MalwareRansomwareUsed by 2 actors

Groove

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Boriselcin

On Aug. 22, Orange announced a new ransomware affiliate program called “ Groove ,” which claimed to be an aggressive, financially motivated criminal organization dealing in industrial espionage for the previous two years.

via krebs on securitykrebsonsecurity.com

Orange

via krebs on securitykrebsonsecurity.com

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

1 technique

T1027.014Polymorphic CodeEvidence1

TacticStealth

Polymorphism involves encrypted viruses where the decryption routine code is variable.

Impact

2 techniques

T1486Data Encrypted for ImpactEvidence1

TacticImpact

On January 1, 2021, a new user “Babuk” registered on the crime forum Verified... “We run an affiliate program,” Babuk explained in their introductory post on Verified.

T1657Financial TheftEvidence1

TacticImpact

Babuk continued to post databases stolen from companies that refused to pay a ransom, but they posted the leaks to both their victim shaming blog and to multiple cybercrime forums... Babuk announced they were shuttering the affiliate program and its encryption services, and that they would now focus on data theft and extortion instead.

Other

1 technique

T1562.001Disable or Modify ToolsEvidence1

Tequila is not only Stealth, Polymorphic, and Multipartite, it is also an anti-anti-virus virus (or retrovirus) and uses tunneling.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

krebs on securityNews

Feb 14, 2022

Wazawaka Goes Waka Waka - Krebs on Security

Groove is described as a ransomware affiliate program announced on RAMP, though later characterized by Boriselcin as largely a pet project intended to provoke media and the security industry.

web archiveNews

Jul 5, 1997

IBM Research | Projects | Antivirus Research | Timeline

First .EXE-infecting virus using MtE; also targeted many anti-virus products.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.