Menu
Browse

Cyber Threat Actor: Sheriff

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Russia
2 incidents
Profile

The threat actor operates under the aliases Sheriff and Energydrinkkk and is believed to be based in Russia. Public reporting links the individual to the REvil ransomware group, noting interactions through REvil’s UNKN persona and describing the actor as a rising star in the Russian‑speaking underground. The actor’s reputation stems from advertising large volumes of compromised credentials and offering network access to criminal buyers.

Targeting has been observed across multiple sectors, with a clear emphasis on financial institutions, banks, and government agencies, as highlighted by the actor’s self‑described specialty and the sale of eToro trading accounts. Additional focus appears in the energy and oil‑and‑gas sector under the Energydrinkkk moniker, where access to an energy company’s Microsoft Online environment was offered. Victimology also includes universities in Australia, Canada and the United States, a private U.S. cybersecurity firm, major investment funds, companies involved in long‑distance passenger transportation, warehouse logistics, cloud computing, and a European construction firm. The geographic spread of victims suggests opportunistic rather than region‑specific selection, while the actor’s own location remains tied to Russia.

The actor’s tactics rely on brute‑force attacks against exposed services and the deployment of credential‑stealing malware to harvest usernames, passwords, and related data. Initial access frequently involves exploiting open remote desktop connections to Citrix servers, a method that aligns with REvil’s preferred intrusion vector. After gaining footholds, the actor steals data, copies passwords and contact information, and then advertises the resulting access—such as RDP entry to an energy firm’s network or administrative rights to hundreds of thousands of e‑commerce orders—for sale or auction. Notable publicized actions include the July 2020 auction of roughly 62,000 eToro accounts, the June 2020 offer of access to a European construction company and 3,200 cPanel accounts, the May 2020 claim of admin rights to 815,000 e‑commerce orders, and the Energydrinkkk proposal to facilitate a ransomware attack against an energy‑sector target for $1,500. These activities demonstrate a financially driven model of selling access and data to enable further ransomware operations and fraud.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source