Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter

Hotsauce | S2W TALON

The relation graph of Groove, Babuk, Payload.bin, RAMP, and BlackMatter

• Groove mentioned several cryptocurrency wallet addresses such as BTC, XMR and ETH. Those addresses are same as RAMP’s addresses mentioned on their leak site.
• Groove used the file server same as BlackMatter and Babuk [2].
• The operator of RAMP was linked to the operator of Babuk and Payload.bin [3].

Analyzed by Xarvis

Groove’s BTC, XMR and ETH == RAMP

• BTC: 1EZhsp26j4ZfDfKyXpweUtGgrs3fnpPCEd
• ETH: 0xF6a4906fA254ce0e9175E2C3418Dde999b99ed1F
• XMR: 47GyLQAPw4Ee3WVTgCtSxwNcRinsEm3jdSX8FH4DLbjb5t79CJDxrK9gMNVJNDfCLEjhdJZyWCPBG5CkiTnGqMvnPgKTTV3

Comparison of cryptocurrency addresses between Groove and RAMP

Conclusion

• In this post, we mentioned the fact of Groove and RAMP using the same cryptocurrency wallet address that was mentioned on their leak sites.
• It is highly probable that the operator of RAMP, Groove and BlackMatter are the same or the same group.
• We need to keep monitoring their activities to track the cryptocurrency wallet address that was mentioned by these ransomware.

Related articles by S2W TALON

[1] Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands | by S2W | S2W BLOG | Sep, 2021 | Medium

[2] BlackMatter x Babuk : Using the same web server for sharing leaked files | by S2W | S2W BLOG | Sep, 2021 | Medium

The leaked data uploaded to the same web server by BlackMatter and Babuk

[3] [SoW] W2 Aug | EN | Story of the week: Ransomware on the Darkweb | by S2W | S2W BLOG | Aug, 2021 | Medium

Ransomware threat actors 2020–2021 (Rebranded Ransomware)

• Homepage: https://www.s2wlab.com
• Facebook: https://www.facebook.com/S2WLAB/
• Twitter: https://twitter.com/s2wlab