W1 July | EN | Story of the week: Ransomware on the Darkweb

Truth of Dare

With Contribution from Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong | S2W LAB Talon

SoW (Story of the Week) publishes a report summarizing ransomware’s activity on the Darkweb. The report includes summary of victimized firms, Top 5 targeted countries and industrial sectors, status of dark web forum posts by ransomware operators, etc.

Executive Summary

  1. [Statistics] The number of companies infected by ransomware is 55 in one week which is 19.5% higher compared to previous week, and United States is still positioned at the highest which amounts to 58% among all victims infected by ransomware.
  2. [Dark Web] LockBit operator refutes comments in Prodaft report that none of the developers are using Express VPN, and that IP information related to LockBit is not related to them.
  3. [Dark Web] New ransomware discovered: Vice Society, Hive Ransomware and teslarvng2.
  4. [Dark Web] Babuk Builder, which can create payload of Babuk Ransomware and decrypt encrypted files, is shared and publicly available.
  5. [Dark Web] Exploit in forum has launched the file exchange service that is independently operated without using third-party services. Hive Ransomware is trying using this service for data leakage.

1. Weekly Status

A. Status of the infected firms (06/21~06/27)

  • For a week, a total of 55 infected firms were mentioned which is 19.5% higher compared to previous week.
  • 12 threat groups’ activities were detected

B. TOP 5 targeted countries

  1. United States — 58.2%
  2. Canada — 9.1%
  3. France — 7.3%
  4. Italy & United Kingdom — 5.5%
  5. Mexico — 3.6%

C. TOP 5 targeted industrial sectors

  1. Service- 23.6%
  2. Manufacturer & Healthcare — 9.1%
  3. Financial — 7.3%
  4. Food production & Construction & IT — 5.5%
  5. Government & Industrial & Transportation & Aerospace — 3.6%

D. Current status of data leak site operated by ransomware groups

  • We are keep monitoring the status of data leak sites operated by ransomware groups and approximately 23 sites operate stably while 5 sites are unstable.
  • “Latest Updated” is based on the date the victim company information was updated.

Current status of monitoring data leak site operated by ransomware

  • Among the currently monitored ransomware leak sites, an average of 23 sites are stable and show steady activity.

2. Posts related to Ransomware threat actors @Dark Web

A. The current status of LockBit

A-1. Prodaft published the IoC and the decryptor for LockBit victims

  • On June 23rd, Prodaft who published the report of “LockBit RaaS In-Depth Analysis” shared the threat information of the IoC and Decryptor directly relevant to LockBit.
  • The post included with the personal ID of the companies infected by LockBit and the information of Decryptor

A-2. The operator of LockBit said, “None of the developers have ever used Express VPN.”

  • An extension of the “LockBit Renewal after the Prodaft Report” mentioned at SoW last week.
  • LockBit has mentioned “None of the developers have ever used Express VPN” for responding Prodaft Report.
  • According to LockBit, IP address mentioned in Prodaft Report was not relevant to them.
  • If IP address mentioned in Prodaft Report was real IP address, it would be leaked not into some type of report, but directly into some of the special services.

A-3. The operator of LockBit mentioned the article about Russian Federal Security Service plans

  • LockBit has mentioned the article about the plan of Russia and USA working the collaboration to identify the hackers using ransomware
  • Sharing stories about money laundering and a country where they can live safely with money earned through ransomware activities

B. New Ransomware

B-1. Vice Society (aka. v-society)

  • On Friday, June 11th, Michael Gillespie posted a tweet stating that Vice Society (“.v-society”) and HelloKitty (“.crypt”) are the same.
  • The ransomware using OpenSSL (AES256 + secp256k1 + ECDSA) to encrypt files, and the samples are not shared due to victim confidentiality.
  • Special thanks to Michael’s tweet, we found the data leak site of Vice Society. We identified 10 of the companies infected by Vice Society

B-2. Hive

  • On June 26th, dnwls0719 tweets the post about the information of Hive ransomware, the data leak site, and ransom note
  • Next, specific user published the information of Hive Ransomware, the data leak site, and Ransom note
  • As the result of checking the data leak site, Hive Ransomware sharing the sample of the victim using the download link of send.exploit.in
  • As the result of checking the data leak site, Hive Ransomware sharing the sample of the victim using the download link of send.exploit.in
  • So far, no activity information has been detected on affiliate partner activities of Hive ransomware or on DDW forums.

B-3. teslarvng2

  • It is confirmed that the teslarvng2 ransomware started forum activity after posting leaked information of the victim company p****.com to Raidforums on April 16
  • Joined Date: April 16, 2021
  • First posted on: April 16, 2021
  • The leaked information of the victim company updated on June 25th is m****.com, and about 260GB of internal corporate documents are included
  • Contract documents, research data, accounting data, etc

C. Babuk Builder released

  • Used to create Babuk’s payload and decrypt files encrypted with Babuk.
  • As a result of the test, it was confirmed that the act of actually generating the payload and the fact that the key file is generated by the curve25519 algorithm.
  • kp.curve25519
  • ks.curve25519
  • Mutex of the previously released Babuk ransomware sample confirms that the encrypted file extension is the same.
  • Mutex: DoYouWantToHaveSexWithCuongDong
  • encrypted file extension: .babyk (ver4)


  • Ransomware-as-a-Service(RaaS) business type continues to grow in the darkweb, and leak of Babuk builder does not imply the termination, but start of new ransomware.
  • Conti Ransomware Leak site just updated 16 cases on June 25, and it seems likely that their affiliates start looking for the new victims.
  • In response to Prodaft reports, ransomware groups, including LockBit, are likely to create leak sites that are more difficult to track and more robust.

W1 July | EN | Story of the week: Ransomware on the Darkweb was originally published in S2W LAB BLOG on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: W1 July | EN | Story of the week: Ransomware on the Darkweb | by Hyunmin Suh | S2W LAB BLOG | Jul, 2021 | Medium