Published in S2W BLOG

Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter

Hotsauce | S2W TALON

The relation graph of Groove, Babuk, Payload.bin, RAMP, and BlackMatter

  • Groove posted several cryptocurrency wallet addresses (BTC, XMR and ETH). Those addresses are the same as the RAMP addresses listed on RAMP’s leak site.
  • Groove used the same file server as BlackMatter and Babuk [2].
  • The operator of RAMP was linked to the operator of Babuk and Payload.bin [3].
Analyzed by Xarvis

Groove’s BTC, XMR and ETH == RAMP

  • BTC: 1EZhsp26j4ZfDfKyXpweUtGgrs3fnpPCEd
  • ETH: 0xF6a4906fA254ce0e9175E2C3418Dde999b99ed1F
  • XMR: 47GyLQAPw4Ee3WVTgCtSxwNcRinsEm3jdSX8FH4DLbjb5t79CJDxrK9gMNVJNDfCLEjhdJZyWCPBG5CkiTnGqMvnPgKTTV3
Comparison of cryptocurrency addresses between Groove and RAMP
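The pivot described above can be reproduced over the raw leak-site text: extract every address of each family from both pages and intersect them per family. This is an added example (not S2W’s tooling); the two text snippets are constructed, the three shared addresses are the ones quoted above, and the extra BTC address is the well-known Genesis-block address used only as a non-overlapping decoy. The Base58Check helper flags hand-copied BTC indicators with a typo before they are used for attribution.

```python
import hashlib
import re

# Address-shape patterns for the three families the post compares. Assumption:
# legacy/P2SH Base58 BTC, hex ETH, and standard 95-character XMR addresses.
PATTERNS = {
    "BTC": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "XMR": re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b"),
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed leak-site text. The shared addresses are the ones quoted in the
# post; the "Old BTC" line is the Genesis-block address, a constructed decoy.
GROOVE_TEXT = """Donations: BTC 1EZhsp26j4ZfDfKyXpweUtGgrs3fnpPCEd
ETH 0xF6a4906fA254ce0e9175E2C3418Dde999b99ed1F
XMR 47GyLQAPw4Ee3WVTgCtSxwNcRinsEm3jdSX8FH4DLbjb5t79CJDxrK9gMNVJNDfCLEjhdJZyWCPBG5CkiTnGqMvnPgKTTV3
Old BTC: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"""
RAMP_TEXT = """Support the forum: btc=1EZhsp26j4ZfDfKyXpweUtGgrs3fnpPCEd;
xmr=47GyLQAPw4Ee3WVTgCtSxwNcRinsEm3jdSX8FH4DLbjb5t79CJDxrK9gMNVJNDfCLEjhdJZyWCPBG5CkiTnGqMvnPgKTTV3;
eth=0xF6a4906fA254ce0e9175E2C3418Dde999b99ed1F"""


def extract(text: str) -> dict:
    """Return {family: set(addresses)} found in free text."""
    return {fam: set(rx.findall(text)) for fam, rx in PATTERNS.items()}


def shared_addresses(text_a: str, text_b: str) -> dict:
    """Per-family intersection: the pivot used to link two leak sites."""
    a, b = extract(text_a), extract(text_b)
    return {fam: a[fam] & b[fam] for fam in PATTERNS}


def btc_checksum_ok(addr: str) -> bool:
    """Base58Check: decode, then verify the 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # version byte + hash160 + 4-byte checksum
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


if __name__ == "__main__":
    for fam, addrs in shared_addresses(GROOVE_TEXT, RAMP_TEXT).items():
        print(fam, sorted(addrs), [btc_checksum_ok(a) for a in addrs] if fam == "BTC" else "")
```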

Conclusion

  • In this post, we showed that Groove and RAMP list the same cryptocurrency wallet addresses on their leak sites.
  • It is highly probable that the operators of RAMP, Groove and BlackMatter are the same person or the same group.
  • We need to keep monitoring their activities and tracking the cryptocurrency wallet addresses listed by these ransomware groups.

Related articles by S2W TALON

[1] Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands | by S2W | S2W BLOG | Sep, 2021 | Medium

[2] BlackMatter x Babuk : Using the same web server for sharing leaked files | by S2W | S2W BLOG | Sep, 2021 | Medium

[3] [SoW] W2 Aug | EN | Story of the week: Ransomware on the Darkweb | by S2W | S2W BLOG | Aug, 2021 | Medium
