W1 July | EN | Story of the week: Ransomware on the Darkweb
Truth or Dare
With contributions from Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong | S2W LAB Talon
SoW (Story of the Week) publishes a report summarizing ransomware activity on the Darkweb. The report includes a summary of victimized firms, the Top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.
Executive Summary
- [Statistics] 55 companies were infected by ransomware in one week, 19.5% more than the previous week. The United States is still in first place, accounting for 58% of all ransomware victims.
- [Dark Web] The LockBit operator disputes the Prodaft report, stating that none of the developers have ever used Express VPN and that the IP information attributed to LockBit is not related to them.
- [Dark Web] New ransomware discovered: Vice Society, Hive ransomware and teslarvng2.
- [Dark Web] The Babuk builder, which can create Babuk ransomware payloads and decrypt encrypted files, has been shared and is publicly available.
- [Dark Web] The Exploit forum has launched a file exchange service that it operates independently, without third-party services. Hive ransomware is using this service for data leakage.
1. Weekly Status
A. Status of the infected firms (06/21~06/27)
- Over the week, a total of 55 infected firms were mentioned, 19.5% more than the previous week.
- The activities of 12 threat groups were detected.
B. TOP 5 targeted countries
- United States — 58.2%
- Canada — 9.1%
- France — 7.3%
- Italy & United Kingdom — 5.5%
- Mexico — 3.6%
C. TOP 5 targeted industrial sectors
- Service — 23.6%
- Manufacturer & Healthcare — 9.1%
- Financial — 7.3%
- Food production & Construction & IT — 5.5%
- Government & Industrial & Transportation & Aerospace — 3.6%
D. Current status of data leak site operated by ransomware groups
- We continuously monitor the status of the data leak sites operated by ransomware groups; approximately 23 sites are operating stably while 5 sites are unstable.
- “Latest Updated” is based on the date on which the victim company information was updated.
[Figure: Current status of the monitored data leak sites operated by ransomware groups]
- Among the currently monitored ransomware leak sites, an average of 23 sites are stable and show steady activity.
2. Posts related to Ransomware threat actors @Dark Web
A. The current status of LockBit
A-1. Prodaft published the IoC and the decryptor for LockBit victims
- On June 23rd, Prodaft, which published the “LockBit RaaS In-Depth Analysis” report, shared threat information consisting of IoCs and a decryptor directly relevant to LockBit.
- The post included the personal IDs of the companies infected by LockBit and information about the decryptor.
A-2. The operator of LockBit said, “None of the developers have ever used Express VPN.”
- This is a continuation of the “LockBit Renewal after the Prodaft Report” item mentioned in last week’s SoW.
- In response to the Prodaft report, LockBit stated that “None of the developers have ever used Express VPN.”
- According to LockBit, the IP address mentioned in the Prodaft report is not related to them.
- LockBit also claimed that if the IP address in the Prodaft report were real, it would have been leaked not into a report of some kind, but directly to certain special services.
A-3. The operator of LockBit mentioned the article about Russian Federal Security Service plans
- LockBit commented on an article about a plan for Russia and the USA to collaborate on identifying hackers who use ransomware.
- The operator also shared stories about money laundering and about countries where one could live safely with money earned through ransomware activities.
B. New Ransomware
B-1. Vice Society (aka. v-society)
- On Friday, June 11th, Michael Gillespie posted a tweet stating that Vice Society (“.v-society”) and HelloKitty (“.crypt”) are the same.
- The ransomware uses OpenSSL (AES256 + secp256k1 + ECDSA) to encrypt files; samples are not shared due to victim confidentiality.
- Thanks to Michael’s tweet, we found the data leak site of Vice Society and identified 10 companies infected by Vice Society.
B-2. Hive
- On June 26th, dnwls0719 tweeted a post with information about Hive ransomware, its data leak site, and its ransom note.
https://twitter.com/fbgwls245/status/1408632067181604865?s=20
- Subsequently, a specific user published information about Hive ransomware, the data leak site, and the ransom note.
- On checking the data leak site, we found that Hive ransomware shares samples of victim data via download links on send.exploit.in.
- So far, no affiliate partner activity of Hive ransomware has been detected, nor any related activity on DDW forums.
B-3. teslarvng2
- It is confirmed that the teslarvng2 ransomware actor began forum activity on April 16 by posting leaked information from the victim company p****.com to Raidforums.
- Joined Date: April 16, 2021
- First posted on: April 16, 2021
- The victim company whose leaked information was updated on June 25th is m****.com; about 260GB of internal corporate documents are included.
- Contract documents, research data, accounting data, etc.
C. Babuk Builder released
- The builder is used to create Babuk’s payload and to decrypt files encrypted with Babuk.
- Our test confirmed that the builder actually generates a working payload and that its key files are generated with the curve25519 algorithm:
- kp.curve25519
- ks.curve25519
- The mutex and the encrypted file extension are the same as those of the previously released Babuk ransomware samples:
- Mutex: DoYouWantToHaveSexWithCuongDong
- encrypted file extension: .babyk (ver4)
Conclusion
- The Ransomware-as-a-Service (RaaS) business model continues to grow on the darkweb, and the leak of the Babuk builder does not imply the end of Babuk, but rather the start of new ransomware built on it.
- The Conti ransomware leak site added 16 cases on June 25 alone, which suggests that its affiliates have started looking for new victims.
- In response to reports such as Prodaft’s, ransomware groups including LockBit are likely to build leak sites that are more robust and more difficult to track.
- Homepage: https://www.s2wlab.com
- Facebook: https://www.facebook.com/S2WLAB/
- Twitter: https://twitter.com/s2wlab