S2W BLOG

W1 Jun | EN | Story of the week: Ransomware on the Darkweb

Corporate Data Matters

Co-Author: Denise Dasom Kim, Jungyeon Lim, YH Jeong @ Talon


SoW (Story of the Week) publishes a report summarizing ransomware activity on the Darkweb. The report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.

Executive Summary

  • Compared to the SoW from 5 months ago (W1 Jan), the number of victimized firms increased by about 2.6 times and the number of ransomware threat groups increased by 1.6 times, so ransomware attacks require continued attention.
  • The United States mostly remained at the top in terms of the rate of victim infection, but as the number of active ransomware threat groups increased, the distribution of victimized firms’ countries also became more varied.
  • Users who had worked as affiliate partners with Darkside (as pentesters) complained to the admin of the XSS forum that Darkside had not paid their share properly; the admin accepted the claims and permanently suspended the Darkside account.
  • Babuk ransomware rebranded as Payload Bin, and their first victim was CD PROJEKT.
  • The CD PROJEKT source code leak is an incident found to be related to HelloKitty ransomware; it now appears on Payload Bin because Babuk ransomware announced last week that it planned to integrate a platform gathering ransomware partners who did not operate their own data leak site.

1. Weekly Status

A. Status of the victimized firms (5/24 ~ 5/30)

  • Over the week, a total of 80 victimized firms were mentioned, and a change in the state of the data leaked from the victims on ransomware sites was detected.
  • The activities of 11 threat groups were detected.
  • Compared to the statistics from 5 months ago, the number of victims increased by about 2.6 times and the number of ransomware threat groups increased by 1.6 times, which calls for raised awareness of ransomware attacks.

Link to W1 Jan | EN | Story of the Week: Ransomware on the Darkweb

B. TOP 5 targeted countries

The United States mostly remained at the top in terms of the rate of victim infection, but as the number of active ransomware threat groups increased, the distribution of victimized firms’ countries also became more varied.

  1. United States — 26.3%
  2. Germany — 11.3%
  3. France — 8.8%
  4. United Kingdom — 5.0%
  5. Norway — 3.8%

C. TOP 5 targeted industrial sectors

  1. Manufacturer — 18.8%
  2. Industrial — 11.3%
  3. Education — 8.8%
  4. Financial & Consultancy & Service — 6.3%
  5. Health Care & Store & Real estate — 5.0%

2. Posts related to Ransomware threat actors @Dark Web

A. Darkside permanently banned from XSS forum

On May 14th, a user (qwety1) of the XSS Forum claimed to the admin that he had not received any payment while working as a pentester participating in the affiliate program of DarkSide Ransomware.

The administrator of the XSS Forum stated that they would begin the procedure for paying compensation under the XSS Forum rule quoted below.

return to the victims occurs from the balance, dividing proportionally between the victims in a % ratio. Consideration of the return process takes place directly in black, within 7 days.

The administrator started reviewing proofs from 6 users asserting that they had participated in the Darkside ransomware affiliate program. After that, 3 users were confirmed, and the admin compensated their losses.

XSS.IS admin: Thanks to all. The question is closed.
darksupp (Darkside ransomware's operator) - the status is set. But I want to emphasize that the status is set purely on a formal basis.
Appeared faded> there was a "cut" of the deposit> the status is set. This is the observance of the procedure, nothing more.
Since I do not know anything, I am not ready to take responsibility for any loud statements and will not hang labels.
My job is just to follow the rules honestly, clearly and correctly.

As a consequence, Darkside was banned by the administrator as a scammer for violating the forum policy.

B. Babuk ransomware rebranded as Payload[.]bin

Link to W4 May | EN | Story of the Week: Ransomware on the Darkweb

Last week, we covered a post in which the Babuk ransomware launched an integrated platform gathering partners who do not have a data leak site, operating the leak site on their behalf. On May 31, the Babuk ransomware rebranded as Payload Bin and reorganised its homepage.

All leak data previously disclosed by the Babuk ransomware disappeared with the renewal, except for CD Projekt’s source code data. The CD PROJEKT source code leak is an incident found to be related to HelloKitty ransomware on Feb 9.

Ransomware damage announced by CD Projekt
Ransom note released by CD Projekt via Twitter

https://twitter.com/CDPROJEKTRED/status/1359048125403590660/photo/1

After the announcement, a user appeared on DDW looking for the leaked data from the CD Projekt incident.

However, there was no free sharing page on DDW; instead, a seller appeared trying to sell CD Projekt’s source code on DDW in the form of an auction.

As Babuk announced, the data appears to be the CD Projekt data stolen by HelloKitty ransomware in the previous incident, and HelloKitty seems to have partnered with Babuk ransomware, now rebranded as Payload Bin.

Conclusion

  • The number of victims mentioned on data leak sites operated by ransomware groups is rapidly increasing compared to 5 months ago, so vigilance is needed.
  • Babuk ransomware, rebranded as Payload Bin, appears to be strengthening its strategy of threatening victims by focusing on data exfiltration and partnering with previously active ransomware groups that did not have their own data leak page.
