W1 July | EN | Story of the week: Ransomware on the Darkweb

Hyunmin Suh
Published in S2W BLOG, Jul 4, 2021 (7 min read)

Truth of Dare

With contributions from Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong | S2W LAB Talon

SoW (Story of the Week) is a report summarizing ransomware activity on the dark web. It covers victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, and more.

Executive Summary

  1. [Statistics] 55 companies were reported infected by ransomware this week, 19.5% more than the previous week. The United States remains the most targeted country, accounting for 58% of all victims.
  2. [Dark Web] The LockBit operator disputes the Prodaft report, stating that none of the developers use ExpressVPN and that the IP information attributed to LockBit is not related to them.
  3. [Dark Web] New ransomware discovered: Vice Society, Hive and teslarvng2.
  4. [Dark Web] The Babuk builder, which can create Babuk ransomware payloads and decrypt files encrypted by them, has been shared and is publicly available.
  5. [Dark Web] The Exploit forum has launched a file exchange service that it operates independently, without relying on third-party services. Hive ransomware is using this service to distribute leaked data.

1. Weekly Status

A. Status of the infected firms (06/21~06/27)

  • During the week, a total of 55 infected firms were mentioned, 19.5% more than the previous week.
  • Activity from 12 threat groups was detected.

B. TOP 5 targeted countries

  1. United States — 58.2%
  2. Canada — 9.1%
  3. France — 7.3%
  4. Italy & United Kingdom — 5.5%
  5. Mexico — 3.6%

C. TOP 5 targeted industrial sectors

  1. Service — 23.6%
  2. Manufacturer & Healthcare — 9.1%
  3. Financial — 7.3%
  4. Food production & Construction & IT — 5.5%
  5. Government & Industrial & Transportation & Aerospace — 3.6%

D. Current status of data leak site operated by ransomware groups

  • We continuously monitor the data leak sites operated by ransomware groups; approximately 23 sites operate stably while 5 are unstable.
  • “Latest Updated” is based on the date the victim company information was last updated.

Current status of monitored data leak sites operated by ransomware groups

  • Among the currently monitored ransomware leak sites, an average of 23 are stable and show steady activity.

2. Posts related to Ransomware threat actors @Dark Web

A. The current status of LockBit

A-1. Prodaft published IoCs and a decryptor for LockBit victims

  • On June 23rd, Prodaft, who published the “LockBit RaaS In-Depth Analysis” report, shared IoCs and a decryptor directly relevant to LockBit.
  • The post includes the per-victim IDs of companies infected by LockBit and information about the decryptor.

https://github.com/prodaft/malware-ioc/tree/master/LockBit

A-2. The LockBit operator stated, “None of the developers have ever used Express VPN.”

  • This continues the “LockBit Renewal after the Prodaft Report” item covered in last week's SoW.
  • In response to the Prodaft report, LockBit stated that “None of the developers have ever used Express VPN.”
  • According to LockBit, the IP address mentioned in the Prodaft report is not related to them.
  • The operator also claimed that if the IP address in the Prodaft report were real, it would have been handed directly to the special services rather than ending up in a report.

A-3. The LockBit operator commented on an article about Russian Federal Security Service plans

  • LockBit commented on an article about Russia and the USA planning to cooperate in identifying hackers who use ransomware.
  • The operator also shared thoughts on money laundering and on countries where one could live safely with money earned from ransomware activity.

B. New Ransomware

B-1. Vice Society (aka. v-society)

  • On Friday, June 11th, Michael Gillespie tweeted that Vice Society (“.v-society”) and HelloKitty (“.crypt”) are the same.
  • The ransomware uses OpenSSL (AES256 + secp256k1 + ECDSA) to encrypt files; samples were not shared due to victim confidentiality.

https://twitter.com/demonslay335/status/1403109032014061568

  • Thanks to Michael's tweet, we found the Vice Society data leak site and identified 10 companies infected by Vice Society.

B-2. Hive

  • On June 26th, dnwls0719 tweeted information about Hive ransomware, its data leak site, and its ransom note.

https://twitter.com/fbgwls245/status/1408632067181604865?s=20

  • Another user subsequently published information on Hive ransomware, its data leak site, and its ransom note.
  • Checking the data leak site, we found that Hive shares samples of victim data through download links on send.exploit.in.
  • So far, no activity by Hive affiliates has been detected, and nothing has been observed on DDW forums.

B-3. teslarvng2

  • The teslarvng2 ransomware actor is confirmed to have started forum activity on April 16 by posting leaked information from the victim company p****.com on RaidForums.
  • Joined: April 16, 2021
  • First post: April 16, 2021
  • The victim information updated on June 25th belongs to m****.com and includes about 260GB of internal corporate documents.
  • Contract documents, research data, accounting data, etc.

C. Babuk Builder released

https://twitter.com/GossiTheDog/status/1409117153182224386

https://www.virustotal.com/gui/file/82e560a078cd7bb4472d5af832a04c4bc8f1001bac97b1574efe9863d3f66550/detection

  • Used to create Babuk payloads and decrypt files encrypted by Babuk.
  • In our test, the builder actually generated a payload, and the key files were generated with the curve25519 algorithm:
  • kp.curve25519
  • ks.curve25519
  • The mutex and encrypted file extension match those of previously released Babuk ransomware samples:
  • Mutex: DoYouWantToHaveSexWithCuongDong
  • Encrypted file extension: .babyk (ver4)
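Why the kp/ks key files matter is easier to see in code. The following Python is an added illustration written for this post, not Babuk's own code, and it makes no claim about Babuk's actual file cipher: it models a builder that writes a curve25519 key pair, a payload that carries only kp, and a decryptor that needs ks. The roles of kp (public) and ks (secret) are assumed from the file names, the X25519 arithmetic follows RFC 7748, and the file cipher is a stand-in hash-counter keystream. The OpenSSL-based AES256 + secp256k1 scheme noted for HelloKitty/Vice Society in B-1 is the same general hybrid idea on a different curve.

```python
import hashlib
import os

# --- Minimal X25519 (RFC 7748): Montgomery ladder over GF(2^255 - 19) ---
P = 2**255 - 19
A24 = 121665
BASE_POINT = bytes([9]) + bytes(31)   # generator u = 9


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_point: bytes) -> bytes:
    """Scalar multiplication on Curve25519; returns the u-coordinate as 32 little-endian bytes."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u_point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_master_keys():
    """Builder step (assumed roles): ks stays with whoever ran the builder, kp is embedded in the payload."""
    ks = os.urandom(32)
    kp = x25519(ks, BASE_POINT)
    return ks, kp


def _keystream(key: bytes, length: int) -> bytes:
    # Hash-counter keystream: a demo stand-in for the real file cipher, not Babuk's algorithm.
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def payload_encrypt(kp: bytes, plaintext: bytes) -> bytes:
    """Payload side: only kp is known. A fresh ephemeral key per file; e_pub is stored in front of the ciphertext."""
    e_priv = os.urandom(32)
    e_pub = x25519(e_priv, BASE_POINT)
    file_key = hashlib.sha256(x25519(e_priv, kp)).digest()
    return e_pub + _xor(plaintext, _keystream(file_key, len(plaintext)))


def decryptor(ks: bytes, blob: bytes) -> bytes:
    """Decryptor side: needs ks. ks * (e * G) == e * (ks * G) recovers the same file key."""
    e_pub, body = blob[:32], blob[32:]
    file_key = hashlib.sha256(x25519(ks, e_pub)).digest()
    return _xor(body, _keystream(file_key, len(body)))


if __name__ == "__main__":
    ks, kp = generate_master_keys()          # one builder run: ks.curve25519 / kp.curve25519
    doc = b"constructed sample: Q2 accounting ledger"
    enc = payload_encrypt(kp, doc)           # what a victim host would hold as a .babyk file
    print(decryptor(ks, enc) == doc)         # True: the ks from this builder run opens it
    other_ks, _ = generate_master_keys()     # a different actor's builder run
    print(decryptor(other_ks, enc) == doc)   # False: a different ks does not help
```

Under this model a leaked builder only helps victims of payloads built with the ks that leaked alongside it; anyone who runs the builder afresh gets a new key pair, and files encrypted by that new payload can only be decrypted by whoever holds that new ks.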

Conclusion

  • The Ransomware-as-a-Service (RaaS) business model continues to grow on the dark web, and the leak of the Babuk builder does not mean the end of Babuk but rather the start of new ransomware built from it.
  • The Conti leak site added 16 cases on June 25 alone, suggesting its affiliates are actively looking for new victims.
  • In response to reports like Prodaft's, ransomware groups including LockBit are likely to build leak sites that are more robust and harder to track.
