Valéry Rieß-Marchive
@valerymarchive.bsky.social
Rédac' chef de LeMagIT (fr)
Accro #cybersécurité #infosec
Collectionneur de #ransomware
follow: https://linktr.ee/valerymarchive
Accro #cybersécurité #infosec
Collectionneur de #ransomware
follow: https://linktr.ee/valerymarchive
🤩 Moi-même utilisateur du couple Headscale/Tailscale pour administrer mes VPS, et faire un filtrage DNS en situation de mobilité, avec le couple Unbound/Pi-Hole, notamment, je cherchais depuis longtemps une entreprise utilisatrice pour recueillir son témoignage.
J'ai trouvé, avec le 🇫🇷 Tixeo.
J'ai trouvé, avec le 🇫🇷 Tixeo.
November 5, 2025 at 6:11 PM
🤩 Moi-même utilisateur du couple Headscale/Tailscale pour administrer mes VPS, et faire un filtrage DNS en situation de mobilité, avec le couple Unbound/Pi-Hole, notamment, je cherchais depuis longtemps une entreprise utilisatrice pour recueillir son témoignage.
J'ai trouvé, avec le 🇫🇷 Tixeo.
J'ai trouvé, avec le 🇫🇷 Tixeo.
Soyons francs : il n'est pas possible de parler du paysage des menaces cyber en 2025, sans parler des #ShinyHunters et du mode opératoire dit Scattered Spider, emblématique d'une forme d'ingénierie sociale. Echange avec @julien.io de @ransomware.live. #cybermois www.brighttalk.com/webcast/1953...
October 3, 2025 at 3:07 PM
Soyons francs : il n'est pas possible de parler du paysage des menaces cyber en 2025, sans parler des #ShinyHunters et du mode opératoire dit Scattered Spider, emblématique d'une forme d'ingénierie sociale. Echange avec @julien.io de @ransomware.live. #cybermois www.brighttalk.com/webcast/1953...
Le #cybermois, c'est l'occasion de renforcer la connaissance de la menace cyber, dans ses multiples composantes. Bon, pour les violations de données personnelles, j'ai le sentiment qu'on en a bien parlé. Beaucoup. Très très beaucoup.
October 2, 2025 at 2:53 PM
Le #cybermois, c'est l'occasion de renforcer la connaissance de la menace cyber, dans ses multiples composantes. Bon, pour les violations de données personnelles, j'ai le sentiment qu'on en a bien parlé. Beaucoup. Très très beaucoup.
et fin (temporaire ?)
October 1, 2025 at 1:47 PM
et fin (temporaire ?)
En ce début de #cybermois, je vous propose d'apprendre à lire entre les lignes de la communication de crise en cas de #cyberattaque (parce qu'on en est pas à la première et qu'il y en aura d'autres 😭) 🧵
🚨 disclaimer : la réalité est plus nuancée. Je grossis le trait. Juste pour rire. Ou pas 🤷♂️
🚨 disclaimer : la réalité est plus nuancée. Je grossis le trait. Juste pour rire. Ou pas 🤷♂️
October 1, 2025 at 1:46 PM
En ce début de #cybermois, je vous propose d'apprendre à lire entre les lignes de la communication de crise en cas de #cyberattaque (parce qu'on en est pas à la première et qu'il y en aura d'autres 😭) 🧵
🚨 disclaimer : la réalité est plus nuancée. Je grossis le trait. Juste pour rire. Ou pas 🤷♂️
🚨 disclaimer : la réalité est plus nuancée. Je grossis le trait. Juste pour rire. Ou pas 🤷♂️
For a while now, I've been assessing when the last phase of a claimed #ransomware cyberattack took place. Comparing assessed dates with publicly reported dates gives me a 82% ratio of assessments within +/- 10 days of the end of data exfiltration 🤩
www.lemagit.fr/tribune/Rans...
www.lemagit.fr/tribune/Rans...
July 1, 2025 at 3:09 PM
For a while now, I've been assessing when the last phase of a claimed #ransomware cyberattack took place. Comparing assessed dates with publicly reported dates gives me a 82% ratio of assessments within +/- 10 days of the end of data exfiltration 🤩
www.lemagit.fr/tribune/Rans...
www.lemagit.fr/tribune/Rans...
Jon DiMaggio, Allan Liska et moi-même avons discuté de l'évolution de l'écosystème du #ransomware au cours des 18 derniers mois, de l'opération 🚓 Cronos contre LockBit à la disparition de RansomHub, et plus encore. Cliquez pour 30' bien remplies 😉
www.brighttalk.com/webcast/1953...
www.brighttalk.com/webcast/1953...
June 13, 2025 at 3:05 PM
Jon DiMaggio, Allan Liska et moi-même avons discuté de l'évolution de l'écosystème du #ransomware au cours des 18 derniers mois, de l'opération 🚓 Cronos contre LockBit à la disparition de RansomHub, et plus encore. Cliquez pour 30' bien remplies 😉
www.brighttalk.com/webcast/1953...
www.brighttalk.com/webcast/1953...
