Hunting and Detecting IcedID Infections

released on 2021-05-21 @ 09:53:22 PM
As of 2021, more and more ransomware operators use the service provided by IcedID's operators. Telekom Security, as well as others, has observed ransomware deployment following IcedID infections. This is in line with the general trend towards human-operated ransomware operations. In this blog post, Telekom Security presents ways to hunt for IcedID samples and to detect local IcedID infections. This allows blue teamers to proactively find latent infections that could turn into ransomware deployment, and it allows incident responders to quickly identify patient zero during an investigation. In addition to this blog post, Telekom Security recommends reading this technical analysis of the IcedID core and a recent technical analysis of the initial IcedID GZIP loader. All scripts, YARA signatures, and additional IoCs mentioned in this blog post can be found in the Telekom Security GitHub repository.