Threat Intelligence Tarot
Vol. II · 99
Criminal (Russian-speaking, suspected)
risk 3/5
The Neon Predator
Akira
Howling Scorpius
SMBs · Healthcare · Education · Manufacturing · Critical infrastructure
Active since March 2023 · Financial extortion, Double extortion
The Neon Predator stalks through the corridors of unpatched VPN infrastructure, its retro aesthetic masking thoroughly modern cruelty. It hunts small and mid-sized organizations that cannot afford the defenses they need.
Tactics & Techniques
  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1133 External Remote Services (Initial Access)
  • T1021.001 Remote Desktop Protocol (Lateral Movement)
  • T1486 Data Encrypted for Impact (Impact)
  • T1490 Inhibit System Recovery (Impact)
  • T1078 Valid Accounts (Defense Evasion)
  • T1041 Exfiltration Over C2 Channel (Exfiltration)
Notable Operations
  • 250+ victims in first year of operation
  • Cisco VPN vulnerability exploitation as primary initial access
  • $42M+ ransom collected (FBI 2024 advisory)
  • Retro 1980s-styled dark web leak site as brand differentiator
Defenses
  • MFA enforcement on all VPN and remote access authentication
    NIST CSF: PR.AC
  • Timely patching of Cisco and other VPN appliances (within 72 hours of critical CVE)
    CIS Control 7
  • Endpoint detection covering ransomware behavioral patterns including VSS deletion
    CIS Control 10
  • Tested backup and recovery procedures with defined RTO and RPO
    CIS Control 11
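To make the "VSS deletion" bullet concrete, here is an added detection example (not part of the tarot card or of any vendor's tooling) that matches process command lines against the recovery-tampering patterns commonly mapped to T1490. The tab-separated event format and every sample event are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Command-line patterns commonly associated with T1490 (Inhibit System Recovery).
# Each pattern is paired with the label used in the resulting finding.
T1490_PATTERNS = [
    ("vssadmin shadow copy deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I)),
    ("wmic shadow copy deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin backup catalog deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I)),
    ("bcdedit recovery disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell shadow copy removal", re.compile(r"win32_shadowcopy\b.*\b(remove|delete)", re.I)),
]

@dataclass
class Finding:
    host: str
    user: str
    label: str
    command_line: str

def parse_event(line):
    # Constructed format: tab-separated key=value fields; "cmd" is kept last so that
    # pipes and spaces inside a PowerShell command line survive intact.
    return dict(part.split("=", 1) for part in line.rstrip("\n").split("\t") if "=" in part)

def detect_t1490(log_lines):
    """Return one Finding per process event whose command line matches a T1490 pattern."""
    findings = []
    for line in log_lines:
        event = parse_event(line)
        cmd = event.get("cmd", "")
        for label, pattern in T1490_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(event.get("host", "?"), event.get("user", "?"), label, cmd))
                break  # one finding per event is enough to raise the alert
    return findings

def affected_hosts(log_lines):
    """Sorted list of hosts with at least one recovery-tampering finding."""
    return sorted({f.host for f in detect_t1490(log_lines)})

# Constructed process-creation events; the vssadmin "list" event is benign and must not alert.
SAMPLE_LOG = [
    "host=FS01\tuser=CORP\\svc_backup\tcmd=C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "host=WS17\tuser=CORP\\jdoe\tcmd=C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt",
    "host=FS01\tuser=CORP\\svc_backup\tcmd=wmic.exe shadowcopy delete",
    "host=DC01\tuser=CORP\\admin\tcmd=bcdedit.exe /set {default} recoveryenabled No",
    "host=WS22\tuser=CORP\\asmith\tcmd=powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\"",
    "host=WS17\tuser=CORP\\jdoe\tcmd=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    for f in detect_t1490(SAMPLE_LOG):
        print(f"[T1490] {f.host} {f.user}: {f.label} :: {f.command_line}")
```

Legitimate backup software does delete shadow copies on its own schedule, so in production the findings should be correlated with the initiating user and parent process before escalation.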
Reversed: Their Weakness
Its overwhelming reliance on VPN credential exploitation means that organizations with MFA enforced on all VPN access and timely Cisco patching see a dramatic reduction in exposure to this group.
Data sourced from MITRE ATT&CK. For educational purposes.