Ransomed[.]vc Sunsets Operations, Auctions Off Infrastructure

Key Findings

• The ransomware and data extortion (R&DE) collective known as Ransomed[.]vc announced in its Telegram channel that it no longer wanted to continue running the project and was selling all aspects of its infrastructure. 

• At the time of writing, one Ransomed[.]vc leak site has been closed down, and the other hosts a closing note on its home page. However, its ransomware forum (on which Ransomed[.]vc coordinates its ransomware-as-a-service projects) remains active, likely to assist in the sale of its infrastructure and assets. 

• Since August 2023, ZeroFox has identified more than 40 R&DE victims of Ransomed[.]vc, almost 60 percent of which are organizations based in Europe. 

• These posts very likely represent a legitimate cessation of Ransomed[.]vc’s activity and a fire sale of the operation’s infrastructure. Threat actors will likely be motivated to purchase the infrastructure to target victims, create spin-off extortion operations, or leverage for further malicious activity. However, Ransomed[.]vc’s closure is very unlikely to have any considerable impact on the broader R&DE threat.

Details

R&DE collective Ransomed[.]vc announced in its Telegram channel on October 30, 2023, that it will discontinue the project and sell off its infrastructure. The collective’s closure is unlikely to have any considerable impact on the broader R&DE threat landscape, as affiliates are likely to pivot to other extortion operations at pace and continue their respective targeting with little cessation or downtime. The post states that the sale package includes: 

• Domains (Ransomed[.]vc, Ransomed[.]biz, and its dark web forum);
• A ransomware builder claimed to be fully undetectable; 
• Source code; 
• Access to affiliate groups; 
• Social media accounts; 
• Telegram channel and group; 
• VPN access for 11 companies with revenue totaling USD 3 billion; 
• Thirty-seven (37) databases; and
• A control panel for the locker. 

Ransomed[.]vc announces closure of operations

Source: hXXps://t[.]me/ransomed_channel/98

A follow-up post published in the Ransomed[.]vc Telegram channel on November 8, 2023, stated that six individuals associated with the operation may have been arrested, blaming their lack of effective operational security and inexperience. The post also stated that all 98 Ransomed[.]vc affiliates had been fired with immediate effect; ZeroFox has not independently confirmed the veracity of these claims.

Ransomed[.]vc announces possible arrest of operatives and firing of 98 affiliates

Source: hXXps://t[.]me/ransomed_channel/147

At the time of writing, one Ransomed[.]vc leak site has been closed down, and the other hosts a closing note on the home page. However, its ransomware forum (on which Ransomed[.]vc coordinates its ransomware-as-a-service projects) remains active, likely to assist in the sale of its infrastructure and assets. 

Identified as early as August 2023, Ransomed[.]vc originated as an underground forum discussing cybercriminal activity, including data brokerage, network access, and exploitation of vulnerabilities. The group specialized primarily in Europe-based targets, and the operation was engaging in extortion activities by the end of August 2023. Since August, at least 40 victims of Ransomed[.]vc extortion were Europe-based, representing 60 percent of the collective’s overall activity.

Ransomed[.]vc extortion incidents by month

Source: ZeroFox Intelligence

These posts very likely represent a legitimate cessation of Ransomed[.]vc’s activity and a fire sale of the operation’s infrastructure. Threat actors (not limited to extortion collectives) will likely be motivated to purchase the infrastructure to target victims, create spin-off extortion operations, or leverage for further malicious activity. 

• Ransomware collectives are known to obtain and incorporate source code from other ransomware strains into their payloads. 
• Threat actors deploying Ransomed[.]vc are very likely to continue their operations by pivoting to other ransomware-as-a-service offerings.

Recomendations

• Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege. 
• Implement network segmentation to separate resources. 
• Implement secure password policies with phishing-resistant MFA, complex passwords, and unique credentials.
• Leverage cyber threat intelligence to inform detection of R&DE threats and their associated tactiques, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs).
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site or cloud servers at least once per year—and ideally more frequently. 
• Develop a comprehensive incident response strategy.
• Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
• Deploy a holistic patch management system and ensure all business IT assets are updated with the latest software as quickly as possible. 
• Proactively monitor for compromised accounts being brokered in deep and dark web forums. 
• Configure ongoing monitoring for Compromised Account Credentials.