ROADSWEEP
Ransomware, 1 mutex signature
[BASIC_INFORMATION]
FAMILY_NAME:
ROADSWEEP
CATEGORY:
RANSOMWARE
DESCRIPTION:
ROADSWEEP is a ransomware family that has been associated with likely Iranian threat actors conducting politically motivated disruptive activities. The malware is designed to encrypt files on victim systems and demand payment for decryption. It has been observed using stolen certificates and employing sophisticated techniques to evade detection.
ALIASES:
ROADSWEEP Ransomware
TAGS:
file_encryption, extortion, iranian_threat_actor, politically_motivated, stolen_certificates, disruptive_activity
[MUTEX_SIGNATURES] (1)
[MUTEX_01]
abcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890
ANALYST: @adhikara13 DATE: 2024-07-16
[THREAT_INTELLIGENCE]
ATTRIBUTION:
HomeLand Justice
FIRST_OBSERVED:
2024
[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:1
TAGS:6
CATEGORY:RANSOMWARE