🤔 this organization might have been attacked by a former #LockBit affiliate.
Going by the username "Attic", registered on Feb. 26th and last seen on March 25th. He generated the #ransomware on the day of his registration.
Going by the username "Attic", registered on Feb. 26th and last seen on March 25th. He generated the #ransomware on the day of his registration.
June 13, 2025 at 12:07 PM
🤔 this organization might have been attacked by a former #LockBit affiliate.
Going by the username "Attic", registered on Feb. 26th and last seen on March 25th. He generated the #ransomware on the day of his registration.
Going by the username "Attic", registered on Feb. 26th and last seen on March 25th. He generated the #ransomware on the day of his registration.
Yesterday, Jon DiMaggio and Allan Liska were nice enough to join me to discuss the evolution of the #ransomware ecosystem over the last 18 months, from the Cronos 🚓 operation against LockBit, to the rise and fall of RansomHub...
Be ready for 30 packed minutes 😉
www.brighttalk.com/webcast/1953...
Be ready for 30 packed minutes 😉
www.brighttalk.com/webcast/1953...
June 13, 2025 at 10:28 AM
Yesterday, Jon DiMaggio and Allan Liska were nice enough to join me to discuss the evolution of the #ransomware ecosystem over the last 18 months, from the Cronos 🚓 operation against LockBit, to the rise and fall of RansomHub...
Be ready for 30 packed minutes 😉
www.brighttalk.com/webcast/1953...
Be ready for 30 packed minutes 😉
www.brighttalk.com/webcast/1953...
Le groupe malveillant #Stormous a revendiqué des cyberattaques contre les systèmes de l’éducation nationale et d'autres institutions 🇫🇷
C'est un mensonge. Il n'y a pas eu de #cyberattaque.
C'est un mensonge. Il n'y a pas eu de #cyberattaque.
June 12, 2025 at 10:28 AM
Le groupe malveillant #Stormous a revendiqué des cyberattaques contre les systèmes de l’éducation nationale et d'autres institutions 🇫🇷
C'est un mensonge. Il n'y a pas eu de #cyberattaque.
C'est un mensonge. Il n'y a pas eu de #cyberattaque.
I'm going through #LockBit leaked data again, to see how many unclaimed victims I should add to the counts for the months prior to the leak.
And I wonder... 🤔 did the affiliate using the account "umarbishop47" move over to the Nova brand?
And I wonder... 🤔 did the affiliate using the account "umarbishop47" move over to the Nova brand?
June 6, 2025 at 2:47 PM
I'm going through #LockBit leaked data again, to see how many unclaimed victims I should add to the counts for the months prior to the leak.
And I wonder... 🤔 did the affiliate using the account "umarbishop47" move over to the Nova brand?
And I wonder... 🤔 did the affiliate using the account "umarbishop47" move over to the Nova brand?
June 6, 2025 at 9:16 AM
🤔 Did you know that we've just entered the historically most laid back month of the year in the realm of #ransomware?
(based on historical data since 2020)
(based on historical data since 2020)
June 2, 2025 at 3:06 PM
🤔 Did you know that we've just entered the historically most laid back month of the year in the realm of #ransomware?
(based on historical data since 2020)
(based on historical data since 2020)
Two years after its inception, ransomch.at has a new website 🍾
At its core, you'll still find a #ransomware negotiations reader.
But it's been upgraded for a more convenient reading experience 🤩
Of course, all the chat logs remain available as JSON files for integration in other projects.
At its core, you'll still find a #ransomware negotiations reader.
But it's been upgraded for a more convenient reading experience 🤩
Of course, all the chat logs remain available as JSON files for integration in other projects.
June 1, 2025 at 10:28 AM
Two years after its inception, ransomch.at has a new website 🍾
At its core, you'll still find a #ransomware negotiations reader.
But it's been upgraded for a more convenient reading experience 🤩
Of course, all the chat logs remain available as JSON files for integration in other projects.
At its core, you'll still find a #ransomware negotiations reader.
But it's been upgraded for a more convenient reading experience 🤩
Of course, all the chat logs remain available as JSON files for integration in other projects.
Hier, j'ai parlé avec une IA 🤖 Peut-être était-elle seule, épaulée par un bloc-note #Obsidian. Ou qu'elle n'était utilisée que pour faire de la traduction... À moins que l'IA n'ait été débranchée par un opérateur qui aura repris la main manuellement. Je ne le saurai pas 🤷♂️
May 13, 2025 at 10:28 AM
Hier, j'ai parlé avec une IA 🤖 Peut-être était-elle seule, épaulée par un bloc-note #Obsidian. Ou qu'elle n'était utilisée que pour faire de la traduction... À moins que l'IA n'ait été débranchée par un opérateur qui aura repris la main manuellement. Je ne le saurai pas 🤷♂️
But... this is mostly due to a handful of affiliates who hit often there. Why? 🤔
My thoughts on this: www.lemagit.fr/actualites/3...
