Closed Mathieu4141 closed 1 month ago
For me, yes. From an attribution perspective, It is required for tracking devs and affiliates separately.
FYI, We did a major update in the ransomware group galaxy cluster. It's now inline with the ransomlook.io dataset. Maybe in the future, for ransomware group, I would really prefer to use that galaxy cluster. On the other hand, if the TA can be dissociated from the ransomware group then it makes sense to have those as `threat-actor.
Thanks for the review and context, will definitely take that into account next time!
Just a quick question, is there a specific use-case to put the ransomware groups in the threat actor galaxy? compared to use the ransomware group cluster https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json#L24593 ?