keeling

Keeling is described as a ransomware-as-a-service (RaaS) operation with an affiliate model and revenue-sharing, operating in the broader trend of increasingly stealthy, business-driven extortion. Reported targeting includes financial institutions, healthcare, legal firms, and managed service providers (MSPs), with emphasis on higher-value victims and maximizing business impact and payout potential. Keeling affiliates are noted exploiting unpatched Fortinet vulnerabilities, particularly affecting smaller IT environments and MSP-managed networks. The activity described aligns with modern ransomware tradecraft: initial access via misconfigurations and trusted tools, social engineering (including Microsoft Teams-based IT-staff impersonation to induce installation of remote-control tools), and abuse of legitimate IT/admin utilities (e.g., PowerShell, Nmap, Advanced IP Scanner, RClone, Azure Copy, and backup software APIs). The briefing also characterizes contemporary ransomware operations (including groups like Keeling) as using longer dwell times, multi-stage reconnaissance, stealthy lateral movement, data theft/exfiltration as a core extortion lever, and multi-layer extortion (double/triple extortion), sometimes applying supply-chain pressure and timing attacks for maximum operational impact. No nation-state attribution, specific aliases, or named sub-groups for Keeling are provided in the source content.