W5 Dec | EN | Story of the week: Ransomware on the Darkweb
Dec 30, 2020
W5 December, 2020 | English Version
S2W LAB publishes weekly reports on ransomware activity observed on the Dark Web. Each report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, and the status of Dark Web forum posts by ransomware operators.
1. Weekly Status
A. Status of the victimized firms
- During the week, a total of 44 companies were mentioned on ransomware leak sites, either as newly listed victims or as a change in the status of data already leaked.
- Activity from 7 threat groups was detected.
B. TOP 5 targeted countries
- United States — 68.2%
- Canada — 9.1%
- United Kingdom — 6.8%
- Germany — 2.3%
- South Korea — 2.3%
C. TOP 5 targeted industrial sectors
- Industrials — 18.8%
- Services — 18.8%
- Retail — 18.8%
- Manufacturing — 15.6%
- Automotive — 9.4%
2. Status of active ransomware forum posts on the Dark Web
A. Thanos Builder
- Forums: Exploit[.]IN, XSS[.]IS, CryptBB
- User ID: Nosophoros
- Initial Date of Activity: 11/19/2019
- Operates a data leak site: N/A (sells a builder that lets buyers create their own ransomware)
- Special note: In the past, a user named ‘recoba90’ (email: recoba90@protonmail.com) distributed ransomware built with the Thanos builder in South Korea.
- Related link: https://www.estsecurity.com/enterprise/security-center/notice/view/7061?category-id=6
- Weekly Summary of Activity
- Posted Date: 12/21/2020
- Added new features to hinder forensic analysis (original post: an encoded client output pack option that can only be decrypted and executed in memory with a one-time password, supplied either to a small loader interface or as command-line parameters)
- Added emptying of the Recycle Bin on drive D:
- Added access token impersonation as an option
- Also warned that other users are impersonating the seller and advised buyers to be careful
- Accepts Monero and Bitcoin as means of payment
B. Avaddon
- Forums: Exploit[.]IN, XSS[.]IS
- User ID: Avaddon
- Initial Date of Activity: 06/03/2020
- Operates a data leak site: Yes, in operation
- Weekly Summary of Activity
- Posted Date: 12/25/2020
- Still recruiting network specialists
- Data dumps from victim companies that refused to cooperate in negotiations were added to the leak blog.
C. Dreamon Ransomware Builder
- Forums: Exploit[.]IN
- User ID: r3xq1
- Initial Date of Activity: 01/13/2020
- Operates a data leak site: N/A (sells a builder that lets buyers create their own ransomware)
- Weekly Summary of Activity
- Posted Date: 12/27/2020
- Presented progress on the upgraded version of the builder and said only a few improvements remain (implying it is almost done)
- New builder will start with the price of $650
- The price at the moment is $300 which is valid until Jan/01/2021
*Dreamon Ransomware Features (as advertised by the seller)
[Conditional designation: ransomware]
[*] Written in .NET [C#].
[*] Uses CLR hosting technology (you get a native file) - allows bypassing Windows Defender
[*] Minimum file size (17-20 KB) | (Native - 38.0 KB)
[*] Encrypts files with AES-256 (works in stealth mode)
[*] Deletes system restore points (cannot be recovered after encryption)
[*] Restriction on starting the second instance of the application
[*] Restriction on launch in the CIS countries (Does not work on the territory of the Russian Federation)
[*] Smart check (does not encrypt an already encrypted file twice)
[*] Encrypts entire files (max limit 100MB) - At the request of the user can be changed.
[*] Adds an .html file with information about the transfer of funds to each folder.
[*] Bypass system files and directories (to prevent system crashes)
[*] Protection against starting on virtual machines, sandboxes, etc.
[*] Scans and encrypts all found disks, flash drives, network drives etc.
[*] Removes all files from the recycle bin.
[*] Removes itself at the end of the work, leaving no traces.
[Notes]
[*] Works no worse than native ransomware and even better than most.
[*] When you buy, you get another additional Native ransomware
[*] Does not work with panels (does not send any requests to the network, for greater security)
[*] Key by hash, protection against detection in memory.
[*] No additional encryption algorithms required (performance and security deteriorate)
[*] Files encrypt quickly (very large multi-gigabyte files are encrypted in 1 to 2-3 minutes, depending on the power of the computer)
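Two items in the seller's list are directly observable on a compromised share: an `.html` ransom note is dropped into every folder, and file contents become AES-256 ciphertext, which is indistinguishable from random bytes. The triage script below, added here as an illustration and not code from S2W LAB or the Dreamon seller, walks a directory tree and reports (a) any `.html` filename that is replicated across many folders, which is how a per-folder note shows up regardless of its name, and (b) files whose leading bytes have near-maximal Shannon entropy. It builds its own constructed sample tree in a temporary directory; the note name `HOW_TO_RECOVER.html` and the `.locked` suffix are assumptions for the example, since the seller's post gives neither.

```python
import math
import os
import shutil
import tempfile
from collections import Counter

# Assumed for this example: the seller only says "an .html file with information about the
# transfer of funds" is added to each folder, so the actual note name is unknown.
NOTE_NAME = "HOW_TO_RECOVER.html"
MIN_FILE_SIZE = 1024        # entropy on a handful of bytes is meaningless
SAMPLE_BYTES = 65536        # reading the head of each file keeps the walk cheap
ENTROPY_THRESHOLD = 7.5     # bits/byte: AES output ~7.99, text ~4-5
# Formats that are already compressed look random too; skip them to cut false positives.
COMPRESSED_EXT = {".zip", ".7z", ".gz", ".png", ".jpg", ".jpeg", ".mp4", ".docx", ".xlsx", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, min_note_dirs: int = 3) -> dict:
    """Report .html names repeated in >= min_note_dirs folders and high-entropy files under root."""
    html_dirs = Counter()
    encrypted = []
    for dirpath, _, filenames in os.walk(root):
        html_here = set()
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".html":
                html_here.add(name)
                continue
            if ext in COMPRESSED_EXT:
                continue
            try:
                if os.path.getsize(path) < MIN_FILE_SIZE:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                encrypted.append(path)
        for name in html_here:
            html_dirs[name] += 1
    note_candidates = sorted(n for n, c in html_dirs.items() if c >= min_note_dirs)
    return {"note_candidates": note_candidates, "encrypted_files": sorted(encrypted)}


def build_sample_tree(root: str) -> None:
    """Constructed sample: three hit folders in the shape the feature list describes, plus one clean one."""
    text = b"The quick brown fox jumps over the lazy dog. " * 200
    for i in range(3):
        d = os.path.join(root, f"share{i}")
        os.makedirs(d)
        with open(os.path.join(d, NOTE_NAME), "w") as fh:
            fh.write("<html><body>Your files are encrypted. Pay to decrypt.</body></html>")
        with open(os.path.join(d, f"report{i}.docx.locked"), "wb") as fh:
            fh.write(os.urandom(8192))     # stands in for AES-256 ciphertext
        with open(os.path.join(d, f"notes{i}.txt"), "wb") as fh:
            fh.write(text)                 # untouched plaintext
    clean = os.path.join(root, "clean")
    os.makedirs(clean)
    with open(os.path.join(clean, "README.html"), "w") as fh:
        fh.write("<html><body>project docs</body></html>")   # a lone .html is not a note
    with open(os.path.join(clean, "data.txt"), "wb") as fh:
        fh.write(text)


def demo() -> dict:
    """Build the sample tree in a temp dir, triage it, and return paths relative to the root."""
    root = tempfile.mkdtemp(prefix="dreamon_triage_")
    try:
        build_sample_tree(root)
        result = triage(root)
        result["encrypted_files"] = [os.path.relpath(p, root) for p in result["encrypted_files"]]
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The replicated-note check is the more reliable of the two signals: the seller's "smart check" (never encrypting a file twice) implies some marker on encrypted files, but the post does not say what it is, so the entropy test is the generic fallback and will also catch legitimately random data such as key material or already-encrypted archives.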