
Sheriff

Primary URL: www[.]group-ib[.]com
Country: United States of America
Industry: Financial Services
Profile

Sheriff is a financially motivated cybercriminal group that targets the financial sector, with activity centered on credential theft, the sale of stolen data, and the supply of initial access for ransomware operations. The group drew attention in July 2020 when it advertised 62,000 stolen eToro accounts, including login credentials, personal information, and account balances. Its other victims include investment funds, cybersecurity companies, educational institutions, and transportation organizations, which it compromises through brute-force attacks and credential-stealing malware. Sheriff also exploits vulnerabilities in Citrix servers used for remote access, an initial-access technique that matches patterns seen among ransomware affiliates. Stolen access is monetized in two ways: through underground sales of compromised credentials, and by handing corporate network access to ransomware operators for deployment.

What distinguishes Sheriff is its confirmed collaboration with the REvil ransomware syndicate, which places it within the upper tier of the cybercriminal ecosystem. In the intrusions observed, Sheriff supplied the initial access that REvil operators then used to deploy ransomware. The overlap between Sheriff's Citrix exploitation methods and REvil's known tactics further shows that its operations are aligned with established ransomware-as-a-service programs. Sheriff is also practiced at financial data theft across sectors, targeting trading platforms as well as any organization holding records it can monetize. It sells credentials on underground marketplaces while brokering network access to ransomware affiliates, a hybrid monetization model typical of mature cybercrime operations. Its activity is that of a participant in transnational criminal networks rather than an isolated actor.

Incidents
Linked incidents available to members
1 incident