W1 Jan | English | Story of the week: Ransomware on the Darkweb

W1 January, 2021

S2W LAB publishes weekly reports on ransomware activity on the Dark Web. Each report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.

Executive Summary

In the last week, the number of victimized firms mentioned on ransomware sites decreased slightly (-13) compared to the previous week, while the number of ransomware groups remained the same at 7. The top targeted countries are the United States, Canada, United Kingdom, Germany and South Korea, in the same order as in the previous week. However, it is notable that ransomware groups' attacks against Canada-based companies increased significantly, by more than 10%.

Among targeted industries, industrial sectors such as aviation, space, construction, manufacturing, and defense held the highest share, which increased by 15% compared to the previous week. Attacks on government sectors and IT companies also appear to be newly on the rise.

Activity from Babuk ransomware has recently been detected, and it warrants attention.

1. Weekly Status

A. Status of the victimized firms

  • Over the week, a total of 31 companies were mentioned, and changes in the state of victim companies' leaked data on the ransomware sites were detected.
  • Activity from 7 threat groups detected

B. TOP 5 targeted countries

  1. United States — 56.7%
  2. Canada — 20.0%
  3. United Kingdom — 3.3%
  4. Germany — 3.3%
  5. South Korea — 3.3%

C. TOP 5 targeted industrial sectors

  1. Industrials — 33.3%
  2. Retail — 16.7%
  3. Government — 10.0%
  4. Materials — 6.7%
  5. IT — 6.7%

2. Status of active Ransomware forum posts @ Dark Web

A. Babuk

  • Forums: Raidforums
  • User ID: biba99
  • Initial Date of Activity: 08/26/2020
  • Data leak site status: In operation

Weekly Summary of Activity

Babuk Locker posted by biba99
  • Posted Date: 01/03/2021
  • Posted samples of victim’s data
  • Contact page: babukq4e2p3wu4iq.onion
  • Data leak page: gtmx56k4hutn3ikv.onion

B. Thanos Builder

Weekly Summary of Activity

Thanos Ransomware Builder posted by Nosophoros
  • Posted Date: 01/04/2021
  • Added a digital encryption key feature → hinders forensic techniques such as decompiling and debugging; the client cannot be run without the right encryption key
  • If the right digital key is entered, the client is decrypted and executed in memory without leaving a trace on disk, and the memory is released when the process ends
  • Procedures for the small and full file encryption modes rewritten
    (tested on a 2-core, 2Gb RAM computer, which can encrypt 100Gb of data in 1min 30sec)

C. Darkside

  • Forums: XSS[.]IS, Exploit[.]IN
  • User ID: darksupp
  • Initial Date of Activity: 11/04/2020 (XSS forum)
  • Data leak site status: In operation

Weekly Summary of Activity

Darkside advertising post
  • Posted Date: 12/28/2020
  • They have opened a press center where visitors can register as ‘Recovery company’ or ‘Press’
  • If registered as ‘Press’ — able to receive official comments, ask questions, and get a notification if there is any leak from large victims
  • If registered as ‘Company recovery’ — receives a separate channel to discuss additional discounts or any issues regarding the case




S2W is a big data intelligence company specializing in the Dark Web, Deep Web and other covert channels.

Hyunmin Suh

Principal Researcher @S2W LAB