Skip to content

Incidents attributed to:

TA505

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years.

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

Also known as

SectorJ04, SectorJ04 Group, GRACEFUL SPIDER, GOLD TAHOE, Dudear, G0092, ATK103, Hive0065, CHIMBORAZO, Spandex Tempest, Lace Tempest, DEV-0950, FIN11, MONTY SPIDER.

References


Actor metadata imported from Malpedia (Fraunhofer FKIE).

Related incidents

RansomwareResolved

INA Group ransomware attack

Clop ransomware encrypted backend servers at INA Group, Croatia's largest oil company and petrol-station chain, knocking out invoicing, loyalty cards, e-vignettes, mobile vouchers and utility-bill payments while fuel sales continued.

Victim
INA Group
RansomwareRansom paid

Maastricht University Clop ransomware (Netherlands, 2019)

TA505 used Clop ransomware to encrypt 267 Maastricht University servers over Christmas 2019 after two phishing emails on 15–16 October had compromised the network. The university paid 30 BTC (~$220,000). The ransom Bitcoin β€” later seized from a money mule β€” was returned and had appreciated, leaving the university ahead by ~$300,000.

Victim
Maastricht University
Loss
$220.0K