S2W BLOG

W4 Jan | EN | Story of the week: Ransomware on the Darkweb

It ain’t over yet till the DDoS Sings

S2W LAB publishes weekly reports on the ransomware activities that took place on the dark web. Each report includes a summary of victimized firms, the top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.

Executive Summary

The number of victimized firms uploaded to dark web ransomware sites decreased (-22) compared to the past week, and the number of ransomware groups remained the same. The Industrials sector still accounts for the highest proportion of targeted industries, but the Services sector appears to be increasing rapidly and needs careful attention.

Looking back at our previous story, Avaddon mentioned an ‘arsenal to “persuade”’, which turned out to be a DDoS attack against victimized firms. As Avaddon seems to be trying a variety of such tools to force negotiation, victimized firms need to be aware of this secondary attack.

1. Weekly Status

A. Status of the victimized firms (01/18 ~ 01/24)

  • Over the week, a total of 29 companies were mentioned, and a change in the state of the data leaked from victim companies on the ransomware sites was detected.
  • Activity from 7 threat groups detected

B. TOP 5 targeted countries

  1. United States — 58.6%
  2. United Kingdom — 10.3%
  3. Canada — 6.9%
  4. Sweden — 6.9%
  5. Germany — 3.4%

C. TOP 5 targeted industrial sectors

  1. Industrials — 41.4%
  2. Services — 20.7%
  3. Financial — 6.9%
  4. Real Estate — 6.9%
  5. Technology — 6.9%

2. Status of active Ransomware forum posts @ Dark Web

A. Avaddon

  • Forums: Exploit[.]IN, XSS[.]IS
  • User ID: Avaddon
  • Initial Date of Activity: 06/03/2020
  • Leaked Site in Operation (Y/N): Y

Weekly Summary of Activity

Referring to previous SoW…

  • The phrase ‘arsenal to “persuade”’ mentioned by Avaddon in the previous post turns out to refer to a DDoS attack against victimized firms.
  • The size of the DDoS is clearly mentioned, but the harassment of the victims will intensify in order to apply heavy pressure.

Articles & Analysis report on Avaddon

Avaddon Ransomware Analysis Article

B. Babuk

  • Forums: Raidforums
  • User ID: biba99
  • Initial Date of Activity: 08/26/2020
  • Leaked Site in Operation (Y/N): Y

Weekly Summary of Activity

  • Posted Date: 01/21/2021
  • Babuk Locker version supports Linux-based (*nix) virtual servers (ESXi) and NAS

Articles & Analysis report on Babuk

Babuk Locker Analysis Article

C. Lockbit

  • Forums: Exploit[.]IN, XSS[.]IS
  • User ID: LockBit
  • Initial Date of Activity: 01/17/2020
  • Leaked Site in Operation (Y/N): Y

Weekly Summary of Activity

  • Posted Date: 01/21/2021
  • Reply post implying that a new LockBit 2.0 is in progress

As a reminder, LockBit’s first post

Articles & Analysis report on Avaddon

LockBit Ransomware Analysis Article

S2W is a big data intelligence company specialized in the Dark Web, Deepweb and any other covert channels.

Hyunmin Suh

Principal Researcher @S2W LAB
