W1 Jan | English | Story of the week: Ransomware on the Darkweb
W1 January, 2021
S2W LAB publishes weekly reports on ransomware activity observed on the dark web. Each report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.
Executive Summary
In the last week, the number of victimized firms mentioned on ransomware sites decreased slightly (-13) compared to the previous week, while the number of active ransomware groups remained the same at 7. The top target countries are the United States, Canada, the United Kingdom, Germany and South Korea, in the same order as in the previous week. However, it is notable that ransomware attacks against Canadian-based companies increased significantly, by more than 10%.
Among targeted industries, the industrials sector (aviation, space, construction, manufacturing, and defense) held the highest share, up 15% compared to the previous week. Attacks on government sectors and IT companies also appear to be on the rise.
Babuk ransomware activity was recently detected and warrants attention.
1. Weekly Status
A. Status of the victimized firms
- Over the week, a total of 31 companies were mentioned on ransomware sites, and a change in the status of the data leaked from each victim company was detected.
- Activity from 7 threat groups was detected.
B. TOP 5 targeted countries
- United States — 56.7%
- Canada — 20.0%
- United Kingdom — 3.3%
- Germany — 3.3%
- South Korea — 3.3%
C. TOP 5 targeted industrial sectors
- Industrials — 33.3%
- Retail — 16.7%
- Government — 10.0%
- Materials — 6.7%
- IT — 6.7%
2. Status of active Ransomware forum posts @ Dark Web
A. Babuk
- Forums: Raidforums
- User ID: biba99
- Initial Date of Activity: 08/26/2020
- Whether operating a data leak site: In operation
Weekly Summary of Activity
- Posted Date: 01/03/2021
- Posted samples of victim’s data
- Contact page: babukq4e2p3wu4iq.onion
- Data leak page: gtmx56k4hutn3ikv.onion
B. Thanos Builder
- Forums: Exploit[.]IN, XSS[.]IS, CryptBB, ClubCRD
- User ID: Nosophoros
- Initial Date of Activity: 11/19/2019
- Whether operating a data leak site: N/A (sells a program that enables users to build their own ransomware)
- Special note: In the past, a user named ‘recoba90’ (email: recoba90@protonmail.com) distributed ransomware built with the Thanos builder in South Korea.
- Related link: https://www.estsecurity.com/enterprise/security-center/notice/view/7061?category-id=6
Weekly Summary of Activity
- Posted Date: 01/04/2021
- Added a digital encryption key feature: the client cannot be run without the right encryption key, which hinders forensic techniques such as decompiling and debugging
- If the right digital key is entered, the client decrypts and executes in memory without leaving a trace on disk, and the memory is disposed of when the process ends
- Rewrote the procedures for the small-file and full-file encryption modes
(tested on a 2 core, 2Gb RAM computer, which encrypted 100Gb of data in 1min 30sec)
C. Darkside
- Forums: XSS[.]IS, Exploit[.]IN
- User ID: darksupp
- Initial Date of Activity: 11/04/2020 (XSS forum)
- Whether operating a data leak site: In operation
Weekly Summary of Activity
- Posted Date: 12/28/2020
- They have opened a press center where visitors can register as ‘Recovery company’ or ‘Press’
- If registered as ‘Press’ — able to receive official comments and ask questions, and get a notification if there is any leak from large-sized victims
- If registered as ‘Recovery company’ — receives a separate channel to discuss additional discounts or any issues regarding the case