W2 Jun | EN | Story of the Week: Ransomware on the Darkweb

Unfinished Tales of Ransomware

With contribution from Denise Dasom Kim, Jungyeon Lim, YH Jeong | S2W LAB Talon

Image from unsplash
SoW (Story of the Week) publishes a report summarizing ransomware’s activity on the Darkweb. The report includes summary of victimized firms, Top 5 targeted countries and industrial sectors, status of dark web forum posts by ransomware operators, etc.

Executive Summary

  1. [STATS] The number of ransomware victims was 86 in one week, an increase of 7.5% from the previous week and 252% from 5 months ago.
  2. [CURRENT AFFAIRS] Although the FBI warns of ransomware comparing the threat to 9/11 terror, Russia-based REvil ransomware interviewed that it would make no exceptions to attacking US-based companies, despite the FBI warns.
  3. [DARKWEB] As postings related to ransomware on forums are banned, ransomware operators such as Lockbit seem to induce communication via private channels.
  4. [DARKWEB] Ransomware operators are not allowed to make any posts officially, but their affiliate program partners (such as Pentesters), have been spotted actively uploading posts about purchasing access accounts to Citrix / VPN / ESXi. Companies using products related to any of those products should adopt MFA in order to prevent unauthorized access.
  5. [NEW] Newly emerged ransomware such as Epilson red, BlackCocaine continue to appear.

1. Weekly Status

A. Status of the victimized firms (05/31~06/06)

  • For a week, a total of 86 victimized firms were mentioned and a change in the state of the data leaked from the victims in the ransomware site was detected. The number of victims increased by about 7.5% from the previous week, and 252% rise compared to 5 months ago.
  • 15 threat groups’ activities were detected (+4 groups compared to previous week).
  • Newly appeared — blackcocaine
Link to W2 Jan | EN | Story of the Week: Ransomware on the Darkweb

B. TOP 5 targeted countries

  • The United States was highly targeted by the ransomware groups.
  • The FBI warns of ransomware groups announcing that they compare ransomware threats to 9/11 terror.
  • In this regard, the REvil group, which is known to be based in Russia, interviewed that it would make no exceptions to attacking US-based companies, despite the warns from the FBI
  1. United States — 46.5%
  2. France — 10.5%
  3. United Kingdom & Canada — 5.8%
  4. Germany -3.5%
  5. Poland & Australia & Spain & Greece — 2.3%

C. TOP 5 targeted industrial sectors

  1. Financial — 12.8%
  2. Services — 11.6%
  3. Manufacturer — 10.5%
  4. Education — 9.3%
  5. Transportation — 5.8%

2. Posts related to Ransomware threat actors @Dark Web

A. Ransomware Operators redirect communication channel to private

  • LockBit ransomware operator has suggested creating a separate private section on the XSS forum that only allows authorized users.
  • This section appears to be only for ransomware purposes avoiding from censorship.
  • The administrator has not replied yet.
I propose to create a private section in which the administrator will admit only authoritative users, in whom there is no doubt. This section will contain private information without any prohibitions and censorship.

B. Posts related to ‘BUY/SELL’ Shell, Citrix, ESXi, VPN, RDP accesses

The ransomware groups are well organised as formal companies and they recruit pentesters which they call them as affiliates responsible for infiltrating the corporate network. Pentesters are very interested in keywords such as Shell, Citrix, ESXi, VPN, and RDP.

As shown in the figure above, all posts related to ransomware affiliate program have been banned from the forum, but posts that may be of interest to ransomware operators are still being actively shared.

In particular, users claiming to cooperate with the ransomware group, Nephilim, are seeking bots or botnet access that infect corporate systems.

It is worth paying attention to this same user posting about botnet logs of particular interest.

XenApp1 / auth / login.aspx
auth / silentDetection.aspx
/ citrix /
/ + CSCOE + /
/ dana /
/ dana- na /

The same user mentioned above has shared the VDI account of a Korean company as a botnet log on other hacking forum.

Bots that collect log information as above format include Vidar, Redline, Ficker, Taurus, Raccoon, etc.

For more information about stealer, please check our deep analysis report on stealers as below.

<Vidar Stealer report by S2W LAB>

Link to Deep Analysis of Vidar Stealer

<Raccon Stealer report by S2W LAB>

Link to Deep Analysis of Raccoon Stealer

C. Newly emerged ransomware

  1. Epsilon Red

Operators of new ransomware Epsilon Red attack Microsoft Exchange servers

Epsilon Red is written in the Golang language and contains a set of unique PowerShell scripts to prepare for encryption.
Operators of a new ransomware called Red Epsilon are exploiting vulnerabilities in Microsoft Exchange servers to compromise computer systems and encrypt data. Specialists from information security company Sophos discovered a new malware while investigating an attack on an unnamed large American hospitality company. Attackers entered the corporate network using vulnerabilities in the local Microsoft Exchange server. Experts currently do not know if hackers exploited ProxyLogon vulnerabilities to access devices.
Epsilon Red is written in the Golang (Go) language and contains a set of unique PowerShell scripts that prepare the device for file encryption. Scripts are capable of disabling processes and services of security solutions, databases, backup programs, Office applications and email clients, deleting Volume Shadow Copies, stealing the Security Account Manager (SAM) file with password hashes, deleting Windows event logs, disabling Windows Defender, elevating privileges on the system, etc.
Most of the scripts are numbered from 1 to 12, but there are several that are named by the same letter. One of them, c.ps1, appears to be a clone of the Copy-VSS penetration testing tool.
Once a network has been compromised, hackers gain access to computers via the Remote Desktop Protocol (RDP) and use Windows Management Instrumentation (WMI) to install software and run PowerShell scripts. Sophos researchers noticed that attackers were also installing the Tor browser and a copy of the commercial remote desktop software Remote Utilities.
The ransomware encrypts all data in the target folders by adding the .epsilonred extension, sparing executable files or DLLs that can disrupt the operation of important programs or even the operating system.
Although the name and tools are unique to a given attacker, the ransom note on infected computers is similar to the note left by the REvil group. However, the Epsilon Red note includes a few minor grammatical corrections. No other similarities were found between Epsilon Red and REvil ransomware.
Based on the results of the analysis of the address of the attackers' cryptocurrency wallet, it became known that at least one of the victims paid a ransom in the amount of 4.29 bitcoins (approximately $ 210,000) on May 15 of this year.
Source: <https://www.securitylab.ru/news/520713.php>
  • Epsilon Red does not steal files from victims, but rather they focus on encrypting the victim’s file so they can sell the decryption tool to victims.
  • Uses ransom notes to provide details about victim information.
  • When the file is encrypted, they leave .epsilonred in the extension.

2. BlackCocaine

It is known to have infected an Indian IT company in recent incident according to cyble. They are called BlackCocain as they leave .BlackCocacine in the extension when they infect the data.

BlackCocaine 협상페이지 Source from Cyble


  • Ransomware operators appear to remain closed to communication in public, and their affiliate program partners are still eagerly searching for corporate access on the dark web.
  • Users working with Nephilim ransomware are very intersted in botnet logs, and it is implicated that these users buys many botnet logs that are linked to Citrix, Vmware, or VPN accounts. In order to prevent such an unauthorized access, we highly recommend to set the MFA (Multi Factor Authentication) when accessing to corporate network via Citrix, Vmware, or VPN.

W2 Jun | EN | Story of the Week: Ransomware on the Darkweb was originally published in S2W LAB BLOG on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: W2 Jun | EN | Story of the Week: Ransomware on the Darkweb | by Hyunmin Suh | S2W LAB BLOG | Jun, 2021 | Medium