Official Alerts & Statements - FBI

Official FBI updates to help stakeholders guard against the ever-evolving ransomware threat environment. These advisories, FBI Flashes, FBI Private Industry Notifications (PINs) and joint statements are designed to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.

  • FBI FLASH (CU-000163-MW): RagnarLocker Ransomware Indicators of Compromise
    • The FBI first became aware of RagnarLocker in April 2020 and subsequently produced a FLASH to disseminate known indicators of compromise (IOCs) at that time. This FLASH provides updated and additional IOCs to supplement that report. As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.
  • FBI PIN (20211101-001): Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims
    • The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.
  • FBI FLASH (CU-000154-MW): Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
    • The FBI first observed Hello Kitty/FiveHands ransomware in January 2021. Hello Kitty/FiveHands actors aggressively apply pressure to victims, typically using the double extortion technique. In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company’s public-facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay. If no ransom is paid, the threat actors will post victim data to the Babuk site (payload.bin) or sell it to a third-party data broker.
  • FBI PIN (20210901-001): Cyber Criminal Actors Targeting the Food and Agriculture Sector with Ransomware Attack
    • Ransomware attacks targeting the Food and Agriculture sector disrupt operations, cause financial loss, and negatively impact the food supply chain. Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cyber criminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems.
  • FBI Flash (CU-000153-MW): Indicators of Compromise Associated with Ranzy Locker Ransomware
    • The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021.
  • FBI Flash (MC-000150-MW): Indicators of Compromise Associated with Hive Ransomware
    • Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
  • FBI Flash (CU-000149-MW): Indicators of Compromise Associated with OnePercent Group Ransomware
    • The FBI has learned of a cyber-criminal group that self-identifies as the “OnePercent Group” and that has used Cobalt Strike to perpetrate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user.
  • Joint Cybersecurity Advisory: Ransomware Awareness for Holidays and Weekends
    • Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months this year. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.
  • Joint Cybersecurity Advisory: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks 
    • CISA and FBI are aware of a ransomware attack affecting a critical infrastructure (CI) entity, a pipeline company, in the United States. Malicious cyber actors deployed DarkSide ransomware, a ransomware-as-a-service (RaaS) variant, against the pipeline company's information technology (IT) network. This joint advisory provides technical details on the DarkSide actors, some of their known tactics and preferred targets, and recommended best practices for preventing business disruption from ransomware attacks.
    • Current Activity: Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware 
      • On May 19, a downloadable STIX file of indicators of compromise (IOCs) was added to the advisory to help network defenders find and mitigate activity associated with DarkSide ransomware. 
  • FBI Flash (CP-000147-MW): Conti Ransomware Attacks Impact Healthcare and First Responder Networks
    • The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities. 
  • FBI Flash (CU-000143-MW): Mamba Ransomware Weaponizing DiscCryptor
    • Joint FBI and CISA coordinated product on Mamba Ransomware, provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.
  • Joint Alert (AA21-076A): TrickBot Malware
    • CISA and FBI have observed continued sophisticated spearphishing campaigns using TrickBot malware in North America. Cybercrime actors are luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot, a Trojan first identified in 2016. Attackers can use TrickBot to drop other malware, such as Ryuk and Conti ransomware, or serve as an Emotet downloader. 
  • FBI Flash (CP-000142-MW): Increase in PYSA Ransomware Targeting Education Institutions
    • Joint FBI and CISA coordinated product on PYSA Ransomware, provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.
  • FBI Private Industry Notification (PIN#: 20210106-001): Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data
    • Joint FBI and CISA coordinated product on Egregor Ransomware, provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors.
  • FBI Public Service Announcement (I-121520-PSA): Transition to Distance Learning Creates Opportunities for Cyber Actors to Disrupt Instruction and Steal Data
    • Joint FBI and CISA Public Service Announcement (PSA) raising awareness for parents and caregivers of school-age children about potential disruptions to schools and compromises of private information, as cyber actors exploit remote learning vulnerabilities. 
  • Joint Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector
    • Joint cybersecurity advisory from CISA, the FBI, and the Department of Health and Human Services (HHS), describing the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
  • Joint Alert (AA20-106A): Guidance on the North Korean Cyber Threat
    • This advisory from the U.S. Departments of State, the Treasury, and Homeland Security, and the FBI is a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public, and it provides recommended steps to mitigate the threat. 
  • Joint Alert (AA18-337A): SamSam Ransomware
    • DHS and the FBI issued this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A.