SOCRadar® Cyber Intelligence Inc. | Tracking Down Notorious Ransomware Actors with CTI 2.0


Jun 24, 2024
6 Mins Read

Tracking Down Notorious Ransomware Actors with CTI 2.0

Alex was talking to his security team when his boss called him into his office one day. News about ransomware attacks across the industry has been pretty popular lately, and his manager wanted to make sure that their firm would not join their competitors in those news reports. The responsibility to protect their systems and ensure that their data does not end up behind a paywall was Alex’s.

Alex’s boss, generated by DALL-E

Alex’s boss, generated by DALL-E

Alex did plan certain operations before but enhancing the security structure for the whole company against ransomware gangs was a different type of task. He had never done that before. Unfortunately, there was nobody to ask for help in his organization. Since his company operated in an industry that required discretion, he could not comfortably ask questions in online forums either. He was experienced in the information security field but he still desperately wanted something to guide him. The first step was very important, and at this point, he didn’t know where to start.

He realized his boss kept talking about how terrible it would be to pay a ransom, mentioning the legal and financial consequences, but since his mind was filled with thoughts, Alex missed half of what was said.

After reaching his desk, he started doing research on how to find a solution to this new task. Trying to understand ransomware gangs is a complicated task, and creating a long-term plan to strengthen the security structure of a company is even harder. However, during the research, he came across Dark Web Profile articles from SOCRadar. They were extremely detailed and showed useful information that he could benefit from. After checking their website, Alex saw that SOCRadar announced their new version lately, something called 2.0. He saw the enhanced Ransomware Intelligence and Threat Actor Intelligence modules they were advertising. Maybe that could help.

The IT room where Alex works, generated by DALL-E

The IT room where Alex works, generated by DALL-E

A Fresh Look at Ransomware Threats

After certain discussions within the company, they decided to try SOCRadar for free. After a while Alex returned to his desk he launched SOCRadar XTI, a tool designed to provide comprehensive intelligence about the latest threats in the cyber landscape.

Main dashboard of SOCRadar XTI

Main dashboard of SOCRadar XTI

While he was exploring the tool to find those advertised modules, he couldn’t help but think about the possibility of turning on his computer one day only to see a ransom message. He had a mortgage to pay.

“There you are!” he said, eagerly clicking on the Ransomware Intelligence button. He was welcomed with several dashboards and cards giving detailed information about the ransomware gangs, such as the malware they use and the vulnerabilities they abuse. That was a good start. He could utilize this information to find a starting point and plan his operation.

Ransomware Intelligence Module

Ransomware Intelligence Module

Afterward, he realized that he could filter out all the data available to narrow the target. This way, he could detect the most important threats to their industry. He searched for the necessary details about their country and the industry they operate in to see the ransomware threats. The module highlighted that 6 threat actors can target them. Their target countries and sectors were an exact match for Alex’s situation. Also, his boss was right about being concerned because of the news. The lines on the dashboard have been pretty steep lately. He had to create a plan to protect his company from 6 ransomware gangs now. “Better than 7!” he said.

After reaching out to this information, Alex decided to dive deep into these threat actors. Without the need to go to another platform, he was able to collect all the necessary information about these ransomware gangs from SOCRadar’s tools.

Detailed Threat Actor Intelligence Module

After this preliminary information collection, he just moved to the Threat Actor Intelligence module. Here, he saw even more detailed information about each threat actor. He collected information related to the vulnerabilities these criminals abuse. Some of the CVEs he saw there belonged to the products they use. Since they were not specific to their industry, he was not able to see them in the Ransomware Intelligence module when he filtered the data. He thought this additional module was pretty useful.

With this knowledge in hand, Alex quickly scheduled vulnerability assessments and updates for the company’s systems, focusing on high-risk CVEs. Since some of these CVEs were newly discovered, he made sure to patch those vulnerabilities right away. Thanks to the Ransomware Intelligence module, he was able to see them quickly.

He also had access to extensive intelligence on the malware employed by these threat actors, along with the corresponding ATT&CK IDs for each. Therefore, he checked each ATT&CK ID to identify the specific techniques that could be utilized by these adversaries. He directed the security team’s focus toward these techniques, ensuring that there were no misconfigured devices within the network that could be exploited.

Leveraging the advanced intelligence on the malware employed by these threat actors, he implemented several critical cybersecurity measures such as configuring Endpoint Detection and Response (EDR) systems to enhance threat visibility and responsiveness, as well as deploying customized YARA rules to identify and mitigate specific threats effectively. This way he significantly bolstered the defenses against ransom gangs that might target them.

Alex set up automated alerts to get the latest intelligence on those ransomware threats, ensuring that the company’s defenses will evolve alongside the threats. He knew SOCRadar would immediately notify him if any of these threat actors took action, enabling him to promptly protect his systems.

Servers Alex trying to protect, generated by DALL-E

Servers Alex trying to protect, generated by DALL-E


Ransomware threats have evolved into one of the most significant cybersecurity challenges facing organizations and individuals today. Taking swift action and cooperation is vital against those criminals. And this can’t be done only once. Security is not a one time thing and you need a product that gives accurate intelligence swiftly. You can utilize SOCRadar XTI to protect your company. Try our new release for a better experience and accurate intelligence.