The intrusion set TA505 has been active since at least 2014, when it initially stole financial information through the use of Dridex and mass-distributed ransomware. It has since evolved and now conducts phishing campaigns against a wide range of businesses. Its goal is now to resell the access it has gained to its victims' information systems, or to encrypt them entirely and demand a ransom.

This report provides a synthesis of ANSSI's knowledge on TA505 to help strengthen protections against it.

Indicators of compromise are available on the page CERTFR-2020-IOC-004.