Ransomware - Abraham's Ax

Abraham's Ax
Decryptor Available: No
Description

Abraham's Ax appears to be a "one and done" operation. Based on multiple characteristics of its extortion leak site, the operators appear to be linked to Moses Staff, an Iranian hacktivist group. Researchers at Secureworks documented the similarities between the two groups and attribute both to the threat group they track as COBALT SAPLING. If the two groups are indeed the same threat actor, they share the same tactics, techniques, and procedures (TTPs). The group leverages a remote access trojan (RAT) called StrifeWater RAT, which lets the operators run remote commands and deploy additional payloads, presumably including ransomware. However, there is no evidence that ransomware was ever deployed. For that reason there is no ransomware-specific information in the detailed view, and the group is labeled as a Data Broker. The group is best known for claiming a breach of the Saudi Arabian Ministry of Interior in November 2022; it posted this agency on its double extortion site, which it operates on Tor and on the clear web. Aside from the fact that these threat actors appear to be a spinoff of Moses Staff, little is known of the group beyond this one attack.

Ransomware Type: Data Broker
Country of Origin: Iran
First Seen:
Threat Actors
Type | Actor
Hacktivist | COBALT SAPLING
Extortion Types
Direct Extortion
Double Extortion
Communication
Medium | Identifier
Telegram |
Twitter (X) |
Known Victims
Industry Sector | Country | Extortion Date | Amount (USD)
Government | Saudi Arabia | |