My thoughts on this: www.lemagit.fr/actualites/3...
May 9, 2025 at 3:05 PM
But... this is mostly due to a handful of affiliates who hit often there. Why? 🤔
My thoughts on this: www.lemagit.fr/actualites/3...
My thoughts on this: www.lemagit.fr/actualites/3...
You think #ransomware doesn't happen in 🇨🇳, you're in for a surprise: it seems to be top affected country in the sample provided by the leaked data. Yep. We all have a massive blind spot there. And that applies as well to 🇮🇳.
May 9, 2025 at 3:05 PM
You think #ransomware doesn't happen in 🇨🇳, you're in for a surprise: it seems to be top affected country in the sample provided by the leaked data. Yep. We all have a massive blind spot there. And that applies as well to 🇮🇳.
The #LockBit leak keeps on giving. Before turning my eyes to the negotiations, I digged into the affiliates activities and... their geographical distribution 🧐
If you only look at the global picture, you already start noticing something unusual: APAC is strongly represented 😳
If you only look at the global picture, you already start noticing something unusual: APAC is strongly represented 😳
May 9, 2025 at 3:05 PM
The #LockBit leak keeps on giving. Before turning my eyes to the negotiations, I digged into the affiliates activities and... their geographical distribution 🧐
If you only look at the global picture, you already start noticing something unusual: APAC is strongly represented 😳
If you only look at the global picture, you already start noticing something unusual: APAC is strongly represented 😳
only 44 user accounts are associated with actual encryptor builds, among which 30 were actually active at the moment of the dump.
That's your number of active #LockBit affiliates by then. But several affiliates (~7) with still active accounts are not really working with this #ransomware
That's your number of active #LockBit affiliates by then. But several affiliates (~7) with still active accounts are not really working with this #ransomware
May 8, 2025 at 3:09 PM
only 44 user accounts are associated with actual encryptor builds, among which 30 were actually active at the moment of the dump.
That's your number of active #LockBit affiliates by then. But several affiliates (~7) with still active accounts are not really working with this #ransomware
That's your number of active #LockBit affiliates by then. But several affiliates (~7) with still active accounts are not really working with this #ransomware
A significant bunch of "users" with an account on the hacked part of #LockBit infrastructure was inactive. I've plotted an activity timeline for the remaining.
Note that hack seems to have happened on April 29th.
Note that hack seems to have happened on April 29th.
May 8, 2025 at 11:19 AM
A significant bunch of "users" with an account on the hacked part of #LockBit infrastructure was inactive. I've plotted an activity timeline for the remaining.
Note that hack seems to have happened on April 29th.
Note that hack seems to have happened on April 29th.
The #LockBit leak from tonight feels a bit like Xmas before Xmas 🎄
1️⃣ The data doesn't seem to cover a very long period of time, at first sight: only from December 2024 until now. But it will shed a very interesting light on the current activity level of this #ransomware brand.
1️⃣ The data doesn't seem to cover a very long period of time, at first sight: only from December 2024 until now. But it will shed a very interesting light on the current activity level of this #ransomware brand.
May 8, 2025 at 10:28 AM
The #LockBit leak from tonight feels a bit like Xmas before Xmas 🎄
1️⃣ The data doesn't seem to cover a very long period of time, at first sight: only from December 2024 until now. But it will shed a very interesting light on the current activity level of this #ransomware brand.
1️⃣ The data doesn't seem to cover a very long period of time, at first sight: only from December 2024 until now. But it will shed a very interesting light on the current activity level of this #ransomware brand.
L'authentification à facteurs multiples, ou #MFA, est importante pour renforcer la sécurité des comptes en ligne. Mais si un cleptogiciel passe par là alors que votre session sur votre service de banque en ligne (ou autre service Web) est encore active, cela n'aidera pas. Du coup 👇 #infostealer
May 2, 2025 at 1:05 PM
L'authentification à facteurs multiples, ou #MFA, est importante pour renforcer la sécurité des comptes en ligne. Mais si un cleptogiciel passe par là alors que votre session sur votre service de banque en ligne (ou autre service Web) est encore active, cela n'aidera pas. Du coup 👇 #infostealer
🧐 Ce cas présente un intérêt tout particulier. Vous avez sûrement tous déjà entendu au moins une fois "il ne faut pas payer la rançon ; ça fait de toi un bon payeur et tu vas te faire attaquer à nouveau". Passons sur le fait que cette allégation fait partie des légendes urbaines du #ransomware...
April 26, 2025 at 3:03 PM
🧐 Ce cas présente un intérêt tout particulier. Vous avez sûrement tous déjà entendu au moins une fois "il ne faut pas payer la rançon ; ça fait de toi un bon payeur et tu vas te faire attaquer à nouveau". Passons sur le fait que cette allégation fait partie des légendes urbaines du #ransomware...