W4 Jun | EN | Story of the week: Ransomware on the Darkweb

Malware Analysis
1

Hide and Seek

With contribution from Denise Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong | S2W LAB Talon

978×547
Image from unsplash
SoW (Story of the Week) publishes a report summarizing ransomware’s activity on the Darkweb. The report includes summary of victimized firms, Top 5 targeted countries and industrial sectors, status of dark web forum posts by ransomware operators, etc.

Executive Summary

  1. [Statistics] The number of companies infected by ransomware same as last week’s statistics, and still the United States was the most infected from ransomware, followed by France with 21.7%.
  2. [Dark Web] LockBit starts to operate the new Leak site (LockBit 2.0) with an affiliate program after the release of publication from Prodaft.
  3. [Dark Web] Despite arrested 6 members of Clop ransomware group from Ukraine, the leak site of Clop ransomware is still alive and has the lowest activity this year.
  4. [Bitcoin] When we tracking the transaction flow of the victims related to Revil and LockBit, we can check that they are using coinjoin of Wasabi Wallet to minimize the traceability of criminals.

1. Weekly Status

A. Status of the victimized firms (06/14~06/20)

861×1123
861×464
  • For a week, a total of 46 victimized firms were mentioned and the count is same as last week.
  • 10 threat groups’ activities were detected
  • From June 1st to June 19th, there wasn’t any update from Everest data leak site. They started to update the victim information after the 3 weeks dormant period.

B. TOP 5 targeted countries

1024×633
  1. United States — 43.5%
  2. France — 21.7%
  3. Brazil & United Kingdom — 6.5%
  4. Canada — 4.3%
  5. India & Italy & Spain — 2.2%

C. TOP 5 targeted industrial sectors

1024×632
  1. Manufacturer & Services- 13.0%
  2. Financial — 10.9%
  3. Consultancy & Industrial & IT — 6.5%
  4. Agriculture & Consumer goods & Store — 4.3%
  5. Retail & Materials & Sports & Transportation — 2.2%

D. Current status of data leak site operated by ransomware groups

  • We are keep monitoring the status of data leak sites operated by ransomware groups and approximately 21 sites operate stably while 4 sites are unstable.
915×580

2. Posts related to Ransomware threat actors @Dark Web

A. Still alive Clop ransomware gang

In the article “Ukraine arrests Clop ransomware gang members, seizes servers”, they mentioned the seizure of Clop Ransomware gang’s servers as below.

https://www.bleepingcomputer.com/news/security/ukraine-arrests-clop-ransomware-gang-members-seizes-servers/
  • Ukraine arrested 6 members of Clop ransomware gang, and they mentioned “it is not yet clear if the arrested individuals are affiliates or core members of the ransomware operation.”
  • Law enforcement officers conducted 21 searches in the capital and Kyiv region, in the homes of the defendants, and in their cars. The defendants face up to eight years in prison.
  • Cybersecurity company Intel 471 told BleepingComputer that the Ukrainian authorities arrested only individuals involved in laundering money for the Clop gang since its core members are likely out of harm’s way in Russia.

Clop Ransomware’s leak site is still alive on Tor network even after the release of this article on June 16th. From January 1st to June 21st, the activity of Clop Ransomware and frequency of update on victim information dramatically decreased as seen in below graph.

1024×614
  • There was a dramatic update in the beginning of the year and they showed a steady updates during mid-February to mid-May.
  • Activity began to fall from mid-May; however, we are keep observing the activity despite the seizure of servers in Ukraine.

B. The current status of LockBit’s operator and the renewal of LockBit 2.0

LockBit Renewal after the Prodaft Report

  • A user posted an inquiry about the case regarding the report published by Prodaft of how they got the information and IP address according to the report.
1024×585
  • LockBit’s operator replied and they mentioned someone got into their system but they did not explicitly mentioned the vulnerability in detail.
1024×233
  • According to LockBit’s operator, the anonymous attacker did not use 0-day, it was an injection.
1024×235

LockBit renewal the leak site of Ransomware

  • New Leak site URL: lock****.onion
  • There isn’t any leaked data uploaded yet.
1024×402
  • They are now hiring and advertising affiliate partners via their own blog not the DDW forums.
1024×895
  • They now advertise their ransomware emphasizing its encryption and download speed which is much faster than others by providing the comparison table.
1024×1142
1024×1151

C. A cryptocurrency analysis of Revil ransomware

  • We have spotted coinjoin technique as we track down the flow of bitcoin paid by JBS, a victim of the REvil ransomware.
  • Sent about 21 BTC to the pattern related to coinjoin, Wasabi wallet.
  • Last Transactions : 2021–06–02 14:26
  • Bitcoin Address : bc1qr2kdlzdtrcm7ldkle78kfd75em4c0gj8mselzj
772×594
  • In addition, 210 BTC is left in below address which amounts to 90% of total amount (301BTC) paid by JBS that needs to be monitored.
  • Last Transactions : 2021–06–02 15:58
  • Bitcoin Address : bc1q3hapxu8n2g2s00rluzz803lzpkwgz9fh097vxu
1024×439
  • It is highly suspect that they will cash out at some point via cryptocurrency exchanges, so it is critical to keep monitor this address in terms of AML(Anti Money Laundering) regulation under the guidance of FATF.
  • In the case of Binance, they suspended the user’s account from sending the Bitcoin to Wasabi wallet under the policy violation of AML.
https://www.coindesk.com/binance-blockade-of-wasabi-wallet-could-point-to-a-crypto-crack-up

D. About Wasabi Wallet

1024×352
  • WASABI WALLET provides the free software of the service that supports the coinjoin. The operator of Ransomware likely to adopt this technology for obscuring the footprint of the transaction history of Bitcoin.
  • Wasabi wallet creates the untrusted transaction of coinjoin using Tor network. It mixes participants’ BTC input addresses as they call it ‘coinjoin’ by literally joining participants’ coins in a single transaction, then fresh output addresses for participants.
  • Wasabi wallet uses the address type of bech32, and it has the feature that starts with “bc1”.
  • If the specific transaction distributes the same or similar amount to multiple places with addresses starting with “bc1”, it can be suspected that the coinjoin was used in the case.

Conclusion

  • LockBit’s operator started the activity of new affiliate program on new leak site, LockBit 2.0.
  • Revil and LockBit uses coinjoin of Wasabi wallet for money laundering and the address we provide shall be monitored by law enforcement.
  • Clop ransomware is still alive and be aware of its activity.

W4 Jun | EN | Story of the week: Ransomware on the Darkweb was originally published in S2W LAB BLOG on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: W4 Jun | EN | Story of the week: Ransomware on the Darkweb | by Hyunmin Suh | S2W LAB BLOG | Jun, 2021 | Medium