|Cuba Ransomware]] | active | <ul><li>[[tropical-scorpius\|Tropical Scorpius]]</li></ul> |
| [[s0616-deathransom\|DEATHRANSOM]] | active | <ul><li>\-</li></ul> |
| [[dharma\|Dharma]] | active | <ul><li>\-</li></ul> |
| [[djvu-stop\|DJVU/STOP Ransomware]] | active | <ul><li>\-</li></ul> |
| [[doppelpaymer\|DoppelPaymer]] | inactive | <ul><li>[[g0119-indrik-spider\|Evil Corp]]</li></ul> |
| [[cti/software/malware/ransomware/dragonforce-ransomware.md\|DragonForce Ransomware]] | active | <ul><li>\-</li></ul> |
| [[s0605-ekans\|EKANS]] | active | <ul><li>\-</li></ul> |
| [[cti/software/malware/ransomware/exitium-ransomware.md\|Exitium Ransomware]] | active | <ul><li>\-</li></ul> |
| [[s0618-fivehands\|FIVEHANDS]] | active | <ul><li>\-</li></ul> |
| [[globe-ransomware\|Globe Ransomware]] | active | <ul><li>\-</li></ul> |
| [[hellokitty\|HELLOKITTY]] | active | <ul><li>\-</li></ul> |
| [[hiddensoul\|HiddenSoul]] | active | <ul><li>\-</li></ul> |
| [[hive-ransomware\|Hive Ransomware]] | inactive | <ul><li>[[cti/groups/hunters-international.md\|Hunters International]]</li></ul> |
| [[s1139-inc-ransomware\|INC Ransomware]] | active | <ul><li>[[g1032-inc-ransom\|INC Ransom]]</li></ul> |
| [[cti/software/malware/ransomware/interlock-ransomware.md\|Interlock Ransomware]] | active | <ul><li>\-</li></ul> |
| [[s0389-jcry\|JCry]] | active | <ul><li>\-</li></ul> |
| [[s1199-lockbit-20\|LockBit 2.0]] | inactive | <ul><li>[[lockbit-group\|LockBit Group]]</li></ul> |
| [[s1202-lockbit-30\|LockBit 3.0]] | active | <ul><li>[[lockbit-operators\|LockBit Operators]]</li><li>[[g0046-fin7\|FIN7]]</li><li>[[g0119-indrik-spider\|Evil Corp]]</li></ul> |
| [[maze\|Maze]] | inactive | <ul><li>[[g0037-fin6\|FIN6]]</li><li>[[ta2101\|TA2101]]</li></ul> |
| [[s0576-megacortex\|MegaCortex]] | active | <ul><li>\-</li></ul> |
| [[s1191-megazord\|Megazord]] | active | <ul><li>[[cti/groups/g1024-akira.md\|Akira]]</li></ul> |
| [[s0457-netwalker\|Netwalker]] | inactive | <ul><li>\-</li></ul> |
| [[s0556-pay2key\|Pay2Key]] | active | <ul><li>[[g0117-fox-kitten\|Fox Kitten]]</li></ul> |
| [[play\|Play Ransomware]] | active | <ul><li>[[play-ransomware-group\|Play Ransomware Group]]</li></ul> |
| [[s1162-playcrypt\|Playcrypt]] | active | <ul><li>[[g1040-play\|Play]]</li></ul> |
| [[s1058-prestige\|Prestige]] | active | <ul><li>[[g0034-sandworm\|Sandworm Team]]</li></ul> |
| [[s0654-prolock\|ProLock]] | inactive | <ul><li>\-</li></ul> |
| [[s0583-pysa\|Pysa]] | inactive | <ul><li>\-</li></ul> |
| [[s0481-ragnar-locker\|Ragnar Locker]] | inactive | <ul><li>[[g0061-fin8\|FIN8]]</li></ul> |
| [[s0496-revil\|REvil]] | inactive | <ul><li>[[g0046-fin7\|FIN7]]</li><li>[[g0115-gold-southfield\|GOLD SOUTHFIELD]]</li></ul> |
| [[cti/software/malware/ransomware/rhysida.md\|Rhysida]] | active | <ul><li>[[cti/groups/vice-society.md\|vice-society]]</li></ul> |
| [[s1150-roadsweep\|ROADSWEEP]] | active | <ul><li>\-</li></ul> |
| [[s0400-robbinhood\|RobbinHood]] | active | <ul><li>\-</li></ul> |
| [[s1073-royal-blacksuit\|Royal / BlackSuit]] | active | <ul><li>[[conti\|ex-Conti operators]]</li></ul> |
| [[s0446-ryuk\|Ryuk]] | inactive | <ul><li>[[g0102-conti-group\|WIZARD SPIDER]]</li></ul> |
| [[s0612-wastedlocker\|WastedLocker]] | active | <ul><li>[[g0119-indrik-spider\|Indrik Spider]]</li></ul> |
<!-- SerializedQuery END -->
> [!info] Statistics
> **18 families** catalogued - **8 active** - RaaS model dominant since 2020 - Double extortion adopted by 90% of active groups
## Defenses and Mitigations
- [[m1053-data-backup|M1053 - Data Backup]] - Immutable, offline backups, tested regularly
- [[m1026-privileged-account-management|M1026 - Privileged Account Management]] - Limit administrative privileges
- [[m1049-antivirus-antimalware|M1049 - Antivirus/Antimalware]] - EDR with behavioral detection
- [[m1030-network-segmentation|M1030 - Network Segmentation]] - Isolate critical systems
- [[ir-ransomware-akira|Playbook - Akira Ransomware Response]]
## Related
[[_malware]] - [[_groups]] - [[_campaigns]] - [[t1486-data-encrypted-for-impact|T1486 - Data Encrypted for Impact]] - [[t1490-inhibit-system-recovery|T1490 - Inhibit System Recovery]]