
Ruthless Mantis

Ruthless Mantis, or PTI-288, is a ransomware group that employs double extortion by exfiltrating data before encrypting systems. They collaborate with numerous ransomware affiliate programs, such as Ragnar Locker, INC Ransom, and others, to enhance their operational reliability and expand their range of actions.

The full report is available here.

Indicators of Compromise (IOC)

Backend servers


Accounts used for persistent access


Accounts used for data exfiltration
