MITRE ATT&CK technique

T1133

View the official technique description on attack.mitre.org

Tracked actors using this technique · 12

8Base

8base

Russian-speaking ransomware-as-a-service operation that emerged in 2022 as a Phobos affiliate, deploying a modified Phobos encryptor with double-extortion tactics. Targeted small and medium-sized bus…

RU · Russia · Ransomware · High confidence
1 alias · 4 TTPs · 1 event

Akira

akira

Ransomware-as-a-service operation active since March 2023, characterized by an unusually retro 1980s-terminal-styled leak site. CISA estimated $42M+ in extracted ransoms across 250+ organizations wit…

?? · Unknown · Ransomware · Moderate confidence
1 alias · 4 TTPs · 5 events

APT10

apt10

PRC state-sponsored intrusion set publicly attributed by the U.S. DOJ to the Ministry of State Security's Tianjin State Security Bureau, operating through Huaying Haitai. Best known for the Cloud Hop…

CN · China · APT · High confidence
6 aliases · 4 TTPs · 1 event

APT28

apt28

Russian military-intelligence (GRU Unit 26165) intrusion set. Long-running espionage operations against military, government, political, and media targets, including the 2016 DNC intrusion and sustai…

RU · Russia · APT · High confidence
4 aliases · 4 TTPs · 3 events

APT31

apt31

PRC state-sponsored intrusion set publicly attributed to the Ministry of State Security's Hubei State Security Department, operating through the front company Wuhan Xiaoruizhi Science and Technology…

CN · China · APT · High confidence
4 aliases · 4 TTPs · 5 events

APT33

apt33

Iranian state-sponsored actor with strategic intelligence interest in the global energy supply chain. Long-running password-spray and credential-theft campaigns against aviation and defense industria…

IR · Iran · APT · Moderate confidence
4 aliases · 4 TTPs · 1 event

APT40

apt40

Chinese state-sponsored cyberespionage actor publicly attributed to the Ministry of State Security (MSS) Hainan State Security Department. Targets maritime industries, defense, government, and resear…

CN · China · APT · High confidence
5 aliases · 4 TTPs · 2 events

Hive

hive

Russian-speaking ransomware-as-a-service operation active from mid-2021 through January 2023. Best known publicly for the May 2022 compromise of the Costa Rican government — which prompted Costa Rica…

?? · Unknown · Ransomware · Moderate confidence
0 aliases · 4 TTPs · 2 events

Pioneer Kitten

pioneer-kitten

Iranian state-affiliated intrusion set publicly attributed by FBI, CISA, and DC3 in joint advisory AA24-241A as connected to the Government of Iran and operating partly through an Iranian IT-services…

IR · Iran · APT · High confidence
5 aliases · 4 TTPs · 1 event

Play

play

Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…

?? · Unknown · Ransomware · Moderate confidence
2 aliases · 4 TTPs · 6 events

Qilin

qilin

Russian-speaking ransomware-as-a-service operation tracked by vendors as Qilin (and earlier as Agenda). Best known publicly for the 3 June 2024 compromise of Synnovis — the pathology-services provide…

?? · Unknown · Ransomware · Low confidence
1 alias · 4 TTPs · 2 events

RansomHub

ransomhub

Russian-speaking ransomware-as-a-service operation announced via RAMP forum on 2 February 2024 by a user 'koley', widely assessed as the primary destination for displaced ALPHV/BlackCat and LockBit a…

?? · Unknown · Ransomware · Moderate confidence
2 aliases · 4 TTPs · 1 event