Ransomed.vc, a ransomware syndicate with a rapidly growing reputation on the Dark Web, has once again made headlines. This time its target is Japan’s telecommunications giant, NTT Docomo.
The development comes hot on the heels of the recent data breach at Sony, which appears to be connected to the activities of Ransomed.vc.
According to a Resecurity report, the group is demanding a ransom of $1,015,000 from NTT Docomo, after Sony refused to meet its demands and stolen Sony data was published.
The big question now is whether this signals the beginning of a new wave of cyberattacks targeting Japan.
Ransomed.vc, which started as an underground forum in August 2023, has rapidly transformed into a formidable ransomware syndicate.
Initially focusing on data leaks, access brokerage, vulnerabilities, exploits, and other cybercriminal tradecrafts, the forum aimed to build a thriving community of like-minded individuals.
Their credit system, rewarding members based on their activity, incentivized the sharing of valuable, previously undisclosed information.
The forum primarily focused on sharing compromised data, combo lists with credentials, and personally identifiable information (PII), all highly sought-after commodities in the modern underground ecosystem.
As its operations evolved, Ransomed.vc adopted an unusual extortion pitch, describing itself as “a leading company in digital peace tax.”
The approach leans on GDPR and other data protection regulations to coerce victims based in the European Union into paying.
If a victim refuses, the stolen data is published, which exposes the breach to regulators and triggers GDPR fines.
The group’s argument is that the ransom is the cheaper expense: smaller than the potential fines and the financial and reputational damage that follow a disclosed breach.
Establishing an Affiliate Program
Ransomed.vc has also established an affiliate program, inviting others to monetize compromised access to enterprise networks.
While they don’t allow attacks on critical infrastructure, exceptions can be made with “special confirmation from admin.” This move suggests a network of cybercriminals and compromised access suppliers forming around the syndicate.
The recent Sony incident sheds light on the group’s activities. Stolen files, including source codes, internal presentations, and confidential information, were exposed.
Notably, the breach appears to involve an engineer’s workstation and references to SVN repositories.
The breach’s scope appears narrower than the group initially claimed (not all of Sony’s systems were affected), but the exposed artifacts appear to be authentic.
Amplifying the Leak
What’s intriguing is that the leak was amplified by an individual known as BorisTulev, who claimed to be a Ransomed.vc affiliate.
On September 23, 2023, the group released a new archive containing 2.4 GB of data, revealing fresh sensitive details behind the incident, including compromised credentials and an SSH private key.
Interestingly, the leaked data points to an IP address related to one of NTT DOCOMO’s data centers.
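A leaked archive of this kind (credentials, a private SSH key and an internal IP address) is something a defender should triage immediately to learn whether any of the exposed secrets still work against their own estate. The following Python script is an added example (it is not part of the Resecurity report, the original article or Ransomed.vc’s material) of that triage: it finds PEM and OpenSSH private key blocks, distinguishes encrypted from unencrypted OpenSSH keys by parsing the openssh-key-v1 header, flags credential-shaped lines, extracts IPv4 addresses, and computes the SHA256 fingerprint of any public key line so it can be compared with the fingerprints in your own authorized_keys files (the same value ssh-keygen -lf prints). The dump text, key blobs, usernames and the TEST-NET-3 address are constructed placeholders, not data from the leak.

```python
"""Triage a leaked dump for reusable secrets: private keys, credentials, IPs.

Added example; the sample dump below is constructed, not leaked data.
"""
import base64
import hashlib
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _constructed_openssh_key(cipher: bytes) -> str:
    """Build an OpenSSH-format private key block whose header names `cipher`.
    Only the header prefix is meaningful; the remainder is zero filler."""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(b"none")
            + _ssh_string(b"") + b"\x00" * 64)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----"


# Constructed ed25519 public key line (filler key bytes, not a real key).
_PUB_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(_PUB_BLOB).decode() + " deploy@build01"

# Constructed text resembling notes recovered from a developer workstation image.
SAMPLE_DUMP = "\n".join([
    "svn checkout https://svn.internal.example/repo --username jdoe",
    "jdoe:Summer2023!",
    "db_password=Tr0ub4dor&3",
    "host 203.0.113.45 (dc-tokyo, TEST-NET-3 address, constructed)",
    _constructed_openssh_key(b"none"),          # unencrypted: usable as-is
    _constructed_openssh_key(b"aes256-ctr"),    # passphrase-protected
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF",
    "",
    "MIIEowIBAAKCAQEA",
    "-----END RSA PRIVATE KEY-----",
    SAMPLE_PUBKEY_LINE,
])

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*?)PRIVATE KEY-----\n(.*?)-----END \1PRIVATE KEY-----", re.S)
# user:password pairs, or anything that looks like password=value / pass: value
CRED_RE = re.compile(r"^(?:[\w.@-]+:\S{6,}|\w*pass\w*\s*[=:]\s*\S+)$", re.I | re.M)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def openssh_key_is_encrypted(b64_body: str) -> bool:
    """Parse the openssh-key-v1 header: magic, then the cipher name string."""
    blob = base64.b64decode("".join(b64_body.split()))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n] != b"none"


def find_private_keys(text: str):
    """Return (key_type, encrypted) for every private key block in `text`."""
    found = []
    for m in PEM_RE.finditer(text):
        key_type, body = m.group(1).strip(), m.group(2)
        if key_type == "OPENSSH":
            encrypted = openssh_key_is_encrypted(body)
        else:
            # PKCS#8 uses "ENCRYPTED PRIVATE KEY"; legacy PEM uses a Proc-Type header.
            encrypted = key_type == "ENCRYPTED" or "Proc-Type: 4,ENCRYPTED" in body
        found.append((key_type, encrypted))
    return found


def ssh_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of an authorized_keys/.pub line, as ssh-keygen -lf prints it."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def triage(text: str, our_authorized_fingerprints: set) -> dict:
    """Summarise what in the dump is immediately reusable against us."""
    keys = find_private_keys(text)
    pub_lines = [l for l in text.splitlines()
                 if l.startswith(("ssh-ed25519 ", "ssh-rsa ", "ecdsa-sha2-"))]
    matching = [fp for fp in map(ssh_fingerprint, pub_lines)
                if fp in our_authorized_fingerprints]
    return {
        "private_keys": keys,
        "unencrypted_keys": sum(1 for _, enc in keys if not enc),
        "credentials": CRED_RE.findall(text),
        "ips": sorted(set(IPV4_RE.findall(text))),
        "matching_keys": matching,   # leaked keys that our hosts would still accept
    }


if __name__ == "__main__":
    known = {ssh_fingerprint(SAMPLE_PUBKEY_LINE)}   # pretend this is in our authorized_keys
    for k, v in triage(SAMPLE_DUMP, known).items():
        print(f"{k}: {v}")
```

The fingerprint comparison is the step that turns a leak report into an action list: every fingerprint in matching_keys corresponds to a key that should be revoked from authorized_keys before any credential rotation is declared complete, and every unencrypted private key counts as already compromised regardless of whether its public half was found.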
The announcement of the attack on NTT DOCOMO was dated September 26, but a day earlier, on September 25, BorisTulev had already published information about the victim on the Dark Web forum, leading to his immediate ban from the platform.
This raises questions about whether this was an intentional strategy by Ransomed.vc or a premature move by BorisTulev.
The actor’s profile suggests a South Slavic, specifically Bulgarian, background, adding to the intrigue surrounding the group’s origin.
Resecurity’s HUNTER (HUMINT) team reached out to Ransomed.vc via Tox (an encrypted peer-to-peer messenger) regarding the Sony breach and NTT DOCOMO.
The group claims to possess 240 GB of stolen Sony data, which it is willing to sell for a relatively low price, starting at $10,000 in BTC.
The low price suggests that the sale itself is not the point: the primary aim appears to be public shaming that pressures the victim into paying, a tactic the group refers to as “pressure support.”
Interestingly, Ransomed.vc has links to the Telegram account @EOMLOL, as identified in their source code.
This account’s reference to Blackforums[.]net, another underground forum focusing on data breaches, suggests a web of interconnected cybercriminal activity.
Blackforums[.]net also features actors with ties to Ransomed.vc, pointing to a complex ecosystem of cyber threats.
Furthermore, a recent development involved the creation of a “Five Families” alliance, composed of groups previously involved in large-scale cyber incidents.
This alliance, which includes STORMOUS, GhostSec, SiegedSec, and others, indicates a shift from hacktivism to ransomware operations, with a focus on collaborating and recruiting new members to scale their operations.
The Resecurity team continues to monitor Ransomed.vc, which claims to hold unreleased data from breaches of U.S.-based corporations, government entities, and European targets.
The ongoing threat underlines the value of proactive monitoring of underground forums and threat intelligence gathering as a defense against evolving cyber threats.