Adversary Emulation

AttackIQ presents the second volume of Ransom Tales, an initiative focused on emulating the Tactics, Techniques, and Procedures (TTPs) exhibited by sophisticated and prominent ransomware families with the objective of empowering defenders to rigorously challenge their security controls and enhance resilience against disruptive and extortive threats. In this release, AttackIQ presents three new attack graphs that emulate the behaviors exhibited by the Gunra, Anubis and DevMan ransomware families.

AttackIQ has released two new attack graphs in response to the CISA Advisory (AA25-203A) published on July 22, 2025, which disseminates known Interlock ransomware Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) identified through FBI investigations as recently as June 2025.

AttackIQ introduces Ransom Tales, an initiative designed to emulate the Tactics, Techniques, and Procedures (TTPs) exhibited by sophisticated and prominent ransomware families with the objective of empowering defenders to rigorously challenge their security controls and enhance resilience against disruptive and extortive threats. In this release, AttackIQ presents three new attack graphs that emulate the behaviors exhibited by the BlackLock, Embargo and Mamona ransomware families.

Amid rising tensions after Israeli and U.S. strikes on Iranian nuclear sites, experts warn of increased Iranian cyber retaliation. With limited conventional options, Iran is expected to rely on cyberattacks against U.S. infrastructure and defense sectors. DHS has issued alerts on threats from state-backed hackers and proxies. AttackIQ continues to help organizations test and strengthen their defenses.

In response to the recently published CISA Advisory (AA25-163A) which highlights ransomware actors exploiting unpatched SimpleHelp Remote Monitoring and Management (RMM) tool, AttackIQ has provided actionable recommendations to help organizations emulate such attacks. These recommendations enable organizations to emulate tactics and techniques, helping to assess and improve their defenses against similar adversarial behaviors.

AttackIQ has released an updated attack graph in response to the recently revised CISA Advisory (AA23-352A) which disseminates Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the Play Ransomware group, identified through FBI investigations as recently as May 2025.

AttackIQ has released a new assessment template that contains a curated list of Tools and Malware samples associated with Scattered Spider to help defenders improve their security posture against this sophisticated and persistent threat.

AttackIQ has released two new attack graphs that emulate the behaviors exhibited by DragonForce ransomware since its emergence in August 2023. Initially based entirely on the leaked LockBit 3.0 (Black) builder, it evolved with the introduction of a customized variant derived from the Conti V3 codebase. DragonForce operators may potentially be behind the recent cyber attacks that involved Marks & Spencer, Co-Op, and Harrods.

AttackIQ has updated an existing assessment template in response to the CISA Advisory (AA25-141B) published on May 21, 2025, which disseminates Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs), associated with threat actors deploying the LummaC2 information stealer malware, identified through FBI investigations as recent as May 2025.

AttackIQ has released a new assessment template in response to the CISA Advisory (AA25-141A) published on May 21, 2025. The CSA highlights a cyber espionage-oriented campaign carried out by cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (Unit 26165), targeting Western logistics entities and technology companies.

AttackIQ has released a new attack graph emulating the behaviors exhibited by VanHelsing ransomware, a new and rapidly growing ransomware-as-a-service (RaaS) affiliate program that emerged in March 2025. This emulation enables defenders to test and validate their detection and response capabilities against this new threat.

AttackIQ has released a new attack graph emulating the behaviors exhibited by Termite ransomware since its emergence in November 2024. Termite is widely believed to be based on Babuk Ransomware, a defunct strain whose source code was leaked in 2021. While Babuk’s influence remains evident, particularly in encryption routines and general behavior, Termite distinguishes itself by aggressively targeting environment-specific vulnerabilities.