Important
- This is a collection of OSINT reports of CVEs being weaponized by various ransomware adversaries, which have been broken down below
- This repository draws on resources that researchers have shared in the past
- This project, however, has provided additional information such as specifying which ransomware gangs have used the vulnerabilities as well as sources for independent verification
- This Matrix was created as a public knowledge base to be used by CTI analysts researching ransomware groups, TVM teams seeking to prioritise patching, and DFIR teams looking to assess a ransomware victim's exposure
- This project is similar to another collection I created called the Ransomware Tool Matrix
Tip
This repo also covers multiple types of ransomware adversaries, including the ransomware gangs themselves, affiliates, and initial access brokers
- Ransomware Gangs: In this repo, a vulnerability associated with a ransomware gang means that the vulnerability was observed being exploited in an intrusion that resulted in the deployment of that ransomware family
- Affiliates: A threat group in this repo with an asterisk at the end (e.g. Scattered Spider*) is a ransomware affiliate, which has access to one or more ransomware families
- Initial Access Brokers: A threat group in this repo with an asterisk at the start (e.g. *Prophet Spider) is an Initial Access Broker (IAB), which sells access to one or more ransomware gangs
- State-sponsored: A threat group in this repo with a plus sign at the end (e.g. DarkBit+) is a suspected state-sponsored adversary using ransomware, such as those from Iran, DPRK, Russia, or China
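The marker convention above can be parsed mechanically when pulling matrix entries into a patching or triage workflow. The following is an added example, not code from this repository: the function names, the type strings, the placeholder vulnerability ids, the `ExampleGang` label, and the rule that combined markers are rejected are all assumptions.

```python
from collections import defaultdict

def parse_adversary(label):
    """Return (name, adversary_type) for one adversary label from the matrix."""
    text = label.strip()
    leading_star = text.startswith("*")
    trailing_star = text.endswith("*") and len(text) > 1
    trailing_plus = text.endswith("+")
    if sum((leading_star, trailing_star, trailing_plus)) > 1:
        # Assumption: the legend defines no combined markers, so reject them.
        raise ValueError(f"ambiguous adversary label: {label!r}")
    if leading_star:
        name, kind = text[1:], "initial_access_broker"   # *Name
    elif trailing_star:
        name, kind = text[:-1], "affiliate"              # Name*
    elif trailing_plus:
        name, kind = text[:-1], "state_sponsored"        # Name+
    else:
        name, kind = text, "ransomware_gang"             # no marker
    name = name.strip()
    if not name:
        raise ValueError(f"adversary label has no name: {label!r}")
    return name, kind

def group_by_type(rows):
    """Map adversary type -> {name: sorted vulnerability ids} for (id, label) rows."""
    grouped = defaultdict(lambda: defaultdict(set))
    for vuln_id, label in rows:
        name, kind = parse_adversary(label)
        grouped[kind][name].add(vuln_id)
    return {kind: {name: sorted(ids) for name, ids in names.items()}
            for kind, names in grouped.items()}

# Constructed sample rows: placeholder ids, labels taken from the legend's examples
# plus one hypothetical unmarked gang name.
SAMPLE_ROWS = [
    ("VULN-PLACEHOLDER-1", "Scattered Spider*"),
    ("VULN-PLACEHOLDER-2", "*Prophet Spider"),
    ("VULN-PLACEHOLDER-2", "DarkBit+"),
    ("VULN-PLACEHOLDER-3", "ExampleGang"),
    ("VULN-PLACEHOLDER-1", "ExampleGang"),
]

if __name__ == "__main__":
    for kind, names in group_by_type(SAMPLE_ROWS).items():
        print(kind, names)
```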