Total Victims: 0
First Seen: 2016-03-01
Last Seen: 2017-08-16
Known TTPs: 15
Avg Delay: 29.8d
Negotiations: 0
ONION URLS
inkt4d5aixt6tnczayqlzy4wi6fy6zsfiwx27upbz5bflggpafwrkcq5.onion
TOOLS
WinSCP, PowerTool, 7-Zip, MegaSync, ngrok
FILE EXTENSIONS
.locked
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date Victim Name Country Sector Status
No victims recorded
Technique ID Technique Name Tactic
T1074.001 Local Data Staging Collection
T1219 Remote Access Software Command and Control
T1572 Protocol Tunneling Command and Control
T1218.011 Rundll32 Defense Evasion
T1562.009 Safe Mode Boot Defense Evasion
T1082 System Information Discovery Discovery
T1059.001 PowerShell Execution
T1059.003 Windows Command Shell Execution
T1041 Exfiltration Over C2 Channel Exfiltration
T1567.002 Exfiltration to Cloud Storage Exfiltration
T1133 External Remote Services Initial Access
T1190 Exploit Public-Facing Application Initial Access
T1566.002 Spearphishing Link Initial Access
T1021.004 SSH Lateral Movement
T1570 Lateral Tool Transfer Lateral Movement

No YARA rules

Type Value Description
email decrypt926@firemail.cc Contact email observed in PoseidonCrew attacks
ip 29.68.239.198 C2 server IP observed in PoseidonCrew attacks
email info92@keemail.me Infrastructure linked to PoseidonCrew
tox AA81F54881EA5315E3D6F72135293D2F98DD30CD117C2463B3DABD77ECDACAFCA93E1A70F9E4 Tox messenger ID observed in PoseidonCrew attacks
email admin715@keemail.me Contact email observed in PoseidonCrew attacks
ip 148.130.56.25 C2 server IP - PoseidonCrew campaign
sha256 af4dbb6e0af9c642ce72982020c2ba6d49721b48dd6380d8027135c913a6a3b1 Ransomware binary hash observed in PoseidonCrew attacks
md5 665cc4e01881634f2995f260793c7a24 Malware sample hash observed in PoseidonCrew attacks
email info500@cock.li Associated with PoseidonCrew ransomware
email help731@onionmail.org Contact email - PoseidonCrew campaign
ip 70.232.168.150 Associated with PoseidonCrew ransomware
btc bc1quh9z6e82840fuzc6qonc0gy1zw1oyk6ptpa3du Bitcoin ransom address observed in PoseidonCrew attacks

No ransom notes