## **0mega**
🔎 `ransomware.live` has an active parser for indexing 0mega's victims
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| 0mega - Blog | 🟢 | 30/07/2024 02:00 | `http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion` | 📸 |
| none | 🟢 | 30/07/2024 02:00 | `http://0mega.cc` | 📸 |
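Every group entry on this page lists its leak-site hostnames in a table like the one above. Before feeding those addresses to a Tor crawler it is worth checking that each `.onion` entry is a well-formed v3 address, because a single mistyped base32 character silently yields an address that will never resolve. The Python below is an added example, not code from ransomware.live: it implements the v3 address check from Tor's rendezvous specification (56 base32 characters encoding a 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and the version byte 0x03) plus a small helper that pulls hostnames out of rows in this page's table format. The two hostnames in the demo are copied from the 0mega table above; `build_onion_v3` exists only to produce test vectors from an arbitrary 32-byte key and is not part of any real tooling.

```python
import base64
import hashlib
import re

# Tor v3 onion address (rend-spec-v3):
#   hostname = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2], VERSION = 0x03
ONION_V3_VERSION = b"\x03"
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def onion_v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def build_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte key as a v3 hostname (used here only to make test vectors)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(host: str) -> tuple[bool, str]:
    """Return (ok, reason). Purely syntactic: says nothing about reachability."""
    host = host.strip().lower().rstrip(".")  # a trailing dot is a legal root label
    if not ONION_V3_RE.match(host):
        if host.endswith(".onion"):
            return False, "not a v3 address (16-char v2 addresses are no longer served by Tor)"
        return False, "not an .onion hostname"
    raw = base64.b32decode(host[:-6].upper())  # 56 base32 chars -> exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False, f"unexpected version byte {version.hex()}"
    if checksum != onion_v3_checksum(pubkey):
        return False, "checksum mismatch (mistyped or truncated address)"
    return True, "well-formed v3 onion address"


def extract_hosts(markdown: str) -> list[str]:
    """Pull hostnames out of the backticked URLs in the page's FQDN tables."""
    return [m.group(1) for m in HOST_RE.finditer(markdown)]


def check_hosts(markdown: str) -> dict[str, tuple[bool, str]]:
    return {h: validate_onion_v3(h) for h in extract_hosts(markdown)}


if __name__ == "__main__":
    # Rows copied from the 0mega URL table above (constructed snippet, same format).
    PAGE_ROWS = """
| 0mega - Blog | `http://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion` |
| none | `http://0mega.cc` |
"""
    for host, (ok, why) in check_hosts(PAGE_ROWS).items():
        print(f"{'OK ' if ok else 'BAD'} {host}: {why}")
```

A passing checksum means the address was transcribed correctly, not that the service is up or that it belongs to the group named in the table; clearnet mirrors such as `0mega.cc` are reported as non-onion rather than invalid.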
### _Total Attacks Over Time_

### _Victims_
> 7 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Four Hands LLC`](https://google.com/search?q=Four+Hands+LLC) | 25/01/2024 | Manufacturing and distributing home furnishing products, retail, design | 📸 |
| [`Rotorcraft Leasing Company`](https://google.com/search?q=Rotorcraft+Leasing+Company) | 17/10/2023 | Helicopter support, pilot training, fueling service, maintenance | |
| [`US Liner Company & American Made LLC`](https://google.com/search?q=US+Liner+Company+%26+American+Made+LLC) | 04/10/2023 | Industrial engineering, manufacturing, advanced materials, thermoplastic composite solutions | |
| [`Aviacode (GeBBS)`](https://google.com/search?q=Aviacode+%28GeBBS%29) | 12/02/2023 | Medical coding, outsourced coding, auditing & consulting | |
| [`Aviacode`](https://google.com/search?q=Aviacode) | 09/01/2023 | Medical coding, outsourced coding, auditing & consulting | |
| [`Nextlabs`](https://google.com/search?q=Nextlabs) | 15/09/2022 | Business services, security software & IT services, risk management software | |
| [`Maxey Moverley`](https://google.com/search?q=Maxey+Moverley) | 14/07/2022 | Electronics repair & refurbishment, technical service, CCTV | |
---
## **8base**
> With its adept use of double-extortion tactics and a repertoire that includes modified variants of known ransomware like Phobos, 8Base has orchestrated significant cyber incidents, impacting numerous organizations worldwide with its relentless and evolving strategies.
🔎 `ransomware.live` has an active parser for indexing 8base's victims
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| Home | 🔴 | 03/11/2023 15:01 | `http://basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion` | 📸 |
| Home | 🔴 | 28/07/2024 11:02 | `http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion` | 📸 |
#### **External information**
- https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/
- https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
- https://socradar.io/dark-web-profile-8base-ransomware/
- https://twitter.com/rivitna2/status/1674718854549831681
- https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/
#### **Ransom note**
* [📝 1 ransom note](notes/8base)
### _Total Attacks Over Time_

### _Victims_
> 402 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Hokushinko Co., Ltd.`](https://google.com/search?q=Hokushinko+Co.%2C+Ltd.) | 21/06/2024 | Hokushinko Co., Ltd. is a company that specializes in the construction of railway signals and traffic lights, as well as technology implementation. https://hokushinko.jp/company/ | 📸 |
| [`Taiyo Kogyo Co., Ltd.`](https://google.com/search?q=Taiyo+Kogyo+Co.%2C+Ltd.) | 21/06/2024 | Taiyo Kogyo Co., Ltd., a leading company in the production of large-sized membrane structures, occupying a leading position in the world-class market. We present corporate information, business information, products and services, as well as construction results. https://www.taiyokogyo.co.jp/ | 📸 |
| [`TC Capital Asia Limited`](https://google.com/search?q=TC+Capital+Asia+Limited) | 21/06/2024 | TC Capital Group is a boutique corporate finance advisory house based in Hong Kong. We are licensed by the Securities and Futures Commission of Hong Kong (SFC) to provide services in: dealing in securities, advising on corporate finance, asset management. http://www.tccapital.com.hk/en | 📸 |
| [`Topserve Service Solutions`](https://www.topserve.com.ph) | 21/06/2024 | Topserve Service Solutions, Inc. was founded and established on January 27, 1997 by Alex F. Tanwangco. Starting with a core staff of six, Topserve created a niche in the aviation industry in 1999 when it headed Aircraft Maintenance Servicing for a list of airline partners. Today, we have successfully expanded our list of partners in manufacturing and packing services, retail, hotels, fast food chains, warehousing and logistics, courier and delivery services, administrative/office-based services, business process outsourcing, and the academe. www.topserve.com.ph | 📸 |
| [`LCS and Partners`](https://www.lcs.com.tw) | 21/06/2024 | LCS & Partners ("LCS") is an elite corporate law firm based in Taipei. Since the firm was founded in 1998, it has grown rapidly to approximately 50 legal professionals and gained a reputation as one of the top corporate law firms in Taiwan that regularly handles major and complex cases for top-tier domestic and international clients. www.lcs.com.tw | 📸 |
| [`Ojai srl`](https://google.com/search?q=Ojai+srl) | 18/06/2024 | Eco friendly Italian Custom Eyewear Custom curated artisanal sustainable Wooden Eyewear from Italy. Explore our diverse collection of Wooden glasses, available in a wide range of styles and colors. The FEB31st glasses are the result of a simple and strong idea: to revisit wood, a material ancient and modern, elegant and natural, through the design lens. The interpreter of this dream is the designer Valerio Cometti, whose visionary talent gave form to the idea of combining the naturalness of wood with the energy of color. The result is a collection of unique glasses of tinted wood with a sophisticated vintage flavour. https://feb31st.it/ | 📸 |
| [`Embotits Espina, SLU`](https://e-espina.com/) | 11/06/2024 | For more than a century, the Espina family has been offering sausages of the highest quality, based on the wisdom and technological modernization of industrial processes. Today, Espina sausages are represented in the main European markets and are certified according to the strictest quality standards of IFS and BRC. https://e-espina.com/es | |
| [`Nidec Motor Corporation`](https://google.com/search?q=Nidec+Motor+Corporation) | 03/06/2024 | Founded in 1973, Nidec Corporation is a global manufacturer of electric motors, and related components and equipment. The Company provides general motors, equipment devices, as well as precision small motors, including hard drive and hard disk drive (HDD) spindle motors, other small precision brushless direct current (DC) motors, brushless DC fans, and other small motors. The company is headquartered in Kyoto, Japan. nidec.com | 📸 |
| [`ISETO CORPORATION`](https://google.com/search?q=ISETO+CORPORATION) | 03/06/2024 | Information processing services, production and sale of computer paper, development and sale of system equipment. The main trading partners are City banks, trust banks, regional banks, labor banks, credit unions, life insurance, non-life insurance, local governments, government agencies, credit card companies, leasing companies, electricity, gas, cable television companies and 3,000 other companies. https://www.iseto.co.jp/en/ | 📸 |
| [`Architecture LEJEUNE GIOVANELLI`](https://lejeunegiovanelli.wixsite.com/architecture-lg) | 27/05/2024 | Architecture LEJEUNE GIOVANELLI: development, renovation, repair, reconstruction of buildings. https://lejeunegiovanelli.wixsite.com/architecture-lg | |
↪️ More victims [here](/group/8base?id=posts)
---
## **Abrahams_Ax**
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| Database Error | 🔴 | 09/02/2024 21:02 | `http://abrahamm32umasogaqojib3ey2w2nwoafffrguq43tsyke4s3fz3w4yd.onion` | 📸 |
| none | 🔴 | 30/03/2024 21:02 | `http://abrahams-ax.se` | 📸 |
### _Victims_
> no victim found
---
## **BrainCipher**
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| Brain Cipher Leaks | 🟢 | 30/07/2024 02:02 | `http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion` | 📸 |
| Brain Cipher Client Area | 🔴 | 07/07/2024 13:36 | `http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 6 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Sherbrooke Metals`](https://google.com/search?q=Sherbrooke+Metals) | 21/07/2024 | | 📸 |
| [`Apex Global Big leak outlooks - 2tb.`](https://google.com/search?q=Apex+Global+%7C+Big+leak+outlooks+-+2tb.) | 21/07/2024 | | 📸 |
| [`Cole Technologies Group`](https://google.com/search?q=Cole+Technologies+Group) | 21/07/2024 | | 📸 |
| [`Family Wealth Advisors Ltd.`](https://google.com/search?q=Family+Wealth+Advisors+Ltd.) | 21/07/2024 | | 📸 |
| [`Mars 2 LLC`](https://google.com/search?q=Mars+2+LLC) | 21/07/2024 | | 📸 |
| [`Indonesia Terkoneksi`](https://kominfo.go.id) | 01/07/2024 | More important than money, only honor. | 📸 |
---
## **ElDorado**
> Not a ransomware operation; the site listed here is a data-leak blog.
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| Data Leak | 🟢 | 30/07/2024 02:02 | `http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 15 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`TBMCG.com`](https://google.com/search?q=TBMCG.com) | 06/06/2024 | ... Tags: #TBM #Consulting Group #United States | 📸 |
| [`www.vet.k-state.edu`](https://google.com/search?q=www.vet.k-state.edu) | 06/06/2024 | ... Tags: #VETERINARY HEALTH CENTER #Mosier Hall #Manhattan | 📸 |
| [`www.uccretrievals.com`](https://google.com/search?q=www.uccretrievals.com) | 06/06/2024 | ... Tags: #Family Owned and Operated #Highly Trained, Knowledgeable #Sklar Technology Partners | 📸 |
| [`HTE Technologies`](https://google.com/search?q=HTE+Technologies) | 06/06/2024 | ... Tags: #MANUFACTURING PRODUCTIVITY #Factory Automation and Industrial Productivity #United States | 📸 |
| [`goughhomes.com`](https://google.com/search?q=goughhomes.com) | 06/06/2024 | ... Tags: #GOUGH HOMES #GOUGH CONSTRUCTION #United States | 📸 |
| [`Baker Triangle`](https://google.com/search?q=Baker+Triangle) | 06/06/2024 | ... Tags: #Baker Triangle #Construction #United States | 📸 |
| [`www.tankerska.hr`](https://google.com/search?q=www.tankerska.hr) | 06/06/2024 | ... Tags: #Tankerska #Marine Shipping and Transportation #Croatia | 📸 |
| [`cityofpensacola.com`](https://google.com/search?q=cityofpensacola.com) | 06/06/2024 | ... Tags: #cyberattack #municipalities #Florida | 📸 |
| [`thunderbirdcc.org`](https://google.com/search?q=thunderbirdcc.org) | 06/06/2024 | ... Tags: #Thunderbird Country Club #Country Club #Rancho Mirage | 📸 |
| [`www.itasnatta.edu.it`](https://google.com/search?q=www.itasnatta.edu.it) | 06/06/2024 | ... Tags: #ISTITUTO DI ISTRUZIONE SUPERIORE #Giulio Natta #MILANO - MI | 📸 |
↪️ More victims [here](/group/ElDorado?id=posts)
---
## **SenSayQ**
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| SenSayQ | 🟢 | 30/07/2024 02:03 | `http://gmixcebhni6c3kcf5m7xxybomaphj7pizoqtxiqmrz5wsh6g6x5s2wqd.onion` | 📸 |
| SenSayQ | 🔴 | 05/06/2024 13:19 | `http://159.69.60.54.` | 📸 |
| SenSayQ | 🔴 | 05/06/2024 17:36 | `http://152.89.198.177.` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> no victim found
---
## **aGl0bGVyCg**
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| Error Response Page | 🔴 | 30/10/2022 18:20 | `http://hitleransomware.cf` | ❌ |
### _Victims_
> no victim found
---
## **abyss**
🔎 `ransomware.live` has an active parser for indexing abyss's victims
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| Abyss-data | 🟢 | 30/07/2024 02:04 | `http://3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 52 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`zoppo.com`](https://google.com/search?q=zoppo.com) | 28/07/2024 | zoppo.com 233Gb uncompressed data | |
| [`crimsonwinegroup.com`](https://google.com/search?q=crimsonwinegroup.com) | 25/07/2024 | crimsonwinegroup.com 1.6Tb uncompressed data | |
| [`greenlightbiosciences.com`](https://google.com/search?q=greenlightbiosciences.com) | 15/07/2024 | greenlightbiosciences.com 726Gb uncompressed data | |
| [`landmarklife.com`](https://google.com/search?q=landmarklife.com) | 27/06/2024 | landmarklife.com 2.4Tb uncompressed data | |
| [`conferenceusa.com`](https://google.com/search?q=conferenceusa.com) | 27/06/2024 | conferenceusa.com 1Tb uncompressed data | |
| [`tpocc.org`](https://google.com/search?q=tpocc.org) | 25/06/2024 | tpocc.org 570Gb uncompressed data | |
| [`malca-amit.com`](https://google.com/search?q=malca-amit.com) | 18/06/2024 | malca-amit.com 30Gb + VMware images CHKC-NGSQL.MAFE.COM HKG-TSPLS.MAFE.COM 1.2Tb | |
| [`woldae.com`](https://google.com/search?q=woldae.com) | 07/05/2024 | woldae.com 9.7Tb uncompressed data | |
| [`rangam.com`](https://rangam.com) | 23/04/2024 | rangam.com 1.1Tb uncompressed data | |
| [`rameywine.com`](https://google.com/search?q=rameywine.com) | 29/03/2024 | rameywine.com 61Gb uncompressed data | |
↪️ More victims [here](/group/abyss?id=posts)
---
## **adminlocker**
_`extensions .admin1 .admin2 .admin3 .1admin .2admin .3admin`_
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| Admin Locker | 🔴 | 20/05/2022 03:49 | `http://adminavf4cikzbv6mbbp7ujpwhygnn2t3egiz2pswldj32krrml42wyd.onion` | ❌ |
#### **External information**
- http://t.me/dotADMINbot
### _Victims_
> no victim found
---
## **againstthewest**
_`closed forum, access sold from https://sellix.io/atwforums`_
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| Threat Actors - Onion Forums - Internal Error | 🔴 | 07/01/2023 20:56 | `http://giphvoitymatg4cv7bxqh5dz6sn6bfscywoat4qtslztkomf5lavrayd.onion` | 📸 |
### _Victims_
> no victim found
---
## **akira**
🔎 `ransomware.live` has an active parser for indexing akira's victims
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| none | 🟢 | 30/07/2024 02:04 | `http://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion` | ❌ |
#### **External information**
- https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/
- https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/
- https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/
- https://twitter.com/MalGamy12/status/1651972583615602694
#### **Ransom note**
* [📝 1 ransom note](notes/akira)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20230529| 💬 |
|20230606| 💬 |
|20230616| 💬 |
|20230628| 💬 |
|20230707| 💬 |
|20230719| 💬 |
|20230722| 💬 |
|20230727| 💬 |
|20230728| 💬 |
|20230815| 💬 |
|20230929| 💬 |
|20231112| 💬 |
|20231115| 💬 |
|20231209| 💬 |
|20231217| 💬 |
|20231227| 💬 |
|20240127| 💬 |
|20240129| 💬 |
|20240131| 💬 |
|20240201| 💬 |
### _Total Attacks Over Time_

### _Victims_
> 307 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Environmental Design International`](https://google.com/search?q=Environmental+DesignInternational) | 25/07/2024 | Environmental Design International inc. (EDI) is an MBE/WBE/DBE/WOSB certified professional engineering firm headquartered in Chicago. NDAs and confidential agreements, employees personal documents, detailed financial data. Everything is over 60GB. | |
| [`Empereon Constar`](https://google.com/search?q=Empereon+Constar) | 25/07/2024 | Empereon Constar is a leading business process outsourcing company providing end-to-end front and back office solutions. About 800 GB of data will be available for downloading. We hold many SQLs with clients data, employee files, detailed financial data. The data is more than interesting. | |
| [`SKC West`](https://google.com/search?q=SKC+West) | 24/07/2024 | SKC-West is the premier supplier for all Industrial Hygiene, Environmental and Safety equipment on the West Coast. Employee data, lots of agreements, confidential files, financial data. Everything will be available for downloading soon. | |
| [`American Acryl`](https://google.com/search?q=American+Acryl) | 24/07/2024 | American Acryl L.P. is a joint venture owned by Nippon Shokubai America Industries, Inc. (“NAII”) and Arkema Inc. American Acryl manufactures acrylic acid at its Bayport, Texas facility for the benefit of its owners. They don't need their data so we are going to share the files with you. Customers information, financial files, personal employee information, detailed financial data and so on. | |
| [`Electroalfa`](https://google.com/search?q=Electroalfa) | 24/07/2024 | Electroalfa is a successful Romanian company, built by visionary people who managed to innovate complex industrial products to help move society forward. 10GB of data will be released. Projects information, clients, detailed personal employee information can be found in the archives we are going to upload. | |
| [`CALDAN Conveyor`](https://google.com/search?q=CALDAN+Conveyor) | 24/07/2024 | CALDAN Conveyor is a worldwide leading, Danish supplier of overhead conveyor and floor conveyor systems. All the data will be released soon. Banking information, transactions details, agreements, clients and everything else. | |
| [`siParadigm`](https://google.com/search?q=siParadigm) | 23/07/2024 | siParadigm has built a legacy in laboratory testing solutions based on scientific excellence, innovation, and world-class service. 141 GB of data will be uploaded. Full pack of personal data: passports, NDAs, confidential agreements, medical reports, driver licenses, birth certificates, social security numbers and other personal and docs, financial info, clients and so on. | |
| [`Notarkammer Pfalz`](https://google.com/search?q=Notarkammer+Pfalz) | 23/07/2024 | The Notary Fund and the Bavarian Notary Association. 200GB of data will be available. Numerous SQLs, employee information, detailed financial data. | |
| [`Win Systems`](https://google.com/search?q=Win+Systems) | 23/07/2024 | Win systems is a provider of casino solutions for the global gaming industry. Lots of passport, DNIs (identification cards), credit cards and other personal documents of employees. Information of clients and casinos, financials, other internal business data. 10GB of extremely interesting data. | |
| [`Amino Transport`](https://google.com/search?q=Amino+Transport) | 15/07/2024 | Amino has been in business since 1999 and is a growing Third-Party Logistics (3PL) Company with 3 Texas locations and employees nationwide. 20GB of data will be available soon. We will upload their files containing lots of financial files, customer invoices, bank details, checks and so on. | |
↪️ More victims [here](/group/akira?id=posts)
---
## **ako**
> Ako is tracked as a variant of MedusaLocker, and the description that follows is that family's: a Windows ransomware that first runs a set of preparatory tasks on the target system and then encrypts files. MedusaLocker skips executable files, probably so that the system stays usable enough for the victim to pay the ransom. It uses a combination of AES and RSA-2048 (AES for file contents, RSA-2048 protecting the AES key, the usual hybrid arrangement), and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.
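An incident responder walking a share after an Ako/MedusaLocker-style event wants to confirm exactly the behaviour described above: data files carry one of the listed extensions and are genuinely ciphertext, while executables were left alone. The Python below is an added example, not tooling from this page or from any vendor it links to. It walks a directory tree, counts files by the listed extensions, flags "encrypted" files whose first 4 KB have low Shannon entropy (renamed but not actually overwritten), and checks that PE files still begin with `MZ`. The sample tree, its filenames and the note name `README_NOTE.html` are constructed for the demo, and the 7.0 bits/byte threshold is an assumed cut-off, not a figure from the page.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the page reports for the MedusaLocker family (Ako is tracked as a variant).
MEDUSALOCKER_EXTS = {".encrypted", ".bomber", ".boroff", ".breakingbad",
                     ".locker16", ".newlock", ".nlocker", ".skynet"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys"}
HIGH_ENTROPY = 7.0  # bits/byte (assumed threshold); AES output over a few KB sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk a share or mounted image and summarise what a MedusaLocker-style locker left behind."""
    hits = Counter()
    suspect_plaintext = []          # carries a locker extension but is not ciphertext
    intact_exes = modified_exes = 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()   # "report.docx.encrypted" -> ".encrypted"
        if suffix in MEDUSALOCKER_EXTS:
            hits[suffix] += 1
            if shannon_entropy(path.read_bytes()[:4096]) < HIGH_ENTROPY:
                suspect_plaintext.append(path.name)
        elif suffix in EXECUTABLE_EXTS:
            # The family skips executables, so PE files should still start with "MZ".
            if path.read_bytes()[:2] == b"MZ":
                intact_exes += 1
            else:
                modified_exes += 1
    return {
        "encrypted_by_ext": dict(hits),
        "encrypted_total": sum(hits.values()),
        "suspect_plaintext": suspect_plaintext,
        "intact_executables": intact_exes,
        "modified_executables": modified_exes,
    }


def pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy filler standing in for AES output (constructed test data)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def build_sample_tree(root) -> None:
    """Constructed sample share: encrypted documents, an untouched PE, a note, one renamed-only file."""
    root = Path(root)
    (root / "finance").mkdir()
    for i, name in enumerate(["q1.xlsx.encrypted", "q2.xlsx.encrypted", "budget.docx.encrypted"]):
        (root / "finance" / name).write_bytes(pseudo_ciphertext(i))
    (root / "hr.db.skynet").write_bytes(pseudo_ciphertext(99))
    (root / "tool.exe").write_bytes(b"MZ" + b"\x90" * 512)          # skipped by the locker
    (root / "README_NOTE.html").write_text("<html>note placeholder</html>")  # assumed name
    (root / "memo.txt.encrypted").write_text("lorem ipsum " * 50)   # extension only, no ciphertext


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<22} {value}")
```

Entropy over the first 4 KB is a cheap proxy for "really encrypted"; a large compressed archive renamed by the locker will also score high, so treat low entropy as the useful signal (a file you can still recover) rather than high entropy as proof of encryption.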
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion` | ❌ |
#### **External information**
- https://digital.nhs.uk/cyber-alerts/2020/cc-3345
- https://www.bleepingcomputer.com/news/security/ako-ransomware-another-day-another-infection-attacking-businesses/
- https://malwiki.org/index.php?title=Ako
#### **Ransom note**
* [📝 1 ransom note](notes/ako)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **alphalocker**
🔎 `ransomware.live` has an active parser for indexing alphalocker's victims
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| -- | 🟢 | 30/07/2024 02:05 | `http://mydatae2d63il5oaxxangwnid5loq2qmtsol2ozr6vtb7yfm5ypzo6id.onion` | 📸 |
| Blog | 🟢 | 30/07/2024 02:05 | `http://mydatae2d63il5oaxxangwnid5loq2qmtsol2ozr6vtb7yfm5ypzo6id.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 11 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`https://goftac.com/ firsttx.com First Texas Alliance Corp (FTAC)`](https://goftac.com) | 24/04/2024 | https://goftac.com/ firsttx.com First Texas Alliance Corp (FTAC). Providing advisory services to business owners, professionals, and high-net-worth individuals. zackh@firsttx.com Zack Hooper; Chuck Marler, Financial Planning Client, cmarler@ssgsta.com. Stolen data: doc/xls/t...Read more ⇒ | 📸 |
| [`https://geodis.com`](https://geodis.com) | 18/04/2024 | GEODIS Thai Ltd. came under attack! All SQL bases of the company are available! We think there's a lot to see! GEODIS is a leading worldwide provider of customized transportation, warehousing, global logistics, and supply chain solutions. We unlock value in a complex and evolving world. Read more ⇒ | 📸 |
| [`https://www.consorzioinnova.it`](https://consorzioinnova.it) | 09/03/2024 | 225GB DATA: employees, clients, database and etc | 📸 |
| [`BM Catalysts bmcatalysts.co.uk`](https://google.com/search?q=BM+Catalysts++++bmcatalysts.co.uk) | 14/02/2024 | BM Catalysts is the largest independent manufacturer of high-quality aftermarket catalytic converters, DPFs and front pipes in Europe. The accounting + projects + hr info and etc stolen and will be uploaded, ~100 GB docs | 📸 |
| [`elandenergy.com Eland Energy`](https://google.com/search?q=elandenergy.com+++++++++Eland+Energy) | 26/01/2024 | Eland Energy is an independent oil and natural gas exploration and production company. Eland's operations are focused onshore in the United States. Stole ~100gb docs | 📸 |
| [`IntegrityInc.org Integrity Inc`](https://google.com/search?q=IntegrityInc.org+++Integrity+Inc) | 24/01/2024 | IntegrityInc.org Integrity, Inc. is an organization that provides home and community based services for people with developmental disabilities in the state of Arkansas. !!!this company has allowed confidential data to be published!!! SQL DB/accounting and other docs | 📸 |
| [`https://www.carri.com`](https://google.com/search?q=https%3A%2F%2Fwww.carri.com) | 24/01/2024 | All important information downloaded from the https://www.carri.com servers will be placed here: -Customer data -Financial data of the company -Employee information etc. | 📸 |
| [`https://www.gadotbio.com/ Gadot Biochemical Industries Ltd`](https://google.com/search?q=https%3A%2F%2Fwww.gadotbio.com%2F++Gadot+Biochemical+Industries+Ltd) | 24/01/2024 | Gadot Biochemical Industries Ltd. GBi is a leading manufacturer of food and nutraceutical ingredients, committed to providing the quality products and reliable supply our customers demand. GBi has been meeting the needs of the food, beverage, pharmaceutical, nutritional supplement, and detergen...Read more ⇒ | 📸 |
| [`accolade-group.com + levelwear.com +Taiwan microelectronics(CRM).`](https://google.com/search?q=accolade-group.com+%2B+levelwear.com+%2BTaiwan++microelectronics%28CRM%29.) | 24/01/2024 | accolade-group.com + levelwear.com. Levelwear is a premium sports apparel brand providing on-trend, technically superior, and value rich apparel to the upper-end golf and licensed sports markets. Their core strengths include innovation, decoration, and quick response. +Taiwan microelec...Read more ⇒ | 📸 |
| [`a24group.com ambition24hours.co.za`](https://google.com/search?q=a24group.com++ambition24hours.co.za) | 24/01/2024 | The A24Group has been operating for over 27 years, providing high-quality temporary nurses and care assistants across England, Scotland, and Wales. We're dedicated to serving various client groups, including the NHS, Integrated Care Boards, nursing homes, and mental health and support businesses, as...Read more ⇒ | 📸 |
↪️ More victims [here](/group/alphalocker?id=posts)
---
## **alphv**
> ALPHV, also known as BlackCat or Noberus, is a ransomware family deployed as part of Ransomware-as-a-Service (RaaS) operations. ALPHV is written in Rust and supports execution on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMware ESXi. It is marketed as ALPHV on cybercrime forums but is commonly called BlackCat by security researchers because of the black-cat icon on its leak site. ALPHV has been observed in ransomware attacks since November 18, 2021. It can be configured to encrypt files with either AES or ChaCha20. To maximize the amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop virtual machines on ESXi servers. It can self-propagate by using PsExec to execute itself remotely on other hosts on the local network.
_aka BlackCat; file server `ihoqnxnvdwybrv6kiteiesjc3ic6du6axtv3arouxr6ddswrxa2wrbyd.onion`_
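The preparatory steps in that description (shadow-copy deletion, stopping services and processes, killing VMs on ESXi, self-propagation with PsExec) all surface in process-creation telemetry. Each one alone is something an administrator might legitimately do; several on the same host in a short window is a strong ransomware-precursor signal. The Python below is an added example of that detection logic, not code from ransomware.live or from any of the reports linked under this group. It runs four regex rules over constructed pipe-delimited process-creation records (`timestamp|host|user|parent image|command line`, an assumed format rather than a real Sysmon or EDR export) and reports hosts where at least two distinct techniques appear. The command lines in the sample are constructed to resemble the behaviours the page describes; the `vssadmin list shadows` entry on WS07 is a benign control that must not fire.

```python
import re

# One rule per preparatory behaviour the page attributes to ALPHV. Patterns are kept tight
# ("delete shadows", not any vssadmin invocation) so routine admin activity stays quiet.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|Get-WmiObject\s+Win32_Shadowcopy", re.I),
    "service_process_stop": re.compile(
        r"\bnet1?(?:\.exe)?\s+stop\s+\S"
        r"|\bsc(?:\.exe)?\s+stop\s+\S"
        r"|\btaskkill(?:\.exe)?\b.*\s/im\s", re.I),
    "esxi_vm_stop": re.compile(
        r"esxcli\s+vm\s+process\s+kill"
        r"|vim-cmd\s+vmsvc/power\.off", re.I),
    "psexec_lateral_movement": re.compile(
        r"\bpsexec(?:64)?(?:\.exe)?\b.*\\\\[\w.-]+", re.I),
}

# Constructed sample telemetry: timestamp|host|user|parent image|command line
SAMPLE_LOG = """\
2024-03-01T02:14:07Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-03-01T02:14:09Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
2024-03-01T02:14:12Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|net stop MSSQLSERVER /y
2024-03-01T02:15:30Z|FS01|CORP\\svc_backup|C:\\Temp\\locker.exe|PsExec.exe -accepteula \\\\10.0.0.21 -s -d C:\\Temp\\locker.exe
2024-03-01T02:16:01Z|ESX01|root|/bin/sh|esxcli vm process kill --type=force --world-id=2100991
2024-03-01T09:00:00Z|WS07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe list shadows
2024-03-01T09:05:00Z|WS07|CORP\\jdoe|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
"""


def parse_record(line: str) -> dict:
    # maxsplit=4 keeps any "|" that appears inside the command line itself
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def detect(lines) -> dict:
    """Map host -> {"techniques": set, "events": [(ts, rule, cmdline), ...]} for matching records."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_record(line)
        for rule, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                entry = report.setdefault(ev["host"], {"techniques": set(), "events": []})
                entry["techniques"].add(rule)
                entry["events"].append((ev["ts"], rule, ev["cmdline"]))
    return report


def high_confidence(report: dict, min_techniques: int = 2) -> list:
    """Hosts showing at least min_techniques distinct behaviours; one rule alone is too noisy to page on."""
    return sorted(h for h, e in report.items() if len(e["techniques"]) >= min_techniques)


if __name__ == "__main__":
    rep = detect(SAMPLE_LOG.splitlines())
    for host in high_confidence(rep):
        print(f"[ALERT] {host}: {sorted(rep[host]['techniques'])}")
        for ts, rule, cmd in rep[host]["events"]:
            print(f"    {ts} {rule:<24} {cmd}")
```

In production the same rules belong in the SIEM with a time window around the correlation (the sample collapses it to "same host"), and the PsExec rule should be paired with the PSEXESVC service-install event on the target host, which this example does not model.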
🔎 `ransomware.live` has an active parser for indexing alphv's victims
#### **URLs**
| Title | Available | Last visit | FQDN | Screenshot |
|---|---|---|---|---|
| THIS WEBSITE HAS BEEN SEIZED | 🔴 | 19/12/2023 13:35 | `http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion` | 📸 |
| THIS WEBSITE HAS BEEN SEIZED | 🔴 | 19/12/2023 13:36 | `http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion` | ❌ |
| | 🔴 | 07/06/2023 03:03 | `http://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion` | 📸 |
| THIS WEBSITE HAS BEEN SEIZED | 🔴 | 09/03/2024 15:07 | `http://alphvuzxyxv6ylumd2ngp46xzq3pw6zflomrghvxeuks6kklberrbmyd.onion` | 📸 |
#### **External information**
- https://blog.group-ib.com/blackcat
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
- https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf
- https://community.riskiq.com/article/47766fbd
- https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf
- https://github.com/f0wl/blackCatConf
- https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3
- https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf
- https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html
- https://killingthebear.jorgetesta.tech/actors/alphv
- https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809
- https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html
- https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
- https://securelist.com/a-bad-luck-blackcat/106254/
- https://securelist.com/modern-ransomware-groups-ttps/106824/
- https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
- https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor
- https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html
- https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/
- https://unit42.paloaltonetworks.com/blackcat-ransomware/
- https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
- https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous
- https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/
- https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
- https://www.ic3.gov/Media/News/2022/220420.pdf
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/
- https://www.mandiant.com/resources/blog/alphv-ransomware-backup
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack
- https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
- https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html
- https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html
- https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022
- https://www.varonis.com/blog/alphv-blackcat-ransomware
- https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/
#### **Ransom note**
* [📝 4 ransom notes](notes/alphv)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 724 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`ipmaltamira`](https://www.ipmaltamira.com.mx) | 03/03/2024 | Infraestructura Portuaria Mexicana S.A. de C.V. (IPM), subsidiary of PINFRA, was created as a response to the 1994 Mexican Federal Government initiative for Port Privatization. The cession was given to IPM in June 1996 for the operation and management of Terminal #2 on the Port of Altamira, with an extension until year 2036. | 📸 |
| [`Ewig Usa`](https://ewig-mco.com) | 03/03/2024 | Ewig Group is a one stop solution provider in electronic manufacturing to global customers. We are a Hong Kong based company with well- equipped manufacturing facilities in China. | 📸 |
| [`SBM & Co`](https://www.sbmaccountancy.co.uk/) | 01/03/2024 | Established in 1993, we have many years of experience in assisting clients with accounting and taxation matters. We assist businesses and individuals as well as specialized industries. Our clients range from owner-managed businesses to those listed on the London Stock Exchange. | 📸 |
| [`SBM & Co [You have 48 hours. Check your e-mail]`](https://www.sbmaccountancy.co.uk/) | 01/03/2024 | Established in 1993, we have many years of experience in assisting clients with accounting and taxation matters. We assist businesses and individuals as well as specialized industries. Our clients range from owner-managed businesses to those listed on the London Stock Exchange. | 📸 |
| [`Petrus Resources Ltd`](https://www.petrusresources.com/) | 01/03/2024 | Petrus Resources Ltd. is a Canadian energy company active in property exploitation, strategic acquisitions and risk-managed exploration in the western province of Alberta. The company has an extensive inventory of low risk oil and natural gas development assets in its Ferrier, North Ferrier and Thorsby operating areas. Petrus has an experienced management team and board of directors with a strong track record of shareholder value creation. The company is return-driven and focused on delivering per share growth in cash flow, production and reserves. | 📸 |
| [`Kumagai Gumi Group`](https://www.kumagaigumi.co.jp) | 01/03/2024 | Kumagai Gumi Co., Ltd. is a Japanese construction company founded in Fukui, Fukui Prefecture, Japan. The company still has its registered headquarters in Fukui, but the actual head office is located in Shinjuku, Tokyo. | 📸 |
| [`Allan Berger & Associates`](https://www.bergerlawnola.com/) | 29/02/2024 | Over the past four decades, Allan Berger has established himself as one of the region’s most preeminent personal injury law attorneys. With a diverse team of experienced attorneys and specialized support staff, Allan Berger & Associates in New Orleans has a proven record of obtaining multi-million dollar verdicts and settlements for its clients. Since 1974, Berger has been an advocate for the people of Louisiana in all aspects of personal injury law. AB&A represents injured victims and their families primarily in the areas of auto accidents, pharmaceutical litigation, medical malpractice, products liability and offshore injuries. | 📸 |
| [`Change Healthcare - Optum - UnitedHealth`](https://google.com/search?q=Change+Healthcare+-+Optum+-+UnitedHealth) | 28/02/2024 | | 📸 |
| [`verbraucherzentrale hessen`](https://verbraucherzentrale-hessen.de) | 27/02/2024 | sample leaked data before official publication | 📸 |
| [`Electro Marteix`](https://emtek.es) | 27/02/2024 | EMTEK is the trade name of the company ELECTRO MARTEIX, SL. We have a wide experience of more than 35 years in the industrial, domestic and service sector. We are specialists in the installation of electricity, water, gas, heating, air conditioning, thermal and photovoltaic solar energy, telecommunications, public and private lighting, fire systems, comprehensive maintenance, and implementation of new technologies for energy saving projects for large, medium and small companies and private homes. We are a company with a great concern for sustainability, that is why we are committed to renewable energies and energy efficiency. At EMTEK we believe in a sustainable consumption that satisfies our energy needs and does not compromise the environment. We also take special care for safety at work, we strictly comply with the Law on Occupational Risk Prevention. | 📸 |
↪️ More victims [here](/group/alphv?id=posts)
---
## **apt73**
> APT73
🔎 `ransomware.live` has an active parser for indexing apt73's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| APT73 | 🔴 | 24/04/2024 12:44 | `http://eraleignews.com` | 📸 |
| APT73 | 🟢 | 30/07/2024 02:06 | `http://wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion` | 📸 |
| APT73 | 🟢 | 30/07/2024 02:06 | `http://fleqwmg7xnanypt5km2m75l72q7nlcvlp2m4sdmgjxorsn6tb3zyp3qd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 12 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`www.gannons.co.uk`](https://google.com/search?q=www.gannons.co.uk) | 14/06/2024 | Gannons Commercial Law Limited. Catherine Gannon, then a tax solicitor at a large US law firm, looks out from their ivory tower and spots a gap in ... | 📸 |
| [`Borrer Executive Search`](https://google.com/search?q=Borrer+Executive+Search) | 13/06/2024 | Borrer Executive Search is an AESC accredited boutique search and selection firm based in Lausanne, Switzerland. Internal documents, agreements ... | 📸 |
| [`www.bigalsfoodservice.co.uk`](https://google.com/search?q=www.bigalsfoodservice.co.uk) | 13/06/2024 | Our foodservice roots trace all the way back to a butchers shop in Dublin city centre in 1966. Kepak Foodservice specialise in creating innovative,... | 📸 |
| [`apex.uk.net`](https://google.com/search?q=apex.uk.net) | 12/06/2024 | Apex Engineering Service has established itself as a leading supplier of technical services to the construction industry worldwide. Passwords, int... | 📸 |
| [`AlphaNovaCapital`](https://google.com/search?q=AlphaNovaCapital) | 12/06/2024 | Private limited Company. 272KB | 📸 |
| [`AMI Global Assistance`](https://google.com/search?q=AMI+Global+Assistance) | 12/06/2024 | Your trusted partner for personalized, timely, and reliable medical support services worldwide. https://x.com/AMIGlobalAssist Personal data, pas... | 📸 |
| [`brightwayconsultants.co.uk`](https://google.com/search?q=brightwayconsultants.co.uk) | 23/05/2024 | Brightway Consultants Ltd is a chartered surveying firm based in London. They offer comprehensive surveying services tailored to clients' individua... | 📸 |
| [`fortify.pro`](https://google.com/search?q=fortify.pro) | 08/05/2024 | The Canadian company has been developing high-quality and reliable software for corporate needs since 2015. They are renowned professionals of soft... | 📸 |
| [`melting-mind.de`](https://google.com/search?q=melting-mind.de) | 03/05/2024 | German company melting-mind.de. IT systems company operating throughout Europe and offering a wide range of services in all areas of information te... | |
| [`www.servicepower.com`](https://google.com/search?q=www.servicepower.com) | 02/05/2024 | Large software development company Service Power. Great Britain. Documents of internal systems, credits to internal resources. 328 MB | 📸 |
↪️ More victims [here](/group/apt73?id=posts)
---
## **arcusmedia**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Arcus Media | 🟢 | 30/07/2024 02:07 | `http://arcuufpr5xxbbkin4mlidt7itmr6znlppk63jbtkeguuhszmc5g7qdyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 28 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Doodle Tech`](https://google.com/search?q=Doodle+Tech) | 20/07/2024 | https://doodletech.ae With our unique blend of expertise,... | 📸 |
| [`Freightliner of Grand Rapids & Kalamazoo`](https://google.com/search?q=Freightliner+of+Grand+Rapids+%26+Kalamazoo) | 29/06/2024 | https://www.ftlgr.com Freightliner of Grand Rapids &... | 📸 |
| [`DatAnalítica`](https://google.com/search?q=DatAnal%C3%ADtica) | 29/06/2024 | www.datanalitica.com We are the Dominican consulting firm... | 📸 |
| [`Clima Lodi`](https://google.com/search?q=Clima+Lodi) | 29/06/2024 | https://www.climalodi.com Innovative heating and air conditioning... | 📸 |
| [`Total Revisjon DA`](https://google.com/search?q=Total+Revisjon+DA) | 26/06/2024 | Totalrevisjon.no tal Revisjon DA was founded... | 📸 |
| [`GED Lawyers – Sells Open`](https://google.com/search?q=GED+Lawyers+%E2%80%93+Sells+Open) | 26/06/2024 | Gedlawyers.com Proudly Serving Clients For Personal... | 📸 |
| [`GED Lawyers`](https://google.com/search?q=GED+Lawyers) | 26/06/2024 | Gedlawyers.com Proudly Serving Clients For Personal... | 📸 |
| [`GED Lawyers & ..`](https://google.com/search?q=GED+Lawyers+%26+..) | 20/06/2024 | Gedlawyers.com Proudly Serving Clients For Personal... | 📸 |
| [`BankSelfStorage`](https://google.com/search?q=BankSelfStorage) | 20/06/2024 | We offer personal and business storage... | 📸 |
| [`Exhaustpro shops`](https://google.com/search?q=Exhaustpro+shops) | 20/06/2024 | This female owner and her partners... | 📸 |
↪️ More victims [here](/group/arcusmedia?id=posts)
---
## **arvinclub**
🔎 `ransomware.live` has an active parser for indexing arvinclub's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Arvin Club – آزادی برای اتصال | 🔴 | 01/08/2022 20:10 | `http://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhqicpad.onion` | ❌ |
| Arvin - Blog | 🔴 | 06/11/2023 03:07 | `http://arvinc7prj6ln5wpd6yydfqulsyepoc7aowngpznbn3lrap2aib6teid.onion` | 📸 |
#### **External information**
- http://t.me/arvin_club
- https://sosintel.co.uk/a-special-investigation-exposing-a-ransomware-groups-clear-web-ip-and-their-duplicate-identities/
### _Total Attacks Over Time_

### _Victims_
> 35 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Islamic Azad University Electronic Campus`](https://ec.iau.ir) | 15/10/2023 | | |
| [`Jahesh Innovation`](https://jahesh.co) | 14/10/2023 | | |
| [`Kimia Tadbir Kiyan`](https://ktkco.ir) | 13/10/2023 | | |
| [`Islamic Azad University of Shiraz`](https://shiraz.iau.ir) | 08/10/2023 | | |
| [`Pasouk biological company`](https://pasouk.ir) | 02/10/2023 | | |
| [`Shirin Travel Agency`](http://anonissfireenterfdks2u53jqevumbu6hjm35ioorsa7eq5bsjlucad.onion/do.php?filename=bd413d1583d4b7dc9901121.rar) | 01/10/2023 | | |
| [`Aban Tether`](https://abantether.com) & [`OK exchange`](https://ok-ex.io) | 02/09/2023 | | |
| [`sti company`](https://sticompany.co) | 23/08/2023 | | |
| [`Sabalan Azmayesh`](https://www.sabalanmedical.ir) | 08/08/2023 | | |
| [`Parsian Bitumen`](https://www.parsianbitumen.com) | 07/08/2023 | | |
↪️ More victims [here](/group/arvinclub?id=posts)
---
## **atomsilo**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| AtomSilo | 🔴 | 17/12/2021 05:02 | `http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion` | ❌ |
| AtomSilo | 🔴 | 25/01/2022 06:15 | `http://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion` | ❌ |
#### **External information**
- https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/
- https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/
- https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://twitter.com/siri_urz/status/1437664046556274694?s=20
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
- https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion
#### **Ransom note**
* [📝 1 ransom note](notes/atomsilo)
### _Victims_
> 4 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Tegravendas`](https://google.com/search?q=Tegravendas) | 21/12/2021 | | |
| [`Eisai Co., Ltd.`](https://google.com/search?q=Eisai+Co.%2C+Ltd.) | 21/12/2021 | | |
| [`LIGHT CONVERSION`](https://google.com/search?q=LIGHT+CONVERSION) | 21/12/2021 | | |
| [`Cristália - Indústria Farmacêutica`](https://google.com/search?q=Crist%C3%A1lia+-+Ind%C3%BAstria+Farmac%C3%AAutica) | 21/12/2021 | | |
---
## **avaddon**
> Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://avaddongun7rngel.onion` | ❌ |
#### **External information**
- https://arxiv.org/pdf/2102.04796.pdf
- https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis
- https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/
- https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
- https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/
- https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
- https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure
- https://twitter.com/Securityinbits/status/1271065316903120902
- https://twitter.com/dk_samper/status/1348560784285167617
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire
- https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/
- https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/
- https://www.connectwise.com/resources/avaddon-profile
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
- https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.mandiant.com/resources/chasing-avaddon-ransomware
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.swascan.com/it/avaddon-ransomware/
- https://www.tgsoft.it/files/report/download.asp?id=568531345
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
- https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
#### **Ransom note**
* [📝 1 ransom note](notes/avaddon)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20210112| 💬 |
|20210324| 💬 |
|20210430| 💬 |
|20210512| 💬 |
|20210518| 💬 |
|20210518.2| 💬 |
|20210518.3| 💬 |
### _Victims_
> 142 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`EFCO forms`](https://google.com/search?q=EFCO+forms) | 09/09/2021 | | |
| [`Sky Leasing, LLC`](https://google.com/search?q=Sky+Leasing%2C+LLC) | 09/09/2021 | | |
| [`Golden Aluminum`](https://google.com/search?q=Golden+Aluminum) | 09/09/2021 | | |
| [`J.C. Cannistraro`](https://google.com/search?q=J.C.+Cannistraro) | 09/09/2021 | | |
| [`Lonrho`](https://google.com/search?q=Lonrho) | 09/09/2021 | | |
| [`American Bank Systems INC`](https://google.com/search?q=American+Bank+Systems+INC) | 09/09/2021 | | |
| [`Brown Robert LLP`](https://google.com/search?q=Brown+Robert+LLP) | 09/09/2021 | | |
| [`National AIDS Control Council`](https://google.com/search?q=National+AIDS+Control+Council) | 09/09/2021 | | |
| [`Monterey Bay Air Resources District`](https://google.com/search?q=Monterey+Bay+Air+Resources+District) | 09/09/2021 | | |
| [`Dade City Florida`](https://google.com/search?q=Dade+City+Florida) | 09/09/2021 | | |
↪️ More victims [here](/group/avaddon?id=posts)
---
## **avos**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://avos2fuj6olp6x36.onion` | ❌ |
#### **Negotiation chats**
| Name | Link |
|---|---|
|20210903| 💬 |
### _Victims_
> no victim found
---
## **avoslocker**
_`captcha prevents indexing`_
🔎 `ransomware.live` has an active parser for indexing avoslocker's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| DDOS Protection | 🔴 | 08/07/2023 00:10 | `http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion` | 📸 |
| AvosLocker | 🔴 | 16/08/2023 15:08 | `http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion` | 📸 |
#### **External information**
- https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/
- https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/
- https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux
- https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html
- https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen
- https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf
- https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group
- https://www.ic3.gov/Media/News/2022/220318.pdf
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker
#### **Ransom note**
* [📝 1 ransom note](notes/avoslocker)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 70 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Cambian Group`](https://google.com/search?q=Cambian+Group) | 11/02/2023 | Includes data from Care Tech Holdings PLC (parent holding company, caretech-uk.com) & ByTheBridge.co.uk & Cambian Group. A billion dollar mega-corporation and British orphans, what could go wrong? | |
| [`Memtech Acoustical`](https://google.com/search?q=Memtech+Acoustical) | 11/02/2023 | Memtech Acoustical is your 'one-stop' source for acoustic services, noise control and acoustic material installation. There is no need to coordinate consultants, order materials and arrange for installation. Memtech does it all. Memtech Acoustical Industrial, Commercial, and Acoustic Noise Control Solutions | |
| [`Global Mining Products`](https://google.com/search?q=Global+Mining+Products) | 11/02/2023 | Global Mining's Product Catalog is available for download. MINExpo 2012 Please Visit Global Mining Products Inc at MINExpo 2012 Booth No. 9144 Service and Repair Facilities 3 Location To Serve You Better Global Mining - USA Ph: 775-778-3410 Fax: 775-778-3418 Global Mining - Canada Ph: 604-538-0058 Fax: 604-541-2850 PT GloMinPro Indonesia | |
| [`Buckeye Packaging`](https://google.com/search?q=Buckeye+Packaging) | 11/02/2023 | Buckeye Packaging offers high-quality custom packaging solutions in a variety of substrates, delivered with outstanding customer service and terrible network security. 50 GB customer data will be released | |
| [`Wesco Turf`](https://google.com/search?q=Wesco+Turf) | 11/02/2023 | Finance, HR, Corporate files present in data leak We are an exclusive provider for Toro, Club Car, Bernhard, Salsco, Harper, Ventrac, and MCI-Flowtronex and Watertronics Pump Stations in Florida and Southern Georgia. Since 1987 Wesco Turf has been the golf, grounds, and irrigation market leader. We are a worldwide provider of the highest quality used golf course equipment. Wesco has been honored multiple times as Toro’s North American Distributor of Excellence. | |
| [`CannonDesign`](https://google.com/search?q=CannonDesign) | 11/02/2023 | Employees: 1,100 - Revenue: $279.8M - Site: www.cannondesign.com Exfiltrated: 5.7 TB Wasting our time will result in your data being leaked. Over 5 TB corporate and client files will be released | |
| [`Schandy`](https://google.com/search?q=Schandy) | 11/02/2023 | We have more than 100GB Data(Employers Data,CVs,Passports,HR,Confidential files...) | |
| [`Ultralife Corporation`](https://google.com/search?q=Ultralife+Corporation) | 11/02/2023 | Publicly traded stock as ULBI. Client information, design, manufacture, financial, accounting, HR and more. Address: 2000 Technology Pkwy, Newark, NY 14513, United States Phone: +1 315 332 7100 | |
| [`Hamilton Parker`](https://google.com/search?q=Hamilton+Parker) | 11/02/2023 | 1865 LEONARD AVENUE COLUMBUS, OH 43219 614-358-7800 | |
| [`Corporate Interiors Inc`](https://google.com/search?q=Corporate+Interiors+Inc) | 07/01/2023 | Corporate Interiors - Steelcase office furniture - Delaware and Philadelphia Contact Us 1-800-690-9101 | |
↪️ More victims [here](/group/avoslocker?id=posts)
---
## **aztroteam**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion` | ❌ |
### _Victims_
> no victim found
---
## **babuk**
> Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and an old 32-bit PE executable were observed over time as well. It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
🔎 `ransomware.live` has an active parser for indexing babuk's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Babuk - Leaks site | 🔴 | 26/02/2024 07:35 | `http://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion` | 📸 |
#### **External information**
- http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/
- https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/
- https://blog.morphisec.com/babuk-ransomware-variant-major-attack
- https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html
- https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://github.com/EmissarySpider/ransomware-descendants
- https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/
- https://killingthebear.jorgetesta.tech/actors/evil-corp
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
- https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/
- https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/
- https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/
- https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751
- https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d
- https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2
- https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b
- https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1
- https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f
- https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html
- https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf
- https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf
- https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62
- https://securelist.com/ransomware-world-in-2021/102169/
- https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/
- https://twitter.com/GossiTheDog/status/1409117153182224386
- https://twitter.com/Sebdraven/status/1346377590525845504
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings
- https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/
- https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/
- https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/
- https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
- https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
- https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/
- https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt
- https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
- https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/
#### **Negotiation chats**
| Name | Link |
|---|---|
|20210203| 💬 |
|20210428| 💬 |
### _Victims_
> 6 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`BridgeMill Athletic Club`](https://google.com/search?q=BridgeMill+Athletic+Club) | 27/07/2021 | https://www.bridgemillathleticclub.com/ | 📸 |
| [`spsr-law.com`](https://google.com/search?q=spsr-law.com) | 07/07/2021 | The Babuk v2.0 new | 📸 |
| [`E.A. Gibson Shipbrokers`](https://google.com/search?q=E.A.+Gibson+Shipbrokers) | 06/07/2021 | The Babuk 2.0 new | 📸 |
| [`Arabian Computer Supplies co.`](https://google.com/search?q=Arabian+Computer+Supplies+co.) | 21/06/2021 | The Babuk 2.0 new | 📸 |
| [`4murs.com`](https://google.com/search?q=4murs.com) | 15/06/2021 | The Babuk v2.0 new | 📸 |
| [`The Babuk team shares the position stated by the most famous hacktivist group.`](https://google.com/search?q=The+Babuk+team+shares+the+position+stated+by+the+most+famous+hacktivist+group.) | 11/06/2021 | The Babuk team shares the position stated by the most famous hacktivist group. | 📸 |
---
## **babyduck**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://babydovegkmhbontykziyq7qivwzy33mu4ukqefe4mqpiiwd3wibnjqd.onion` | ❌ |
#### **External information**
- https://twitter.com/PolarToffee/status/1445873002801889280?s=20
### _Victims_
> no victim found
---
## **bianlian**
> ⚠️ A decryption tool is available on [Avast](https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/#bianlian_how_to_decrypt) site
🔎 `ransomware.live` has an active parser for indexing bianlian's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| BianLian - Home | 🟢 | 30/07/2024 02:07 | `http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion` | 📸 |
| BianLian - Home | 🟢 | 30/07/2024 02:08 | `http://bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion` | 📸 |
#### **External information**
- https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/
- https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
- https://twitter.com/malwrhunterteam/status/1558548947584548865
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
#### **Ransom note**
* [📝 1 ransom note](notes/bianlian)
### _Total Attacks Over Time_

### _Victims_
> 453 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Augusta Orthopedic`](https://google.com/search?q=Augusta+Orthopedic) | 26/07/2024 | Augusta-Aiken Orthopedic Specialists is a comprehensive medical and surgical practice devoted to the care of musculoskeletal problems. | 📸 |
| [`Karvo Companies, Inc.`](https://google.com/search?q=Karvo+Companies%2C+Inc.) | 26/07/2024 | Karvo Companies, Inc. is a dynamic, growth oriented general contractor specializing in heavy highway construction. | 📸 |
| [`Insula Group`](https://google.com/search?q=Insula+Group) | 25/07/2024 | Insula Group offers a broad range of IT services and industry leading software products in Australia and overseas. | 📸 |
| [`Bunkhouse Group`](https://google.com/search?q=Bunkhouse+Group) | 24/07/2024 | Bunkhouse Group is a company that operates in the Lodging & Resorts industry. | 📸 |
| [`Playa Vista Job Opportunities and Business Services`](https://google.com/search?q=Playa+Vista+Job+Opportunities+and+Business+Services) | 24/07/2024 | PVJOBS is a nonprofit 501(c)3 public benefit corporation whose mission is to provide career-track employment opportunities for at-risk youth, adults and veterans in construction and related industries. | 📸 |
| [`Accelon Technologies Private`](https://google.com/search?q=Accelon+Technologies+Private) | 24/07/2024 | Accelon Technologies Private is an ERP Consulting company headquartered at Pune, India. | 📸 |
| [`Texas Alcohol & Drug Testing Service`](https://google.com/search?q=Texas+Alcohol+%26+Drug+Testing+Service) | 14/07/2024 | Established in 1994, Texas Alcohol and Drug Testing Service (TADTS) is an industry leader in helping companies establish a Drug-Free Workplace. | 📸 |
| [`Preferred IT Group`](https://google.com/search?q=Preferred+IT+Group) | 12/07/2024 | Business Services. Complete IT services and support. | 📸 |
| [`Island Transportation Corp.`](https://google.com/search?q=Island+Transportation+Corp.) | 04/07/2024 | Island Transportation Corp is one of the largest bulk carriers in the United States servicing the petroleum industry for over 50 years. Company serves a majority of the leading oil companies in the northeast, hauling billions of gallons of product to their facilities each year. | 📸 |
| [`Legend Properties, Inc.`](https://google.com/search?q=Legend+Properties%2C+Inc.) | 04/07/2024 | Legend Properties was formed in 1990. Today we are a market share leader in commercial real estate brokerage in the Philadelphia Metropolitan area. | 📸 |
↪️ More victims [here](/group/bianlian?id=posts)
---
## **blackbasta**
> "Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.
_`Solved a scraping issue on 2023-03-08`_
🔎 `ransomware.live` has an active parser for indexing blackbasta's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Black Basta Blog | 🟢 | 30/07/2024 02:08 | `http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion` | 📸 |
| Chat Black Basta | 🔴 | 17/09/2023 12:10 | `http://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion` | 📸 |
| Chat Black Basta | 🟢 | 30/07/2024 02:09 | `http://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion` | ❌ |
#### **Ransom note**
* [📝 5 ransom notes](notes/blackbasta)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20221011| 💬 |
|20221229| 💬 |
|20230410| 💬 |
|20230501| 💬 |
### _Total Attacks Over Time_

### _Victims_
> 468 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`memc.com`](https://www.memc.com) | 22/07/2024 | MEMC is a global leader in producing advanced semiconductor materials for the electronics industry with leading-edge design and manufacturing. SITE: www.memc.com ALL DATA SIZE: ≈1tb 1. Corporate data, Financial data… 2. NDA, Confidential data 3. Human Resources, Hire data 4. R&D, Engineering data 5. Personal employees documents and info 6. Clients data & etc… | 📸 |
| [`posiplus.com`](https://google.com/search?q=posiplus.com) | 15/07/2024 | Since 1981, Posi+ has been manufacturing aerial devices, stand apart to meet your specific needs. Over the years, the range of products expanded. Motivated by the same concern for performance, quality and safety, Posi+ also offers digger derricks, cable handlers and cable placers for telecoms. SITE: www.posiplus.com Address: 100-489 PIERRE-ROUX E, VICTORIAVILLE QUEBEC, CANADA G6T 1S9 Tel#: 1 800 758-5717 ALL DATA SIZE: ≈350gb+ 1. Company data 2. Confidential & employees data 3. Financial data & etc… | 📸 |
| [`hpecds.com`](https://google.com/search?q=hpecds.com) | 15/07/2024 | CDS, a Hewlett Packard Enterprise company. CDS is a wholly owned subsidiary of Hewlett Packard Enterprise and although an integral part of delivery operations in EMEA, is a separate legal entity providing true multi-vendor service capability for Hewlett Packard Enterprise customers. The Hewlett Packard Enterprise service offerings are contained in a single portfolio of branded services, which are delivered by both CDS and Hewlett Packard Enterprise service teams. CDS specialises in on-site delivery for multi-vendor products and technical services. CDS was formed after the acquisition of Synstar plc which had over 40 years’ experience of delivering multi-vendor services across Europe. Our company has a long tradition of delivering highly customised services and we pride ourselves on our commitment to customer satisfaction. This broad range of skills coupled with an agile workforce creates flexibility in service solutions which can be tailored to individual customers' needs. CDS embraces all of Hewlett Packard Enterprise’s values and commitment to employees and customers alike. SITE: www.hpecds.com Address: Berkshire, GB - Winnersh Triangle 210 Wharfedale Road Berkshire, RG41 5TP, United Kingdom ALL DATA SIZE: ≈500gb 1. Company data 2. Confidential data 3. Human Resources, Hire data 4. Personal employees documents 5. Clients data 6. Projects & etc… | 📸 |
| [`usdermpartners.com`](https://google.com/search?q=usdermpartners.com) | 15/07/2024 | | 📸 |
| [`atos.com`](https://google.com/search?q=atos.com) | 15/07/2024 | For Atos, being Smart means courage and determination to define new standards of excellence. Smart Electrohydraulics is our response to the everchanging market, a commitment we pursue with a unique approach in which every process is analyzed and optimized: from research to design, from production to delivery, up to after-sales service. SITE: www.atos.com Address: Via alla Piana, 57 21018 Sesto Calende VA, Italy ALL DATA SIZE: ≈710gb 1. Company data 2. Confidential data 3. Personal employees documents 4. Projects 5. Clients data & etc… | 📸 |
| [`thompsoncreek.com_wa`](https://thompsoncreek.com) | 15/07/2024 | Thompson Creek® Window Company is the Mid-Atlantic region’s premier home improvement replacement products company. We have been customizing and manufacturing replacement windows, doors, gutters, siding and roofing in the Mid-Atlantic region since 1980. SITE: www.thompsoncreek.com Address: 4200 Parliament Place Suite 600 Lanham, MD 20706 USA ALL DATA SIZE: ≈750gb 1. Corporate data 2. Financial data, Accounting… 3. Human Resources, Hire data… 4. Payroll, personal Tax forms, Agreements… 5. Personal docs employees, clients… & etc… | 📸 |
| [`northernsafety.com_wa`](https://northernsafety.com) | 15/07/2024 | Northern Safety Co., Inc. operates as a personal safety equipment distributor company. The Company offers disposable respirators, earplugs, first aid kits, gloves, hard hats, safety glasses, safety supplies, traffic work boots, and fall harnesses. Northern Safety serves customers in the United States. SITE: www.northernsafety.com Address: 761 S. Danny Thomas Blvd. Memphis, TN 38126 USA ALL DATA SIZE: ≈750gb 1. Corporate data 2. Finance data 3. HR 4. Users, Employees personal, confidential data & etc… | 📸 |
| [`lambertz.de`](https://google.com/search?q=lambertz.de) | 30/06/2024 | The history of Lambertz is impressive, exciting and rich - Lambertz manages to make the leap from a small bakery in Aachen to one of the oldest confectionery manufacturers in Germany. In 2021, the traditional and family-owned company celebrated its 333rd anniversary. SITE: www.lambertz.de Address: Henry Lambertz GmbH & Co. KG: Borchersstrasse 18 D-52072 Aachen Tel# +49 (0)241 / 89 05-0 ALL DATA SIZE: ≈800gb+ 1. Employee Personnel data… 2. Firm data: FiBu, Human Resources… 3. Confidential data… & etc… | 📸 |
| [`keybenefit.com`](https://google.com/search?q=keybenefit.com) | 25/06/2024 | Key Benefit Administrators, Inc. offers financial services. The Company provides employment benefit services that manage pension, retirement, health, and welfare funds. Key Benefit Administrators serves customers in the United States. SITE: www.keybenefit.com Address: 8330 Allison Pointe Trail Indianapolis, IN 46250, USA ALL DATA SIZE: ≈2.5tb 1. Clients 2. Executive 3. HR 4. Audit 5. Home, users, employees data 6. Accounting & etc… | 📸 |
| [`scrubsandbeyond.com`](https://google.com/search?q=scrubsandbeyond.com) | 25/06/2024 | Scrubs & Beyond was founded in 2000 with the thinking that the healthcare retail experience could be completely transformed. The result was a retail experience that elevated medical professional essentials beyond the practical — and added a much-needed sense of humanity that was otherwise missing in the industry. SITE: www.scrubsandbeyond.com Address: 12969 Manchester Rd Saint Louis MO, 63131-1805 United States ALL DATA SIZE: ≈600gb 1. Human Resources data 2. Users folders, Employees confidential data 3. Personal documents 4. Departments data: Accounting, Management… & etc… | 📸 |
↪️ More victims [here](/group/blackbasta?id=posts)
---
## **blackbyte**
> Ransomware. Uses dropper written in JavaScript to deploy a .NET payload.
🔎 `ransomware.live` has an active parser for indexing blackbyte's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion` | ❌ |
| BlackByte BLOG | 🔴 | 30/12/2021 09:14 | `http://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion` | ❌ |
| BlackByte BLOG | 🔴 | 28/03/2022 11:17 | `http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion` | ❌ |
| BlackByte BLOG | 🔴 | 24/04/2022 20:21 | `http://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion` | ❌ |
| BlackByte BLOG | 🔴 | 12/07/2022 20:09 | `http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion` | ❌ |
| BB Auction | 🔴 | 20/10/2023 21:14 | `http://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion` | 📸 |
| BB Auction | 🟢 | 30/07/2024 02:09 | `http://53d5skw4ypzku4bfq2tk2mr3xh5yqrzss25sooiubmjz67lb3gdivcad.onion` | 📸 |
| File downloader | 🟢 | 30/07/2024 02:10 | `http://tj3ty2q5jm5au3bmd2embtjscd3qjt7nfio2o7cr6moyy5kgil5pieqd.onion` | 📸 |
#### **External information**
- https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
- https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html
- https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/
- https://redcanary.com/blog/blackbyte-ransomware/
- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
- https://securelist.com/modern-ransomware-groups-ttps/106824/
- https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/
- https://twitter.com/splinter_code/status/1628057204954652674
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group
- https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups
- https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape
- https://www.ic3.gov/Media/News/2022/220211.pdf
- https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html
- https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
- https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants
#### **Ransom note**
* [📝 4 ransom notes](notes/blackbyte)
### _Total Attacks Over Time_

### _Victims_
> 137 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Modernauto`](https://www.modernauto.com) | 17/07/2024 | Founded in 1933, Modern Automotive is a family owned and operated network of dealerships located throughout South Carolina. The Network has grown to include Modern Nissan, Modern Toyota, Modern Infiniti in Winston-Salem, Modern Infiniti in Greensboro, Modern Nissan of Concord, Modern Nissan of Lake Norman, Modern Hyundai of Concord, Modern Toyota of Boone and most recently Modern Subaru of Boone. | |
| [`Modern Automotive Group`](https://google.com/search?q=Modern+Automotive+Group) | 17/07/2024 | | |
| [`City of Newburgh`](https://cityofnewburgh-ny.gov/) | 22/06/2024 | City of Newburgh | |
| [`Cityofnewburgh-ny.gov`](https://google.com/search?q=Cityofnewburgh-ny.gov) | 22/06/2024 | | |
| [`Encina Wastewater Authority`](https://www.encinajpa.com/) | 13/03/2024 | The Encina Wastewater Authority (EWA) is a public agency located in Carlsbad, California. EWA provides wastewater treatment services to more than 400,000 residents in northwestern San Diego County. EWA's facilities and services are essential for protecting the local ocean environment, preserving public health, and providing valuable water resources for the region. EWA is owned by six public agenci | |
| [`Encinajpa`](https://google.com/search?q=Encinajpa) | 06/03/2024 | | |
| [`Meridian Cooperative`](https://www.meridian.coop/) | 04/10/2023 | Meridian Cooperative is the only enterprise solution that delivers flexible leading-edge software, services, and technology to utility providers across the country. With solutions ranging from consumer billing and finance to IT, GIS, advanced analytics, cybersecurity, and operations, our enterprise suite provides the tools utilities need to manage business from the office to the field efficiently and securely. | |
| [`Hoteles Xcaret`](https://www.xcaret.com/) | 18/09/2023 | Hoteles Xcaret offers the best lodging experiences in Riviera Maya. Our hotels have been designed to satisfy and exceed the demands of different kinds of travelers, from parents wishing to surprise their kids with the best family vacations, to private and sustainable experiences collectors who wish for an incredible journey as a couple. | |
| [`Alps Alpine`](https://www.alpsalpine.com/) | 11/09/2023 | Alps Alpine, a leading manufacturer of electronic components and automotive infotainment systems, has brought the world numerous “First 1” and “Number 1” products since its founding in 1948. The Alps Alpine Group currently operates 110 bases in 26 countries and regions, supplying roughly 40,000 different products and solutions to around 2,000 companies worldwide. In January 2019, Alps Electric Co., Ltd. and Alpine Electronics, Inc. integrated their businesses to embark on a new era as Alps Alpine Co., Ltd. Serving a diverse range of markets encompassing an automotive industry currently undergoing major transformation, the mobile and consumer electronics domains, through to energy, healthcare and industry markets, Alps Alpine will combine and build on core device technology established over many years in three areas – human-machine interfaces, SENSORING™ and connectivity – along with system design and software development capabilities to innovate value that brings comfort to and enriches the lives of people everywhere. | |
| [`Kirby Risk`](https://www.kirbyrisk.com/) | 09/09/2023 | Since 1926, Kirby Risk has remained committed to the concept of sacrificial service by going above and beyond what it takes to provide you with the right products and services at the right time, to the right place, at the right cost—working hard every day to MAKE IT HAPPEN! Today, Kirby Risk is still known by our customers as a dependable resource dedicated to solving their problems with the more than 40 locations throughout Indiana, Illinois, Ohio and Georgia. Our skilled and experienced team members are available around the clock to meet your electrical product and service needs. We represent over 2,000 manufacturers and carry more than 90,000 top-quality products. | |
↪️ More victims [here](/group/blackbyte?id=posts)
---
## **blackmatter**
> Ransomware-as-a-Service
_`support host supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| BlackMatter | 🔴 | 04/11/2021 21:45 | `http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion` | ❌ |
#### **External information**
- http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
- http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/
- https://asec.ahnlab.com/en/34549/
- https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/
- https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/
- https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/
- https://blog.group-ib.com/blackmatter#
- https://blog.group-ib.com/blackmatter2
- https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service
- https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html
- https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections
- https://brandefense.io/darkside-ransomware-analysis-report/
- https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
- https://community.riskiq.com/article/fdf74f23
- https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6
- https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf
- https://github.com/sisoma2/malware_analysis/tree/master/blackmatter
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf
- https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html
- https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
- https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/
- https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b
- https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/
- https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted
- https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
- https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
- https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/
- https://therecord.media/popular-hacking-forum-bans-ransomware-ads/
- https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/
- https://threatpost.com/guess-fashion-data-loss-ransomware/167754/
- https://twitter.com/GelosSnake/status/1451465959894667275
- https://twitter.com/JAMESWT_MHT/status/1388301138437578757
- https://twitter.com/ValthekOn/status/1422385890467491841?s=20
- https://twitter.com/embee_research/status/1678631524374020098?s=46
- https://twitter.com/sysopfb/status/1422280887274639375
- https://unit42.paloaltonetworks.com/darkside-ransomware/
- https://us-cert.cisa.gov/ncas/alerts/aa21-131a
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
- https://www.acronis.com/en-us/articles/darkside-ransomware/
- https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
- https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/
- https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
- https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/
- https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
- https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
- https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
- https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.databreaches.net/a-chat-with-darkside/
- https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968
- https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/
- https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
- https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/
- https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/
- https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group
- https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin
- https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
- https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/
- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
- https://www.glimps.fr/lockbit3-0/
- https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
- https://www.ic3.gov/Media/News/2021/211101.pdf
- https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack
- https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime
- https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/
- https://www.mandiant.com/resources/burrowing-your-way-into-vpns
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/
- https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#
- https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/
- https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/
- https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
- https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/
- https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/
- https://www.secjuice.com/blue-team-detection-darkside-ransomware/
- https://www.secureworks.com/research/threat-profiles/gold-waterfall
- https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/
- https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
- https://www.varonis.com/blog/darkside-ransomware/
- https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
- https://www.youtube.com/watch?v=NIiEcOryLpI
- https://www.youtube.com/watch?v=qxPXxWMI2i4
- https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html
- https://zawadidone.nl/darkside-ransomware-analysis/
- https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside
#### **Ransom note**
* [📝 1 ransom note](notes/blackmatter)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20210829| 💬 |
|20210907| 💬 |
### _Victims_
> 31 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`National Beverage`](https://google.com/search?q=National+Beverage) | 04/11/2021 | | |
| [`Keycentrix`](https://google.com/search?q=Keycentrix) | 04/11/2021 | | |
| [`Jobbers Meat Packing Co., Inc.`](https://google.com/search?q=Jobbers+Meat+Packing+Co.%2C+Inc.) | 04/11/2021 | | |
| [`Home State Bank`](https://google.com/search?q=Home+State+Bank) | 04/11/2021 | | |
| [`Armour Transportation Systems`](https://google.com/search?q=Armour+Transportation+Systems) | 04/11/2021 | | |
| [`ZKTeco USA`](https://google.com/search?q=ZKTeco+USA) | 04/10/2021 | | |
| [`crystalvalley`](https://google.com/search?q=crystalvalley) | 29/09/2021 | | |
| [`Bumper to Bumper Autoparts`](https://google.com/search?q=Bumper+to+Bumper+Autoparts) | 21/09/2021 | | |
| [`LA-Martiniquaise`](https://google.com/search?q=LA-Martiniquaise) | 20/09/2021 | | |
| [`JMclaughlin`](https://google.com/search?q=JMclaughlin) | 20/09/2021 | | |
↪️ More victims [here](/group/blackmatter?id=posts)
---
## **blackout**
🔎 `ransomware.live` has an active parser for indexing blackout's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Blackout Blog | 🟢 | 30/07/2024 02:10 | `http://black3gnkizshuynieigw6ejgpblb53mpasftzd6pydqpmq2vn2xf6yd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 6 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`luzan5.com`](https://google.com/search?q=luzan5.com) | 14/07/2024 | luzan5.com is a small company in the healthcare consulting field, perhaps... | 📸 |
| [`badel1862.hr`](https://google.com/search?q=badel1862.hr) | 03/07/2024 | Badel 1862 is an alcoholic beverage manufacturer from Croatia and at the ... | 📸 |
| [`mcmtelecom.com`](https://google.com/search?q=mcmtelecom.com) | 29/05/2024 | We carried out an attack on mcmtelecom.com, a b2b telecommunications prov... | 📸 |
| [`ht-hospitaltechnik.de`](https://google.com/search?q=ht-hospitaltechnik.de) | 18/04/2024 | Why don't medical companies pay us? As usual we got into the network ht-h... | 📸 |
| [`ch-armentieres.fr`](https://google.com/search?q=ch-armentieres.fr) | 26/02/2024 | First post on our new blog ! We encrypted 100+ servers and workstations ... | 📸 |
| [`metal7.com`](https://google.com/search?q=metal7.com) | 26/02/2024 | This time we dug into the network of metal7.com, a company that manufactu... | 📸 |
---
## **blackshadow**
_`previous clearnet domain blackshadow.cc`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://544corkfh5hwhtn4.onion` | ❌ |
### _Victims_
> 3 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Shirbit Insurance Company`](https://google.com/search?q=Shirbit+Insurance+Company) | 18/12/2021 | | |
| [`K.L.S Capital`](https://google.com/search?q=K.L.S+Capital) | 18/12/2021 | | |
| [`CyberServe Company`](https://google.com/search?q=CyberServe+Company) | 18/12/2021 | | |
---
## **blacksuit**
> According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.
🔎 `ransomware.live` has an active parser for indexing blacksuit's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Black Suit | 🔴 | 30/07/2024 00:43 | `http://weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd.onion` | 📸 |
#### **External information**
- https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/
- https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html
#### **Ransom note**
* [📝 1 ransom note](notes/blacksuit)
### _Total Attacks Over Time_

### _Victims_
> 107 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`hanoverhill.com`](http://hanoverhill.com) | 27/07/2024 | | 📸 |
| [`Pojoaque`](http://www.pojoaque.org) | 25/07/2024 | Despite repeated warnings, Pojoaque management has decided to ignore us, showing that they do not care about the data of their employees and partners. They have been repeatedly warned of the consequences of publishing the data. Remember, these are the people who don't care about anything but their own wallets. | 📸 |
| [`RhinoCorps`](http://rhinocorps.com) | 24/07/2024 | Despite warnings, Rhinocorps management did not see fit to take care of its partners and employees. Without even looking into it, Rhinocorps said they don't care about the future of the data, so all projects, contracts with non-disclosure clauses, and personal data will be made public within 48 hours. | 📸 |
| [`Reward Hospitality from EFC Group`](https://ecfgroup.com/en/brand/reward-hospitality/;https://www.rewardhospitality.com.au/) | 20/07/2024 | Reward Hospitality is Asia Pacific's largest supplier to the hospitality and care industries. With 26 locations Australia-wide, we supply the latest tabletop, buffet, serving ware, glassware, takeaway & packaging, kitchenware, equipment & washroom products. | 📸 |
| [`a-g.com - data publication 38gb (150K)`](https://www.a-g.com/) | 13/07/2024 | You have 4 days to contact us; otherwise the data will be released. | 📸 |
| [`gbhs.org Publication 51gb`](https://gbhs.org/) | 13/07/2024 | | 📸 |
| [`gbhs.org 07/12 Publication 51gb`](https://gbhs.org/) | 13/07/2024 | | 📸 |
| [`Image Microsystems`](http://dealscoop.com) | 11/07/2024 | | |
| [`City of Cedar Falls`](http://cedarfalls.com) | 10/07/2024 | Unfortunately, the management of cedarfalls.com shows no commitment to ensuring the data security of its employees, customers, and partners. Cedarfalls has 72 hours to resolve this situation; otherwise, the data will be put up for public auction. | 📸 |
| [`a-g.com 7/10/24 - data publication 38gb (150K)`](https://www.a-g.com/) | 06/07/2024 | You have 4 days to contact us; otherwise the data will be released. | 📸 |
↪️ More victims [here](/group/blacksuit?id=posts)
---
## **blacktor**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Bl@ckt0r - Bug Hunter and Data Breacher Group | 🔴 | 07/01/2023 21:07 | `http://bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion` | 📸 |
### _Victims_
> 4 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`ticketclub-it`](https://google.com/search?q=ticketclub-it) | 30/12/2021 | | |
| [`bankjatim-co-id`](https://google.com/search?q=bankjatim-co-id) | 30/12/2021 | | |
| [`salesplaypos-com`](https://google.com/search?q=salesplaypos-com) | 30/12/2021 | | |
| [`unexca-edu-ve`](https://google.com/search?q=unexca-edu-ve) | 30/12/2021 | | |
---
## **bluesky**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| BlueSky DECRYPTOR | 🔴 | 17/10/2023 15:13 | `http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/bluesky)
### _Victims_
> no victim found
---
## **bonacigroup**
_`claim to donate 80% of earnings to charity`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| 502 Bad Gateway | 🔴 | 28/12/2021 14:14 | `http://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion` | ❌ |
### _Victims_
> 3 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Marshall Investigative Group Part 1/3 1000 Client`](https://google.com/search?q=Marshall+Investigative+Group+Part+1%2F3+1000+Client) | 06/12/2021 | | |
| [`Ward Arcuri Foley & Dwyer Law Firm`](https://google.com/search?q=Ward+Arcuri+Foley+%26+Dwyer+%7C+Law+Firm) | 04/10/2021 | | |
| [`Charles Crown Financial Ltd`](https://google.com/search?q=Charles+Crown+Financial+Ltd) | 04/10/2021 | | |
---
## **cactus**
🔎 `ransomware.live` has an active parser for indexing cactus's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| none | 🟢 | 30/07/2024 02:11 | `http://cactusbloguuodvqjmnzlwetjlpj6aggc6iocwhuupb47laukux7ckid.onion` | 📸 |
#### **Ransom note**
* [📝 5 ransom notes](notes/cactus)
### _Total Attacks Over Time_

### _Victims_
> 155 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`isometrix.com`](https://isometrix.com) | 17/07/2024 | Download link #1: https://***************.onion/ISOMETRIX/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/ISOMETRIX/PROOF/ DATA DESCRIPTIONS: Personal identifiable information, employees and executives personal files, financial data, customer information, contracts\NDA, corporate correspondence, software development data etc. | 📸 |
| [`verco.co.uk`](https://verco.co.uk) | 16/07/2024 | Download link #1: https://***************.onion/VERCO/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/VERCO/PROOF/ DATA DESCRIPTIONS: Personal identifiable information, corporate confidential data, contracts, engineering data\drawings\projects, employees and executives personal files, financial documents\statements, corporate correspondence, etc. | 📸 |
| [`westfalia-automotive.com`](https://westfalia-automotive.com) | 24/06/2024 | Download link #1: https://***************.onion/MONOFLEX/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/MONOFLEX/PROOF/ DATA DESCRIPTIONS: Personal identifiable information, engineering data\drawings, employees and executives personal files, financial data, customer information, database exports, corporate correspondence, etc. | |
| [`hydmech.com`](https://hydmech.com) | 24/06/2024 | Download link #1: https://***************.onion/HYDMECH/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/HYDMECH/PROOF/ DATA DESCRIPTIONS: Engineering data - drawings, r&d, QA, Personal Identification information (passports, DLs, etc.), customer agreements, HR confidential data, executives and employees personal folders, financial statements\payroll, etc. | 📸 |
| [`daystar.com`](https://daystar.com) | 23/06/2024 | Download link #1: https://***************.onion/DAYSTARTV/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/DAYSTARTV/PROOF/ DATA DESCRIPTIONS: Personal identifiable information, corporate confidential documents, financial data, personnel information, employees personal files, legal documents, corporate correspondence, etc. | 📸 |
| [`fbttransport.com`](https://fbttransport.com) | 23/06/2024 | Download link #1: https://***************.onion/OFFICE/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/OFFICE/PROOF/ DATA DESCRIPTIONS: Personal identifiable information, financial documents, corporate confidential files, employees and executives personal files, corporate correspondence, etc. | 📸 |
| [`hundhausen.de`](https://hundhausen.de) | 23/06/2024 | Download link #1: https://***************.onion/HUNDHAUSEN/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/HUNDHAUSEN/PROOF/ DATA DESCRIPTIONS: Corporate confidential data: projects, drawings, financial documents\payrolls, correspondence etc. | 📸 |
| [`www.glynmarais.co.za`](https://www.glynmarais.co.za) | 23/06/2024 | Download link #1: https://***************.onion/JGM/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/JGM/PROOF/ DATA DESCRIPTIONS: Employees and executives personal files, personal identifiable information, financial documents, corporate confidential files, correspondence, etc. | 📸 |
| [`millimages.com`](https://millimages.com) | 23/06/2024 | Download link #1: https://***************.onion/MILLIMAGES/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/MILLIMAGES/PROOF/ DATA DESCRIPTIONS: Personal identifiable information, corporate confidential agreements, contracts, financial documents, personnel data, employees personal files, legal documents, corporate correspondence, etc. | 📸 |
| [`deskcenter.com`](https://deskcenter.com) | 23/06/2024 | Download link #1: https://***************.onion/DESKCENTER/PROOF/ Mirror: https://cactus5dqnqkppa5ayckiyk6dttpqwczdqphv5mxh4dkk5ct544q5aad.onion/DESKCENTER/PROOF/ DATA DESCRIPTIONS: Employees personal and corporate data, personal identifying documents, financial documents, customer information, database backups\exports, etc. | |
↪️ More victims [here](/group/cactus?id=posts)
---
## **cheers**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Cheers! | 🔴 | 20/09/2022 06:46 | `http://rwiajgajdr4kzlnrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion` | ❌ |
| sembmarine | 🔴 | 20/09/2022 08:22 | `http://crkfkmrh4qzbddfrl2axnkvjp5tgwx73d7lq4oycsfxc7pfgbfhtfiid.onion` | ❌ |
### _Total Attacks Over Time_

### _Victims_
> 15 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`DYNAM JAPAN HOLDINGS CO., LTD`](https://google.com/search?q=DYNAM+JAPAN+HOLDINGS+CO.%2C+LTD) | 14/09/2022 | | |
| [`An Japan Game Halls Operator`](https://google.com/search?q=An+Japan+Game+Halls+Operator) | 01/09/2022 | | |
| [`An British Financial Company -Public`](https://google.com/search?q=An+British+Financial+Company+-Public) | 18/08/2022 | | |
| [`An Insurance Company -Paid`](https://google.com/search?q=An+Insurance+Company++-Paid) | 09/08/2022 | | |
| [`An Turkey Certified Public Accountancy Firms -Unpay`](https://google.com/search?q=An+Turkey+Certified+Public+Accountancy+Firms++-Unpay) | 09/08/2022 | | |
| [`An Insurance Company`](https://google.com/search?q=An+Insurance+Company) | 19/07/2022 | | |
| [`An British Financial Company -Unpay`](https://google.com/search?q=An+British+Financial+Company+-Unpay) | 18/07/2022 | | |
| [`An International Shipping Company - Paid`](https://google.com/search?q=An+International+Shipping+Company+-+Paid) | 18/07/2022 | | |
| [`An International Shipping Company - Unpay`](https://google.com/search?q=An+International+Shipping+Company+-+Unpay) | 01/07/2022 | | |
| [`https://`](https://google.com/search?q=https%3A%2F%2F) | 30/06/2022 | | |
↪️ More victims [here](/group/cheers?id=posts)
---
## **chilelocker**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Login | 🔴 | 19/04/2023 13:15 | `http://z6vidveub2ypo3d3x7omsmcxqwxkkmvn5y3paoufyd2tt4bfbkg33kid.onion` | 📸 |
#### **Ransom note**
* [📝 3 ransom notes](notes/chilelocker)
### _Victims_
> no victim found
---
## **cicada3301**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| | 🟢 | 30/07/2024 02:12 | `http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 10 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`NARSTCO`](https://www.narstco.com) | 25/07/2024 | NARSTCO is North America's leading manufacturer and supplier of Steel Railroad Ties and Turnouts. NARSTCO Steel Ties are made in the USA from recycled steel. NARSTCO works with Class 1 railways, transit authorities, short line railways, regional railways, and numerous industrial facilities. If a company does not contact us, we will publish the data. | 📸 |
| [`Tri-Star Display`](https://tristardisplay.com) | 25/07/2024 | Tri-Star Display Pte Ltd is a company that operates in the Advertising & Marketing industry. It employs 1 to 4 people and has 1M to 5M of revenue. If a company does not contact us, we will publish the data. | 📸 |
| [`Voss Belting & Specialty`](https://www.vossbelt.com) | 25/07/2024 | Voss Belting and Specialty Company is a specialty belt house providing quality solutions for flat conveyor belts, timing belts, and high temperature fabric since 1934. Voss Belting has taken a bold approach to meet the ever-increasing demands today’s technological advancements require. Through continuous research and development, Voss Belting & Specialty Company has emerged as a leader in the expansion of belting design and fabrication. Centrally located in Lincolnwood (Chicago), Illinois, Voss is eager to service your belting needs. If a company does not contact us, we will publish the data. | 📸 |
| [`D&K Group, Inc.`](https://www.dkgroup.com) | 25/07/2024 | D&K Group, Inc. is a leading US manufacturer of quality print finishing solutions. All D&K products are made in the USA including thermal extrusion and pressure sensitive (cold) laminating films and adhesives, wide format and desktop laminators, automated one or two sided high-speed laminating systems, and much more. If a company does not contact us, we will publish the data. | 📸 |
| [`Leech Lake Gaming`](https://leechlakegaming.com) | 19/07/2024 | Leech Lake Gaming is located on the Leech Lake Reservation in Minnesota. They currently operate three casinos throughout the great state of Minnesota - Northern Lights Casino, Palace Casino, and White Oak Casino. If the company does not contact us, the data will be published! | 📸 |
| [`GroupePRO-B`](https://www.groupepro-b.com) | 16/07/2024 | Established in 1998, PRO-B Group specializes in the design, fabrication, installation, maintenance and servicing of industrial piping, ventilation and exchangers, boilermaking and steel structures. Phone: 819 377-7218 E-mail: info@groupepro-b.com The data will be published soon if the company does not contact us in the chat! | 📸 |
| [`Access Group`](https://theaccessgroup.com) | 19/06/2024 | The Access Group is headquartered in Leicestershire, United Kingdom, a provider of business software to mid-sized UK organizations. Offering customers across commercial and not-for-profit sectors with productivity and efficiency solutions in the IT field. Providing cloud platforms that assist customers data to be integrated across core business systems. Downloads: http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/access-dataleak | 📸 |
| [`Maintel`](https://maintel.co.uk) | 19/06/2024 | Maintel is a provider of managed cloud communications services for the private and public sectors. The company was founded in 1991 and is headquartered in London, England. Downloads: http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/maintel-dataleak | 📸 |
| [`Basement Systems`](https://basementsystems.com) | 18/06/2024 | Basement Systems Inc., based in Seymour, Connecticut, is a network of basement waterproofing and crawl space repair contractors spanning across the United States and Canada. Downloads: http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/basementsystems-recruiting http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/basementsystems-shared http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/basementsystems-users | 📸 |
| [`ASST Rhodense`](https://www.asst-rhodense.it) | 15/06/2024 | The ASST Rhodense, belonging to the ATS of the Metropolitan City of Milan, encompasses the territory and healthcare and social-health facilities of the former ASL Districts of Rho, Garbagnate, and Corsico, as well as the hospital facilities of the former "Guido Salvini" Hospital. Downloads: http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak1 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak2 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak3 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak4 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak5 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak6 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak7 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak8 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak9 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak10 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak12 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak13 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak14 http://cicadacnft7gcgnveb7wjm6pjpjcjcsugogmlrat7u7pcel3iwb7bhyd.onion/ASST-Rhodense-dataleak15 | 📸 |
---
## **ciphbit**
🔎 `ransomware.live` has an active parser for indexing ciphbit's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| CiphBit | 🔴 | 04/07/2024 08:12 | `http://ciphbitqyg26jor7eeo6xieyq7reouctefrompp6ogvhqjba7uo4xdid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 18 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`TrueNet Communications Corp`](http://truenetcommunications.com) | 17/04/2024 | | |
| [`Macuz`](http://www.macuz.it) | 09/04/2024 | Founded in Florence in 1952 by Marcello and Alma Macuz, the company represents a historic pillar for the production in the Italian fashion industry, which over the years has been able to grow and consolidate following a philosophy based on strong territorial roots, craftsmanship and the highest quality of its productions. Thanks to the acquisition, Eurmoda will enrich its customer base and strengthen an already complete structure of technologies, skills and plants, which offers the full range of materials required by the high fashion segment, through a vertical service and a fully integrated supply chain. The Macuz family will reinvest in the Group and remain actively involved in the operational management of the companies. Over the past 25 years, Auro Macuz and his family have transformed the artisan firm into an industry consisting of 3 companies, with over 160 employees and more than 7000 square metres of premises, while maintaining the initial idea and artisanship with which the company was founded and grew. The very high quality of its production is determined by the professionalism of its staff and the constant renewal of its machinery - with pantographs and CNC lathes and state-of-the-art laser engraving and welding machines - without overlooking the passion and attention with which the company supports its clients, starting from an idea or a design up to the delivery of accessories worldwide. | |
| [`TermoPlastic S.R.L`](http://www.termoplastic.it) | 06/04/2024 | Termoplastic is a company that designs and manufactures plastic and cartoplastic articles. Its products include envelopes and pockets, cases, exhibitors, folders, name badges, key rings, and more. The company also offers design, engineering, installation, delivery, prototyping, and fittings services. Termoplastic caters to automotive, communication, pharmaceutical, telephony, and other sectors. Since the year 1951, we have been dedicated to the design and production of plastic items. Over the course of 70 years of activity, we have expanded our research and innovation sector, paying particular attention to the evolution of materials. At the moment, we are a solidly structured company, capable of managing each project in all its phases: customer consultancy, creation of the prototype and creation of the finished product, with a focus on cost optimization without neglecting creativity and functionality. Over time, we have collaborated with the most prestigious Italian companies, who have appreciated our finished product and our ability to combine quality and costs | |
| [`Commerce Dental Group`](http://commercedentistry.com) | 05/04/2024 | At Commerce Dental Group, we have extensive experience in all aspects of modern dentistry. We offer Comprehensive Dental Care, including everything from the Preventive Education & Routine Hygiene that help to reduce dental problems to expert Cosmetic & Restorative solutions for the dental issues our patients face. Commerce Dental Group is a team of caring, experienced dental professionals who use only the most advanced technologies, materials & procedures & whose primary focus is on comfortable, health-centered dentistry. At our community-focused practice, your comfort & satisfaction come first. We look forward to meeting you soon & developing a relationship with you to build the bridge toward long-term trust & successful dental care. Commerce Dental Group invites you to see why our patients can’t stop smiling. Our dedication to the community goes beyond just caring for teeth. We view ourselves as part of a vital network of practitioners who look after the health & well-being of our friends & neighbors in Commerce & the surrounding communities. Commerce Dental Group is locally owned & part of a tradition of exceptional dentistry. | |
| [`Pot O’ Gold Coffee`](http://www.potogoldcoffee.com) | 25/02/2024 | Pot O’ Gold was founded by Larry Jones in 1986 with the dream of providing the very best coffee, equipment and service to the office environment. Since then, we’ve grown to become the largest independent office coffee service in Washington state, expanding to include more than just coffee. Whatever you need for your office breakroom, whether it’s carbonated water coolers or delicious snacks, we’re able to supply you with it. Regardless of the size and demands of your office, we have a uniquely-suited program to meet it. We champion our customers’ needs, maintain quality relationships, and supply personal service recommendations uniquely suited to each individual client. We install commercial coffee brewing equipment (fresh brew, thermal, single cup, semi-auto espresso and fully-auto espresso equipment) in offices throughout the Puget Sound region. We provide routine cleaning and maintenance to this equipment while checking inventory and delivering quality coffee and related products. Over the years, we’ve gained considerable knowledge in the storing, brewing, serving and presentation of high-end coffees for an office environment. Everyone at Pot O’ Gold Coffee Service accepts the responsibilities involved with offering high-quality coffees on an institutional level. Our genuine commitment to provide true value and quality is supported by our investment in futuristic brewing designs and our comprehensive service programs | |
| [`MPM Medical Supply`](http://www.mpmmedicalsupply.com) | 02/01/2024 | MPM Medical Supply is a state of the art medical distributor. Recognized for Superior service, low prices and innovative value-added solutions – MPM Medical Supply is dedicated to helping our customers practice high-quality healthcare. From hospitals and surgery centers to physician offices we are dedicated to serving your needs. As the healthcare industry is faced with the challenges of having to do more with less – we are committed to helping you reduce costs without sacrificing the quality of care. Our relationships with Industry leading healthcare manufacturers are an important part of our success. We only partner with manufacturers who have the knowledge and expertise to provide you with the quality products, superior service and innovative solutions you deserve. At MPM Medical Supply, we are dedicated to helping our customers manage cost and practice high-quality healthcare without cutting care. We do this through superior service, low prices, and innovative value added solutions. We're a trusted medical distributor serving hospitals, surgery centers and physician offices for 20+ years. | |
| [`NeoDomos`](http://www.neodomos.fr) | 08/11/2023 | NeoDomos, a broker specializing in real estate insurance for over a decade, has been trusted by more than 500 property management clients in the field of unpaid rent insurance in the Marseille, Aix en Provence and regional sectors. PACA and at the national level. Our added value lies in the negotiation of guarantees, solvency and the rate of your unpaid rent contract as well as services linked to other types of lessor protection that we offer. Real Estate Insurance Broker in Aix en Provence, this is the profession whose values we are proud to have carried for many years, in our brokerage firm on a human scale. Ideally located near Aix city center and motorway access, more than 10 years of experience have allowed us to guarantee our clients professional brokerage solutions for the world of Real Estate. We are in fact able to negotiate the best guarantees with numerous French and international insurance companies. Our status as a broker allows us in particular to place ourselves on the client side, in order to analyze all of your needs and determine among all the market offers, those which will best meet your situation. | |
| [`APERS`](http://www.apers13.com) | 03/11/2023 | A.P.E.R.S is a 1901 law association agreed with the Ministry of Justice and authorized by the judicial courts of Aix en Provence and Tarascon. It is developing geographically across the entire extent of these two jurisdictions for the victim support service and within the jurisdiction of the Aix-en-Provence TJ for the judicial activity service. The association is responsible for caring for victims in 97 municipalities that make up the 119 municipalities of Bouches-du-Rhône, or approximately more than 900,000 inhabitants. It began operating exclusively with volunteers for the execution of judicial mandates (judicial checks and personality investigations). The necessary professionalization of the workers subsequently led it to hire socio-judicial workers, social workers, victim receptionists and clinical psychologists. In 1991, the victim support service and the criminal mediation service were created. The A.P.E.R.S is authorized by the Ministry of Justice and operates within the jurisdiction of the judicial courts of Aix en Provence (since 1980) and Tarascon (since 1997). Helping victims is today one of the priorities of judicial policies. These now give victims a set of rights. The A.P.E.R.S victim assistance service supports all victims of criminal offenses, natural disasters, collective accidents or attacks and all victims of particularly traumatic violent situations. | |
| [`TransTerra`](http://www.transterra.nl) | 16/09/2023 | Transterra Polska Sp. z o.o. is a dynamic international transport company, which is specialized in international trucking. In 2004 we started our activities and each year we realize a steady pace of growth. In the meantime we have grown until a fleet of 82 units and there are still lots of perspectives and challenges for further development in the future. Raymond Stolk started the company with a fleet existing of five trucks. The focus was on long-distance trailer transport between ports and train terminals throughout Europe and Scandinavia. In 2010 we reached the number of 30 running trucks. In 2015 we started our activities in ADR bulk and foodstuffs with the first five ADR equipped trucks with compressors. In the following years we will grow this new service. We are experiencing steady growth and this year our fleet consists of 65 trucks of the brands MAN, VOLVO, IVECO and MERCEDES with an average age of 3 years and EURO 6 certification. | |
| [`Marston Domsel`](http://www.marston-domsel.com) | 16/09/2023 | Decades of experience have made MARSTON-DOMSEL a household name in the industry. We will continue to aim for the continuous optimisation of our product range in the future so that we can continue to set standards for functionality and performance. Problems are solved in collaboration with competent technicians, not just in Germany but also worldwide. All internationally acquired experience is incorporated together with research results to the benefit of the customer. The manufacturing facilities fulfil all relevant international standards. Due to optimised manufacturing processes, MARSTON-DOMSEL can pass on the benefits of cost-effective production to the customer. We have our own laboratory in which we perform customer-specific tests such as resistance tests, elasticity measurements, tension measurements, temperature tests and viscosity measurements. | |
↪️ More victims [here](/group/ciphbit?id=posts)
---
## **cloak**
🔎 `ransomware.live` has an active parser for indexing cloak's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| 403 Forbidden | 🟢 | 30/07/2024 02:12 | `http://cloak7jpvcb73rtx2ff7kaw2kholu7bdiivxpzbhlny4ybz75dpxckqd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/cloak)
#### **Negotiation chats**
| Name | Link |
|---|---|
|20230802-2| 💬 |
|20230802| 💬 |
### _Total Attacks Over Time_

### _Victims_
> 77 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Kalaswire.com`](https://google.com/search?q=Kalaswire.com) | 27/07/2024 | Country: USA | |
| [`Hv*************.de`](https://google.com/search?q=Hv%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A.de) | 22/07/2024 | Country: germany | |
| [`We*******.com`](https://google.com/search?q=We%2A%2A%2A%2A%2A%2A%2A.com) | 22/07/2024 | Country: United Kingdom | |
| [`Ka******.com`](https://google.com/search?q=Ka%2A%2A%2A%2A%2A%2A.com) | 22/07/2024 | Country: USA | |
| [`upcli.com`](https://google.com/search?q=upcli.com) | 15/07/2024 | Country: USA | |
| [`Vi*********.dk`](https://google.com/search?q=Vi%2A%2A%2A%2A%2A%2A%2A%2A%2A.dk) | 15/07/2024 | Country: Denmark | |
| [`Abileneisd.org`](https://google.com/search?q=Abileneisd.org) | 04/07/2024 | Country: USA | |
| [`Dun*****************uk`](https://google.com/search?q=Dun%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2Auk) | 04/07/2024 | Country: United Kingdom | |
| [`P********.pl`](https://google.com/search?q=P%2A%2A%2A%2A%2A%2A%2A%2A.pl) | 30/06/2024 | Country: Poland | |
| [`Unit*****************.com`](https://google.com/search?q=Unit%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A.com) | 30/06/2024 | Country: USA | |
↪️ More victims [here](/group/cloak?id=posts)
---
## **clop**
> Clop is a ransomware family that appends the .clop extension to the victim's files after encrypting them. Another characteristic unique to Clop is the string "Dont Worry C|0P" included in its ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and remove Microsoft Security Essentials in order to avoid user-space detection.
🔎 `ransomware.live` has an active parser for indexing clop's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://ekbgzchl6x2ias37.onion` | ❌ |
| DDOS Protection | 🟢 | 30/07/2024 02:13 | `http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion` | 📸 |
| TORRENT - CL0P^_- LEAKS | 🔴 | 15/07/2024 19:46 | `http://toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion` | 📸 |
#### **External information**
- https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html
- https://asec.ahnlab.com/en/19542/
- https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf
- https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/
- https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation
- https://github.com/Tera0017/TAFOF-Unpacker
- https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md
- https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/
- https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/
- https://securelist.com/modern-ransomware-groups-ttps/106824/
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/
- https://twitter.com/darb0ng/status/1338692764121251840
- https://unit42.paloaltonetworks.com/clop-ransomware/
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
- https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks
- https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/
- https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/
- https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/
- https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/
- https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/
- https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/
- https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
- https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2
- https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
- https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
- https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/
- https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do
- https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot
- https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics
- https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e
- https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26
- https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/
- https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
- https://www.secureworks.com/research/threat-profiles/gold-tahoe
- https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html
- https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672
- https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546
- https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824
- https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop
- https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever
- https://www.youtube.com/watch?v=PqGaZgepNTE
- https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/
- https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
#### **Ransom note**
* [📝 3 ransom notes](notes/clop)
### _Total Attacks Over Time_

### _Victims_
> 530 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`SOLOMONUS.COM`](https://google.com/search?q=SOLOMONUS.COM) | 25/07/2024 | _URL_ | 📸 |
| [`CIFSOLUTIONS.COM`](https://google.com/search?q=CIFSOLUTIONS.COM) | 23/06/2024 | | 📸 |
| [`NJORALSURGERY.COM`](https://google.com/search?q=NJORALSURGERY.COM) | 12/06/2024 | | 📸 |
| [`UNICRED.COM.AR`](https://www.UNICRED.COM.AR) | 30/05/2024 | Unicred - Cooperativa de Credito y Vivienda | 📸 |
| [`EMPIRECOMFORT.COM`](https://www.EMPIRECOMFORT.COM) | 24/05/2024 | Home - Empire Comfort Systems | 📸 |
| [`PRIMARYSYS.COM`](https://www.PRIMARYSYS.COM) | 17/05/2024 | Home - My Site | 📸 |
| [`COMPEXLEGAL.COM`](https://www.COMPEXLEGAL.COM) | 04/05/2024 | The #1 Medical Record Retrieval Service - Compex Legal Services | 📸 |
| [`PINNACLEENGR.COM`](https://www.PINNACLEENGR.COM) | 01/05/2024 | Pinnacle Engineering - Your Partner in Offshore Success | |
| [`MCKINLEYPACKAGING.COM`](https://www.MCKINLEYPACKAGING.COM) | 01/05/2024 | McKinley Packaging | |
| [`PILOTPEN.COM`](https://www.PILOTPEN.COM) | 01/05/2024 | Welcome To Pilot Pen Global Landing Page | |
↪️ More victims [here](/group/clop?id=posts)
---
## **conti**
> Conti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other systems. It was first observed in 2020 and is thought to be led by a Russia-based cybercrime group that goes by the pseudonym Wizard Spider. In early May 2022, the US government announced a reward of up to $10 million for information on the Conti ransomware gang.
_`livechat host contirecj4hbzmyzuydyzrvm2c65blmvhoj2cvf25zqj2dwrrqcq5oad.onion`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| CONTI.News | 🔴 | 22/06/2022 06:25 | `http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion` | ❌ |
| Access Blocked | 🔴 | 30/03/2024 16:43 | `http://continews.click` | 📸 |
| Error Response Page | 🔴 | 23/11/2022 12:36 | `http://continews.bz` | ❌ |
#### **External information**
- http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/
- https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
- https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/
- https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed
- https://arcticwolf.com/resources/blog/karakurt-web
- https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf
- https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked
- https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/
- https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
- https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware
- https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles
- https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html
- https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html
- https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger
- https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/
- https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html
- https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html
- https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html
- https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html
- https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html
- https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my
- https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/
- https://damonmccoy.com/papers/Ransomware_eCrime22.pdf
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf
- https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/
- https://github.com/EmissarySpider/ransomware-descendants
- https://github.com/TheParmak/conti-leaks-englished
- https://github.com/cdong1012/ContiUnpacker
- https://github.com/whichbuffer/Conti-Ransomware-IOC
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf
- https://intel471.com/blog/conti-emotet-ransomware-conti-leaks
- https://intel471.com/blog/conti-leaks-cybercrime-fire-team
- https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding
- https://intel471.com/blog/shipping-companies-ransomware-credentials
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
- https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/
- https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/
- https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf
- https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/
- https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b
- https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8
- https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd
- https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65
- https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/
- https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/
- https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/
- https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/
- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
- https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/
- https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
- https://redcanary.com/blog/intelligence-insights-november-2021/
- https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/
- https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/
- https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098
- https://securelist.com/luna-black-basta-ransomware/106950
- https://securelist.com/modern-ransomware-groups-ttps/106824/
- https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html
- https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html
- https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/
- https://share.vx-underground.org/Conti/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://thedfirreport.com/2021/05/12/conti-ransomware/
- https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
- https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://thehackernews.com/2022/05/malware-analysis-trickbot.html
- https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/
- https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/
- https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
- https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/
- https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/
- https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/
- https://twitter.com/AltShiftPrtScn/status/1350755169965924352
- https://twitter.com/AltShiftPrtScn/status/1417849181012647938
- https://twitter.com/AltShiftPrtScn/status/1423188974298861571
- https://twitter.com/TheDFIRReport/status/1498642512935800833
- https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
- https://unit42.paloaltonetworks.com/conti-ransomware-gang/
- https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/
- https://us-cert.cisa.gov/ncas/alerts/aa21-265a
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations
- https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
- https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir
- https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
- https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups
- https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement
- https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573
- https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/
- https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/
- https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/
- https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/
- https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/
- https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/
- https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/
- https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
- https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/
- https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/
- https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
- https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf
- https://www.connectwise.com/resources/conti-profile
- https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
- https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
- https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked
- https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
- https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware
- https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/
- https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
- https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/
- https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/
- https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html
- https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months
- https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
- https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
- https://www.ic3.gov/Media/News/2021/210521.pdf
- https://www.ironnet.com/blog/ransomware-graphic-blog
- https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf
- https://www.mbsd.jp/research/20210413/conti-ransomware/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf
- https://www.prevailion.com/what-wicked-webs-we-unweave/
- https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf
- https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf
- https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia
- https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures
- https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships
- https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one
- https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/
- https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- https://www.threatstop.com/blog/conti-ransomware-source-code-leaked
- https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf
- https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti
- https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider
- https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks
- https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1
- https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2
- https://www.youtube.com/watch?v=cYx7sQRbjGA
- https://www.youtube.com/watch?v=hmaWy9QIC7c
- https://www.youtube.com/watch?v=uORuVVQzZ0A
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
- https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks
- https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/
#### **Ransom note**
* [📝 4 ransom notes](notes/conti)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20201017| 💬 |
|20201019| 💬 |
|20201109| 💬 |
|20201121| 💬 |
|20201230| 💬 |
|20210107| 💬 |
|20210126| 💬 |
|20210219| 💬 |
|20210305| 💬 |
|20210315| 💬 |
|20210316| 💬 |
|20210426| 💬 |
|20210428| 💬 |
|20210513| 💬 |
|20210517| 💬 |
|20210517.b| 💬 |
|20210520| 💬 |
|20210602| 💬 |
|20210611| 💬 |
|20210628| 💬 |
|20210708| 💬 |
|20210715| 💬 |
|20210805| 💬 |
|20210812| 💬 |
|20210820| 💬 |
|20210902| 💬 |
|20210904| 💬 |
|20210923| 💬 |
|20211108| 💬 |
|20211112| 💬 |
|20211205| 💬 |
|20211217| 💬 |
### _Total Attacks Over Time_

### _Victims_
> 333 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Alliance Steel`](https://google.com/search?q=Alliance+Steel) | 07/06/2022 | | |
| [`LCRD`](https://google.com/search?q=LCRD) | 25/05/2022 | | |
| [`The Contact Company`](https://google.com/search?q=The+Contact+Company) | 25/05/2022 | | |
| [`Central Restaurant Products`](https://google.com/search?q=Central+Restaurant+Products) | 24/05/2022 | | |
| [`Schaumburg Park District`](https://google.com/search?q=Schaumburg+Park+District) | 24/05/2022 | | |
| [`RateGain`](https://google.com/search?q=RateGain) | 24/05/2022 | | |
| [`Imenco AS`](https://google.com/search?q=Imenco+AS) | 23/05/2022 | | |
| [`Concepts in Millwork`](https://google.com/search?q=Concepts+in+Millwork) | 23/05/2022 | | |
| [`Eurofred`](https://google.com/search?q=Eurofred) | 23/05/2022 | | |
| [`Agile Sourcing Partners`](https://google.com/search?q=Agile+Sourcing+Partners) | 23/05/2022 | | |
↪️ More victims [here](/group/conti?id=posts)
---
## **cooming**
_`previous clearnet domain coomingproject.com`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| CoomingProject announcement | 🔴 | 04/02/2022 23:26 | `http://z6mikrtphid5fmn52nbcbg25tj57sowlm3oc25g563yvsfmygkcxqbyd.onion` | ❌ |
| none | 🔴 | 01/05/2021 00:00 | `http://teo7aj5mfgzxyeme.onion` | ❌ |
### _Victims_
> no victim found
---
## **crosslock**
🔎 `ransomware.live` has an active parser for indexing crosslock's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Cross Lock - Data leak | 🔴 | 27/07/2023 21:16 | `http://crosslock5cwfljbw4v37zuzq4talxxhyavjm2lufmjwgbpfjdsh56yd.onion` | 📸 |
#### **External information**
- https://twitter.com/1ZRR4H/status/1648232869809078273
### _Total Attacks Over Time_

### _Victims_
> 1 victim found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`validcertificadora.com.br`](https://google.com/search?q=validcertificadora.com.br) | 17/04/2023 | VALID Certificadora Digital Ltda is a company that operates in the Farming industry. It employs 501-1,000 people and has $100M-$250M of revenue. The company is headquartered in São Paulo, Sp, Braz... | 📸 |
---
## **crylock**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://d57uremugxjrafyg.onion` | ❌ |
#### **External information**
- https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html
- https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/
- https://hackmag.com/security/ransomware-russian-style/
- https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/
- https://securelist.com/cis-ransomware/104452/
- https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/
- https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/
- https://twitter.com/albertzsigovits/status/1217866089964679174
- https://twitter.com/bartblaze/status/1305197264332369920
- https://twitter.com/demonslay335/status/971164798376468481
- https://unit42.paloaltonetworks.com/trigona-ransomware-update/
- https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx
- https://www.telekom.com/en/blog/group/article/lockdata-auction-631300
### _Victims_
> no victim found
---
## **cryp70n1c0d3**
_`not a ransomware group, also ref 7k4y[...]7eid.onion/documents.html`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| -*- CRYP70N1C0D3 Team -*- | 🔴 | 31/12/2022 15:21 | `http://7k4yyskpz3rxq5nyokf6ztbpywzbjtdfanweup3skctcxopmt7tq7eid.onion` | 📸 |
### _Victims_
> 11 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`iima.ac.in`](https://google.com/search?q=iima.ac.in) | 18/12/2021 | | |
| [`hislopcollege.ac.in`](https://google.com/search?q=hislopcollege.ac.in) | 18/12/2021 | | |
| [`oppodigital.in`](https://google.com/search?q=oppodigital.in) | 18/12/2021 | | |
| [`nals.in`](https://google.com/search?q=nals.in) | 18/12/2021 | | |
| [`albatross.co.in`](https://google.com/search?q=albatross.co.in) | 18/12/2021 | | |
| [`suriyanar.com`](https://google.com/search?q=suriyanar.com) | 18/12/2021 | | |
| [`shinyoko-porno.com`](https://google.com/search?q=shinyoko-porno.com) | 18/12/2021 | | |
| [`toxicsites.us`](https://google.com/search?q=toxicsites.us) | 18/12/2021 | | |
| [`antistatik-esd-cozumler.com.tr`](https://google.com/search?q=antistatik-esd-cozumler.com.tr) | 18/12/2021 | | |
| [`paknavy.gov.pk`](https://google.com/search?q=paknavy.gov.pk) | 18/12/2021 | | |
↪️ More victims [here](/group/cryp70n1c0d3?id=posts)
---
## **cryptbb**
🔎 `ransomware.live`has an active parser for indexing cryptbb's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Home | 🔴 | 20/09/2023 03:17 | `http://crypuglupv3bsqnbt5ruu5lgwrwoaojscwhuoccbmbzmcidft5kiccqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 8 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`ToyotaLift Northeast`](https://google.com/search?q=ToyotaLift+Northeast) | 16/08/2023 | Offering forklifts, aerial work platforms, lift trucks, & material handling equipment by Toyota industrial equipment, Raymond, Skyjack, Genie, JLG, Clark. ToyotaLift Northeast is the best place to find high-quality new and used lift trucks. We are a full service material handling equipment dealership at all seven of our locations (PA, NJ, DE, MD and NY) offering forklift sales, service, parts, rental, OSHA forklift training and safety education. Our goal is to provide services that match the high quality standards of the Toyota forklift products; services that will be unmatched in the greater Philadelphia, New Jersey, New York, Delaware and Maryland areas. www.toyotaliftne.com | 📸 |
| [`Aspect Structural Engineers`](https://aspectengineers.com) | 15/08/2023 | Creativity I Excellence I Pragmatism. We are problem solvers and purveyors of thoughtful design for structures big and small. Aspect provides state-of-the-art structural engineering service with the personalized attention that comes from being a small, young firm. We aim to innovate, while always staying mindful of project schedules and budgets. Prefabrication & modular construction are important tools in helping to achieve these objectives. We are experienced with the constraints involved, and know first hand of the design intricacies, and advantages, these types of systems can represent. We also believe that when appropriate, structure = architecture. A holistic approach to building design can gain efficiencies on all fronts, creating structure that doubles as ductwork, structure that conceals sprinkler pipes and structure that is meant to be seen. https://aspectengineers.com/ | 📸 |
| [`Danbury Public Schools`](https://danbury.k12.ct.us) | 01/08/2023 | Danbury Public Schools is a school district headquartered in Danbury, Connecticut. In 2006 Eddie Davis retired from being superintendent. Salvatore Pascarella succeeded Davis that year. https://www.danbury.k12.ct.us/ | 📸 |
| [`KIRWIN FRYDAY MEDCALF Lawyers LLP`](https://google.com/search?q=KIRWIN+FRYDAY+MEDCALF+Lawyers+LLP) | 06/07/2023 | The company provide a full range of services in real estate law including residential and commercial sales, purchases and mortgages. The firm also provides comprehensive services in the corporate commercial area including incorporation of businesses, both large and small, acquisition and sales of small businesses and generally assisting our clientele to grow and prosper | 📸 |
| [`Jeff Wyler Automotive Family, Inc.`](https://wyler.com) | 04/07/2023 | When you're looking for a new car or need to have your car serviced, come visit Jeff Wyler, one of the top rated car dealers in Ohio, Kentucky, and Indiana. Whether you are looking to buy a new or used vehicle in Cincinnati, Dayton, Columbus or Louisville, need to have service completed on your vehicle, need auto parts and accessories, or body work that needs attention... You can trust your decision when you choose any one of our Jeff Wyler Dealerships. Our dealership reviews and testimonials attest to our long standing reputation, and we invite you to join the Jeff Wyler Family dealerships. https://wyler.com/ | 📸 |
| [`Polanglo`](https://polanglo.pl) | 04/07/2023 | Polanglo SP. z O.o. is a network of bookstores and wholesalers operating since 1991 with an educational and language profile. Thanks to the dynamic development, we have been appreciated by the largest university publishing house in the world – Oxford University Press. The Oxford University Press authorities have granted us the exclusive right to import our English Language Teaching materials into Poland, and we make every effort to make Oxford University Press language publications available throughout Poland. https://www.polanglo.pl/ | 📸 |
| [`CON-STRUCT`](https://constructiowa.com) | 28/06/2023 | Con-struct, Inc. proudly serves all heavy construction needs in Central Iowa, including Ames, Story County, Marshall County, and surrounding areas. https://constructiowa.com | 📸 |
| [`P1 Technical Services`](https://google.com/search?q=P1+Technical+Services) | 03/04/2022 | http://p1-tech.com/ P1 Technical Services has been serving the commercial industry by providing expert design, installation, support and maintenance of low voltage infrastructures since 1984. P1 creates cost effective, single-source hardware and service solutions to meet our customer’s individual needs by applying our expertise in Network Design, Routing and Switching, Wireless, Local and Wide Area Networks, VOIP, Structured Cabling, Access Control, Sound Masking and Paging, Video Conferencing, IP Camera Systems, RFID Tracking, Audio Visual Systems, Patient Monitoring, Intercom and Telephone Entry Systems. | 📸 |
---
## **cryptnet**
> According to OALabs, this ransomware has the following features:
> - Files are encrypted with AES-CBC using a generated 256-bit key and IV.
> - The generated AES keys are encrypted using a hard-coded RSA key and appended to the encrypted files.
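The scheme summarized above, written out as an added Go example. This is illustrative code, not CryptNet's implementation and not code from the OALabs write-up: a fresh AES-256 key and IV per file, AES-CBC over the padded plaintext, the key material wrapped with an RSA public key and appended to the ciphertext. It also includes the two pieces a responder actually wants next to that description: a key-free parser that carves the wrapped blob back out of an encrypted file, and the recovery routine that only works with the RSA private key. The trailer layout (wrapped blob followed by a 4-byte length), RSA-OAEP with SHA-256, the PKCS#7 padding, and the names `NewDemoKey`, `EncryptFile`, `SplitTrailer` and `DecryptFile` are assumptions made for this example; the page does not document CryptNet's real file format or padding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout (an assumption for this example, not CryptNet's real format): ciphertext || RSA-OAEP-SHA256(aesKey || iv) || uint32 big-endian length of the wrapped blob.
const keyLen = 32 // 256-bit AES key as in the OALabs summary; OAEP/SHA-256 is assumed

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("padded data is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// NewDemoKey stands in for the operator's hard-coded RSA key pair.
func NewDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptFile: fresh AES key and IV per file, AES-CBC over padded plaintext, key material wrapped with the RSA public key and appended.
func EncryptFile(plaintext []byte, pub *rsa.PublicKey) ([]byte, error) {
	keyMaterial := make([]byte, keyLen+aes.BlockSize) // key followed by IV
	if _, err := rand.Read(keyMaterial); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(keyMaterial[:keyLen]) // fixed 32-byte key: cannot fail
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, keyMaterial[keyLen:]).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
	if err != nil {
		return nil, err
	}
	var trailerLen [4]byte
	binary.BigEndian.PutUint32(trailerLen[:], uint32(len(wrapped)))
	return append(append(ct, wrapped...), trailerLen[:]...), nil
}

// SplitTrailer separates ciphertext from the wrapped-key blob without any key: the triage step that lets a responder carve the blob out of an encrypted file and keep it.
func SplitTrailer(blob []byte) (ct, wrapped []byte, err error) {
	if len(blob) < 4 {
		return nil, nil, errors.New("file too short for a trailer")
	}
	n := int(binary.BigEndian.Uint32(blob[len(blob)-4:]))
	body := blob[:len(blob)-4]
	if n == 0 || n > len(body) {
		return nil, nil, errors.New("trailer length out of range")
	}
	return body[:len(body)-n], body[len(body)-n:], nil
}

// DecryptFile is the recovery side: only the RSA private key holder can unwrap the per-file AES key, which is the entire leverage of the scheme.
func DecryptFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	ct, wrapped, err := SplitTrailer(blob)
	if err != nil {
		return nil, err
	}
	keyMaterial, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	if len(keyMaterial) != keyLen+aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed key material or ciphertext")
	}
	block, _ := aes.NewCipher(keyMaterial[:keyLen]) // length checked above: cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, keyMaterial[keyLen:]).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	priv, _ := NewDemoKey() // demo only; error handling omitted here
	sample := []byte("constructed sample document contents") // constructed input, not victim data
	enc, err := EncryptFile(sample, &priv.PublicKey)
	if err != nil {
		panic(err)
	}
	ct, wrapped, _ := SplitTrailer(enc)
	dec, err := DecryptFile(enc, priv)
	fmt.Printf("ciphertext %d bytes, wrapped key %d bytes, recovered: %v\n", len(ct), len(wrapped), err == nil && bytes.Equal(dec, sample))
}
```

Go is used because its standard library covers AES-CBC, RSA-OAEP and a CSPRNG without third-party modules. The practical point for incident response is that the wrapped blob at the end of each file is the only per-file secret: keeping encrypted files intact, trailer included, preserves the option of recovery if the private key is ever released, while truncating or "cleaning" them destroys it.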
🔎 `ransomware.live`has an active parser for indexing cryptnet's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| CryptNet RECOVERY | 🔴 | 17/10/2023 19:48 | `http://cryptr3fmuv4di5uiczofjuypopr63x2gltlsvhur2ump4ebru2xd3yd.onion` | 📸 |
| CryptNet NEWS | 🔴 | 17/10/2023 19:49 | `http://blog6zw62uijolee7e6aqqnqaszs3ckr5iphzdzsazgrpvtqtjwqryid.onion` | 📸 |
#### **External information**
- https://research.openanalysis.net/dotnet/cryptnet/ransomware/2023/04/20/cryptnet.html
#### **Ransom note**
* [📝 1 ransom note](notes/cryptnet)
### _Total Attacks Over Time_

### _Victims_
> 2 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Export Hub`](https://www.exporthub.com) | 19/04/2023 | ExportHub Ltd. is committed to safeguarding its users' privacy. We request all our users to read the following 'privacy policy' to understand how their personal & business information will be treated, as they make full use of our services to their benefit. This policy is applicable only to the entire network of marketplaces operated by EH and not by any other company. ExportHub's primary goal in collecting personal or public information is to provide the user with a customized experience on our network of sites. This includes personalized services, interactive communication and other services, most of which are completely free and remaining are paid. Business information is used to display the user's business listing or product offerings across our network to fetch maximum business opportunities for the user.... | 📸 |
| [`Urban Import`](https://www.urbanimport.com) | 19/04/2023 | Urban Import was established in 2001 by fellow automotive enthusiasts to provide customers with an unrivaled selection of top quality aftermarket automotive parts. After cementing our presence as an eBay Power Seller, we launched our first online retail site carrying some of the top performance brands of the time. As the aftermarket performance industry began to boom, Urban Import focused on expanding its lineup by securing exclusive distributorship of the D2 Racing brand in North America.... | 📸 |
---
## **cuba**
🔎 `ransomware.live`has an active parser for indexing cuba's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://cuba4mp6ximo2zlo.onion` | ❌ |
| Cuba | 🔴 | 08/02/2024 10:44 | `http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion` | 📸 |
#### **External information**
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf
- https://digital.nhs.uk/cyber-alerts/2021/cc-3855
- https://www.ic3.gov/Media/News/2021/211203-2.pdf
#### **Ransom note**
* [📝 1 ransom note](notes/cuba)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 104 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`dms-imaging`](https://google.com/search?q=dms-imaging) | 01/02/2024 | DMS is a French industrial company specialized in digital radiology, with an international reach, and recognized as a key actor and an indispensable partner in creating value through the quality of our solutions as well as our... | |
| [`deknudtframes.be`](https://google.com/search?q=deknudtframes.be) | 18/01/2024 | Our teamOur team in Deerlijk consists of enthusiastic and motivated people with passion for their profession. The management, sales, logistics, purchasing, accounting, customer service and marketing are ready for you on a daily... | 📸 |
| [`diagnostechs`](https://google.com/search?q=diagnostechs) | 14/11/2023 | HistoryEstablished in 1987, DiagnosTechs was the first laboratory to introduce saliva hormone testing into routine clinical practice. In 1995, DiagnosTechs added saliva and stool-based gastrointestinal and food sensitivity testing,... | |
| [`portadelaidefc`](https://google.com/search?q=portadelaidefc) | 13/11/2023 | PORT ADELAIDE is renowned for setting the bar high and expecting success, and the club’s latest strategic vision embraces that expectation.Unveiled at the club’s Annual General Meeting on Friday night, Chasing Greatness is... | |
| [`panaya`](https://google.com/search?q=panaya) | 07/11/2023 | About PANAYAPanaya’s Change Intelligence solutions reduce the time, cost, and risk involved in change to business applications like SAP®, Oracle® EBS, and Salesforce.com. Date the files were received: 02... | |
| [`prime-art`](https://google.com/search?q=prime-art) | 07/11/2023 | For PAJ, your success is our success.Jewelry making is an art and a science. We are constantly improving and optimizing our skills while integrating cutting-edge technology.By always delivering a troy grain more than anticipated, we... | |
| [`Newconcepttech`](https://google.com/search?q=Newconcepttech) | 23/10/2023 | FROM A SINGLE START-UP TO A MULTI-MILLION DOLLAR COMPANYOur prosperity is due to three interlocking factors: the first, being our customers, who have always come first.The second, our employees, who are passionate about serving our... | |
| [`mountstmarys`](https://google.com/search?q=mountstmarys) | 10/10/2023 | Mount St Mary’s is rightly proud of its extensive heritage dating back over 160 years. The original vision to educate all young people in the local area remains at the core of our work. Our mission is to ensure individual... | |
| [`co.rock.wi.us`](https://google.com/search?q=co.rock.wi.us) | 03/10/2023 | Rock County Public Health DepartmentThe Rock County Public Health Department (RCPHD) is a level III health department in Rock County, Wisconsin. Our staff serves over 160,000 people in more than 25 cities, villages, and towns. As a... | |
| [`goldmedalbakery`](https://google.com/search?q=goldmedalbakery) | 19/08/2023 | Gold Medal Bakery aspires to follow three core values in every aspect of its business.Integrity: Gold Medal has built its reputation on meeting the needs of our customers and the millions of consumers they serve. Thus, integrity is... | 📸 |
↪️ More victims [here](/group/cuba?id=posts)
---
## **cyclops**
🔎 `ransomware.live`has an active parser for indexing cyclops's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Blog - Knight | 🔴 | 13/10/2023 15:19 | `http://nt3rrzq5hcyznvdkpslvqbbc2jqecqrinhi5jtwoae2x7psqtcb6dcad.onion` | 📸 |
| Please wait... | 🔴 | 14/02/2024 07:43 | `http://knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 7 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`important information(Knight)`](https://google.com/search?q=important+information%EF%BC%88Knight%EF%BC%89) | 26/07/2023 | We are about to close the old panel and blog and in version 2. 0 we renamed it Knight. We are releasing the new panel and program this week.We are still recruiting new teams, but you must have enough experience. We have a major update in version 2.0 and our only contact TOX:9096AD7062A4232F5AA31C2F7C4DF0AC1EAD10B78D40A6A3328AD142A42B555E635954D8B6C5 | |
| [`Pechexport`](https://google.com/search?q=Pechexport) | 20/07/2023 | Infrastructure and logistics Pêchexport is located in Majunga on a surface of 8400 m². Our premises include offices, a factory, a laboratory, storage equipment and technical workshops. We have a fleet of eight freezer trawlers, two refrigerated trucks and a fleet of vehicles transporting our products upstream.Hygiene and quality We have eight EU and CIQ (The China entry-exit Inspection and Quarantine Bureau) certified refrigerated trawlers. We have a CE-approved fish processing plant, with its HACCP (Hazard Analysis Critical Control Point) approach, a treatment capacity of 5t/day and a cold store that can store up to 300 tons. We have our own bacteriological and physico-chemical analysis laboratory approved by the Institut Pasteur. All our products are systematically tested before each shipment to guarantee the best quality to our customers.Autonomous customs procedures To facilitate the export of our products, we carry out customs procedures ourselves through our transit service autonomously and efficiently.Data:======https://anonfiles.com/[REDACTED]/VISA_ziphttps://anonfiles.com/[REDACTED]/SUIVI_2023_ziphttps://anonfiles.com/[REDACTED]/PERSONNEL_ziphttps://anonfiles.com/[REDACTED]/PROGRAMME_ETABLIR_ETAT_IR_POISSON_ziphttps://anonfiles.com/[REDACTED]/ARMEMENT_zip | |
| [`Cvlan`](https://google.com/search?q=Cvlan) | 20/07/2023 | Cvlan( Srl is a company that operates in the Information Technology and Services industry. It employs 21-50 people and has $5M-$10M of revenue.Site:========www.cvlan.itData:========https://anonfiles.com/[REDACTED]/lift_me_zip | |
| [`Superloop ISP`](https://google.com/search?q=Superloop+ISP) | 08/07/2023 | Superloop is Australia’s modern challenger telco and internet service provider that’s unleashing the unlimited possibilities of the internet. Superloop is all about experience - we're not just a utility - with a promise to be super from the ground up. We’re more tech than telco, and we deliver quality service across our consumer, business, and wholesale units.Our can-do culture will excite and ignite our customers as we deploy game-changing solutions that solve customer pain points, backed by great customer service delivered by our highly enthused team of Superloopers, who are committed to making the internet experience super. Website: ======== https://superloop.com Data: ======= http://sbibb5lw7p2sedmm3pwifopsx7ky3klxqisjbl5awgze5dk2ueuc2qqd.onion/lift_me-6.zip PASSWORD:693OK@&iCW8PYmxoE7R6TaMg9OfN29Ae http://sbibb5lw7p2sedmm3pwifopsx7ky3klxqisjbl5awgze5dk2ueuc2qqd.onion/zip file name-4.zip PASSWORD:PrNi@7L66T3x@HONyMlpa4R3Qq70jz6c https://bayfiles.com/J4qdZ0x3za PASSWORD:1$q0dz4@h*Q&I$$@igkwELCP3NDR2$dt https://bayfiles.com/J4L6Y5x2zc PASSWORD:qx6uTel$O2lLGZGeUU0yNfiEy6eh%lpU | |
| [`Guatemala Military Intelligence Directorate`](https://google.com/search?q=Guatemala+Military+Intelligence+Directorate) | 30/06/2023 | The Guatemalan Armed Forces (Fuerzas Armadas de Guatemala) consists of the National Army of Guatemala (Ejercito Nacional de Guatemala, ENG), the Guatemalan National Defense Navy (Marina de la Defensa Nacional, includes Marines), the Guatemalan Air Force (Fuerza Aerea Guatemalteca, FAG), and the Presidential Honor Guard (Guardia de Honor Presidencial).The Ministry of National Defence is the agency of the Guatemalan government responsible for the budget, training and policy of the armed forces. Based in Guatemala City, the Defence Ministry is heavily guarded, and the President of Guatemala frequently visits. As of 2017 the Minister of National Defence is Major General Luis Miguel Ralda Moreno.The Minister of Defense is responsible for policy. Day-to-day operations are the responsibility of the military chief of staff and the national defense staff.Data:===========https://anonfiles.com/[REDACTED]/diemdn_mil_gt_zip | |
| [`ALTARGRUP`](https://google.com/search?q=ALTARGRUP) | 29/06/2023 | Within the roof of Altar Group, the foundations of which were laid in 2012; We operate in 6 different areas: mobile phone insurance, renewal center, domestic and foreign trade, agriculture animal husbandry, software and consultancy. As Altar Group, our corporate strategy is to expand the knowledge and experience we have gained in all areas in which we operate and to carry out studies that will benefit the environment and society. In this direction, with our team of versatile professionals, we continue to work to carry forward all the sectors we are in with a service understanding based on quality and trust in national and international dimensions. We carry out damage assessment and repair activities with the insurance service we provide to the leading companies in the electronic devices sector. In this context, we offer repair and service packages that best meet the needs and demands of consumers for devices such as smartphones and tablets, which have become one of the needs of daily life. While carrying out all these activities, our priority is to provide and maintain customer satisfaction by providing high quality and fast service. With Novo Mobil, our Ministry of Commerce approved renewal center, we examine second-hand devices with precision and perform all necessary cleaning and parts replacement processes and offer the best quality devices back to use. Thanks to this sustainable business model, we both extend the hardware life of the devices and contribute to the reduction of technological waste. We are constantly working, developing and developing with our expert team with a focus on carrying forward the expertise and knowledge we have gained since the day we were established at every stage and producing innovative projects using this information. In this process, by accurately analyzing customer demands and the needs of the market, we make our strategic planning in the best way and carry out the processes in a controlled manner. With the business intelligence software we have developed in order to make process management in the best and simplest way, we offer solutions to the market to facilitate cumbersome management and business follow-up processes. In the light of all the experiences we have gained, we offer project consultancy services with all our transparency to the companies that request it in order to gain a place in the market and to take the right steps. When we analyze the needs of the national market, we can clearly see that technological studies and investments in the field of Agriculture and Livestock are at the initial level and that the awareness of Agriculture 4.0 has not yet been established in our society. In this context, with our internet of things based device and software solutions we have developed, our studies that will increase productivity by offering the right methods and tools in both agricultural production and livestock care are in the project development and testing phase. We continue to contribute to growth and social economy by transforming all the projects we develop and carry out into services and products on a national and international scale. | |
| [`Atherfield Medical Service`](https://google.com/search?q=Atherfield+Medical+Service) | 29/06/2023 | Hospitals & Physicians Clinics · AustraliaAtherfield Medical Service has been providing health care in the Yass region for over 100 years. They are an accredited general practice.Data:===========https://anonfiles.com/[REDACTED]/Atherfield_Medical_and_Skin_Cancer_Clinic_Data_zip | |
---
## **dAn0n**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| dAn0n | 🟢 | 30/07/2024 02:14 | `http://2c7nd54guzi6xhjyqrj5kdkrq2ngm2u3e6oy4nfhn3wm3r54ul2utiqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 30 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`thesourcinggroup.com`](https://google.com/search?q=thesourcinggroup.com) | 23/07/2024 | The Sourcing Group (TSG) is a leading business process outsourcing service (BPO) provider recognized for commitment to customer satisfaction. Acquisitions & Subsidiaries: ImageX, Ray Hough, Carpe Die... | |
| [`promarkbrands.com`](https://google.com/search?q=promarkbrands.com) | 27/06/2024 | Leading manufacturer and distributor of a complete line of pro and semi-pro photo, video and audio equipment and accessories based in the Chicago suburbs in a modern 100,000 sq ft facility, promarks ... | |
| [`fifcousa.com`](https://google.com/search?q=fifcousa.com) | 17/06/2024 | Founded in 2009, FIFCO USA owns and operates breweries and retail locations in New York, Vermont, Oregon, and Washington. Their headquarters is in Rochester, New York. Subsidiaries and affiliates: La... | |
| [`S&F Concrete Contractors`](https://google.com/search?q=S%26F+Concrete+Contractors) | 23/05/2024 | | 📸 |
| [`s-f-concrete.com`](https://google.com/search?q=s-f-concrete.com) | 23/05/2024 | S&F Concrete Contractors, Inc. is committed to being an industry leader in safety and health by setting aggressive goals and continually measuring our performance. We will continually work to achieve a... | 📸 |
| [`College Park Industries`](https://google.com/search?q=College+Park+Industries) | 08/05/2024 | College Park Industries is a prosthetics manufacturing company. It designs and manufactures a full line of anatomically correct, customizable prosthetic foot systems, upper limb solutions, endoskel | 📸 |
| [`Glenwood Management`](https://google.com/search?q=Glenwood+Management) | 08/05/2024 | Glenwood Management is a property management company, providing luxury apartments throughout New York. The total size of stolen information is 1.78TB. | 📸 |
| [`Northeast Orthopedics and Sports Medicine`](https://google.com/search?q=Northeast+Orthopedics+and+Sports+Medicine) | 08/05/2024 | Northeast Orthopedics and Sports Medicine is a company that operates in the Hospital & Health Care industry. The total size of stolen information is 1.56TB. | 📸 |
| [`college-park.com`](https://google.com/search?q=college-park.com) | 08/05/2024 | College Park Industries is a prosthetics manufacturing company. It designs and manufactures a full line of anatomically correct, customizable prosthetic foot systems, upper limb solutions, endoskel... | 📸 |
| [`glenwoodnyc.com`](https://google.com/search?q=glenwoodnyc.com) | 08/05/2024 | Glenwood Management is a property management company, providing luxury apartments throughout New York. The total size of stolen information is 1.78TB. | 📸 |
↪️ More victims [here](/group/dAn0n?id=posts)
---
## **dagonlocker**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| The Chat | 🔴 | 10/11/2022 20:33 | `http://dgnh6p5uq234zry7qx7bh73hj5ht3jqisgfet6s7j7uyas5i46xfdkyd.onion` | ❌ |
#### **External information**
- https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates
- https://blogs.blackberry.com/en/2021/11/zebra2104
- https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/
- https://community.riskiq.com/article/47766fbd
- https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry
- https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/
- https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
- https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/
- https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/
- https://securityscorecard.pathfactory.com/research/quantum-ransomware
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
- https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/
- https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/
- https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/
- https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware
- https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/
- https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
- https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html
#### **Ransom note**
* [📝 1 ransom note](notes/dagonlocker)
### _Victims_
> no victim found
---
## **daixin**
🔎 `ransomware.live`has an active parser for indexing daixin's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 10/11/2022 22:30 | `http://232fwh5cea3ub6qguz3pynijxfzl2uj3c73nbrayipf3gq25vtq2r4qd.onion` | ❌ |
| Data Leak | 🟢 | 30/07/2024 02:14 | `http://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 16 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Acadian Ambulance (US)`](https://acadianambulance.com) | 22/07/2024 | Acadian Ambulance is an employee-owned private ambulance service that covers most of the state of Louisiana, a large portion of Texas, two counties in Tennessee, and one county in Mississippi. | |
| [`Dubai Municipality (UAE)`](https://www.dm.gov.ae) | 05/06/2024 | Dubai Municipality is the Government of Dubai municipal body with jurisdiction over city services and the upkeep of facilities in the Emirate of Dubai, United Arab Emirates and reports directly to the Dubai Executive Council. | |
| [`Omni Hotels & Resorts (US)`](https://www.omnihotels.com/) | 14/04/2024 | Omni Hotels & Resorts is an American privately held, international luxury hotel company based in Dallas, Texas. The company was founded in 1958 as Dunfey Hotels, and operates 50 properties in the United States, Canada, and formerly had a property in Mexico, totaling over 20,010 rooms and employing more than 23,000 people. | |
| [`Graphic Solutions Group Inc (US)`](https://gogsg.com) | 09/12/2023 | GSG digital printing technologies with a half a century of knowledge and experience in traditional sign, screen printing, embroidery and textile decorating. | |
| [`North Texas Municipal Water District (US)`](https://www.ntmwd.com/) | 28/11/2023 | The North Texas Municipal Water District (NTMWD) provides vital wholesale water, wastewater and solid waste management services to more than two million people who call North Texas their home. | |
| [`Bluewater Health (CA) and others`](https://bluewaterhealth.ca) | 02/11/2023 | Bluewater Health is a hospital in Sarnia, Ontario. The hospital now encompasses about 600,000 square feet (56,000 m2). It employs almost 1,800 staff and physicians, along with over 700 volunteers, and is Sarnia—Lambton's largest public sector employer. | |
| [`Columbus Regional Healthcare System (US)`](https://crhealthcare.org/) | 09/06/2023 | Columbus Regional Healthcare System has one of the highest volume and most experienced robotic surgical programs in Southeastern North Carolina. | |
| [`Hit Promotional Products (US)`](https://www.hitpromo.net) | 29/03/2023 | Hit Promotional Products has been a leader in the promotional product industry. As a family-owned business with a long history, Hit Promotional want to build real relationships. | |
| [`B&G Foods (CA, US)`](https://bgfoods.com/) | 11/02/2023 | B&G Foods, Inc. manufactures, sells, and distributes a portfolio of shelf-stable and frozen foods, and household products in the United States, Canada, and Puerto Rico. | |
| [`Guardian Analytics (US)`](https://guardiananalytics.com) | 20/01/2023 | Guardian Analytics is now a part of NICE Actimize, a business of NICE (Nasdaq:NICE). Consistently ranked as number one in the space, NICE Actimize is the largest and broadest provider of financial crime, risk and compliance solutions for regional and global financial institutions, as well as government regulators. With Guardian Analytics, financial institutions build trust, increase competitiveness, improve their customer experience, and scale operations. | |
↪️ More victims [here](/group/daixin?id=posts)
---
## **darkangels**
_`accessing over HTTP returns open dir 29/5/22, 89.38.225.166`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Home | 🔴 | 18/07/2022 23:41 | `http://wemo2ysyeq6km2nqhcrz63dkdhez3j25yw2nvn7xba2z4h7v7gyrfgid.onion` | ❌ |
#### **Ransom note**
* [📝 1 ransom note](notes/darkangels)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **darkbit**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Error | 🔴 | 15/02/2023 10:43 | `http://iw6v2p3cruy7tqfup3yl4dgt4pfibfa3ai4zgnu5df2q3hus3lm7c7ad.onion` | 📸 |
#### **External information**
- https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel
- https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware-Windows-DarkBit/README.md
- https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/
- https://twitter.com/luc4m/status/1626535098039271425
- https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/
#### **Ransom note**
* [📝 1 ransom note](notes/darkbit)
### _Victims_
> no victim found
---
## **darkleakmarket**
_`marketplace - not a ransomware group, reputation questionable`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Dark Leak Market | 🔴 | 07/10/2021 16:14 | `http://54rdhzjzc4ids4u4wata4zr4ywfon5wpz2ml4q3avelgadpvmdal2vqd.onion` | ❌ |
| Dark Road Market - Carded eletronics, hacked walle | 🔴 | 09/05/2024 02:37 | `http://aby6efzmp7jzbwgidgqc6ghxi2vwpo6d7eaood5xuoxutrfofsmzcjqd.onion` | 📸 |
| Dark Leak Market | 🔴 | 25/07/2024 02:46 | `http://darklmmmfuonklpy6s3tmvk5mrcdi7iapaw6eka45esmoryiiuug6aid.onion` | 📸 |
| Dark Leak Market | 🟢 | 30/07/2024 02:15 | `http://darkleakyqmv62eweqwy4dnhaijg4m4dkburo73pzuqfdumcntqdokyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 39 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Huge iCloud Nudes Leak`](https://google.com/search?q=Huge+iCloud+Nudes+Leak) | 25/05/2022 | | |
| [`Xplay Data Leak`](https://google.com/search?q=Xplay+Data+Leak) | 18/05/2022 | | |
| [`DDC Data Leak`](https://google.com/search?q=DDC+Data+Leak) | 21/04/2022 | | |
| [`Panasonic data breach`](https://google.com/search?q=Panasonic+data+breach) | 21/04/2022 | | |
| [`Volvo data breach`](https://google.com/search?q=Volvo+data+breach) | 21/04/2022 | | |
| [`UKG Kronos Data Leak`](https://google.com/search?q=UKG+Kronos+Data+Leak) | 21/04/2022 | | |
| [`T Mobile Data Leak Dec-2021`](https://google.com/search?q=T+Mobile+Data+Leak+Dec-2021) | 21/04/2022 | | |
| [`US Cellular data leak Dec-2021`](https://google.com/search?q=US+Cellular+data+leak+Dec-2021) | 21/04/2022 | | |
| [`Major indian cryptocurrency Data Leak`](https://google.com/search?q=Major+indian+cryptocurrency+Data+Leak) | 21/04/2022 | | |
| [`Indian Aadhar data & software.`](https://google.com/search?q=Indian+Aadhar+data+%26+software.) | 07/10/2021 | | |
↪️ More victims [here](/group/darkleakmarket?id=posts)
---
## **darkpower**
🔎 `ransomware.live` has an active parser for indexing darkpower's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Dark Power Ransomware | 🔴 | 15/03/2023 06:44 | `http://powerj7kmpzkdhjg4szvcxxgktgk36ezpjxvtosylrpey7svpmrjyuyd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/darkpower)
### _Total Attacks Over Time_

### _Victims_
> 10 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`onyx-pharma.dz`](https://google.com/search?q=onyx-pharma.dz) | 11/03/2023 | | 📸 |
| [`imtenan.com`](https://google.com/search?q=imtenan.com) | 11/03/2023 | | 📸 |
| [`agados.cz`](https://google.com/search?q=agados.cz) | 11/03/2023 | | 📸 |
| [`evant.com.tr`](https://google.com/search?q=evant.com.tr) | 11/03/2023 | | 📸 |
| [`arineta.com`](https://google.com/search?q=arineta.com) | 11/03/2023 | | 📸 |
| [`rcc.gob.pe`](https://google.com/search?q=rcc.gob.pe) | 11/03/2023 | | 📸 |
| [`goliplik.com.tr`](https://google.com/search?q=goliplik.com.tr) | 11/03/2023 | | 📸 |
| [`mdclone.com`](https://google.com/search?q=mdclone.com) | 11/03/2023 | | 📸 |
| [`betastree.fr`](https://google.com/search?q=betastree.fr) | 11/03/2023 | | 📸 |
| [`northgatesd.net`](https://google.com/search?q=northgatesd.net) | 11/03/2023 | | 📸 |
---
## **darkrace**
🔎 `ransomware.live` has an active parser for indexing darkrace's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Darkrace blog | 🔴 | 20/06/2023 23:24 | `http://wkrlpub5k52rjigwxfm6m7ogid55kamgc5azxlq7zjgaopv33tgx2sqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 10 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`marstrand.se`](https://google.com/search?q=marstrand.se) | 09/06/2023 | Farthest out to the west, where the archipelago ends and the sea takes over, lies Marstrand. The sailing town and seaside resort of Marstrand is, not without reason, a great favourite among all visitors. Here you find the quay with boats of all kinds, cosy houses on car-free streets, top restaurants and cafés, sun and salty bathing, music and theatre. Carlsten Fortress sits enthroned at the top of the island. After a short ferry ride across the strait you are on Marstrand island itself, with a living presence of a bygone era mixed with trendy sailing jackets. On Marstrand you find both nightlife and quiet calm, depending on when you visit the island. With its cosy neighbourhoods, small alleys and nooks, its dominant fortress and sea views wherever you turn, the island stirs strong feelings. Along the jetties of Sweden's largest guest harbour the boats lie close together, and with GKSS Match Cup Sweden in the first week of July, Marstrand is definitely Sweden's sailing capital. | 📸 |
| [`vaud-promotion`](https://google.com/search?q=vaud-promotion) | 07/06/2023 | The Vaud Promotion Association aims to increase the visibility, competitiveness and attractiveness of the canton of Vaud through the VAUD+ brand, whose values it promotes. It intends to achieve this goal in collaboration with the economic actors, regions and institutions involved in promoting the canton of Vaud, through the activities, products and services that make it a success, whether economic, academic, touristic, cultural, sporting, gastronomic or rooted in the Vaud terroir. To this end, it leads a community of multi-sector Vaud actors who embody and convey the values of the VAUD+ brand. | 📸 |
| [`COOPERATIVETECH`](https://google.com/search?q=COOPERATIVETECH) | 07/06/2023 | Cooperative Technologies delivers proven, industry specific standards-based software that helps organizations cut operational overhead costs and improve customer service. Platform-independent customizable software solutions keep carriers in charge of their funds, reducing risk while staying on top of industry trends. Insurance and financial carriers depend upon our list bill reconciliation and 1035 exchange solutions. | 📸 |
| [`PICPLUS.COM`](https://google.com/search?q=PICPLUS.COM) | 06/06/2023 | Pictures Plus and O'Roke Photography have over 50 years of combined experience providing School, Sports, Event & Portrait photography services in the Quad-State area. We are members of the PSPA (Professional School Photographers Association) as well as PMA (Photo Marketing Associates) and have a long history of community involvement and support. We have designed a hassle-free picture day, providing multiple photography stations to make your day run faster. We are staffed with trained and qualified personnel to ensure accuracy, quality and efficiency leading up to and on picture day. Our Customer Service cares about each and every customer. We stand by our friendly, home-town service and 100% Satisfaction Guarantee. | 📸 |
| [`rzepeckimroczkowski`](https://google.com/search?q=rzepeckimroczkowski) | 05/06/2023 | Rzepecki Mroczkowski Sp. z o.o. - we have been associated with the Volkswagen group since 1991 as an authorised dealer of the Volkswagen and Volkswagen Commercial Vehicles brands. The company's headquarters are located in Poznań at ulica Wiatraczna 5. At the same location we also run an authorised service centre and sell original spare parts for the brands Volkswagen, Volkswagen Commercial Vehicles, Audi and Skoda. | 📸 |
| [`hep global GmbH`](https://google.com/search?q=hep+global+GmbH) | 04/06/2023 | A partner for everything to do with solar energy. That’s hep. Since 2008. We develop, build, operate and finance solar parks. World-wide. For energy production that can do more than supply electricity. The large-scale photovoltaic facilities we have developed have a capacity of around 1,310 MW peak. From our sites in Germany, Japan and the USA we operate 18 solar projects ourselves. Our active pipeline for future projects comprises around 5,300 MW peak. (The number of solar parks in operation is up to date. All the other figures are updated every six months.) | 📸 |
| [`PESSI`](https://google.com/search?q=PESSI) | 03/06/2023 | PESSI is committed to providing services and benefits to workers and their dependents in close partnership with employers. By bringing transparency and ensuring fairness in its business processes, PESSI's noble task of providing comprehensive medical coverage and a number of cash benefits to its secured clientele, comprising downtrodden workers and their dependents including parents, is expected to significantly enhance the coverage and scope of its services. PESSI is indeed a partner in enhancing the productivity of businesses by providing security and peace of mind to workers. May Allah give us strength to stand by our commitments. | 📸 |
| [`PLURISERVICE`](https://google.com/search?q=PLURISERVICE) | 03/06/2023 | Pluriservice Spa was founded in 1986 and is a leader in the Auto ID (barcode) sector. It produces and markets a wide range of technologically advanced and innovative products. It is the exclusive distributor for Italy of some of the world's most recognised Auto ID brands. It owns the PLUS and APIX brands and produces software solutions with Storm Open Solutions, the software house founded in 2001 that is responsible for developing and renewing the E2K suites for the hospitality and retail sectors, with over 5,000 active customers. Pluriservice Solutions is the group's system integrator, which in 2006 reached 6 million in turnover with active leasing contracts. Raining Labels was founded in 2005 and produces standard and customised adhesive labels; to date it has produced over 5 million m2 of labels. Proget Sistem Italia is dedicated to the design and engineering of labelling and printing systems. | 📸 |
| [`CONATECO`](https://google.com/search?q=CONATECO) | 02/06/2023 | CO.NA.TE.CO. (Consorzio Napoletano Terminal Containers) was founded in 1995. Today it is the largest terminal in the port of Naples and the fourth largest in Italy. Its favourable geographical position in the heart of the Mediterranean places the port of Naples, and the CO.NA.TE.CO. terminal in particular, in the middle of international trade routes, making it one of the main links between Northern and Southern Europe. | 📸 |
| [`ERT`](https://google.com/search?q=ERT) | 30/05/2023 | ERT is a Portuguese multinational company whose core business is the manufacture of automotive interior components. Our headquarters are located in São João da Madeira, at the heart of one of Portugal’s automotive industry clusters. | 📸 |
---
## **darkside**
> The Darkside ransomware group started its operation in August 2020 with the RaaS (Ransomware-as-a-Service) model. They have become known for large-scale ransom operations. They have announced that they prefer not to attack hospitals, schools, non-profits, and governments, but rather big organizations that are able to pay large ransoms. The Darkside ransomware group became very famous following the cyberattacks on Colonial Pipeline and a Toshiba unit. The FBI finally terminated the Darkside operation and managed to pull money from their wallets back.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion` | ❌ |
#### **External information**
- http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
- http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/
- https://asec.ahnlab.com/en/34549/
- https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/
- https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/
- https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/
- https://blog.group-ib.com/blackmatter#
- https://blog.group-ib.com/blackmatter2
- https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service
- https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html
- https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections
- https://brandefense.io/darkside-ransomware-analysis-report/
- https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
- https://community.riskiq.com/article/fdf74f23
- https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6
- https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf
- https://github.com/sisoma2/malware_analysis/tree/master/blackmatter
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf
- https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html
- https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
- https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/
- https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b
- https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/
- https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted
- https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
- https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
- https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/
- https://therecord.media/popular-hacking-forum-bans-ransomware-ads/
- https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/
- https://threatpost.com/guess-fashion-data-loss-ransomware/167754/
- https://twitter.com/GelosSnake/status/1451465959894667275
- https://twitter.com/JAMESWT_MHT/status/1388301138437578757
- https://twitter.com/ValthekOn/status/1422385890467491841?s=20
- https://twitter.com/embee_research/status/1678631524374020098?s=46
- https://twitter.com/sysopfb/status/1422280887274639375
- https://unit42.paloaltonetworks.com/darkside-ransomware/
- https://us-cert.cisa.gov/ncas/alerts/aa21-131a
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
- https://www.acronis.com/en-us/articles/darkside-ransomware/
- https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
- https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/
- https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
- https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/
- https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
- https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
- https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
- https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.databreaches.net/a-chat-with-darkside/
- https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968
- https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/
- https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
- https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/
- https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/
- https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group
- https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin
- https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims
- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
- https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/
- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
- https://www.glimps.fr/lockbit3-0/
- https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
- https://www.ic3.gov/Media/News/2021/211101.pdf
- https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack
- https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime
- https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/
- https://www.mandiant.com/resources/burrowing-your-way-into-vpns
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/
- https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#
- https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/
- https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/
- https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
- https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/
- https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/
- https://www.secjuice.com/blue-team-detection-darkside-ransomware/
- https://www.secureworks.com/research/threat-profiles/gold-waterfall
- https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/
- https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/
- https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
- https://www.varonis.com/blog/darkside-ransomware/
- https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
- https://www.youtube.com/watch?v=NIiEcOryLpI
- https://www.youtube.com/watch?v=qxPXxWMI2i4
- https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html
- https://zawadidone.nl/darkside-ransomware-analysis/
- https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside
#### **Ransom note**
* [📝 1 ransom note](notes/darkside)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20200811| 💬 |
|20201115| 💬 |
|20210215| 💬 |
|20210413| 💬 |
|20210418| 💬 |
### _Victims_
> no victim found
---
## **darkvault**
🔎 `ransomware.live` has an active parser for indexing darkvault's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| DarkVault | 🟢 | 30/07/2024 02:15 | `http://tx23pk4zw5qynq3tmfk2jz5zbel63p4nwvkheswze7r6gzxhzcbseyad.onion` | 📸 |
| DarkVault BLOG | 🟢 | 30/07/2024 02:16 | `http://mdhby62yvvg6sd5jmx5gsyucs7ynb5j45lvvdh4dsymg43puitu7tfid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 36 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`blankstyle.com`](https://google.com/search?q=blankstyle.com) | 26/07/2024 | Blankstyle and its founders have a collective history in the wholesale distribution and manufacturing world of thirty plus years. We are constantly evolving our offering and our service to meet the needs of our customers. Headquartered in Southern California with roots in the local surf and skate industry, we have expanded nationwide and now boast an expansive distribution network strategically located throughout the United States, with the goal of providing fast, easy access to an excessively large selection of blank t-shirts and other apparel. | 📸 |
| [`eurovilla.hr`](https://google.com/search?q=eurovilla.hr) | 23/07/2024 | Eurovilla, a real estate agency founded in 2002, has become one of the leading agencies in Croatia, with an emphasis on exclusive properties in Zagreb and the coastal zone. It deals with the sale and rental of residential and business properties. | 📸 |
| [`foremedia.net`](https://google.com/search?q=foremedia.net) | 03/07/2024 | With years of experience in the digital ads industry, we, at ForeMedia, see ourselves as an innovative digital display advertising network that unites the advertisers and publishers through its self-serve platform. We strive to improve the conversion rate of our advertisers to maximize their ROI while working hard to make the most out of our publishers’ web traffic to increase their revenue. And we are able to do it because of our in-house team of expert and dedicated support who works hard and is never afraid to innovate. At ForeMedia, we treat our partnerships and relationships as our top priority which also serves as the foundation of our work. | 📸 |
| [`sequelglobal.com`](https://google.com/search?q=sequelglobal.com) | 03/07/2024 | Sequel Logistics is a supply chain management company, providing solutions specifically for critical logistics requirements on a worldwide basis. The company was founded in 2004 in Bangalore and, over the years, has developed specialized capabilities and domain knowledge to design, execute and manage the supply chain and logistics of high-value and critical products for B2B and B2C businesses in India, the US and Europe. | 📸 |
| [`pandacare.ae`](https://google.com/search?q=pandacare.ae) | 29/06/2024 | Panda Care Car Wash and Pet grooming is your one-stop solution for all your Vehicle and Pet needs. With our state-of-the-art facilities and experienced staff, we provide top-quality car wash, tinting, and pet grooming services that will leave your vehicles looking like new & keep your furry friend looking sharp! Our services are fast, reliable, and affordable; Stop by today to experience Panda Care's service firsthand! | 📸 |
| [`life.vet.br`](https://google.com/search?q=life.vet.br) | 29/06/2024 | Operating in the market since 2004, with extensive laboratory experience in the interior of the state of Rio de Janeiro, Life.vet brings a new concept in veterinary diagnostics. Our main objectives are excellence in customer service, quality in sample transport and processing, continuous professional development and new diagnostic techniques, all combined with cutting-edge information management equipment and systems. Our new concept is based on a qualified team of veterinarians, biomedical scientists, a production engineer and specialised technicians, all trained to provide full assistance and perform the widest variety of tests. | 📸 |
| [`buyeazzy.com`](https://google.com/search?q=buyeazzy.com) | 27/06/2024 | BuyEazzy is building online Beauty Destination for Bharat, through trusted neighborhood micro-preneurs. We are on a mission to onboard 300 Mn+ offline users from Tier2/+ cities and towns in India onto online shopping and enable them to experience the power of Digital Democratized commerce. | 📸 |
| [`decreditos.com`](https://google.com/search?q=decreditos.com) | 25/06/2024 | Decreditos provides loans through a 100% online process, in constant search and development of new products that give everyone easy access to the financial sector. The company has branches in more than 4,000 cities and has been in business for 20 years. | 📸 |
| [`oexpress.id`](https://google.com/search?q=oexpress.id) | 21/06/2024 | OExpress is a logistics platform offering a range of express delivery services, a courier with a smart system that helps improve delivery success rates. | 📸 |
| [`journohq.com`](https://google.com/search?q=journohq.com) | 17/06/2024 | Create your own story with Journo! From classic journal writing to travel maps and photo books, you'll be able to document your adventures, print your journals, publish your travels online and much more! | 📸 |
↪️ More victims [here](/group/darkvault?id=posts)
---
## **dataleak**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| DataLeak | 🔴 | 22/02/2023 12:58 | `http://woqjumaahi662ka26jzxyx7fznbp4kg3bsjar4b52tqkxgm2pylcjlad.onion` | 📸 |
#### **Ransom note**
* [📝 2 ransom notes](notes/dataleak)
### _Total Attacks Over Time_

### _Victims_
> 6 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`nissin.com.br Disclose the compressed package password`](https://google.com/search?q=nissin.com.br+Disclose+the+compressed+package+password) | 02/12/2022 | | |
| [`rkw-group.com Disclose the compressed package password`](https://google.com/search?q=rkw-group.com+Disclose+the+compressed+package+password) | 02/12/2022 | | |
| [`ni*usa.com`](https://google.com/search?q=ni%2Ausa.com) | 02/12/2022 | | |
| [`wiesauplast.de`](https://google.com/search?q=wiesauplast.de) | 02/12/2022 | | |
| [`grantweber.com`](https://google.com/search?q=grantweber.com) | 02/12/2022 | | |
| [`The Beacon Insurance Company Limited`](https://google.com/search?q=The+Beacon+Insurance+Company+Limited) | 02/12/2022 | | |
---
## **diavol**
> A ransomware with potential ties to Wizard Spider.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Chat | 🔴 | 31/10/2022 16:33 | `http://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd.onion` | ❌ |
#### **External information**
- https://arcticwolf.com/resources/blog/karakurt-web
- https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/
- https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/
- https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922
- https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648
- https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/
- https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/
- https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/
- https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/
- https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
- https://www.ic3.gov/Media/News/2022/220120.pdf
- https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday
#### **Ransom note**
* [📝 2 ransom notes](notes/diavol)
### _Victims_
> no victim found
---
## **dispossessor**
> This is not a ransomware group but a data broker
🔎 `ransomware.live` has an active parser for indexing dispossessor's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Just a moment... | 🔴 | 03/06/2024 03:00 | `http://dispossessor.com` | 📸 |
| Dispossessor.com | 🟢 | 30/07/2024 02:16 | `http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 337 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`airedentalarts.com`](https://google.com/search?q=airedentalarts.com) | 29/07/2024 | https://streamable.com/tkc7xk - video of files part1. | 📸 |
| [`tursso.com`](https://google.com/search?q=tursso.com) | 29/07/2024 | https://streamable.com/ixp9fn + https://streamable.com/2l7h7x videos of confidential files exfiltrated from Tursso Companies INC. | 📸 |
| [`qatar.vcu.edu`](https://google.com/search?q=qatar.vcu.edu) | 29/07/2024 | https://streamable.com/k5439m - VCUarts Qatar files 10 minutes video. | 📸 |
| [`delhihospital.com`](https://google.com/search?q=delhihospital.com) | 28/07/2024 | Richland Parish Hospital Video of files 10 minutes - https://streamable.com/jh06bs . | 📸 |
| [`olympusgrp.com`](https://google.com/search?q=olympusgrp.com) | 03/07/2024 | Olympus Group representative (his email olympusgroup1@mailfence.com) break down the deal. Video Proof of our conversation is here - https://streamable.com/7b3hw9 Download video here - https://upload.disroot.org/r/rmycUywF#swFHPxGZ3qihzAskKwG2Hwym9xd0BUMxDjDUpPB57VQ= Even 1 clerk in chain with Chief Justice will easily open the investigation due our file leak and mailing with BCC to clients and assign Supreme Court employee with getting to the bottom of the leak. Source: https://www.newsnationnow.com/politics/reports-law-clerks-among-scotus-leak-suspects/ | 📸 |
| [`fidelia-consulting.com`](https://google.com/search?q=fidelia-consulting.com) | 27/06/2024 | Fidelia Consulting is an accounting firm based in Nanterre, near Paris. The firm offers a range of services including accounting, payroll management, legal and tax advice, and business creation support. Established in 2010, they focus on personalized client relationships and cater to various sectors such as construction, e-commerce, restaurants, and freelancers. | 📸 |
| [`UMAPS`](https://google.com/search?q=UMAPS) | 04/06/2024 | VIDEO OF FILES PART1 - http://cybertube.video/web/index.html#!/details?id=160b79ab060e136a02e655272228597f&serverId=2be5e68176ff4f8fbb930fe66321ab72 . Youtube videos will be posted, if we will not get the required payment amount . The "Unidad Municipal de Agua Potable y Saneamiento" (Municipal Unit of Potable Water and Sanitation) typically refers to a local government entity responsible for managing the supply of clean drinking water and sanitation services within a municipality or local area. | 📸 |
| [`umbrellaproperties.com PART2`](https://google.com/search?q=umbrellaproperties.com+PART2) | 22/05/2024 | VIDEO OF FILES PART#1 - http://cybertube.video/web/index.html#!/details?id=782ccbf2b08c75eb63d1d90d23670518&serverId=2be5e68176ff4f8fbb930fe66321ab72 Umbrella Properties offers apartments, duplexes and townhouses for rent in many styles ranging from studios, one-bedroom, two-bedroom, and also three-bedroom units. We offer affordable housing to residents in Eugene, Springfield, Junction City and Bend. In a concerning turn of events, the website of Umbrella Properties, a prominent real estate company, has been compromised by hackers, putting a significant amount of sensitive data at risk. The breach raises alarms about the security measures in place to protect critical information and underscores the growing threat of cyberattacks targeting businesses across various sectors. By partnering with the our team, Umbrella Properties can navigate the complexities of cybersecurity with confidence and ensure the continued security and integrity of its digital infrastructure. | 📸 |
| [`UMBRELLA PROPERTIES`](https://google.com/search?q=UMBRELLA+PROPERTIES) | 21/05/2024 | VIDEO OF FILES PART1 - http://cybertube.video/web/index.html#!/details?id=782ccbf2b08c75eb63d1d90d23670518&serverId=2be5e68176ff4f8fbb930fe66321ab72 . Youtube videos will be posted, if we will not get the required payment amount . Umbrella Properties offers apartments, duplexes and townhouses for rent in many styles ranging from studios, one-bedroom, two-bedroom, and also three-bedroom units. We offer affordable housing to residents in Eugene, Springfield, Junction City and Bend. In a concerning turn of events, the website of Umbrella Properties, a prominent real estate company, has been compromised by hackers, putting a significant amount of sensitive data at risk. The breach raises alarms about the security measures in place to protect critical information and underscores the growing threat of cyberattacks targeting businesses across various sectors. By partnering with the our team, Umbrella Properties can navigate the complexities of cybersecurity with confidence and ensure the continued security and integrity of its digital infrastructure. | 📸 |
| [`umbrellaproperties.com`](https://google.com/search?q=umbrellaproperties.com) | 13/05/2024 | Umbrella Properties offers apartments, duplexes and townhouses for rent in many styles ranging from studios, one-bedroom, two-bedroom, and also three-bedroom units. We offer affordable housing to residents in Eugene, Springfield, Junction City and Bend. In a concerning turn of events, the website of Umbrella Properties, a prominent real estate company, has been compromised by hackers, putting a significant amount of sensitive data at risk. The breach raises alarms about the security measures in place to protect critical information and underscores the growing threat of cyberattacks targeting businesses across various sectors. By partnering with the our team, Umbrella Properties can navigate the complexities of cybersecurity with confidence and ensure the continued security and integrity of its digital infrastructure. | 📸 |
↪️ More victims [here](/group/dispossessor?id=posts)
---
## **donex**
🔎 `ransomware.live` has an active parser for indexing donex's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Donex ransomeware leakage - | 🔴 | 02/04/2024 10:49 | `http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 5 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`mirel`](https://www.mirelasbl.be) | 27/02/2024 | We are your partner in recruitment and selection. We come to your company with no obligation in order to ... | 📸 |
| [`CHOCOTOPIA`](https://www.chocotopia.cz) | 27/02/2024 | Chocotopia is a center of entertainment in the heart of Prague. You can visit here Museum of Chocolate and experience Chocolate ... | 📸 |
| [`elsapspa`](https://www.elsap.it) | 24/02/2024 | For over 50 years, Elsap has been a company dedicated to representing and distributing electronic and electromechanical components ... | 📸 |
| [`PFLEET`](https://www.pfleet.com) | 23/02/2024 | P-Fleet is a leader in expense and payment management solutions for commercial fleets, including those with owner-operators and in ... | 📸 |
| [`vdhelm`](https://vanderhelmlogistics.com) | 22/02/2024 | Van der Helm is a 4PL logistic service provider with a limitless passion for transport and logistics. From our offices in Den Hoor ... | 📸 |
---
## **donutleaks**
🔎 `ransomware.live` has an active parser for indexing donutleaks's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| _D0#Nut::__chat | 🔴 | 21/10/2022 20:39 | `http://qkbbaxiuqqcqb5nox4np4qjcniy2q6m7yeluvj7n5i5dn7pgpcwxwfid.onion` | 📸 |
| none | 🟢 | 30/07/2024 02:17 | `http://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion` | 📸 |
| _d0nut.::Files_ | 🔴 | 21/10/2022 20:39 | `http://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion` | ❌ |
| Index of / | 🟢 | 30/07/2024 02:17 | `http://dk4mkfzqai6ure62oukzgtypedmwlfq57yj2fube7j5wsoi6tuia7nyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 42 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Jack "Designer" Sparrow.`](https://google.com/search?q=Jack+%22Designer%22+Sparrow.) | 24/07/2024 | http://1-sourcedesign.com/ ...and this Canadian company has distinguished itself by its reluctance to share with anyone, including the authors of the tools they use. In the depths of the date, a huge number of all kinds of cracks, serial numbers, Warez, etc. were discovered. It’s like I’ve… | 📸 |
| [`Industrial Bolsera`](https://www.industrialbolsera.com) | 24/07/2024 | https://www.industrialbolsera.com/ca/index.htm A dubious company for sure. But which one is).Our design and R & D departments look for the most suitable solution. Subsequently, the product is manufactured according to a rigorous quality policy guaranteeing an excellent final product.At Industrial Bolsera, we apply… | 📸 |
| [`KickDown ESET company. No overpayments at 0% (renamed and update)`](https://google.com/search?q=KickDown+ESET+company.+No+overpayments+at+0%25+%28renamed+and+update%29) | 21/07/2024 | This is what this note is now called. It's not about us "making" ESET. It's about the fact that: AT THE MOMENT I FUCKED THEIR NEW VERSION OF PREMIUM HOME SECURITY EDITION BEFORE THE PENTEST. == NO MORE == ....as the ever-condolent and praying “journalists” from... And now there will be a… | |
| [`ESET. PREMIUM.`](https://google.com/search?q=ESET.+PREMIUM.) | 20/07/2024 | in preparation for the next goal, eset smart security premium was tested today. He fought epically, heroically and bravely with everything, with anything (mostly rubbish in C#), but, as befits a real AB, he chose not to notice the host of the party. It's something like drinking: once you fuck… | |
| [`all-mode.com`](https://google.com/search?q=all-mode.com) | 18/07/2024 | A Legacy Of Excellence Founded in 1972 All-Mode Communications inc. has always been dedicated to giving our customers a world class experience whether it is running, testing and certifying new cable infrastructure; installing a new phone system; or helping with a move to a cloud hosted phone service. From the… | |
| [`labline.it`](https://google.com/search?q=labline.it) | 17/07/2024 | Scientific research comes first Diatech Lab Line is not simply the name of a new company that joins a group of distributors of products for biomedical research, it is much more. Our range of products arises from the continuous search for cutting-edge and high-quality solutions that can make an active… | 📸 |
| [`valleylandtitleco.com - UPD`](https://valleylandtitleco.com) | 15/07/2024 | I-❤️-TEXAS... there could be your advertisement here, but I posted the (official) statements of this company for the month. You can easily make sure that they are a bit of a pussy. It happens in a day that they "close" 10 times larger sums... I always thought that Texas… | 📸 |
| [`valleylandtitleco.com`](https://google.com/search?q=valleylandtitleco.com) | 03/07/2024 | I-❤️-TEXAS... there could be your advertisement here, but I posted the (official) statements of this company for the month. You can easily make sure that they are a bit of a pussy. It happens in a day that they "close" 10 times larger sums... I always thought that Texas… | 📸 |
| [`Patriot Machine, Updated data leak.`](https://google.com/search?q=Patriot+Machine%2C+Updated+data+leak.) | 16/05/2024 | Today we consider make public any related data about Patriot Machine operations and business. The defense contractors which cant defense his docs. Updated version of that will be on our file server. Stay tuned. Guys was so skill-able and professional what mr.Mask and his SpaceX working with them. Its… | |
| [`Pittsburgh’s Trusted Orthopaedic Surgeons`](https://www.gpoa.com) | 14/05/2024 | Hello everyone! We got some not very smart people who was compromise and do not want to protect their clients data. Today here medical company from Pittsburgh(USA):"Pittsburgh’s Trusted Orthopaedic Surgeons" [must be not so trusted as you thought, but okay] Web site: https://www.gpoa.com/ "Pittsburgh’… | 📸 |
↪️ More victims [here](/group/donutleaks?id=posts)
---
## **doppelpaymer**
> Doppelpaymer is a ransomware family that encrypts user data and then demands a ransom to restore the original files. It is recognizable by the trademark file extension it appends to encrypted files, `.doppeled`, and by the note file it creates, `.how2decrypt.txt`.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Start-maximized.com | 🔴 | 23/09/2021 10:08 | `http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion` | ❌ |
#### **External information**
- http://www.secureworks.com/research/threat-profiles/gold-drake
- https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp
- https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec
- https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
- https://killingthebear.jorgetesta.tech/actors/evil-corp
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
- https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen
- https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/
- https://sites.temple.edu/care/ci-rw-attacks/
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/
- https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
- https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
- https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
- https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
- https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
- https://www.secureworks.com/research/threat-profiles/gold-drake
- https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf
- https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
- https://www.youtube.com/watch?v=LUxOcpIRxmg
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
#### **Ransom note**
* [📝 4 ransom notes](notes/doppelpaymer)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **dragonforce**
🔎 `ransomware.live` has an active parser for indexing dragonforce's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| DragonForce - Blog | 🟢 | 30/07/2024 02:18 | `http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion` | 📸 |
| DragonForce - Recovery | 🔴 | 19/05/2024 12:47 | `http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/dragonforce)
### _Total Attacks Over Time_

### _Victims_
> 79 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`BK Aerospace`](https://b-kmfg.com) | 25/07/2024 | "What do you think about the classified documents, orders and much more by BOEING? What about the Hellfire Dummy Seeker blueprints?" Offer a full range of complementary services to our customers for design, test, manufacture and assembly of complex hardware. | |
| [`CertiCon`](https://certicon.cz) | 25/07/2024 | CertiCon is a Czech company engaged in technological innovation and development of software and hardware solutions for healthcare, telecommunication. | |
| [`Dimbleby Funeral Homes`](https://www.dimblebyfuneralhomes.com) | 24/07/2024 | Since 1931, the Dimbleby Funeral Homes have been caring for families during the most difficult time of their lives. Our commitment to excellence and our passion for providing exceptional service to the families we are privileged to serve is unsurpassed in our area. Our team of caring professionals will assist your family in creating a meaningful, personalized and memorable ceremony to honor your loved one. | |
| [`John Gallin & Son`](https://gallin.com) | 24/07/2024 | Our firm was founded in 1886 by John Gallin, an Irish immigrant. The firm continues to be run by the Gallin family, now in its fourth generation of management. We work on projects located throughout the New York City metro area. Additionally, we have special expertise working with the unique demands of Manhattan high-rise buildings. Our clients comprise a cross-section of area businesses, including finance, retail, insurance, real estate, and law. We also have a great deal of experience working with non-profits and schools. | |
| [`SBRPCA`](https://www.rcc911.org) | 16/07/2024 | South Bay Regional Public Communications Authority (SBRPCA), hosted by the City of Hawthorne, provides dispatching services for multiple police and fire departments in southern California, including El Segundo, Hermosa Beach, Gardena, and Manhattan Beach. Business Challenge. | |
| [`Mainland Machinery`](https://mainlandmachinery.com) | 16/07/2024 | Having rich experience in the industrial mining equipment industry, Mainland Machinery is a one-stop shop for all companies in steel and heavy metal | |
| [`Raffmetal Spa`](https://www.raffmetal.it) | 08/07/2024 | Minerals & Mining | |
| [`Vermont Panurgy`](https://panurgyvt.com) | 02/07/2024 | For over 30 years, we have also been providing outstanding IT and training services for state agencies. | |
| [`Gray & Adams`](https://adm.gray-adams.com) | 02/07/2024 | Gray & Adams is the UK market-leader in the manufacture of specialist temperature controlled and bespoke vehicles. | |
| [`Elite Fitness`](https://elitefitness.co.nz) | 02/07/2024 | Elite Fitness has grown over the last 28 years with a true pioneering kiwi spirit to now being one of the largest fitness retailers in Australasia | |
↪️ More victims [here](/group/dragonforce?id=posts)
---
## **dread**
_`marketplace - not a ransomware group`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| DDOS Protection | 🔴 | 30/07/2024 00:51 | `http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion` | 📸 |
### _Victims_
> no victim found
---
## **dunghill**
🔎 `ransomware.live` has an active parser for indexing dunghill's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Dunghill Leak - Details | 🔴 | 23/07/2024 15:54 | `http://p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 17 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Nuevatel`](https://google.com/search?q=Nuevatel) | 15/07/2024 | | 📸 |
| [`Nexperia`](https://google.com/search?q=Nexperia) | 10/04/2024 | Headquartered in the Netherlands, Nexperia is a global semiconductor company with a rich European history and more than 15,000 employees in Europe, Asia and the United States. As a leading expert in the design and manufacture of mission-critical semiconductors, Nexperia components provide the basic functionality for virtually every electronic device in the world - from automotive and industrial to mobile and consumer applications. | 📸 |
| [`Array Networks`](https://google.com/search?q=Array+Networks) | 29/02/2024 | Array Networks is an American networking hardware company. It sells network traffic encryption tools. Was founded in 2000 by Lawrence Lu and is based in Milpitas, California. It received funding from the venture capital firm U.S. Venture Partners and the private equity firm H&Q Asia Pacific. On May 13, 2009, Array Networks became the first non-Taiwan company to be listed on the Taiwan Stock Exchange. The company sold 54 million shares that had a total value of about $79 million. In 2009, 43% of the company's market share was in China, and its main product type sold there consisted of SSL VPN devices. | 📸 |
| [`Supply Technology`](https://google.com/search?q=Supply+Technology) | 07/11/2023 | Supply Technologies, a subsidiary of ParkOhio(NASDAQ:PKOH), specializes in supplier selection and management, planning, implementing, managing the physical flow of product for world-class international manufacturing companies, and servicing customers in the various markets. Supply Technologies has expertise in global sourcing with more than 7,500 suppliers worldwide and ensures that you’ll get the exact parts you need, on time, at the best quality and at the right price. | 📸 |
| [`Robins & Morton`](https://google.com/search?q=Robins+%26+Morton) | 26/09/2023 | Robins and Morton is a company operating as a construction firm. It specializes in planning and design, construction management, multiple delivery methods, self-performed work, and green building. The company serves healthcare, government, and commercial markets. In the past ten years alone, it has completed nearly $10 billion in projects. These projects vary from major new hospitals and complex renovations, to hospitality projects and a variety of other commercial work. | 📸 |
| [`CannonDesign`](https://google.com/search?q=CannonDesign) | 26/09/2023 | CannonDesign is a global architecture, engineering and consulting practice that provides services for a range of project types, including hospitals and medical centers, corporate headquarters and commercial office buildings, higher education and PK-12 education facilities, hotels and hospitality, mixed-use, sports facilities, and science and research buildings. In 2017 and 2019, Fast Company named CannonDesign one of the 10 most innovative architecture firms in the world. | 📸 |
| [`Roper & Vertafore`](https://google.com/search?q=Roper+%26+Vertafore) | 26/09/2023 | Vertafore is a Denver-based insurance technology company. It has developed various software for insurance companies, such as content management and workflow software, insurance knowledge base, data and analytics. Its insurance management software solutions allow participants in the insurance distribution channel to adapt to an evolving insurance industry by efficiently scaling their businesses through deeper access to information and insights. | 📸 |
| [`Go-Ahead Group`](https://google.com/search?q=Go-Ahead+Group) | 26/09/2023 | Go-Ahead Group plc is a passenger transport company based in Newcastle upon Tyne, England. The majority of its operations are within the United Kingdom, Ireland, Singapore, Norway, and Germany. Go-Ahead diversified into ground handling services at various British airports via the acquisition of Gatwick Handling International, British Midland, and Reed Aviation. It acquired numerous other British transport companies, including Thames Travel, Carousel Buses, Hedingham, Anglian Bus, and HC Chambers & Son. It was contracted to operate bus and rail services in Germany and Singapore. During January 2023, it was announced that Go-Ahead was expanding into the Australian market via the U-Go Mobility joint venture with the engineering company UFL. | 📸 |
| [`Ropertech.com & Vertafore.com`](https://google.com/search?q=Ropertech.com+%26+Vertafore.com) | 26/09/2023 | Vertafore is a Denver-based insurance technology company. It has developed various software for insurance companies, such as content management and workflow software, insurance knowledge base, data and analytics. Its insurance management software solutions allow participants in the insurance distribution channel to adapt to an evolving insurance industry by efficiently scaling their businesses through deeper access to information and insights. | 📸 |
| [`Go-Ahead Group`](https://google.com/search?q=Go-Ahead+Group) | 26/09/2023 | Go-Ahead Group plc is a passenger transport company based in Newcastle upon Tyne, England. The majority of its operations are within the United Kingdom, Ireland, Singapore, Norway, and Germany. Go-Ahead diversified into ground handling services at various British airports via the acquisition of Gatwick Handling International, British Midland, and Reed Aviation. It acquired numerous other British transport companies, including Thames Travel, Carousel Buses, Hedingham, Anglian Bus, and HC Chambers & Son. It was contracted to operate bus and rail services in Germany and Singapore. During January 2023, it was announced that Go-Ahead was expanding into the Australian market via the U-Go Mobility joint venture with the engineering company UFL. | 📸 |
↪️ More victims [here](/group/dunghill?id=posts)
---
## **ech0raix**
> The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:
> 1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
> 2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
> 3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| 404 page not found | 🔴 | 07/01/2023 21:20 | `http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion` | 📸 |
#### **External information**
- https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/
- https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf
- https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
- https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/
- https://www.anomali.com/blog/the-ech0raix-ransomware
- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/
- https://www.ibm.com/downloads/cas/Z81AVOY7
- https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/
- https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/
- https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt
- https://www.qnap.com/en/security-advisory/QSA-20-02
- https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf
#### **Ransom note**
* [📝 1 ransom note](notes/ech0raix)
### _Victims_
> no victim found
---
## **embargo**
🔎 `ransomware.live` has an active parser for indexing embargo's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| EMBARGO | 🟢 | 30/07/2024 02:19 | `http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/embargo)
### _Total Attacks Over Time_

### _Victims_
> 11 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`pioneerworldwide.com`](https://google.com/search?q=pioneerworldwide.com) | 26/07/2024 | Founded in 1917, Pioneer Balloon Company is the world's premier manufacturer of latex balloons, with a diversified range of products that includes Microfoil® balloons and Bubble Balloons. Additionally, Pioneer offers innovative product solutions to customers in the advertising, entertaining, decorating, and social expressions markets. Headquartered in Wichita, KS, USA, Pioneer has facilities in the United States, Canada, England, Australia, Mexico, and Brazil. - 1.65 TB | 📸 |
| [`summervillepolice.com`](https://google.com/search?q=summervillepolice.com) | 26/07/2024 | The Summerville Police Department is committed to building relationships with community members while providing the highest level of service in shooting black children. - 1.71 TB | 📸 |
| [`diligentusa.com`](https://google.com/search?q=diligentusa.com) | 11/07/2024 | Diligent Delivery Systems provides transportation services for businesses within varying industries. Major clients include WorldPac and PharMerica. The company is currently facing tight liquidity and debt default due 23 million cash uses within the past 18 months. Management has been tasked with refinancing existing debt, sourcing a new investor, or selling the business. - Total leak size: 600+ GB. For any clients and buyers who have interest in working with Diligent or investing/buying this company, we have invaluable data for you. All documents and the entire collection of emails since January 1 2024 for: Larry Browne (CEO), Darl Petty (CFO), Carlos Navarro (COO), Alan Geraldi (Legal Counsel). Additionally, we have database backups, documents belonging to clients (protected by NDA), and more. If you had doubts about the financial situation of this company, no need to doubt. We will be releasing the entire collection shortly. The company will try to deny that they have these financial difficulties and that they are trying to sell the company, but these emails and documents tell different story. Some contacts for you: | 📸 |
| [`gerard-perrier.com`](https://google.com/search?q=gerard-perrier.com) | 04/07/2024 | Gerard Perrier Industrie SA is a France-based company that provides electrical and electronic automation solutions to industry including design and manufacturing, installation and maintenance. The Company operates through its subsidiaries, including SAS Geral, which designs and manufactures electronic and electrical automation and control equipment; SAS Soteb, which installs and maintains different types of electrical and automation equipment, SAS Ardatem, which specializes in the nuclear energy sector and ensure technical assistance, among others. Gerard Perrier Industrie's customers include manufacturers of machinery, professional equipment and capital goods, and electrical departments of industrial production sites in the chemical, mechanical and food processing sectors, among others. The Company’s activities also include provision of energy-related services, installation, and maintenance services, and construction of electrical and electronic assemblies. - 1,4 T Data | 📸 |
| *Removed following a legal request* | 29/06/2024 | | |
| [`dmedelivers.com`](https://google.com/search?q=dmedelivers.com) | 06/06/2024 | Marketing, Printing, Logistics - 1 TB+ databases, source code, client files | 📸 |
| [`shamrocktradingcorp.com`](https://google.com/search?q=shamrocktradingcorp.com) | 21/05/2024 | Shamrock Trading Corporation is the parent company for a family of brands in transportation services, finance and technology. The company offers transportation logistics, discount programs, and international trade financing. - | 📸 |
| [`orga-soft.de`](https://google.com/search?q=orga-soft.de) | 17/05/2024 | Software Development - SQL BASES AND SOURCES 650 GB, LINK WILL BE AVAILABLE SOON | 📸 |
| [`rexmoore.com`](https://google.com/search?q=rexmoore.com) | 08/05/2024 | Founded in 1922 and headquartered in Sacramento, California, Rex Moore is a family-owned and managed company, providing electrical and integrated systems engineering, manufacturing, construction and maintenance. The company performs both design/build and bid work for most electrical and low voltage projects. - DATA will be available soon. SQL Databases + big amount of Documents. | 📸 |
| [`firstmac.com.au`](https://google.com/search?q=firstmac.com.au) | 30/04/2024 | Firstmac Limited is an Australian owned company with experience in home and investment loans. They have a range of market insurance products backed by international company, Allianz Group. International ratings agency Standard & Poors gives Firstmac its highest possible ranking (strong) for loan serviceability abilities. - 500+ GB full databases, source codes, sensitive customer data | 📸 |
↪️ More victims [here](/group/embargo?id=posts)
---
## **entropy**
> Entropy is a ransomware first seen in the 1st quarter of 2022 and is being used in conjunction with Dridex infections. The ransomware uses a custom packer to pack itself, which has been seen in some early Dridex samples.
_`captcha prevents indexing`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Entropy hall of fall | 🔴 | 27/02/2022 08:16 | `http://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion` | ❌ |
#### **External information**
- https://killingthebear.jorgetesta.tech/actors/evil-corp
- https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen
- https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/
- https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
### _Victims_
> no victim found
---
## **ep918**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://dg5fyig37abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion` | ❌ |
### _Victims_
> no victim found
---
## **everest**
> Everest ransom group collects and analyzes information about their victims. They specialize in customer privacy data, financial information, databases, credit card information, and more. The Everest ransom group leaks the victim's data to the darknet, and they announced that any victim that does not contact them will suffer a data leak and that they will not delete the victim's files, keeping them for future use.
🔎 `ransomware.live` has an active parser for indexing everest's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Everest Ransomware Group | 🟢 | 30/07/2024 02:19 | `http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion` | 📸 |
#### **External information**
- https://www.reuters.com/article/us-usa-products-colonial-pipeline-ransom/more-ransomware-websites-disappear-in-aftermath-of-colonial-pipeline-hack-idUSKCN2CX0KT
### _Total Attacks Over Time_

### _Victims_
> 160 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Speed Advisory`](https://google.com/search?q=Speed+Advisory) | 26/07/2024 | Company has the last 24 hours to contact us using the instructions left. In case of silence, all data will be published. Total amount of stolen data: 150 GB https://www.speedadvisors.com/ https://hubercpas.com https://dspeedcpa.com | 📸 |
| [`SH Pension`](https://www.shpension.se/) | 22/07/2024 | Company has the last 24 hours to contact us using the instructions left. In case of silence, all data will be published. Total amount of stolen data: 100 GB https://www.shpension.se/ | 📸 |
| [`The Law Office of Omar O. Vargas, P.C.`](https://quenotedeporten.com) | 17/07/2024 | Company must contact us using the instructions in the next 3 days. Total amount of stolen data: 450 GB https://www.quenotedeporten.com | 📸 |
| [`STUDIO NOTARILE BUCCI – OLMI`](https://studionotarilebucciolmi.it) | 17/07/2024 | Company must contact us using the instructions in the next 3 days. Total amount of stolen data: 400 GB https://studionotarilebucciolmi.it | 📸 |
| [`Gramercy Surgery Center`](https://google.com/search?q=Gramercy+Surgery+Center) | 15/07/2024 | Company has the last 24 hours to return to the chat. Total amount of stolen data: 465 GB https://gramercysurgery.com | 📸 |
| [`Cukierski & Associates, LLC`](https://cukierski.cpa) | 13/06/2024 | The company has 24 hours to contact us or the files will be published and clients notified https://cukierski.cpa | 📸 |
| [`Diogenet S.r.l.`](https://diogenet.it) | 13/06/2024 | Company has the last 48 hours to contact us using the instructions left. In case of silence, all data will be published and clients notified. Total amount of stolen data: 115 GB https://www.diogenet.it/ | 📸 |
| [`2K Dental`](https://2kdental.com) | 13/06/2024 | Company has the last 48 hours to contact us using the instructions left. In case of silence, all data will be published and clients notified https://www.2kdental.com/ | |
| [`Zuber Gardner CPAs pt.2`](https://google.com/search?q=Zuber+Gardner+CPAs+pt.2) | 12/06/2024 | The company's files are still on our servers and it is stupid to think that they are not there. The company has 24 hours to contact us or the files will be published and clients notified https://www.zubergardner.com https://gofile.io/d/[REDACTED] 1GB | 📸 |
| [`Voorhees Family Office Services`](https://google.com/search?q=Voorhees+Family+Office+Services) | 04/06/2024 | Company has the last 24 hours to contact us using the instructions left. In case of silence, all data will be published. Total amount of stolen data: 600 GB https://www.vfos.com/ | 📸 |
↪️ More victims [here](/group/everest?id=posts)
---
## **exorcist**
> According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with an extension consisting of a random string of characters. For example, a file originally named "1.jpg" could appear as something similar to "1.jpg.rnyZoV" following encryption. After this process is complete, Exorcist ransomware changes the desktop wallpaper and drops HTML applications - "[random-string]-decrypt.hta" (e.g. "rnyZoV-decrypt.hta") - into affected folders. These files contain identical ransom messages.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion` | ❌ |
#### **External information**
- https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81
### _Victims_
> no victim found
---
## **flocker**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| FSOCIETY - FLOCKER | 🟢 | 30/07/2024 02:20 | `http://flock4cvoeqm4c62gyohvmncx6ck2e7ugvyqgyxqtrumklhd5ptwzpqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 14 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`A*****D`](https://google.com/search?q=A%2A%2A%2A%2A%2AD) | 19/07/2024 | To the executives of A*****D, We have breached A*****D.com servers and your security measures and obtained critical data from your […] | |
| [`O***M`](https://google.com/search?q=O%2A%2A%2AM) | 10/07/2024 | To the board of O***M, We have gained access to your system O***M.com and have highly confidential data, including 450GB […] | 📸 |
| [`K*****S`](https://google.com/search?q=K%2A%2A%2A%2A%2AS) | 03/07/2024 | To the leadership of K*****S.ca We have infiltrated the K*****S.ca servers, a well-known Law Firm institution. In just 7 days, […] | 📸 |
| [`F*****H`](https://google.com/search?q=F%2A%2A%2A%2A%2AH) | 03/07/2024 | To the board of F*****H, We have gained unauthorized access to your system F*****H.com and have procured highly confidential data, | 📸 |
| [`H*******Y`](https://google.com/search?q=H%2A%2A%2A%2A%2A%2A%2AY) | 27/06/2024 | To The Leadership Of H*******Y We have Successfully breached H*******y.net servers your systems are Encrypted, We took backup copy of […] | 📸 |
| [`D*****S`](https://google.com/search?q=D%2A%2A%2A%2A%2AS) | 22/06/2024 | To The Board Of D*****S We have Successfully breached d*****s.com servers your systems are locked, We took backup copy of […] | 📸 |
| [`SBC Global, Bitfinex, Coinmom, and Rutgers University Part 2`](https://google.com/search?q=SBC+Global%2C+Bitfinex%2C+Coinmom%2C+and+Rutgers+University+Part+2) | 05/05/2024 | the four victims of our attack – SBC Global, Bitfinex, Coinmom, and Rutgers University. You refused to pay, and now […] | 📸 |
| [`SBC Global, Bitfinex, Coinmama, and Rutgers University Part 2`](https://google.com/search?q=SBC+Global%2C+Bitfinex%2C+Coinmama%2C+and+Rutgers+University+Part+2) | 05/05/2024 | The four victims of our attack – SBC Global, Bitfinex, Coinmama, and Rutgers University. You refused to pay, and now […] | 📸 |
| [`SBC Global, Bitfinex, Coinmama, and Rutgers University Part 2 Leak`](https://google.com/search?q=SBC+Global%2C+Bitfinex%2C+Coinmama%2C+and+Rutgers+University+Part+2+Leak) | 05/05/2024 | The four victims of our attack – SBC Global, Bitfinex, Coinmama, and Rutgers University. You refused to pay, and now […] | 📸 |
| [`Coinmoma`](https://www.coinmama.com/) | 26/04/2024 | To the management of Coinmoma, We have gained access to Coinmoma.com and have obtained sensitive data including user information and […] | 📸 |
↪️ More victims [here](/group/flocker?id=posts)
---
## **fog**
> Fog, which uses the .flocked extension for encrypted files, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. By June, Storm-0844 was deploying Fog more than Akira.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| FOG | 🟢 | 30/07/2024 02:21 | `http://xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion` | 📸 |
| Blog | 🟢 | 30/07/2024 02:21 | `http://xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd.onion` | 📸 |
| Blog | 🟢 | 30/07/2024 02:22 | `http://xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/fog)
### _Total Attacks Over Time_

### _Victims_
> 11 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`BASF - Nunhems`](https://google.com/search?q=BASF+-+Nunhems) | 29/07/2024 | 30 GB | 📸 |
| [`City of Cold Lake`](https://google.com/search?q=City+of+Cold+Lake) | 26/07/2024 | 10 GB | 📸 |
| [`Odessa College`](https://google.com/search?q=Odessa+College) | 25/07/2024 | 18 GB | 📸 |
| [`Wichita State University Campus of Applied Sciences and Technology`](https://google.com/search?q=Wichita+State+University+Campus+of+Applied+Sciences+and+Technology) | 22/07/2024 | 10 GB | 📸 |
| [`German University of Technology in Oman`](https://google.com/search?q=German+University+of+Technology+in+Oman) | 16/07/2024 | 10 GB | 📸 |
| [`West Allis-West Milwaukee School District`](https://google.com/search?q=West+Allis-West+Milwaukee+School+District) | 11/07/2024 | 9,5 GB | 📸 |
| [`Djg Projects`](https://google.com/search?q=Djg+Projects) | 07/07/2024 | 19.4GB | 📸 |
| [`Alvin Independent School District`](https://google.com/search?q=Alvin+Independent+School+District) | 04/07/2024 | 60GB | 📸 |
| [`Verweij Elektrotechniek`](https://google.com/search?q=Verweij+Elektrotechniek) | 04/07/2024 | 95GB | 📸 |
| [`Asbury Theological Seminary`](https://google.com/search?q=Asbury+Theological+Seminary) | 24/06/2024 | 10 GB | 📸 |
↪️ More victims [here](/group/fog?id=posts)
---
## **freecivilian**
🔎 `ransomware.live` has an active parser for indexing freecivilian's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Free Civilian | 🔴 | 07/01/2023 21:22 | `http://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 14 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`mfa.gov.ua`](https://google.com/search?q=mfa.gov.ua) | 31/12/2022 | | |
| [`minagro.gov.ua`](https://google.com/search?q=minagro.gov.ua) | 31/12/2022 | | |
| [`mon.gov.ua`](https://google.com/search?q=mon.gov.ua) | 31/12/2022 | | |
| [`kmu.gov.ua`](https://google.com/search?q=kmu.gov.ua) | 31/12/2022 | | |
| [`gkh.in.ua`](https://google.com/search?q=gkh.in.ua) | 31/12/2022 | | |
| [`bdr.mvs.gov.ua`](https://google.com/search?q=bdr.mvs.gov.ua) | 31/12/2022 | | |
| [`kyivcity.com`](https://google.com/search?q=kyivcity.com) | 31/12/2022 | | |
| [`motorsich.com`](https://google.com/search?q=motorsich.com) | 31/12/2022 | | |
| [`mtsbu.ua`](https://google.com/search?q=mtsbu.ua) | 31/12/2022 | | |
| [`health.mia`](https://google.com/search?q=health.mia) | 31/12/2022 | | |
↪️ More victims [here](/group/freecivilian?id=posts)
---
## **fsteam**
> New possible leak site posted to a forum on November 20th, 2022; no victims at present. Unclear if it's for a ransomware or extortion group.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Home | 🔴 | 07/01/2023 21:23 | `http://hkk62og3s2tce2gipcdxg3m27z4b62mrmml6ugctzdxs25o26q3a4mid.onion` | 📸 |
### _Victims_
> no victim found
---
## **grief**
> Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: ".how2decrypt.txt".
_`captcha prevents indexing`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Grief list | 🔴 | 02/05/2022 11:11 | `http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion` | ❌ |
#### **External information**
- https://heimdalsecurity.com/blog/doppelpaymer-gets-a-rebranding
- https://www.bleepingcomputer.com/news/security/nra-no-comment-on-russian-ransomware-gang-attack-claims/
#### **Ransom note**
* [📝 1 ransom note](notes/grief)
### _Victims_
> no victim found
---
## **groove**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Leaks - Groove | 🔴 | 30/10/2021 10:50 | `http://ws3dh6av66sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion` | ❌ |
#### **External information**
- https://intel471.com/blog/groove-gang-ransomware-babuk-revil-blackmatter
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates
### _Victims_
> 13 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`I don't drink whisky, but I'd drink with him`](https://google.com/search?q=%D0%AF+%D0%BD%D0%B5+%D0%BF%D1%8C%D1%8E+%D0%B2%D0%B8%D1%81%D0%BA%D0%B8+%D0%BD%D0%BE+%D1%81+%D0%BD%D0%B8%D0%BC+%D0%B1%D1%8B+%D0%B2%D1%8B%D0%BF%D0%B8%D0%BB) | 30/10/2021 | | |
| [`episcopalretirement.com Possible leak`](https://google.com/search?q=episcopalretirement.com++%D0%92%D0%BE%D0%B7%D0%BC%D0%BE%D0%B6%D0%BD%D0%B0+%D1%83%D1%82%D0%B5%D1%87%D0%BA%D0%B0) | 23/10/2021 | | |
| [`About Russians in the USA`](https://google.com/search?q=%D0%9F%D1%80%D0%BE+%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%B8%D1%85+%D0%B2+%D0%A1%D0%A8%D0%90) | 23/10/2021 | | |
| [`therecord.media 30k USD`](https://google.com/search?q=therecord.media+30k+USD) | 23/10/2021 | | |
| [`hagerstownpd.org`](https://google.com/search?q=hagerstownpd.org) | 22/10/2021 | | |
| [`trivalleypc.com`](https://google.com/search?q=trivalleypc.com) | 22/10/2021 | | |
| [`robinwoodortho.com`](https://google.com/search?q=robinwoodortho.com) | 13/09/2021 | | |
| [`One interview`](https://google.com/search?q=%D0%9E%D0%B4%D0%BD%D0%BE+%D0%B8%D0%BD%D1%82%D0%B5%D1%80%D0%B2%D1%8C%D1%8E) | 10/09/2021 | | |
| [`Ukraine and extraditions to the USA`](https://google.com/search?q=%D0%A3%D0%BA%D1%80%D0%B0%D0%B8%D0%BD%D0%B0+%D0%B8+%D1%8D%D0%BA%D1%81%D1%82%D1%80%D0%B0%D0%B4%D0%B8%D1%86%D0%B8%D0%B8+%D0%B2+%D0%A1%D0%A8%D0%90) | 10/09/2021 | | |
| [`ludofact.de 50 GB data stolen`](https://google.com/search?q=ludofact.de+50+GB+data+stolen) | 09/09/2021 | | |
↪️ More victims [here](/group/groove?id=posts)
---
## **hades**
> According to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems and encrypts a variety of data types using AES encryption. Hades Locker appends the names of encrypted files with the .~HL[5_random_characters] (first 5 characters of encryption password) extension.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://ixltdyumdlthrtgx.onion` | ❌ |
#### **External information**
- http://www.secureworks.com/research/threat-profiles/gold-winter
- https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp
- https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/
- https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://killingthebear.jorgetesta.tech/actors/evil-corp
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://twitter.com/inversecos/status/1381477874046169089?s=20
- https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware
- https://www.accenture.com/us-en/blogs/security/ransomware-hades
- https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
- https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure
- https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf
#### **Ransom note**
* [📝 1 ransom note](notes/hades)
### _Victims_
> no victim found
---
## **handala**
> Not a Ransomware Group
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Suspected phishing site - Cloudflare | 🟢 | 30/07/2024 02:22 | `http://handala.to` | 📸 |
| Handala Hack Team – Free Palestine | 🟢 | 30/07/2024 02:23 | `http://handala-hack.to` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://vmjfieomxhnfjba57sd6jjws2ogvowjgxhhfglsikqvvrnrajbmpxqqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 27 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Innovalve 3TB Data Leak ( $300M )`](https://google.com/search?q=Innovalve+3TB+Data+Leak+%28+%24300M+%29) | 26/07/2024 | Handala Leaked 3TB Innovalve Sensitive Data On July 17th, Edwards Lifesciences American company bought Innovalve startup from Sheba for 300 million (https://www.ynet.co.il/economy/article/r1jvlozuc) dollars! So let us give you a gift of 300 million dollars! We are now publishing all data about this startup for free! We have been monitoring this deal for a long time,… | 📸 |
| [`BLEnergy`](https://google.com/search?q=BLEnergy) | 23/07/2024 | BLEnergy (https://il.linkedin.com/company/blenergy-bess-integrator), a member of the Blilious Group, is a leading company in planning, supply, construction, and operation of Battery Energy Storage Systems (BESS) for a variety of needs. Advanced energy storage systems by BLEnergy consist of CATL Energy Storage product technology. CATL is the leading battery manufacturer in the world in the fields of… | 📸 |
| [`Handala’s attack on Israeli organizations`](https://google.com/search?q=Handala%E2%80%99s+attack+on+Israeli+organizations) | 21/07/2024 | Handala’s attack on Israeli organizations Yesterday, after the problem occurred in CrowdStrike, Handala started a targeted phishing campaign ( https://twitter.com/x/status/1814658084460957890) using his dedicated wiper and FUD against thousands of Zionist organizations! So far, dozens of Zionist organizations have lost more than several terabytes of their data, and INCD (https://www.gov.il/he/pages/alert200724) is still unaware of a significant part… | 📸 |
| [`Eyal Baror the key official of the 8200 unit`](https://google.com/search?q=Eyal+Baror+the+key+official+of+the+8200+unit) | 17/07/2024 | Do you know real Eyal Baror? Does Edwards Lifesciences know who he made a deal with? Have we gone to hack Innovalve without purpose? From 1993 to 2003, Eyal Baror was directly responsible for the secure communication research and development unit of Unit 8200. Yes, you guessed right, he is one of the key officials… | 📸 |
| [`[temporary] Warning for Eyal Baror`](https://google.com/search?q=%5Btemporary%5D+Warning+for+Eyal+Baror) | 16/07/2024 | Dear Eyal Baror You have 24 hours to resign and take responsibility for this disaster, otherwise we will publish all your personal data such as private photos, emails, research documents, ethical cases, messages, etc.! You don’t want Edwards Lifesciences to know what ugly things you said behind their back after selling the Innovalve? Deadline: 16:30… | 📸 |
| [`Innovalve Bio Medical`](https://google.com/search?q=Innovalve+Bio+Medical) | 15/07/2024 | Congratulations on setting fire to an incredible $300 million! Handala Hacked Innovalve Bio Medical Ltd too null Today, Edwards Lifesciences American company bought Innovalve startup from Sheba for 300 million (https://www.ynet.co.il/economy/article/r1jvlozuc) dollars! So let us give you a gift of 300 million dollars! We are now publishing all data about this startup for free! Download… | 📸 |
| [`Sheba Medical Center`](https://google.com/search?q=Sheba+Medical+Center) | 15/07/2024 | Handala Hacked Sheba Medical Center Chaim Sheba Medical Center is the largest hospital in Occupied lands. This is the 9th-best hospital in the world. We could have targeted all parts of this center and endangered the lives of thousands of people, but according to our discretion, we destroyed the heart department of this hospital and… | 📸 |
| [`Sonol ( Gas Stations )`](https://google.com/search?q=Sonol+%28+Gas+Stations+%29) | 11/07/2024 | Gas now! Handala Hacked Sonol At a time when our children are under severe siege and no medicine or fuel is allowed to enter, it is not possible to let the Zionists see peace! Before this cyber attack, we notified all fuel stations via SMS! These Zionists are so cowardly! Where are our jihadis and… | 📸 |
| [`Independent Education System`](https://google.com/search?q=Independent+Education+System) | 01/07/2024 | Handala Hacked Centralized system of Independent Education System of Haredi Judaism! As you can see, these loved ones are working very hard and should not be sent to military service! Please respect the rights of your citizens, honorable court! We will talk about this secret organization and the shadow government in detail later! Even many… | 📸 |
| [`Zerto Security`](https://zerto.com) | 23/06/2024 | Handala Hacked Zerto ( One of the largest Zionist cyber security companies in the world ) Zerto, a Hewlett Packard Enterprise company, empowers customers to run an always-on business by simplifying the protection, recovery, and mobility of on-premises and cloud applications. Zerto’s cloud data management and protection platform eliminates the risks and complexity of modernization… | 📸 |
↪️ More victims [here](/group/handala?id=posts)
---
## **haron**
_`login page, no posts`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Clients page | 🔴 | 31/01/2022 20:17 | `http://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion` | ❌ |
#### **External information**
- https://therecord.media/new-haron-ransomware-gang-emerges-borrowing-from-avaddon-and-thanos
- https://threatpost.com/ransomware-gangs-haron-blackmatter/168212
### _Victims_
> no victim found
---
## **hellogookie**
🔎 `ransomware.live` has an active parser for indexing hellogookie's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| HelloGookie | 🔴 | 17/07/2024 11:58 | `http://gookie256cvccntvenyxrvn7ht73bs6ss3oj2ocfkjt5y6vq6gfi2tad.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 3 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Hey everyone! Some private keys here.`](https://google.com/search?q=Hey+everyone%21+Some+private+keys+here.) | 19/04/2024 | LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBNENoODBXOTFVc09raE9jSDNxVjJ6eTZlUGxhTzVCeXNQOGpyVThMcVB0bVpiR3lXCmRNV3dkb2FyTDJZVituRDZ4dVYzLzd3L1UzMGhObVpiYXV1a0ZFYUhnbWNzTXhORXBuSklTUFNiNmhnU0dEeE8KUzQ0R0xYcXdCVkV5VHBoTDlwL1N1RmJXeTNwZFQw... | |
| [`Hey cisco!`](https://cisco.com) | 19/04/2024 | You lied to us and played for time to kick us out. We will meet you soon, again. Next time you'll have no chance. cisco.com\Administrator:500:[REDACTED]::: cisco.com\carriep:12342831:[REDACTED]... | |
| [`CD Projekt!`](https://google.com/search?q=CD+Projekt%21) | 19/04/2024 | How you doin? I just remembered some passwords... do you have it? ah, whatever... just leave it here... w3: [REDACTED] gwent: [REDACTED] w3rtx: [REDACTED] thronebreaker: [REDACTED] magnet:?xt=urn:btih:44134E7ADE0F85E0... | |
---
## **hellokitty**
> Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.
_`aka fivehands`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| News | 🔴 | 02/10/2021 15:17 | `http://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion` | ❌ |
#### **External information**
- https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html
- https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/
- https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html
- https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html
- https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html
- https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/
- https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7
- https://twitter.com/fwosar/status/1359167108727332868
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group
- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/
- https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks
- https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
- https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/
- https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/
- https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire
- https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
- https://www.ic3.gov/Media/News/2021/211029.pdf
- https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/
#### **Ransom note**
* [📝 1 ransom note](notes/hellokitty)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **hive**
> Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022 there was a switch from GoLang to Rust.
_`US announces it seized Hive ransomware gang’s leak sites and decryption keys`_
🔎 `ransomware.live` has an active parser for indexing hive's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| This domain has been seized | 🔴 | 27/01/2023 04:45 | `http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion` | 📸 |
| This domain has been seized | 🔴 | 27/01/2023 06:47 | `http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion` | 📸 |
| This domain has been seized | 🔴 | 27/01/2023 06:47 | `http://hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion` | 📸 |
#### **External information**
- https://arxiv.org/pdf/2202.08477.pdf
- https://blog.group-ib.com/hive
- https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html
- https://github.com/reecdeep/HiveV5_file_decryptor
- https://github.com/rivitna/Malware/tree/main/Hive
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/
- https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/
- https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098
- https://securelist.com/modern-ransomware-groups-ttps/106824/
- https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html
- https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/
- https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/
- https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape
- https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group
- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/
- https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
- https://www.connectwise.com/resources/hive-profile
- https://www.ic3.gov/Media/News/2021/210825.pdf
- https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf
- https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery
- https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/
- https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals
- https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/
- https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware
- https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
- https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive
- https://www.varonis.com/blog/hive-ransomware-analysis
- https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/
- https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf
#### **Ransom note**
* [📝 2 ransom notes](notes/hive)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20211004| 💬 |
|20211005| 💬 |
|20211026| 💬 |
|20211102| 💬 |
|20211113| 💬 |
|20211126| 💬 |
|20211213| 💬 |
|20211220| 💬 |
### _Total Attacks Over Time_

### _Victims_
> 206 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`R C Stevens Construction`](https://rcstevens.com/) | 16/01/2023 | As commercial construction specialists in Orlando, we provide new construction and renovation services with an emphasis on design/build. R. C. Stevens is qualified to design and construct any type of commercial construction project in Orlando. We offer all of the necessary resources to meet each client’s specific project needs for design and construction services related to manufacturing/industrial, commercial, healthcare, financial, religious, and renovations. At R. C. Stevens, the spirit of innovation can be found in each and every Orlando commercial construction project we do. Every team member at R.C. Stevens strives daily to uphold the founding principles of quality and integrity as having long been a company tradition since 1926. | |
| [`G.W. Becker`](https://gwbcrane.com) | 11/01/2023 | ***** DATA IS COMING SOON **** G.W. Becker, Inc. is a full service, single source, provider of choice for quality overhead crane products and solutions. Family owned since 1980, we have grown from a local overhead crane parts supplier to a recognized industry leader offering a full spectrum of overhead crane related products and services throughout North America. Proud to be an Executive Member of the Crane Manufacturer’s Association of America, we design and manufacture custom overhead cranes, hoists and components to CMAA Specifications (Class “A” through “F”) or AIST Technical Report #6. We utilize our knowledgeable in-house team of mechanical, structural and electrical engineers to offer application assistance, custom design engineering and manufacturing of overhead crane products with our customers’ needs first and foremost. Empowered with highly trained and qualified technicians, G.W. Becker, Inc. provides self-performing installations, inspections and field service repairs for all makes and models of overhead cranes; providing compliance with local regulations and ensuring a safe and productive material handling operation. Staying true to our mission and values, we strive to understand our customers’ needs and deliver specialized expertise and long-term planning solutions for the unique challenges of purchasing and maintaining overhead crane and hoist equipment. | |
| [`Consulate Health Care`](https://consulatehc.com/) | 06/01/2023 | Consulate Health Care is a leading provider of senior healthcare services, specializing in post-acute care. We offer services ranging from comprehensive short-term rehabilitation and transitional care to Alzheimer’s and dementia care. Consulate Health Care began as a small provider in Cheswick, PA with a strong focus on patient needs. We haven’t wavered from that focus, which has strengthened our family and allows us to sustain jobs in many communities, create rigorous systems of care and deploy technology that makes it easier to understand patient needs. Even as we’ve grown to provide services across 5 states, it’s the little things we do while fulfilling our mission statement of "Providing Service with Our Hearts and Hands" that really makes the difference. From visiting with our patients while they eat, to pulling up the sheets to just the right height, our employees care for patients like family, not because it’s their job, but because it’s their calling. | |
| [`Centro Médico Virgen De La Caridad`](https://cmvcaridad.com) | 31/12/2022 | Grupo Centro Médico Virgen de la Caridad, a private health company with its own identity that was born in 1981 in the city of Cartagena, where it is headquartered, currently has 2 hospitals (Cartagena and Caravaca), 20 polyclinics, 23 physiotherapy clinics and 16 dental clinics, which are distributed throughout different parts of the Region of Murcia and Orihuela Costa. In addition, the group has 1 aesthetic clinic (Cartagena), plus 1 Ophthalmological clinic (Cartagena). The health entity that is committed to global, close, accessible and highly qualified care, is made up of more than 600 professionals (including health, administrative and patient care personnel) whose purpose is to offer a wide range of services on a daily basis under the better and more complete health care. All our centers are equipped with the most advanced technology, an essential support, which together with our highly qualified human capital, has made us, over almost 40 years of activity, a benchmark in private medicine in the Region of Murcia. We welcome you to Grupo Centro Médico Virgen de la Caridad, where new challenges are not a problem but a challenge for growth and improvement in private healthcare. | |
| [`Camst Group`](https://www.camstgroup.com) | 30/12/2022 | Camst Group is a company that specializes in restaurant services. It offers catering & banqueting, restaurant & bars, catering at the fair, and collective cater. | |
| [`MHMR Authority Of Brazos Valley`](https://www.mhmrabv.org) | 22/12/2022 | The MHMR Authority of Brazos Valley is a public non-profit community MHMR center. Through the Texas Department of State Health Services and Texas Department of | |
| [`Alvaria`](https://www.alvaria.com) | 21/12/2022 | Alvaria, (pronounced: ahl-vahr-ee-uh), a global leader delivering optimized customer experience and workforce engagement software and cloud services technology solutions. | |
| [`Interface`](https://www.interface.com) | 20/12/2022 | **** 30% OF THE DATA IS COMING SOON **** Interface, Inc. is a global flooring company specializing in carbon neutral carpet tile and resilient flooring. Stocks: NASDAQ: TILE Equity: IF6N.F, IF6N.BE, IF6N.HA | |
| [`North Idaho College`](https://google.com/search?q=North+Idaho+College) | 20/12/2022 | Founded in 1933, North Idaho College is a community college in Coeur d'Alene, Idaho. | |
| [`Innovative Education Management`](https://google.com/search?q=Innovative+Education+Management) | 20/12/2022 | Innovative Education Management (IEM) has been successfully developing and operating California charter schools since 1998 | |
↪️ More victims [here](/group/hive?id=posts)
---
## **holyghost**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| HolyGhost | 🔴 | 22/04/2022 17:36 | `http://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion` | ❌ |
### _Victims_
> no victim found
---
## **hotarus**
_`aka hotarus corp`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Hotarus Corp | 🔴 | 22/10/2021 04:52 | `http://r6d636w47ncnaukrpvlhmtdbvbeltc6enfcuuow3jclpmyga7cz374qd.onion` | ❌ |
#### **External information**
- https://www.bleepingcomputer.com/news/security/ransomware-gang-hacks-ecuadors-largest-private-bank-ministry-of-finance/
### _Victims_
> no victim found
---
## **hunters**
🔎 `ransomware.live` has an active parser for indexing hunters's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| HUNTERS INTERNATIONAL | 🟢 | 30/07/2024 02:23 | `http://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion` | 📸 |
| HUNTERS INTERNATIONAL | 🟢 | 30/07/2024 02:24 | `http://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion` | 📸 |
| HUNTERS INTERNATIONAL | 🟢 | 30/07/2024 02:25 | `http://hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion` | 📸 |
| HUNTERS INTERNATIONAL | 🔴 | 18/04/2024 22:36 | `http://huntersinternational.org` | 📸 |
#### **Ransom note**
* [📝 2 ransom notes](notes/hunters)
### _Total Attacks Over Time_

### _Victims_
> 163 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Crownlea Group`](https://www.crownlea.com/) | 29/07/2024 | Country : United Kingdom - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`The Gill Corporation`](https://www.thegillcorp.com/) | 29/07/2024 | Country : United States of America - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`Priefert`](https://www.priefert.com/) | 29/07/2024 | Country : United States of America - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`Physical & Occupational Therapy Examiners of Texas`](https://ptot.texas.gov) | 25/07/2024 | Country : United States of America - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`Physical & Occupational Therapy Examiners of Texas`](https://ptot.texas.gov) | 25/07/2024 | Country : United States of America - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`Betances Health Center`](https://betances.org) | 24/07/2024 | Country : United States of America - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`Arcmed Group`](https://www.arcmedgroup.com/) | 19/07/2024 | Country : United States of America - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`Northeast Rehabilitation Hospital Network`](https://www.northeastrehab.com) | 18/07/2024 | Country : United States of America - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`Seamon Whiteside`](https://seamonwhiteside.com/) | 18/07/2024 | Country : United States of America - Exfiltrated data : yes - Encrypted data : yes | 📸 |
| [`Santa Rosa`](https://www.santarosa.gob.ar) | 18/07/2024 | Country : Argentina - Exfiltrated data : yes - Encrypted data : yes | 📸 |
↪️ More victims [here](/group/hunters?id=posts)
---
## **icefire**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Leakage List | 🔴 | 24/08/2022 13:04 | `http://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion` | ❌ |
| Leakage List | 🔴 | 13/03/2023 04:44 | `http://7kstc545azxeahkduxmefgwqkrrhq3mzohkzqvrv7aekob7z3iwkqvyd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/icefire)
### _Total Attacks Over Time_

### _Victims_
> 11 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`*.algotrader.com`](https://google.com/search?q=%2A.algotrader.com) | 20/08/2022 | | |
| [`*.bestservers.pro`](https://google.com/search?q=%2A.bestservers.pro) | 20/08/2022 | | |
| [`*.iperactive.com.ar`](https://google.com/search?q=%2A.iperactive.com.ar) | 20/08/2022 | | |
| [`*.cco1.com`](https://google.com/search?q=%2A.cco1.com) | 20/08/2022 | | |
| [`*.vps-vds.com`](https://google.com/search?q=%2A.vps-vds.com) | 20/08/2022 | | |
| [`*.guneshosting.com`](https://google.com/search?q=%2A.guneshosting.com) | 20/08/2022 | | |
| [`*.kodhosting.com`](https://google.com/search?q=%2A.kodhosting.com) | 20/08/2022 | | |
| [`*.kru.ac.th`](https://google.com/search?q=%2A.kru.ac.th) | 20/08/2022 | | |
| [`*.directfn.net`](https://google.com/search?q=%2A.directfn.net) | 20/08/2022 | | |
| [`*.feesh.ch`](https://google.com/search?q=%2A.feesh.ch) | 20/08/2022 | | |
↪️ More victims [here](/group/icefire?id=posts)
---
## **incransom**
🔎 `ransomware.live` has an active parser for indexing incransom's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| INC Ransom | 🔴 | 09/07/2024 23:52 | `http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion` | 📸 |
| none | 🔴 | 10/07/2024 05:54 | `http://incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion` | 📸 |
| Error Response Page | 🔴 | 26/07/2024 12:28 | `http://incbackend.top` | 📸 |
| INC Ransom | 🔴 | 07/02/2024 05:00 | `http://incapt.blog` | 📸 |
| Error Response Page | 🔴 | 08/07/2024 17:27 | `http://incapt.su` | 📸 |
| Disclosures | 🟢 | 30/07/2024 02:26 | `http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/incransom)
### _Total Attacks Over Time_

### _Victims_
> 157 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Association Management Strategies(AAMC.local)`](https://google.com/search?q=Association+Management+Strategies%28AAMC.local%29) | 23/07/2024 | Association Management Strategies is a full-service association management company providing management expertise and administrative services to industry associations, coalitions, professional societies, trade shows and other special events. AMS tailors its services to meet the goals, needs and budget of each of its clients. The result is a true business partnership that is built for success. | 📸 |
| [`Northern Bedford County School District (nbcsc.org)`](https://google.com/search?q=Northern+Bedford+County+School+District+%28nbcsc.org%29) | 17/07/2024 | The Northern Bedford County School District is a public school district serving parts of Bedford County, Pennsylvania. The boroughs of Hopewell and Woodbury and the townships of Bloomfield, Hopewell, Woodbury, and South Woodbury are located within district boundaries. It encompasses approximately 112 square miles. According to 2000 federal census data, it serves a resident population of 6,556 | 📸 |
| [`maingroup`](https://google.com/search?q=maingroup) | 16/07/2024 | WELCOME TO THE WILD ATLANTIC WAY STARTING POINT. The Inishowen Gateway Hotel in Donegal is a three-star property located on the Inishowen peninsula, North East Donegal, an area of outstanding natural beauty and the hidden treasure of Donegal’s stunning landscape. Located only a short 15 minute drive from Derry and 30 minutes from Letterkenny, our Hotel in Donegal offers an ideal base to explore the surrounding area and the Wild Atlantic Way route. | 📸 |
| [`CIMP.COM`](https://google.com/search?q=CIMP.COM) | 08/07/2024 | Welcome to Consultants in Pain Medicine, PA. CPM is led by a multi-disciplinary team of highly trained physicians. We strive to provide the latest in pain treatment options – offering superior clinical care, up-to-date techniques and the latest technology. Pain affects every aspect of the patient. Our preferred and most beneficial treatment is a multi-disciplinary approach. | 📸 |
| [`A.L.P. Lighting Components`](https://google.com/search?q=A.L.P.+Lighting+Components) | 06/07/2024 | Founded in 1972 A.L.P. is an international company that does the design, manufacturing, and distribution of lighting components and components for other technical industries. The company is headquartered in Niles, Illinois. | 📸 |
| [`Center for Human Capital Innovation (centerforhci.org)`](https://google.com/search?q=Center+for+Human+Capital+Innovation+%28centerforhci.org%29) | 05/07/2024 | The Center for Human Capital Innovation (CHCI) advises government organizations on "best practices" and "next practices" in strategic human capital management. Our overall mission is to improve the effectiveness and efficiency of federal government operations through systematic improvements in Human Capital Management practices. CHCI serves as a trusted advisor, think-tank, thought leader, educator, analyst and coach dedicated to advancing the science of talent management for organizations in the government sector. The aim of CHCI is to improve the Return on People throughout government. Our mission is to provide government leaders with valuable assessment tools, deployment advice, sound Human Capital Management analyses, as well as innovative insight related to integrated talent strategy, acquisition, development, engagement, management and evaluation. Years of research and collaboration has equipped CHCI with an extensive database of substantiated methods and ideas from a field of the brightest thought leaders in talent management. Those insights, coupled with our deep and comprehensive understanding of strategic human capital management, result in measurable, real-world strategies that help client organizations attract and retain high-performing people, build a diverse and inclusive workplace, and leverage individual and team performance throughout the enterprise. | 📸 |
| [`waupaca.wi.us`](https://google.com/search?q=waupaca.wi.us) | 05/07/2024 | Waupaca County is a county in the U.S. state of Wisconsin. As of the 2010 census, the population was 52,410. The county seat is Waupaca. The county was created in 1851 and organized in 1853. It is named after the Waupaca River, a Menominee language name meaning 'white sand bottom', 'pale water', or 'tomorrow river'. | 📸 |
| [`waupacacounty-wi.gov`](https://google.com/search?q=waupacacounty-wi.gov) | 05/07/2024 | Waupaca County is a county in the U.S. state of Wisconsin. As of the 2010 census, the population was 52,410. The county seat is Waupaca. The county was created in 1851 and organized in 1853. It is named after the Waupaca River, a Menominee language name meaning 'white sand bottom', 'pale water', or 'tomorrow river'. | 📸 |
| [`REPLIGEN`](https://google.com/search?q=REPLIGEN) | 03/07/2024 | Repligen is a bioprocessing-focused life sciences company bringing expertise and innovation to our customers since 1981. We are inspiring advances in bioprocessing through the development and commercialization of high-value products and flexible solutions that address critical steps in the production of biologic drugs. | 📸 |
| [`Guhring USA`](https://google.com/search?q=Guhring+USA) | 02/07/2024 | Guhring is a world-class manufacturer of round shank cutting tools for the metalworking industry; also a provider of top-quality coating, reconditioning and tool management services. More than a century of expertise in cutting tool manufacturing, combined with powerful R&D resources, place Guhring at the forefront of technical innovations in cutting tools. Globally there are 26 production plants and 36 service centers, along with hundreds of knowledgeable technical support experts, providing Guhring products and services to the industry. | |
↪️ More victims [here](/group/incransom?id=posts)
---
## **insane**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Going insane | 🔴 | 12/02/2024 06:29 | `http://nv5lbsrr4rxmewzmpe25nnalowe4ga7ki6yfvit3wlpu7dfc36pyh4ad.onion` | 📸 |
| Going insane | 🔴 | 12/02/2024 06:29 | `http://gfksiwpsqudibondm6o2ipxymaonehq3l26qpgqr3nh4jvcyayvogcid.onion` | 📸 |
| Going insane | 🔴 | 12/02/2024 06:30 | `http://r2ad4ayrgpf7og673lhrw5oqyvqg4em2fpialk7l7gxkasvqkqow4qad.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 1 victim found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`JspPharma`](https://google.com/search?q=JspPharma) | 17/01/2024 | A few words about the breached company: JSP Pharmaceutical Manufacturing (Thailand) PCL is engaged in Researching, Developing and producing drugs, dietary supplements, cosmetics, herbs, and dietary supplements in the form of vitamins including healthy coffee Ready. Its segments include Manufacturing and distribution of products under the customer's Brand name and Own Brand name. The majority of the revenue comes from the manufacturing and distribution of products under the customer's brand name. The Group is managed and operates principally in Thailand. | 📸 |
---
## **karakurt**
🔎 `ransomware.live` has an active parser for indexing karakurt's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Chat | 🟢 | 30/07/2024 02:27 | `http://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vl3li3lfo7saabxazshnead.onion` | 📸 |
| Magazine | 🟢 | 30/07/2024 02:27 | `http://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq7i7cbs23lb6llryd.onion` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://karaleaks.com` | 📸 |
#### **External information**
- https://www.malwarebytes.com/blog/news/2022/06/karakurt-extortion-group-threat-profile
#### **Ransom note**
* [📝 2 ransom notes](notes/karakurt)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 74 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Hospice of Huntington`](https://google.com/search?q=Hospice+of+Huntington) | 22/09/2023 | Hospice of Huntington, Inc. is the first hospice in the State of West Virginia. Founded in 1982. Karakurt has obtained 20 gb data of the hospice. Many financial and operating files. HR information, medical records, PI of volunteers, information of donations and much other. | |
| [`Yakima Valley Radiology`](https://google.com/search?q=Yakima+Valley+Radiology) | 22/09/2023 | Yakima Valley Radiology PC is a company that operates in the Hospital & Health Care industry. 10 of the organization contain financial reports, client lists with contacts, list of patients for 15 years (212579 rows), a database of social security numbers (including staff, doctors) with 766000 rows. | |
| [`Valley Mountain Regional Center`](https://google.com/search?q=Valley+Mountain+Regional+Center) | 31/08/2023 | Valley Mountain Regional Center is a private company that serves children and adults with developmental disabilities. Data: 147GB (medical record, passports, SSNs, accounting, financial documents). Soon. | 📸 |
| [`COSI`](https://google.com/search?q=COSI) | 02/08/2023 | COSI, Columbus, Ohio's dynamic Center of Science and Industry, inspires the scientists, dreamers, and innovators of tomorrow. We've taken about 75GBs of data from this organization. You will find there their projects information, lots of accounting and financial documents, contracts (some of them are confidential), clients contacts, donations information and so on. There are also databases containing clients, partners and employee data, transactions and correspondence. Wait for the release. | 📸 |
| [`McAlester Regional Health Center`](https://google.com/search?q=McAlester+Regional+Health+Center) | 28/07/2023 | Founded in 1978, McAlester Regional Health Center is devoted to a continuum of care offering a variety of health care services to the citizens of Southeast Oklahoma. Another medical center that doesn't care about their patients' data. 126gb of this organization data includes medical information, personal documents, financial and accounting data and lots of HR documentation. 40gb of DNA tests of patients is a bonus! Stay tuned. | 📸 |
| [`Regional Family Medicine`](https://google.com/search?q=Regional+Family+Medicine) | 28/07/2023 | Regional Family Medicine is a primary care group comprised of two separate clinic locations, eight primary care physicians, four advanced practice nurses, and over fifty other nurses, technicians and support staff. There is some data on medical staff, ss numbers, medical reports, bank statements, invoices, some confidential docs, incidents. +5gb SQL. | 📸 |
| [`Jefferson County Health Center`](https://google.com/search?q=Jefferson+County+Health+Center) | 03/07/2023 | Jefferson County Hospital, Waurika, Oklahoma, is a 25-bed critical access facility providing medical services to residents of Jefferson County and surrounding communities. 1.1 TB from the medical facility: medical records, test results, and personal information of employees and patients. Accounting and financial information is abundant. This data will be uploaded during upcoming summer release. | 📸 |
| [`CentroMed`](https://google.com/search?q=CentroMed) | 28/06/2023 | El Centro del Barrio (CDB), which started doing business as CentroMed in 2001, was founded in 1971 and ran one counseling program for children and adolescents. They lost 25 GB of their data, which contains several thousand ssns and other medical and health information. Accounting, financial, human resources data is also represented. | 📸 |
| [`Pan Pacific Hotels Group`](https://google.com/search?q=Pan+Pacific+Hotels+Group) | 28/06/2023 | Pan Pacific Hotels Group is a wholly-owned hotel subsidiary of Singapore-listed UOL Group Limited. Pan Pacific Melbourne has lost lots of corporate and personal documents. Contracts, ssns, passports, drivers licenses. 40+GB of data are coming. | 📸 |
| [`Reeds Spring School District`](https://google.com/search?q=Reeds+Spring+School+District) | 26/06/2023 | Gibson Technical Center is a career and technical education school that is part of the Reeds Spring School District. 155GB have been stolen from their network. You can find there: HR, detailed finance and accounting, employee information and contracts, confidential students information including medical documents, databases with complete students information. The data will be uploaded during upcoming summer leaks. | |
↪️ More victims [here](/group/karakurt?id=posts)
---
## **karma**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Karma Leaks | 🔴 | 05/11/2021 02:09 | `http://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion` | ❌ |
#### **External information**
- https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/
- https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware
- https://www.bleepingcomputer.com/news/security/new-karma-ransomware-group-likely-a-nemty-rebrand/
- https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/
- https://securityaffairs.co/wordpress/123568/malware/karma-ransomware-nemty-similarities.html
#### **Ransom note**
* [📝 1 ransom note](notes/karma)
### _Victims_
> 7 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Our first post`](https://google.com/search?q=Our+first+post) | 04/10/2021 | | |
| [`Saurer. Part 1.`](https://google.com/search?q=Saurer.+Part+1.) | 04/10/2021 | | |
| [`Align Technology. Part 1.`](https://google.com/search?q=Align+Technology.+Part+1.) | 04/10/2021 | | |
| [`The next leak will be of a multi billion dollar cosmetics and fragrance company.`](https://google.com/search?q=The+next+leak+will+be+of+a+multi+billion+dollar+cosmetics+and+fragrance+company.) | 04/10/2021 | | |
| [`Align Technology. Part 2.`](https://google.com/search?q=Align+Technology.+Part+2.) | 04/10/2021 | | |
| [`SI Group. Part 1.`](https://google.com/search?q=SI+Group.+Part+1.) | 04/10/2021 | | |
| [`YASH Technologies. Part 1.`](https://google.com/search?q=YASH+Technologies.+Part+1.) | 04/10/2021 | | |
---
## **kelvinsecurity**
_`not a ransomware group`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| 429 | 🟢 | 30/07/2024 02:28 | `http://kelvinsecteamcyber.wixsite.com` | 📸 |
#### **External information**
- https://twitter.com/Ksecureteamlab
### _Total Attacks Over Time_

### _Victims_
> 26 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`TRANSCONTRACT`](https://google.com/search?q=TRANSCONTRACT) | 24/05/2022 | | |
| [`Mansfield Energy`](https://google.com/search?q=Mansfield+Energy) | 24/05/2022 | | |
| [`Channel Navigator business intelligence IT`](https://google.com/search?q=Channel+Navigator+business+intelligence+IT) | 13/05/2022 | | |
| [`Next Leak On Hold`](https://google.com/search?q=Next+Leak+On+Hold) | 06/05/2022 | | |
| [`PTC Industries`](https://google.com/search?q=PTC+Industries) | 06/05/2022 | | |
| [`Municipality of Posadas`](https://google.com/search?q=Municipality+of+Posadas) | 03/05/2022 | | |
| [`bfclcoin`](https://google.com/search?q=bfclcoin) | 03/05/2022 | | |
| [`Instance IT Solutions India`](https://google.com/search?q=Instance+IT+Solutions+India) | 03/05/2022 | | |
| [`Waiting for next leak`](https://google.com/search?q=Waiting+for+next+leak) | 25/04/2022 | | |
| [`NATION Costa Rica`](https://google.com/search?q=NATION+Costa+Rica) | 25/04/2022 | | |
↪️ More victims [here](/group/kelvinsecurity?id=posts)
---
## **killsec**
🔎 `ransomware.live` has an active parser for indexing killsec's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Kill Security 2.0 | 🟢 | 30/07/2024 02:28 | `http://kill432ltnkqvaqntbalnsgojqqs2wz4lhnamrqjg66tq6fuvcztilyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 9 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`maxcess-logistics.com`](https://google.com/search?q=maxcess-logistics.com) | 01/07/2024 | Maxcess Logistics is a freight forwarding and logistics company based in Rades, Tunisia. They provide a variety of logistics solutions including airfreight, seafreight, and customs clearance. | 📸 |
| [`agranibank.org`](https://google.com/search?q=agranibank.org) | 17/05/2024 | Agrani Bank PLC is a state-owned commercial bank of Bangladesh established in 1972. Its headquarters is situated at Motijheel in Dhaka, the capital city of Bangladesh. | 📸 |
| [`laxmicapital.com.np`](https://google.com/search?q=laxmicapital.com.np) | 17/05/2024 | Laxmi Capital Market Limited, Finance, Banking, eBanking, Online Banking, Capital | 📸 |
| [`delhipolice.gov.in`](https://google.com/search?q=delhipolice.gov.in) | 03/04/2024 | We have got Delhi Police breached. We managed to export all the data except for the pictures which we exported only 4GB and the rest are stored on their shitty server... | 📸 |
| [`politiaromana.ro`](https://google.com/search?q=politiaromana.ro) | 21/03/2024 | We managed to gain access to a server belonging to the Romanian police and discovered over 200,000 records. To completely delete this data, we ask for a ransom of 1500 EUR. | 📸 |
| [`rabitbd.com`](https://google.com/search?q=rabitbd.com) | 21/03/2024 | We got the Bangladeshi payment system (aka Rabitbd) breached. For us to wipe the data breach, we ask for a ransom of 2k EUR (negotiable). | 📸 |
| [`pbgbank.com`](https://google.com/search?q=pbgbank.com) | 21/03/2024 | We have got PBGB (Paschim Banga Gramin Bank) breached. For us to wipe the data breach, we ask for a ransom of 10.000 EUR (negotiable). | 📸 |
| [`excellifecoaching.com`](https://google.com/search?q=excellifecoaching.com) | 21/03/2024 | We have extracted the whole database. WP plugins data, theme, WooCommerce data etc. We have also logged out administrators for security reasons and changed the password. | 📸 |
| [`keralapolice.gov.in`](https://google.com/search?q=keralapolice.gov.in) | 21/03/2024 | The Kerala Police is the law enforcement agency for the Indian state of Kerala. We have got keralapolice.gov.in (Kerala police) breached. For us to wipe the data breach, we ask for a ransom of 2500 EUR (negotiable). | 📸 |
---
## **knight**
> [Cyclops](group/cyclops) rebrand
🔎 `ransomware.live` has an active parser for indexing knight's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Please wait... | 🔴 | 14/02/2024 07:56 | `http://knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion` | 📸 |
#### **Ransom note**
* [📝 2 ransom notes](notes/knight)
### _Total Attacks Over Time_

### _Victims_
> 49 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`DHX–Dependable Hawaiian Express`](https://google.com/search?q=DHX%E2%80%93Dependable+Hawaiian+Express) | 12/02/2024 | DHX–Dependable Hawaiian Express. 20 GB of accounting documents were stolen; backup NAS server stolen. DHX-Dependable Hawaiian Express is the leading ocean freight company currently serving Hawaii and Guam. Offering ocean services, both Full Container Load (FCL) and Less Than Container Load (LCL), you can ship from all four west coast ports and throughout the continental U.S. to Hawaii and Guam. Using our transcontinental trucking network, we move LCL shipments from any point in the United States, and we offer FCL intermodal services to and from Hawaii and Guam. We also offer both LCL and FCL eastbound service from Hawaii and Guam to the continental U.S. DGX–Dependable Global Express. DGX is one of the most respected international ocean and air freight service providers. DGX serves global ocean and air destinations through most ports or airports, to and from any point in the United States, as well as between foreign points. With consolidation, Full Container Load (FCL) and Less Than Container Load (LCL) services from most worldwide locations and all global origins to any point within the continental U.S., DGX has terminals and gateways in Long Beach, Oakland, Portland, Seattle, New York, Atlanta, Chicago and Houston. Additionally we have 14 offices located throughout the Pacific Rim, Oceania, Asia and the Pacific Islands. See all DGX USA Gateway locations. Our air service offers the highest quality of global air freight service available within the air cargo industry. Shipments from 1 lb to 10,000 lbs or more can easily move door to door, or door to airport. Whether oversize, heavyweight or hazardous materials, we ensure that the integrity of your shipment is maintained throughout carriage. DGX is fully compliant with all U.S. Government agency rules and regulations including TSA, DHS, and FAA and is also IATA licensed. | 📸 |
| [`GRUPO SCA(Release of all data)`](https://google.com/search?q=GRUPO+SCA%EF%BC%88Release+of+all+data%29) | 05/02/2024 | https://www.gruposca.com/historia/ Release of all data. Enjoy: http://uzfrntnmwojla5v4w3xvpxerjg43kuzqxmtspqhi5qclwtof5ibgonyd.onion/GRUPOSCA/GRUPOSCA.rar 5.png 46.46 KB, 1.png 97.33 KB, 2.png 27.62 KB, 7.png 134.84 KB, 6.png 76.01 KB, 8.png 324.76 KB, 9.png 136.46 KB, 10.png 175.1 KB | 📸 |
| [`FEPCO Zona Franca SAS`](https://google.com/search?q=FEPCO+Zona+Franca+SAS) | 04/02/2024 | we have +100GB of confidential data, bank contracts, invoices, customer data, company invoices, company receipts. | 📸 |
| [`AbelSantosyAsociados`](https://google.com/search?q=AbelSantosyAsociados) | 02/02/2024 | We'll provide a sample of the data. Enjoy: http://uzfrntnmwojla5v4w3xvpxerjg43kuzqxmtspqhi5qclwtof5ibgonyd.onion/AbelSantosyAsociados/sampledata.rar Our activities cover the regulatory, technical, medical, marketing, building and administrative management aspects of companies dedicated to the manufacturing and/or marketing of pharmaceutical, cosmetic, dental, biomedical, mass consumption, household health products, diagnostic reagents, nutritional/dietary, phytotherapeutic and food. Our areas of activity are under the responsibility of professionals with extensive national and international experience, developed in leading companies in the production and marketing of health products, who guarantee personalized attention, framed in excellence, reliability and confidentiality. 1.png 74.46 KB, 2.png 75.2 KB, 3.png 136.72 KB, 4.png 460.44 KB, 5.png 70.5 KB | 📸 |
| [`CityDfDefiance(Disclosure of all)`](https://google.com/search?q=CityDfDefiance%28Disclosure+of+all%29) | 01/02/2024 | Because of their lack of cooperation, we had to release all the data, which included law enforcement documents and law enforcement videos, including some of their classified documents, which looked very interesting. The latest data compression pack is All.rar (387Gb). We have obtained more than 390Gb files on their internal network, which contain employee files, law enforcement video, mail and various confidential documents such as contracts. It seems that they don't care about the privacy of their employees and law enforcement. Let's publish part of the data first. FIRST: http://uzfrntnmwojla5v4w3xvpxerjg43kuzqxmtspqhi5qclwtof5ibgonyd.onion/cityofdefiance/part1.rar We will release it one after another. cityofdefiance.com. Defiance, Ohio. City in and the county seat of Defiance County, Ohio, United States • Defiance is a city in and the county seat of Defiance County, Ohio, United States, about 55 miles southwest of Toledo and 47 miles northeast of Fort Wayne, Indiana, in Ohio's northwestern corner. The population was 17,066 at the 2020 census. City of Defiance, 631 Perry Street, Defiance, Ohio 43512. Phone: 419-784-2101. https://www.facebook.com/cityofdefiance/ 50MB sample files: https://gofile.io/d/[REDACTED] | 📸 |
| [`DIROX LTDA (Vietnã)`](https://google.com/search?q=DIROX+LTDA+%28Vietn%C3%A3%29) | 01/02/2024 | Dirox is a proven turn-key digital solution partner with 20 years of experience, over 120 talented employees, and offices in the United States (Los Angeles), Paris (France), Saigon (Vietnam), Osaka (Japan), and Ottawa (Canada). 50GB of confidential banking data, clients, invoices. 2.png 66.23 KB, 3.png 272.7 KB, 4.png 129.07 KB, 5.png 293.52 KB, 6.png.png 306.03 KB, 7.png 110.34 KB, 8.png 164.41 KB, 9.png 150.39 KB, 12.png 505.37 KB, 13.png 117.74 KB | 📸 |
| [`Chamber of Deputies of Romania (Camera Deputaților din România)`](https://google.com/search?q=Chamber+of+Deputies+of+Romania+%28Camera+Deputa%C8%9Bilor+din+Rom%C3%A2nia%29) | 29/01/2024 | We have obtained more than size of 250,000 MB documents and contracts and more information from Chamber of Deputies of Romania. Let's publish a small part of the data first. https://gofile.io/d/[REDACTED] Media and TV, important documents about Deputies (National ID, salary, spending, advertising contracts, employees, offices, Deputies and more). https://satoshidisk.com/pay/CKXGq2 premier.png 1.64 MB, u.png 774.6 KB, 1.png 89.66 KB, responder.png 80.1 KB, responder2.png 147.84 KB, 4.png 526.58 KB, 3.png 409.77 KB, 5.png 55.7 KB | 📸 |
| [`ABECOM LTDA`](https://google.com/search?q=ABECOM+LTDA) | 29/01/2024 | We have more than 170 GB of confidential ABECOM company files, contracts, finances, projects, customer and employee data, reports, sales and purchase documents, returns, freight, invoices, photos of employees' cars, photos of employees, vehicle checks, repair and warranty submissions, thermography, signatures, photos and videos. | 📸 |
| [`Agro Baggio LTDA`](https://google.com/search?q=Agro+Baggio+LTDA) | 07/01/2024 | Apparently, the DPO/LGPD rules that Agro Baggio holds so dear are not working properly. But this time you can't get away. Your servers are lying down and the network is tightly closed and unavailable. We got more than 70 GB in compressed form of important data of Agro Baggio, John Deere and Customers. Don't make mistakes and do the right thing. This time you won't get away with it. Time. Best regards. Don't forget that the DPO/LGPD fine is high. Further data leakage will be on your conscience. Your tongue is your enemy. Nothing personal, just business. Best regards. 1 word = 1 mistake = 1 file. Enjoy. end.png 361.26 KB, 20230601-1.png 446.84 KB, 20230601-transfer.png 433.02 KB | 📸 |
| [`GRUPO SCA`](https://www.gruposca.com) | 06/01/2024 | We got over 100Gb of data from their network, containing their confidential files, and it looks like they don't care about their clients' data. Grupo SCA is a national consulting, solutions and advisory firm that has been in the market for more than twenty years. Our management team was trained at multinational firms in the sector, and our experience, working methodologies and level of service have allowed us to retain the clients we have worked with. Our specialization and capabilities allow us to add value for the client at the strategic level and in the planning of their business, at the functional level by improving the management of their organization, processes and technology, and at the operational level by helping to execute specific tasks, either through direct collaboration with the user departments or by outsourcing them. The continuous requirements of our clients have led us to seek specialization by area of activity within each of the companies that make up Grupo SCA. The current configuration of Grupo SCA allows us to offer a comprehensive service to our clients. The Group has offices in Madrid, Barcelona and Bilbao and more than 200 clients across all sectors of activity. The evolution of the market has also led us to develop activities in various countries in Latin America, the Southern Mediterranean and the Russian Federation. 5.png 46.46 KB, 1.png 97.33 KB, 2.png 27.62 KB, 7.png 134.84 KB, 6.png 76.01 KB, 8.png 324.76 KB, 9.png 136.46 KB, 10.png 175.1 KB | 📸 |
↪️ More victims [here](/group/knight?id=posts)
---
## **la_piovra**
> ℹ️ La Piovra Ransomware is an exercise run by the company Offensive Security (also known as OffSec)
🔎 `ransomware.live` has an active parser for indexing la_piovra's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| La Piovra Ransomware | 🔴 | 14/06/2023 10:25 | `http://et22fibzuzfyzgurm35sttm52qbzvdgzy5qhzy46a3gmkrrht3lec5ad.onion` | 📸 |
| La Piovra Ransomware – a new cartel | 🔴 | 14/06/2023 10:26 | `http://h3txev6jev7rcm6p2qkxn2vctybi4dvochr3inymzgif53n2j2oqviqd.onion` | 📸 |
| La Piovra Ransomware - Members Only | 🔴 | 11/08/2023 17:27 | `http://wx3djgl4cacl6y4x7r4e4mbqrrub24ectue7ixyix2du25nfowtvfiyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 1 victim found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`MegaCorp One`](https://google.com/search?q=MegaCorp+One) | 25/06/2022 | In case you were wondering how we did it, your entire website code is on github!!!! A look on the code, a vuln here and there, and voila, all your files are now encrypted. We will start releasing other proprietary data that we copied. You have 2 days to pay! | 📸 |
---
## **leaktheanalyst**
_`not a ransomware group`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| #LeakTheAnalyst | 🔴 | 05/08/2022 10:37 | `http://leaktheanalyst.fireeye62c3da3fnosymmmcqcty7rl7cjucpbkzaz275a4qs5fgkzhad.onion` | ❌ |
### _Total Attacks Over Time_

### _Victims_
> 20 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`19 You Must Never Forget LeakTheAnalyst`](https://google.com/search?q=19+You+Must+Never+Forget+LeakTheAnalyst) | 29/03/2022 | | |
| [`18 Build your own drone`](https://google.com/search?q=18+Build+your+own+drone) | 29/03/2022 | | |
| [`17 "Shoulders! How shocking!" Queen`](https://google.com/search?q=17+%22Shoulders%21+How+shocking%21%22+Queen) | 01/01/2022 | | |
| [`16 Nuclear leak`](https://google.com/search?q=16+Nuclear+leak) | 01/01/2022 | | |
| [`15.1 Supplementary`](https://google.com/search?q=15.1+Supplementary) | 01/01/2022 | | |
| [`15 All we know`](https://google.com/search?q=15+All+we+know) | 01/01/2022 | | |
| [`14 Kids vs. Governments !`](https://google.com/search?q=14+Kids+vs.+Governments+%21) | 01/01/2022 | | |
| [`13 We are kids !`](https://google.com/search?q=13+We+are+kids+%21) | 01/01/2022 | | |
| [`12 Escape from the dark`](https://google.com/search?q=12+Escape+from+the+dark) | 01/01/2022 | | |
| [`11 you're awake!`](https://google.com/search?q=11+you%27re+awake%21) | 01/01/2022 | | |
↪️ More victims [here](/group/leaktheanalyst?id=posts)
---
## **lilith**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Lilith | 🔴 | 09/08/2022 14:56 | `http://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion` | ❌ |
#### **External information**
- https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/
- https://github.com/werkamsus/Lilith
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
- https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html
- https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group
- https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/
#### **Ransom note**
* [📝 1 ransom note](notes/lilith)
### _Victims_
> no victim found
---
## **lockbit**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://lockbitkodidilol.onion` | ❌ |
#### **External information**
- https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
- https://analyst1.com/ransomware-diaries-volume-1/
- https://asec.ahnlab.com/en/35822/
- https://asec.ahnlab.com/en/41450/
- https://asec.ahnlab.com/ko/39682/
- https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/
- https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/
- https://blog.lexfo.fr/lockbit-malware.html
- https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness
- https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities
- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/
- https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
- https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/
- https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/
- https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf
- https://github.com/EmissarySpider/ransomware-descendants
- https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://id-ransomware.blogspot.com/search?q=lockbit
- https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker
- https://intel471.com/blog/privateloader-malware
- https://ke-la.com/lockbit-2-0-interview-with-russian-osint/
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
- https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/
- https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511
- https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085
- https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1
- https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a
- https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/
- https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/
- https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf
- https://redcanary.com/blog/intelligence-insights-november-2021/
- https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack
- https://securelist.com/crimeware-report-lockbit-switchsymb/110068/
- https://securelist.com/modern-ransomware-groups-ttps/106824/
- https://securelist.com/new-ransomware-trends-in-2022/106457/
- https://security.packt.com/understanding-lockbit/
- https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html
- https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/
- https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments
- https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/
- https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/
- https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf
- https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354
- https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421
- https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
- https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/
- https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/
- https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/
- https://twitter.com/MsftSecIntel/status/1522690116979855360
- https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor
- https://unit42.paloaltonetworks.com/emerging-ransomware-groups/
- https://unit42.paloaltonetworks.com/lockbit-2-ransomware/
- https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/
- https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/
- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/
- https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
- https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/
- https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/
- https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf
- https://www.connectwise.com/resources/lockbit-profile
- https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
- https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/
- https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion
- https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware
- https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool
- https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb
- https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/
- https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants
- https://www.glimps.fr/dcouverte-dune-nouvelle-version-du-ramsomware-lockbit/
- https://www.glimps.fr/lockbit3-0/
- https://www.ic3.gov/Media/News/2022/220204.pdf
- https://www.intrinsec.com/alphv-ransomware-gang-analysis
- https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques
- https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://www.netskope.com/blog/netskope-threat-coverage-lockbit
- https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf
- https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
- https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
- https://www.seqrite.com/blog/indian-power-sector-targeted-with-latest-lockbit-3-0-variant/
- https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt
- https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html
- https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html
- https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
- https://www.youtube.com/watch?v=C733AyPzkoc
- https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/
- https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/
#### **Ransom note**
* [📝 3 ransom notes](notes/lockbit)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **lockbit2**
_`previous clearnet fqdn lockbitapt.uz`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| LOCKFILE | 🔴 | 21/11/2021 19:05 | `http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion` | ❌ |
| LockBit BLOG | 🔴 | 17/06/2022 16:10 | `http://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion` | ❌ |
| LockBit BLOG | 🔴 | 17/06/2022 16:10 | `http://oyarbnujct53bizjguvolxou3rmuda2vr72osyexngbdkhqebwrzsnad.onion` | ❌ |
| LockBit BLOG | 🔴 | 17/06/2022 16:11 | `http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion` | ❌ |
| LockBit BLOG | 🔴 | 17/06/2022 16:11 | `http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion` | ❌ |
#### **External information**
- https://threatpost.com/lockbit-ransomware-proliferates-globally/168746
- https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html
- https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-006-acsc-ransomware-profile-lockbit-20
### _Total Attacks Over Time_

### _Victims_
> 1006 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`datalit.it`](https://google.com/search?q=datalit.it) | 28/06/2022 | | |
| [`oak-brook.org`](https://google.com/search?q=oak-brook.org) | 26/06/2022 | | |
| [`ecos-office.com`](https://google.com/search?q=ecos-office.com) | 21/06/2022 | | |
| [`coteg-azam.fr`](https://google.com/search?q=coteg-azam.fr) | 21/06/2022 | | |
| [`sigma-alimentos...`](https://google.com/search?q=sigma-alimentos...) | 21/06/2022 | | |
| [`farmaciacirici....`](https://google.com/search?q=farmaciacirici....) | 21/06/2022 | | |
| [`agricolaandrea....`](https://google.com/search?q=agricolaandrea....) | 21/06/2022 | | |
| [`business.gov.om`](https://google.com/search?q=business.gov.om) | 20/06/2022 | | |
| [`builditinc.com`](https://google.com/search?q=builditinc.com) | 20/06/2022 | | |
| [`rhenus.group`](https://google.com/search?q=rhenus.group) | 20/06/2022 | | |
↪️ More victims [here](/group/lockbit2?id=posts)
---
## **lockbit3**
> LockBit, also recognized as LockBit Black or LockBit 3.0, is one of the largest ransomware groups in the world and has orchestrated extensive cyberattacks across various industries, impacting thousands of organizations globally with its relentless and adaptive strategies.
🔎 `ransomware.live` has an active parser for indexing lockbit3's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot |
|---|---|---|---|---|
| Title | 🔴 | 25/02/2024 01:59 | `http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion` | 📸 |
| Title | 🔴 | 25/02/2024 01:59 | `http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion` | 📸 |
| Title | 🔴 | 25/02/2024 02:00 | `http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion` | 📸 |
| Title | 🔴 | 25/02/2024 02:00 | `http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion` | 📸 |
| Title | 🔴 | 25/02/2024 02:01 | `http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion` | 📸 |
| Title | 🔴 | 25/02/2024 02:02 | `http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion` | 📸 |
| Title | 🔴 | 25/02/2024 02:02 | `http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion` | 📸 |
| Title | 🔴 | 25/02/2024 02:03 | `http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion` | 📸 |
| Title | 🔴 | 25/02/2024 02:03 | `http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion` | 📸 |
| Title | 🔴 | 25/02/2024 02:04 | `http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:10 | `http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:11 | `http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:12 | `http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:12 | `http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:13 | `http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:13 | `http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:14 | `http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 18:52 | `http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:15 | `http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion` | 📸 |
| LockBit LOGIN | 🔴 | 19/02/2024 20:15 | `http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion` | 📸 |
| none | 🔴 | 23/06/2024 14:08 | `http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion` | 📸 |
| 502 Bad Gateway | 🔴 | 16/06/2024 06:02 | `http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion` | 📸 |
| 502 Bad Gateway | 🔴 | 16/06/2024 10:37 | `http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion` | 📸 |
| LockBit BLOG | 🔴 | 15/06/2024 16:09 | `http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion` | 📸 |
| LockBit BLOG | 🔴 | 15/06/2024 14:13 | `http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion` | 📸 |
| LockBit BLOG | 🔴 | 15/06/2024 14:14 | `http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion` | 📸 |
| Humanity check | 🔴 | 29/07/2024 05:29 | `http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion` | 📸 |
| 504 Gateway Time-out | 🔴 | 26/06/2024 15:04 | `http://ofj3oaltwaf67qtd7oafk5r44upm6wkc2jurpsdyih2c7mbrbshuwayd.onion` | 📸 |
| none | 🔴 | 29/07/2024 06:30 | `http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion` | 📸 |
| none | 🟢 | 30/07/2024 02:29 | `http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion` | 📸 |
| none | 🟢 | 30/07/2024 02:29 | `http://lockbitw2ygzasbt35ffpdb46r4vkej6flm3siyabaxzdodwpiatfgqd.onion` | 📸 |
| Humanity check | 🟢 | 30/07/2024 02:30 | `http://lockbit23xxhej7swdop24cru7ks2w66pw7zgdkydqo6f7wfyfqo7oqd.onion` | 📸 |
| Humanity check | 🟢 | 30/07/2024 02:30 | `http://lockbit7ixelt7gn3ynrs3dgqtsom6x6sd2ope4di7bu6e6exyhazeyd.onion` | 📸 |
| Humanity check | 🟢 | 30/07/2024 02:31 | `http://lockbitck6escin3p33v3f5uef3mr5fx335oyqon2uqoyxuraieuhiqd.onion` | 📸 |
| Humanity check | 🟢 | 30/07/2024 02:31 | `http://lockbitfhzimjqx2v7p2vfu57fpdm5zh2vsbfk5jkjod3k5pszbek7ad.onion` | 📸 |
| Humanity check | 🟢 | 30/07/2024 02:31 | `http://lockbiti7ss2wzyizvyr2x46krnezl4xjeianvupnvazhbqtz32auqqd.onion` | 📸 |
| Humanity check | 🟢 | 30/07/2024 02:32 | `http://lockbitkwkmhfb2zr3ngduaa6sd6munslzkbtqhn5ifmwqml4sl7znad.onion` | 📸 |
| Humanity check | 🟢 | 30/07/2024 02:32 | `http://lockbitqfj7mmhrfa7lznj47ogknqanskj7hyk2vistn2ju5ufrhbpyd.onion` | 📸 |
#### **Negotiation chats**
| Name | Link |
|---|---|
|**************************149576| 💬 |
|aguasdoporto.pt| 💬 |
|bakkerheftrucks.com| 💬 |
|bankbsi.co.id| 💬 |
|brownintegratedlogistics.com| 💬 |
|chsf.fr| 💬 |
|colonialgeneral.com| 💬 |
|continental.com| 💬 |
|datair.com| 💬 |
|des-ae.com| 💬 |
|emunworks.com| 💬 |
|entrust.com| 💬 |
|gavresorts.com.br| 💬 |
|genusplc.com| 💬 |
|gocontec.com| 💬 |
|guardiananalytics.com| 💬 |
|hgc.com.hk| 💬 |
|kaycan.com| 💬 |
|lapostemobile.fr| 💬 |
|millennia.pro| 💬 |
|msim.de| 💬 |
|myerspower.com| 💬 |
|newbridge.org| 💬 |
|nicklaus.com| 💬 |
|okcu.edu| 💬 |
|omscomponents.it| 💬 |
|plasticproductsco.com| 💬 |
|porcelanosa-usa.com| 💬 |
|preflooring.com| 💬 |
|psenergy.com| 💬 |
|qsi-q3.de| 💬 |
|royalmailgroup.com| 💬 |
|samyang.com| 💬 |
|scohil.com| 💬 |
|sirva.com| 💬 |
|software-line.it| 💬 |
|tapcocu.org| 💬 |
|vitalityhp.net| 💬 |
|vsainc.com| 💬 |
|wabteccorp.com| 💬 |
|wcinet.com| 💬 |
### _Total Attacks Over Time_

### _Victims_
> 1906 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`glnf.fr`](https://google.com/search?q=glnf.fr) | 25/07/2024 | The Grande Loge nationale française (abbreviated GLNF) is a French Masonic obedience founded in 1913 under the name « Grande Loge nationale indépendante et régulière pour la France et ses colonies | |
| [`e21c.co.uk`](https://google.com/search?q=e21c.co.uk) | 24/07/2024 | E21c - Business Information. Education · United Kingdom · 99 Employees. A message from our CEO: Education for the 21st Century is driven by a determination to create welcoming and open schools for the local community, where every person thrives, make... | 📸 |
| [`petroassist.co.uk`](https://google.com/search?q=petroassist.co.uk) | 24/07/2024 | PETROTEC GROUP. Billions of private files from the whole group's servers. Tomorrow the blog will be updated. Equipped with 100% own technology, the Petrotec Group focuses on the distribution of Fuel Dispensers, Car Wash Equipment, Fleet Management Systems and... | 📸 |
| [`tccfleet.com`](https://google.com/search?q=tccfleet.com) | 22/07/2024 | TCC’s history began in 1917 with the founder of Tai Chong Hsiang Steamship Company, Mr. C.S. Koo’s establishment of Tai Chong Hsiang Customs Brokerage Company in 1917. Leaving behind a poverty-stricken childhood, Mr. C.S. Koo was determined to set o... | 📸 |
| [`joliet86.org`](https://google.com/search?q=joliet86.org) | 18/07/2024 | Joliet Public Schools District 86 provides a high-quality, inclusive, and equitable education for students to grow, lead, and thrive by empowering staff, collaborating with families, and embracing our diverse community. | 📸 |
| [`customssupport.be`](https://google.com/search?q=customssupport.be) | 18/07/2024 | We are specialised in - Import, export, and transit - Goods Classification - Customs Consultancy | 📸 |
| [`fbrlaw.com`](https://google.com/search?q=fbrlaw.com) | 18/07/2024 | First part is ALL QuickBook databases after 48 hours. Fusco, Brandenstein & Rada, P.C. Your Experienced Workers’ Compensation and Social Security Disability Attorneys Are you unable to work or has your income been impacted by an injury at wo... | 📸 |
| [`barkingwell.gr`](https://google.com/search?q=barkingwell.gr) | 18/07/2024 | Barking Well Media was founded by the Greek entrepreneur Nikos Koklonis, who was selected by Fortune magazine for its "40 under 40" list as one of the top entrepreneurs of 2015 in Greece under 40 years old. | 📸 |
| [`troyareasd.org`](https://google.com/search?q=troyareasd.org) | 18/07/2024 | The Troy Area School District is a school district of the third class organized under state law in Bradford County, PA. It contains the boroughs of Alba, Burlington, Sylvania and Troy, and the townships of Armenia, Burlington, Columbia, Granville, So... | 📸 |
| [`paysdelaloire.fr`](https://google.com/search?q=paysdelaloire.fr) | 18/07/2024 | Regional aid and services for economy and innovation Industry, commerce, agriculture, fishing, food or research... I discover all the regional aid and services useful to my projects for my business, my farm or my organization. | 📸 |
↪️ More victims [here](/group/lockbit3?id=posts)
---
## **lockbit3_fs**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| LockBit - Leaked | 🔴 | 07/01/2023 21:41 | `http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:41 | `http://lockbit7z2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:42 | `http://lockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:42 | `http://lockbit7z355oalq4hiy5p7de64l6rsqutwlvydqje56uvevcc57r6qd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:43 | `http://lockbit7z36ynytxwjzuoao46ck7b3753gpedary3qvuizn3iczhe4id.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:43 | `http://lockbit7z37ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:44 | `http://lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:44 | `http://lockbit7z3ddvg5vuez2vznt73ljqgwx5tnuqaa2ye7lns742yiv2zyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:46 | `http://lockbit7z3hv7ev5knxbrhsvv2mmu2rddwqizdz4vwfvxt5izrq6zqqd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:46 | `http://lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 31/12/2022 15:54 | `http://lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fi5iyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:48 | `http://lockbit7z4cgxvictidwfxpuiov4scdw34nxotmbdjyxpkvkg34mykyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:48 | `http://lockbit7z4k5zer5fbqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:49 | `http://lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:49 | `http://lockbit7z55tuwaflw2c7torcryobdvhkcgvivhflyndyvcrexafssad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:50 | `http://lockbit7z57mkicfkuq44j6yrpu5finwvjllczkkp2uvdedsdonjztyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:51 | `http://lockbit7z5ehshj6gzpetw5kso3onts6ty7wrnneya5u4aj3vzkeoaqd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:52 | `http://lockbit7z5hwf6ywfuzipoa42tjlmal3x5suuccngsamsgklww2xgyqd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 31/12/2022 16:00 | `http://lockbit7z5ltrhzv46lsg447o3cx2637dloc3qt4ugd3gr2xdkkkeayd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 31/12/2022 16:01 | `http://lockbit7z6choojah4ipvdpzzfzxxchjbecnmtn4povk6ifdvx2dpnid.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:53 | `http://lockbit7z6dqziutocr43onmvpth32njp4abfocfauk2belljjpobxyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:54 | `http://lockbit7z6f3gu6rjvrysn5gjbsqj3hk3bvsg64ns6pjldqr2xhvhsyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:55 | `http://lockbit7z6qinyhhmibvycu5kwmcvgrbpvtztkvvmdce5zwtucaeyrqd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 07/01/2023 21:55 | `http://lockbit7z6rzyojiye437jp744d4uwtff7aq7df7gh2jvwqtv525c4yd.onion` | 📸 |
| LockBit File Share | 🔴 | 07/01/2023 21:56 | `http://lockbitfile2tcudkcqqt2ve6btssyvqwlizbpv5vz337lslmhff2uad.onion` | 📸 |
| LockBit Private Note | 🔴 | 22/12/2022 21:02 | `http://lockbitnotexk2vnf2q2zwjefsl3hjsnk4u74vq4chxrqpjclfydk4ad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 18:23 | `http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 18:24 | `http://lockbit7z2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 15:22 | `http://lockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 18:25 | `http://lockbit7z355oalq4hiy5p7de64l6rsqutwlvydqje56uvevcc57r6qd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 18:26 | `http://lockbit7z36ynytxwjzuoao46ck7b3753gpedary3qvuizn3iczhe4id.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 15:24 | `http://lockbit7z37ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 15:25 | `http://lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 15:27 | `http://lockbit7z3ddvg5vuez2vznt73ljqgwx5tnuqaa2ye7lns742yiv2zyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 15:28 | `http://lockbit7z3hv7ev5knxbrhsvv2mmu2rddwqizdz4vwfvxt5izrq6zqqd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 18:29 | `http://lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 18:30 | `http://lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fi5iyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 15:30 | `http://lockbit7z4cgxvictidwfxpuiov4scdw34nxotmbdjyxpkvkg34mykyd.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 18:32 | `http://lockbit7z4k5zer5fbqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid.onion` | 📸 |
| LockBit - Leaked | 🔴 | 19/05/2024 18:33 | `http://lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad.onion` | 📸 |
### _Victims_
> no victim found
---
## **lockdata**
_`marketplace - not a ransomware group`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| LockData Auction | 🔴 | 09/04/2022 16:16 | `http://wm6mbuzipviusuc42kcggzkdpbhuv45sn7olyamy6mcqqked3waslbqd.onion` | ❌ |
#### **External information**
- https://www.telekom.com/en/blog/group/article/lockdata-auction-631300
- https://twitter.com/darktracer_int/status/1418318232885153792
### _Victims_
> 5 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`[USA] OrthoCare, 700 Lake Ave, Ste 6, Manchester, New Hampshire, 03103`](https://google.com/search?q=%5BUSA%5D+OrthoCare%2C+700+Lake+Ave%2C+Ste+6%2C+Manchester%2C+New+Hampshire%2C+03103) | 09/09/2021 | | |
| [`[Saudi Arabia] Al Wefag Trading & Manufacturing`](https://google.com/search?q=%5BSaudi+Arabia%5D+Al+Wefag+Trading+%26+Manufacturing) | 09/09/2021 | | |
| [`[CZ] GORDIC spol. s r.o.`](https://google.com/search?q=%5BCZ%5D++GORDIC+spol.+s+r.o.) | 09/09/2021 | | |
| [`[USA] Crary Industries Inc.`](https://google.com/search?q=%5BUSA%5D+Crary+Industries+Inc.) | 09/09/2021 | | |
| [`[CHINA] TCL China Star Optoelectronics Technology Co., Ltd`](https://google.com/search?q=%5BCHINA%5D+TCL+China+Star+Optoelectronics+Technology+Co.%2C+Ltd) | 09/09/2021 | | |
---
## **lolnek**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 27/08/2022 08:28 | `http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion` | ❌ |
| none | 🔴 | 11/05/2023 04:34 | `http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion` | 📸 |
| none | 🔴 | 01/10/2022 05:15 | `http://nclen75pwlgebpxpsqhlcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion` | ❌ |
### _Victims_
> no victim found
---
## **lorenz**
> Tesorion describes Lorenz as ransomware with design and implementation flaws, meaning that affected files cannot be decrypted even with the tools provided by the attackers. A free decryptor for the 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which a free decryptor was again provided, while the ransomware operators themselves are unable to supply tools that decrypt the affected files.
_`rfi location woe2suafeg6ehxivgvvn4nh6ectbdhdqgc4vzph27mmyn7rjf2c52jid.onion/index.php`_
🔎 `ransomware.live` has an active parser for indexing lorenz's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Lorenz | 🟢 | 30/07/2024 02:33 | `http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion` | 📸 |
#### **External information**
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
- https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/
- https://therecord.media/free-decrypter-available-for-lorenz-ransomware/
- https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20
- https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/
- https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware
- https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/
- https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/
#### **Ransom note**
* [📝 2 ransom notes](notes/lorenz)
### _Total Attacks Over Time_

### _Victims_
> 77 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Bayer Heritage Federal Credit Union`](https://google.com/search?q=Bayer+Heritage+Federal+Credit+Union) | 01/12/2023 | | |
| [`EOS`](https://google.com/search?q=EOS) | 15/11/2023 | | |
| [`Cogdell Memorial Hospital`](https://google.com/search?q=Cogdell+Memorial+Hospital) | 09/11/2023 | | |
| [`Koh Brothers`](https://google.com/search?q=Koh+Brothers) | 02/11/2023 | | |
| [`Truck Bodies & Equipment International`](https://google.com/search?q=Truck+Bodies+%26+Equipment+International) | 27/10/2023 | | |
| [`Broad River Retail/Ashley Store`](https://google.com/search?q=Broad+River+Retail%2FAshley+Store) | 15/10/2023 | | |
| [`AllCare Pharmacy`](https://google.com/search?q=AllCare+Pharmacy) | 02/10/2023 | | |
| [`Dee Sign`](https://google.com/search?q=Dee+Sign) | 12/09/2023 | | |
| [`BF&S Civil Engineers`](https://google.com/search?q=BF%26S+Civil+Engineers) | 20/08/2023 | | |
| [`Felling Trailers, Inc.`](https://google.com/search?q=Felling+Trailers%2C+Inc.) | 13/07/2023 | | |
↪️ More victims [here](/group/lorenz?id=posts)
---
## **losttrust**
🔎 `ransomware.live` has an active parser for indexing losttrust's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| LostTrust home | 🔴 | 02/11/2023 08:08 | `http://hscr6cjzhgoybibuzn2xud7u4crehuoo4ykw3swut7m7irde74hdfzyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 53 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Arazoza Brothers`](https://arazozabrothers.com) | 26/09/2023 | Arazoza Brothers is Florida’s leading Commercial Landscape company. We take pride in delivering consistently excellent results for clients across the state, throughout the lifespan of their landscapes. | |
| [`Popovici Nițu Stoica & Asociații`](https://pnsa.ro) | 26/09/2023 | Popovici Nițu Stoica & Asociații is one of the first incorporated professional partnerships in Romania. The Firm acts as outside counsel to a wide spectrum of legal entities, including key players in major industries, financial institutions, public authorities and investment funds. The Firm has linked its name with the creation of the essential Romanian market economy institutions after 1990, including the property funds, the stock exchanges, numerous regulatory agencies and judicial bodies. For decades, significant investment and acquisitions projects on the local market have been carried out with the legal assistance of Popovici Nițu Stoica & Asociații. The Popovici name is associated with legal service in Romania since the beginning of the last century. | |
| [`Procab`](https://procab.se) | 26/09/2023 | With a vision of 0% incidents we are driven to create safety in the process industry. We offer the market the best selection of valves and accessories control flows. It our partners and customers we want to create as good result from first contact. With commitment and high level of service this will be done in improvement processes, continues need as well as in project or in complete systems for big as well as small plants. Procab was founded in 1984 and have since 2003 been in its existing form as a modern and personal valve company. With Knowledge, Confident and Helpfulness as our beacon we want to grow in long term relations with both customers and partners. We want to develop our selves all the time to offer a better product, not the least in projects related to environment and innovations. Welcome to the modern company of knowledge and Valves. | |
| [`Hoosier Uplands Economic Development`](https://hoosieruplands.org) | 26/09/2023 | Hoosier Uplands is a local non-profit agency based in Southern Indiana that serves as an Area Agency on Aging, Community Action Agency, licensed Home Health Care and Hospice agency, and Community Housing Development Organization! | |
| [`Oasys Technologies`](https://oasystechnologies.com) | 26/09/2023 | Oasys Technologies is the premiere IT staffing and consulting firm in Minnesota. Serving the largest corporations in the Midwest, Oasys Technologies offers talented IT resources, software engineers trained in the most current technologies, and long-term careers. | |
| [`Merced City School District`](https://mcsd.k12.ca.us) | 26/09/2023 | OUR MISSION All scholars are ensured equitable access to high quality instruction in environments that value and build from their unique talents. Guiding scholars toward mastery of academics, we build from our scholars talents to nurture their continuous academic achievement, critical-thinking skills, and develop the resiliency, perseverance and confidence necessary to excel in learning and life. Our District team provides positive, inclusive environments where all scholars feel safe, respected, and connected. | |
| [`Morgan School District`](https://morgansd.org) | 26/09/2023 | The Morgan County School District Community stands united in the pursuit of educational excellence. It is our mission to create a challenging, learning environment that emphasizes literacy and numeracy. We seek to assist students as they prepare for responsible citizenship, meaningful work, advanced education, and life-long learning. | |
| [`Ferguson Wellman`](https://fergusonwellman.com) | 26/09/2023 | WE ARE A PRIVATELY OWNED, INVESTMENT ADVISORY FIRM serving individuals, families and institutions. For more than 40 years, we have designed and managed customized investment portfolios for clients’ IRAs, trusts, foundations, endowments, corporate retirement and pension plans. Ferguson Wellman and its division, West Bearing Investments, manage $8.2 billion for 913 clients. (updated annually, as of January 1, 2022) We have created two entry points to the same investment strategies that have been created by our own team of analysts. Our minimum for Ferguson Wellman client portfolios is $4 million and $1 million for West Bearing clients. With areas of expertise in investments, wealth management, institutional services and financial planning, we work together as a team to serve all client needs. Our private family office, Octavia Group, provides a suite of services that bring order and clarity to clients’ entire financial well-being. It is designed exclusively for our clients who have a minimum of $10 million managed by our firm. | |
| [`TORMAX`](https://tormax.com) | 26/09/2023 | TORMAX Quality for Demanding Customers TORMAX installed Europe’s first automatic door in 1951. Today a leading manufacturer of automatic door systems worldwide with 25 Group companies and 500+ distributors. TORMAX automatic door systems are found in office buildings, shopping malls, hotels and restaurants, department stores, airports and train stations, on ships and in apartment buildings – in short, in hundreds of thousands of buildings around the world. TORMAX is a division of the LANDERT Group, a privately owned Group of companies, characterised by innovation, quality and genuine entrepreneurship. The LANDERT Group was founded in 1924 with its headquarters in Bulach near Zurich, Switzerland, and employs over 1000 staff members across its two divisions SERVAX (customised electric drives) and TORMAX (automatic door systems). | |
| [`Brown and Streza`](https://brownandstreza.com) | 26/09/2023 | OUR MISSION Serve families, businesses, entrepreneurs, investors, philanthropists, and charitable organizations through our unified approach to business and personal planning. Provide exceptional, integrated domestic and international legal services in: • Comprehensive Tax Planning • Trusts & Estates Planning • Ultra-High-Net-Worth Planning • Trust & Estate Administration • Charitable Sector • Business Planning • Mergers & Acquisitions • Business Succession Planning • Real Estate Proactively serve clients, staff, and professional advisors by investing in technology, education, and long-term relationships. | |
↪️ More victims [here](/group/losttrust?id=posts)
---
## **lv**
> LV ransomware group main message: "Here are companies which didn't meet consumer data protection obligations. They rejected to fix their mistakes, they rejected to protect this data in the case when they could and had to protect it. These companies preferred to sell their private information, their employees' and customers' personal data". Security researchers claim that the LV group is using the REvil ransomware group's malware. The LV group claims to have compromised the corporate network of Groupe Reorev.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 26/12/2022 04:52 | `http://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion` | ❌ |
| Start-maximized.com | 🔴 | 02/12/2021 13:09 | `http://4qbxi3i2oqmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion` | ❌ |
#### **External information**
- https://www.secureworks.com/research/lv-ransomware
- https://securityaffairs.co/wordpress/119306/malware/lv-ransomware-repurposed-revil-binary.html
#### **Ransom note**
* [📝 1 ransom note](notes/lv)
### _Total Attacks Over Time_

### _Victims_
> 63 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`GLEN DIMPLEX GROUP UNITS WERE HACKED (DEFOND, DEFONDTECH AND OTHER). MORE THAN 1TB DATA WA`](https://google.com/search?q=GLEN+DIMPLEX+GROUP+UNITS+WERE+HACKED+%28DEFOND%2C+DEFONDTECH+AND+OTHER%29.+MORE+THAN+1TB+DATA+WA) | 27/11/2022 | | |
| [`UNITEDAUTO.MX HAVE BEEN HACKED DUE TO MULTIPLE NETWORK VULNERABILITIES. MORE THAN 2TB OF P`](https://google.com/search?q=UNITEDAUTO.MX+HAVE+BEEN+HACKED+DUE+TO+MULTIPLE+NETWORK+VULNERABILITIES.+MORE+THAN+2TB+OF+P) | 19/11/2022 | | |
| [`THEW ASSOCIATES HACKED. MORE THEN 50 GB SENSETIVE DATA LEAKED.`](https://google.com/search?q=THEW+ASSOCIATES+HACKED.+MORE+THEN+50+GB+SENSETIVE+DATA+LEAKED.) | 14/11/2022 | | |
| [`BRAZILIAN PET FOODS`](https://google.com/search?q=BRAZILIAN+PET+FOODS) | 11/11/2022 | | |
| [`LAW OFFICES OF JOHN T ORCUTT WAS HACKED. MORE THEN 2TB SENSETIVE DATA LEAKED.`](https://google.com/search?q=LAW+OFFICES+OF+JOHN+T+ORCUTT+WAS+HACKED.+MORE+THEN+2TB+SENSETIVE+DATA+LEAKED.) | 09/11/2022 | | |
| [`CONSUMAX.COM.AR - WAS HACKED AND MORE THEN 2TB SENSETIVE DATA LEAKED`](https://google.com/search?q=CONSUMAX.COM.AR+-+WAS+HACKED+AND+MORE+THEN+2TB+SENSETIVE+DATA+LEAKED) | 03/11/2022 | | |
| [`Saint Jean Industries - MORE THEN 1.5 TB DATA LEAKED`](https://google.com/search?q=Saint+Jean+Industries++-+MORE+THEN+1.5+TB+DATA+LEAKED) | 02/11/2022 | | |
| [`AWESOME-DENTAL.COM - HACKED AND MORE THEN 100GB LEAKED`](https://google.com/search?q=AWESOME-DENTAL.COM+-+HACKED+AND+MORE+THEN+100GB+LEAKED) | 02/11/2022 | | |
| [`WICKERSHAMCONSTRUCTION.COM - HACKED AND MORE THEN 1000GB DATA LEAKED!`](https://google.com/search?q=WICKERSHAMCONSTRUCTION.COM+-+HACKED+AND+MORE+THEN+1000GB+DATA+LEAKED%21) | 02/11/2022 | | |
| [`PARAMOUNT ENTERPRISE INTERNATIONAL HACKED AND MORE THEN 1.5 TB DATA LEAKED`](https://google.com/search?q=PARAMOUNT+ENTERPRISE+INTERNATIONAL+HACKED+AND+MORE+THEN+1.5+TB+DATA+LEAKED) | 02/11/2022 | | |
↪️ More victims [here](/group/lv?id=posts)
---
## **madcat**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| MadCat Ransomware | 🔴 | 27/11/2023 03:42 | `http://i2gc52bwm2vu2wnohwi3cli7t7hj3y2q7qj3th2bs64h2eej7z5jcgqd.onion` | 📸 |
#### **External information**
- https://cybernews.com/news/madcat-ransomware-gang-stealing-from-criminals/
### _Victims_
> no victim found
---
## **malas**
🔎 `ransomware.live` has an active parser for indexing malas's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Somos malas... podemos ser peores | 🟢 | 30/07/2024 02:34 | `http://malas2urovbyyavjzaezkt5ohljvyd5lt7vv7mnsgbf2y4bwlh72doqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 171 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Banco Azzoaglio`](https://google.com/search?q=Banco+Azzoaglio) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`Ларина`](https://google.com/search?q=%D0%9B%D0%B0%D1%80%D0%B8%D0%BD%D0%B0) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`Utair`](https://google.com/search?q=Utair) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`The Sound Organisation`](https://google.com/search?q=The+Sound+Organisation) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`Angle Metal Mfg.`](https://google.com/search?q=Angle+Metal+Mfg.) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`Красный Восток Агро`](https://google.com/search?q=%D0%9A%D1%80%D0%B0%D1%81%D0%BD%D1%8B%D0%B9+%D0%92%D0%BE%D1%81%D1%82%D0%BE%D0%BA+%D0%90%D0%B3%D1%80%D0%BE) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`Petromiralles`](https://google.com/search?q=Petromiralles) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`nanoCAD`](https://google.com/search?q=nanoCAD) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`Baggio`](https://google.com/search?q=Baggio) | 09/04/2023 | using Zimbra vulnerability | 📸 |
| [`ЖБИ2-Инвест`](https://google.com/search?q=%D0%96%D0%91%D0%982-%D0%98%D0%BD%D0%B2%D0%B5%D1%81%D1%82) | 09/04/2023 | using Zimbra vulnerability | 📸 |
↪️ More victims [here](/group/malas?id=posts)
---
## **malekteam**
🔎 `ransomware.live` has an active parser for indexing malekteam's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Just a moment... | 🟢 | 30/07/2024 02:34 | `http://malekteam.ac` | 📸 |
| Malek Team | 🟢 | 30/07/2024 02:35 | `http://195.14.123.2.` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 7 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`emalon.co.il`](https://google.com/search?q=emalon.co.il) | 05/04/2024 | 🔥Malek team in the newest cyber attack to Israeli sites, recently hacked emalon.co.il. "emalon" in Hebrew "אימלון" was a travelling site that was hacked by "Malek team".🔥🔴 & MALEK TEAM DESTROYED ALL DATA 🔴🔥 MALEK TEAM has everything 🔪🩸 | 📸 |
| [`Doctorim`](https://google.com/search?q=Doctorim) | 05/04/2024 | 🔥"Doctorim", in Hebrew "דוקתורים", is the online medical site in Israel which was attacked by Malek team. Based on this successful cyber attack, we have the information of more than 1,200,000 persons and companions ☠️ information includes: ☠️🩸 verified names🩸 verified identity numbers,🩸 verified contact numbers🩸 verified emails & phones🩸 & etc ...🧨⚠️and we destroyed all data⚠️🧨 MALEK TEAM has everything 🔪🩸 | 📸 |
| [`Beit Handesai`](https://google.com/search?q=Beit+Handesai) | 15/01/2024 | Beit Handesai, in Hebrew "בית ההנדסאי", the engineering company in Israel attacked by Malek team 🔥 Based on this successful cyber attack, we have the information of more than 60,000 persons and companions ☠️ information includes: ☠️documents including:🩸 names & identity numbers,🩸 contact numbers and emails,🩸 phones & home addresses🩸 PDFs of passports️🩸 & etc ...🧨⚠️and we destroyed all data⚠️🧨 MALEK TEAM has everything 🔪🩸 | 📸 |
| [`Ono Academic College`](https://google.com/search?q=Ono+Academic+College) | 24/12/2023 | 👁 130000 records of Personal Information include First name Last name Email Address Phone number Home Number Password ... | 📸 |
| [`dorimedia`](https://google.com/search?q=dorimedia) | 24/12/2023 | 🩸 Dori Media Group Hacked by Malek Team 🩸We have destroyed more than 100 TB data from this company. Since 1998 This is just the beginning of the story. Wait 🧨👀 Dori Media Group LTD. Dori Media Group is an international group of media companies, located in Israel, Switzerland, Argentina, Spain and Singapore. The group produces and distributes TV and New Media content, broadcasts various TV channels and operates video-content internet sites. We will leak all this information soon 👁 | 📸 |
| [`gav.co.il`](https://google.com/search?q=gav.co.il) | 24/12/2023 | 🔥🔥After infiltrating the network system of this site, we took the necessary access to it and transferred its useful data. And at the end, we deleted part of the existing information. Some information transferred from the GAV site: identity information and identification documents ☠️ a large number of financial and administrative files and documents, information and details of projects 🩸This amount of sensitive site information (about 10 terabytes) which was not worth transferring in terms of volume and time was deleted and destroyed 🔥 | 📸 |
| [`ZIV Hospital`](https://google.com/search?q=ZIV+Hospital) | 24/12/2023 | The ZIV medical center in northern Israel, in Safed, hacked by Malek team 🔥 Based on this successful cyber attack, we have the information of more than 300,000 patients and companions ☠️documents including:🩸 names & identity numbers,🩸 contact numbers and emails,🩸 types of diseases and drugs,🩸 genetic codes of patients,️🩸 their DNAs & RNAs,🩸 & etc ...MALEK TEAM has everything 🔪🩸 | 📸 |
---
## **mallox**
> This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this malware dates back to mid-June 2021. The extension of the encrypted files is set to the name of the compromised company: .
_`wtyafjyhwqrg[...].onion/post?get_listBlog`_
🔎 `ransomware.live` has an active parser for indexing mallox's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Mallox - Data Leaks | 🟢 | 30/07/2024 02:35 | `http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion` | 📸 |
#### **External information**
- https://asec.ahnlab.com/en/39152/
- https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/
- https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/
- https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html
- https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/
- https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html
- https://unit42.paloaltonetworks.com/mallox-ransomware/
- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/
- https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware
#### **Ransom note**
* [📝 2 ransom notes](notes/mallox)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 49 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`XENAPP-GLOBER`](https://google.com/search?q=XENAPP-GLOBER) | 14/07/2024 | Description not available | 📸 |
| [`integraservices`](https://google.com/search?q=integraservices) | 13/07/2024 | Description not available | 📸 |
| [`"Moshe Kahn Advocates"`](https://google.com/search?q=%22Moshe+Kahn+Advocates%22) | 05/06/2024 | Description not available | |
| [`Río Negro`](https://google.com/search?q=R%C3%ADo+Negro) | 03/06/2024 | Description not available | 📸 |
| [`Madata Data Collection & Internet Portals`](https://google.com/search?q=Madata+Data+Collection+%26+Internet+Portals) | 03/06/2024 | Description not available | 📸 |
| [`Assist Informatica`](https://google.com/search?q=Assist+Informatica) | 23/05/2024 | Description not available | |
| [`speditionlangen.de`](https://google.com/search?q=speditionlangen.de) | 09/04/2024 | Description not available | |
| [`Rafum Group`](http://www.rafumgroup.com) | 16/03/2024 | Description not available | |
| [`Ramdev Chemical Industries`](https://ramdevpigments.com) | 14/03/2024 | Description not available | |
| [`highfashion.com.hk`](https://google.com/search?q=highfashion.com.hk) | 03/03/2024 | Description not available | |
↪️ More victims [here](/group/mallox?id=posts)
---
## **marketo**
_`marketplace - not a ransomware group, previously on the clearnet at marketo.cloud`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://marketojbwagqnwx.onion` | ❌ |
| none | 🔴 | 01/05/2021 00:00 | `http://g5sbltooh2okkcb2.onion` | ❌ |
| 404 Not Found | 🔴 | 04/10/2021 08:05 | `http://fvki3hj7uxuirxpeop6chgqoczanmebutznt2mkzy6waov6w456vjuid.onion` | ❌ |
| 502 Bad Gateway | 🔴 | 14/03/2022 05:12 | `http://jvdamsif53dqjycuozlaye2s47p7xij4x6hzwzwhzrqmv36gkyzohhqd.onion` | ❌ |
#### **External information**
- https://www.digitalshadows.com/blog-and-research/marketo-a-return-to-simple-extortion
- https://securityaffairs.co/wordpress/121617/cyber-crime/puma-available-marketo.html
- https://t.me/marketo_leaks
- https://t.me/marketocloud
### _Total Attacks Over Time_

### _Victims_
> 32 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Vehicle Service Group (VSG)`](https://google.com/search?q=Vehicle+Service+Group+%28VSG%29) | 14/02/2022 | | |
| [`Millensys`](https://google.com/search?q=Millensys) | 07/12/2021 | | |
| [`GigaTribe`](https://google.com/search?q=GigaTribe) | 07/12/2021 | | |
| [`Morgan Truck Body, LLC`](https://google.com/search?q=Morgan+Truck+Body%2C+LLC) | 07/12/2021 | | |
| [`Luxottica Group S.p.A.`](https://google.com/search?q=Luxottica+Group+S.p.A.) | 07/12/2021 | | |
| [`Kawasaki Kisen Kaisha, Ltd. (“K” LINE)`](https://google.com/search?q=Kawasaki+Kisen+Kaisha%2C+Ltd.+%28%E2%80%9CK%E2%80%9D+LINE%29) | 07/12/2021 | | |
| [`X-FAB`](https://google.com/search?q=X-FAB) | 07/12/2021 | | |
| [`Axis Communications`](https://google.com/search?q=Axis+Communications) | 07/12/2021 | | |
| [`Gamesa Corporation leaked data`](https://google.com/search?q=Gamesa+Corporation+leaked+data) | 07/12/2021 | | |
| [`Sea Mar Community Health Centers`](https://google.com/search?q=Sea+Mar+Community+Health+Centers) | 07/12/2021 | | |
↪️ More victims [here](/group/marketo?id=posts)
---
## **maze**
> The Maze ransomware group is one of the best-known ransomware gangs; it targeted organizations worldwide across many industries. Security researchers believe that Maze operated as an affiliate network. Maze was one of the first groups to carry out a 'double extortion' attack: in the Allied Universal incident of November 2019 the group leaked the victim's data on the darknet. On November 1, 2020, Maze announced in an official press release that it was closing its operation. Security researchers claim that the threat actor behind the Maze group is 'TA2101'.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion` | ❌ |
#### **External information**
- http://www.secureworks.com/research/threat-profiles/gold-village
- https://adversary.crowdstrike.com/adversary/twisted-spider/
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
- https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer
- https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis
- https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
- https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
- https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html
- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
- https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
- https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
- https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md
- https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html
- https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
- https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f
- https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
- https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/
- https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/
- https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U
- https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/
- https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/
- https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/
- https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/
- https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://oag.ca.gov/system/files/Letter%204.pdf
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/
- https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf
- https://securelist.com/maze-ransomware/99137/
- https://securelist.com/targeted-ransomware-encrypting-data/99255/
- https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html
- https://sites.temple.edu/care/ci-rw-attacks/
- https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/
- https://twitter.com/certbund/status/1192756294307995655
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a
- https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
- https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
- https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/
- https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
- https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/
- https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/
- https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/
- https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/
- https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/
- https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/
- https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/
- https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/
- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/
- https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf
- https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/
- https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/
- https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.docdroid.net/dUpPY5s/maze.pdf
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
- https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
- https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
- https://www.secureworks.com/research/threat-profiles/gold-village
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html
- https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
- https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/
- https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/
#### **Ransom note**
* [📝 1 ransom note](notes/maze)
### _Victims_
> no victim found
---
## **mbc**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnlc53yxir22ad.onion` | ❌ |
#### **External information**
- https://www.thenationalnews.com/business/2021/08/21/mbc-ransomware-group-claims-responsibility-for-cyber-attack-on-irans-railway-network/
### _Victims_
> no victim found
---
## **medusa**
🔎 `ransomware.live`has an active parser for indexing medusa's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Human Verify | 🔴 | 01/03/2024 12:41 | `http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion` | 📸 |
| Medusa Chat | 🔴 | 27/05/2024 17:15 | `http://medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion` | 📸 |
| Human Verify | 🔴 | 30/05/2024 14:49 | `http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion` | 📸 |
| 503 Service Temporarily Unavailable | 🔴 | 03/06/2024 16:33 | `http://dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onion` | 📸 |
| Human Verify | 🔴 | 30/07/2024 01:08 | `http://kyfiw76eol6ph2mq7pi5e5tdvce37bicddhai62qhdc5ja6jdchz4qqd.onion` | 📸 |
| Human Verify | 🔴 | 29/07/2024 23:40 | `http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://45.9.148.39` | ❌ |
| Human Verify | 🟢 | 30/07/2024 02:36 | `http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion` | 📸 |
| Human Verify | 🟢 | 30/07/2024 02:37 | `http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://hupxs7ps7md24kpz4lwsbra64abgxjx3pcc2wuca5ibawf2g5hlpfyqd.onion` | ❌ |
#### **External information**
- https://news.drweb.com/show/?i=10302&lng=en
- https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
- https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/
- https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/
#### **Ransom note**
* [📝 1 ransom note](notes/medusa)
### _Total Attacks Over Time_

### _Victims_
> 280 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Gentlemen Group GmbH`](https://www.gentlemengroup.de/) | 27/07/2024 | Gentlemen Group GmbH (founded on January 1, 2021) provides services management, enterprise services (ESM) and management of identification and access (IAM), and technological consultations with an emphasis on strategy, organization, IT, as well as the implementation of decisions and training. Gentlemen Group GmbH corporate office is located in Starnberger Str. 8, 14612 Falkensee, Germany. The total amount of data leakage is 218.4 GB | 📸 |
| [`Vivara`](https://google.com/search?q=Vivara) | 24/07/2024 | Vivara is the largest retailer of jewelry in Brazil, with over 200 stores in major cities. The company also sells a wide range of design watches from brands such as Coach, Juicy Couture, Gucci, Lacoste, and more. Vivara corporate office is located in lj 207 Sai so 6580, Guara, Federal District, 71000-000, Brazil and has 1,167 employees. The total amount of data leakage is 1.18Tb and includes confidential data of CEO, top management team, employees and customers. Data also includes company's many hidden illegal activities. | 📸 |
| [`Coffrage LD`](https://google.com/search?q=Coffrage+LD) | 23/07/2024 | Coffrage LD specializes in formwork and concrete placement in commercial industrial, civil engineering, and multi-story building sectors. Coffrage LD corporate office is located in 2621 De La Rotonde Ave, Charny, Quebec, G6X 2M2, Canada and has 88 employees. The total amount of data leakage is 453.4 GB | 📸 |
| [`Owens Valley Career Development Center`](https://google.com/search?q=Owens+Valley+Career+Development+Center) | 23/07/2024 | Owens Valley Career Development Center (founded in 1976) is a dedicated American Indian organization operating under a consortium of Sovereign Nations. Nowadays, OVCDC is a multifaceted business reaching into all aspects of social services and educational services, as well as economic development markets, providing Native American communities with a mechanism for bettering quality of life. Owens Valley Career Development Center corporate office is located in 2574 Diaz Ln, Bishop, California, 93514, United States and has 195 employees. The total amount of data leakage is 300.2 GB | 📸 |
| [`AA Munro Insurance`](https://google.com/search?q=AA+Munro+Insurance) | 22/07/2024 | AA Munro Insurance - offer personal and commercial insurance solutions, as well as financial services. AA Munro Insurance corporate office is located in 219 Main St Ste 105, Antigonish, Nova Scotia, B2G 2C1, Canada and has 174 employees. | |
| [`Globes`](https://google.com/search?q=Globes) | 22/07/2024 | Globes - periodical publishing, coverage of Israeli business in management, investment, technology, law, accounting, and marketing. Globes corporate office is located in 53 Etzel St, Rishon LeZiyyon, Central District, 75706, Israel and has 298 employees. | |
| [`Jariet Technologies`](https://google.com/search?q=Jariet+Technologies) | 16/07/2024 | Jariet Technologies, Inc. is a fabless semiconductor company specializing in high-speed data converter technology. Jariet Technologies corporate office is located in 103 W Torrance Blvd, Redondo Beach, California, 90277, United States and has 64 employees.The total amount of data leakage is 325.5 GB | 📸 |
| [`H&H Group`](https://google.com/search?q=H%26H+Group) | 16/07/2024 | The H&H Group is full-service printing and sign shop. The H&H Group corporate office is located in 854 N Prince St, Lancaster, Pennsylvania, 17603, United States and has 40 employees. The total amount of data leakage is 395.8 GB | 📸 |
| [`ValeCard`](https://google.com/search?q=ValeCard) | 15/07/2024 | ValeCard (founded in 1995) - provides complex and integrated solutions for managing benefits, finances and frosts. ValeCard corporate office is located in 904 R Machado De Assis, Uberlandia, Minas Gerais, 38400-112, Brazil and has 399 employees. The total amount of data leakage is 107.6 GB | 📸 |
| [`Royal Brighton Yacht Club`](https://google.com/search?q=Royal+Brighton+Yacht+Club) | 15/07/2024 | Royal Brighton Yacht Club is one of Australia's premier yacht clubs, offering a wide range of sailing events and activities year-round. Royal Brighton Yacht Club corporate office is located in PO Box 74, Brighton, Victoria, 3186, Australia and has 19 employees. The total amount of data leakage is 94.2 GB | 📸 |
↪️ More victims [here](/group/medusa?id=posts)
---
## **medusalocker**
> MedusaLocker is a ransomware family first documented in late 2019 (see the id-ransomware and Talos write-ups below) and the subject of CISA's #StopRansomware advisory AA22-181A, also linked below. It is a different family from the Medusa DDoS bot written in .NET 2.0, whose C&C protocol is HTTP-based (its predecessor used IRC); that description belongs to the DDoS bot, not to this ransomware.
🔎 `ransomware.live`has an active parser for indexing medusalocker's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion` | 📸 |
| Ransomware blog – We will not give ourselves a nam | 🟢 | 30/07/2024 02:37 | `http://z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion` | 📸 |
#### **External information**
- http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html
- https://asec.ahnlab.com/en/48940/
- https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/
- https://blog.talosintelligence.com/2020/04/medusalocker.html
- https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/
- https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145
- https://twitter.com/siri_urz/status/1215194488714346496?s=20
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
- https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-181a
- https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/
- https://www.cybereason.com/blog/medusalocker-ransomware
- https://www.mandiant.com/resources/chasing-avaddon-ransomware
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
- https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/
- https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/
- https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/
#### **Ransom note**
* [📝 1 ransom note](notes/medusalocker)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 42 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Protected: HIDE NAME`](https://google.com/search?q=Protected%3A+HIDE+NAME) | 09/05/2024 | There is no excerpt because this is a protected post. | 📸 |
| [`Protected: HIDE NAME SELL DATA SOON`](https://google.com/search?q=Protected%3A+HIDE+NAME+SELL+DATA+SOON) | 25/04/2024 | There is no excerpt because this is a protected post. | 📸 |
| [`SHAMASS.ORG`](https://google.com/search?q=SHAMASS.ORG) | 25/04/2024 | Description: employee information – agreement – customer email (.xls) – .msg Outlook files. Price: $50000 (sale in one hand; there are options for making a profit from these files, which will be included in the deal) | 📸 |
| [`skalar.com`](https://google.com/search?q=skalar.com) | 29/11/2023 | There is no excerpt because this is a protected post. | 📸 |
| [`Protected: Name is hidden`](https://google.com/search?q=Protected%3A+Name+is+hidden) | 29/11/2023 | There is no excerpt because this is a protected post. | 📸 |
| [`wellons.org`](https://google.com/search?q=wellons.org) | 23/10/2023 | Description: employee information – agreement – customer email (.xls) – .pst files, 15+ GB, all Outlook messages 2006-2023. Price: 55000$ | 📸 |
| [`Ada-Borup-West School`](https://google.com/search?q=Ada-Borup-West+School) | 23/10/2023 | Description: employee information – student information – all contracts. Price: 35000$ | 📸 |
| [`Confidential files`](https://google.com/search?q=Confidential+files) | 02/10/2023 | A large number of documents of large companies are available for sale Revenue-$10-$70kk Financial documents, client cases, passports, tax evasion and many other documents are in closed sale, please contact qtox to coordinate the sale | 📸 |
| [`Protected: INSULCANA CONTRACTING LTD`](https://google.com/search?q=Protected%3A+INSULCANA+CONTRACTING+LTD) | 27/07/2023 | There is no excerpt because this is a protected post. | 📸 |
| [`INSULCANA CONTRACTING LTD`](https://google.com/search?q=INSULCANA+CONTRACTING+LTD) | 27/07/2023 | Description: employee information – agreement – customer email (.xls) – passports (all Canada) and other documents. Price: 35000$ | 📸 |
↪️ More victims [here](/group/medusalocker?id=posts)
---
## **meow**
🔎 `ransomware.live`has an active parser for indexing meow's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| MEOW | 🔴 | 13/07/2024 08:05 | `http://meow6xanhzfci2gbkn3lmbqq7xjjufskkdfocqdngt3ltvzgqpsg5mid.onion` | 📸 |
| none | 🔴 | 25/03/2024 12:47 | `http://totos7fquprkecvcsl2jwy72v32glgkp2ejeqlnx5ynnxvbebgnletqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 44 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Texas Tech University`](https://google.com/search?q=Texas+Tech+University) | 26/07/2024 | | |
| [`Global Industry Analysts`](https://google.com/search?q=Global+Industry+Analysts) | 26/07/2024 | 669 | |
| [`Encore`](https://google.com/search?q=Encore) | 26/07/2024 | | |
| [`Daikin`](https://google.com/search?q=Daikin) | 26/07/2024 | 692 | |
| [`Miami Gardens Florida`](https://google.com/search?q=Miami+Gardens+Florida) | 26/07/2024 | | |
| [`Nuclep`](https://google.com/search?q=Nuclep) | 26/07/2024 | | |
| [`Andersen Tax`](https://google.com/search?q=Andersen+Tax) | 26/07/2024 | | |
| [`The Physical Medicine Rehabilitation Center`](https://google.com/search?q=The+Physical+Medicine+Rehabilitation+Center) | 26/07/2024 | | |
| [`Villarreal and Begum Law Firm`](https://google.com/search?q=Villarreal+and+Begum+Law+Firm) | 26/07/2024 | | |
| [`Greenheck`](https://google.com/search?q=Greenheck) | 16/07/2024 | 9000$ | |
↪️ More victims [here](/group/meow?id=posts)
---
## **metaencryptor**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Metaencryptor::Home | 🟢 | 30/07/2024 02:39 | `http://metacrptmytukkj7ajwjovdpjqzd7esg5v3sg344uzhigagpezcqlpyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 23 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`MBE CPA`](https://mbe.cpa) | 14/06/2024 | MBE CPA is an accounting and business services company, providing financial solutions for individuals and businesses. Revenue: $25 M | 📸 |
| [`Autohaus Ebert`](https://www.autohaus-ebert.de) | 07/05/2024 | Autohaus Ebert GmbH & Co.KG has been there for its customers for more than 120 years. At 12 locations around the Weinheim headquarters, the company offers a wide range of new and used cars as well as commercial vehicles. In addition, Autohaus Ebert GmbH & Co.KG offers comprehensive services related to automobiles. Revenue: $200M | |
| [`Elbers GmbH & Co. KG`](https://www.eurofleurs.de) | 07/05/2024 | Wholesale and retail trade, import and export of flowers, plants, vegetables and horticultural necessities. Revenue: $ 3 M | |
| [`Jetson Specialty Marketing Services, Inc.`](https://jetsonmarketing.com) | 07/05/2024 | JSM is a full-service direct marketing communications company steadfast in assisting clients acquire new customers and build profitable, long-term relationships with those customers. From Analytics and Database Management to Direct Mail, Critical Communications, Digital Variable Print Production to Postal Optimization, Piece-level Tracking and Response Processing, JSM has a suite of solutions to assist in growing client's business. | |
| [`Vega Reederei GmbH & Co. KG`](https://www.vega-reederei.de) | 07/05/2024 | Headquartered at the Port of Hamburg, Vega is one of the world's fastest-growing shipping companies. Vega offers its customers a wide range of services that include shipbuilding, shipping operations, chartering, ship disposal and financial services. Revenue: EUR 19M Year 2022 | |
| [`Max Wild GmbH`](https://www.maxwild.com) | 07/05/2024 | Max Wild GmbH, based in Berkheim, has been responsible for the professional and sustainable implementation of numerous services in the field of construction, demolition, environment & recycling and logistics since 1955. As a family business, Max Wild offers its customers consistency and conversion strength combined with great regional connectivity. Customers receive innovative and tailor-made solutions for small and large projects and are supported with an individual service package from all divisions. | 📸 |
| [`stormtech`](https://stormtech.com) | 07/12/2023 | stormtech | 📸 |
| [`Garda`](https://www.garda.com/) | 07/12/2023 | Garda | 📸 |
| [`JD Sprinter Holdings 2010 SL`](https://www.sprintersports.com) | 28/11/2023 | JD Sprinter Holdings 2010 SL retails sportswear, outdoor clothing, and related equipment. over 7500 employees 109 M EUR EBITDA | 📸 |
| [`TANATEX Chemicals`](https://tanatexchemicals.com) | 01/11/2023 | TANATEX Chemicals is an international organisation that sells, develops, and produces chemicals for the textile industry. The company have been leading innovative solutions for textile processing for almost 60 years. It has worldwide network of offices and distributors, support customers all over the world.Revenue: $117M Year 2022 | 📸 |
↪️ More victims [here](/group/metaencryptor?id=posts)
---
## **midas**
> This malware, written in C#, is a variant of the Thanos ransomware family; it emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, ThreatLabz (Zscaler) analysed a case in which Midas ransomware was slowly deployed over a two-month period. This ransomware also operates its own data leak site as part of its double-extortion strategy.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Info | 🔴 | 15/04/2022 00:21 | `http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion` | ❌ |
#### **External information**
- https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/
- https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/
- https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants
### _Total Attacks Over Time_

### _Victims_
> 44 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Basra Multipurposr Terminal`](https://google.com/search?q=Basra+Multipurposr+Terminal) | 14/04/2022 | | |
| [`SUPREME SERVICES`](https://google.com/search?q=SUPREME+SERVICES) | 07/04/2022 | | |
| [`Jiangsu Kaili Carpet Co., Ltd.`](https://google.com/search?q=Jiangsu+Kaili+Carpet+Co.%2C+Ltd.) | 07/04/2022 | | |
| [`New Company 04.2022`](https://google.com/search?q=New+Company+04.2022) | 03/04/2022 | | |
| [`NetCompany`](https://google.com/search?q=NetCompany) | 23/03/2022 | | |
| [`Bigmtransport`](https://google.com/search?q=Bigmtransport) | 21/03/2022 | | |
| [`1`](https://google.com/search?q=1) | 18/03/2022 | | |
| [`Grcouceiro`](https://google.com/search?q=Grcouceiro) | 15/03/2022 | | |
| [`S`](https://google.com/search?q=S) | 23/02/2022 | | |
| [`SOUTHWARK METAL MANUFACTURING`](https://google.com/search?q=SOUTHWARK+METAL+MANUFACTURING) | 22/02/2022 | | |
↪️ More victims [here](/group/midas?id=posts)
---
## **mindware**
> Ransomware, potential rebranding of win.sfile.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| DataLeakBlog | 🔴 | 16/08/2022 10:33 | `http://dfpc7yvle5kxmgg6sbcp5ytggy3oeob676bjgwcwhyr2pwcrmbvoilqd.onion` | ❌ |
#### **External information**
- https://www.sentinelone.com/blog/from-the-front-lines-another-rebrand-mindware-and-sfile-ransomware-technical-breakdown/
### _Total Attacks Over Time_

### _Victims_
> 13 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`willsent`](https://google.com/search?q=willsent) | 05/05/2022 | | |
| [`welplaat`](https://google.com/search?q=welplaat) | 05/05/2022 | | |
| [`toshfarms`](https://google.com/search?q=toshfarms) | 05/05/2022 | | |
| [`thebureau`](https://google.com/search?q=thebureau) | 05/05/2022 | | |
| [`smd`](https://google.com/search?q=smd) | 05/05/2022 | | |
| [`simpsonplastering`](https://google.com/search?q=simpsonplastering) | 05/05/2022 | | |
| [`nottco`](https://google.com/search?q=nottco) | 05/05/2022 | | |
| [`micropakkn`](https://google.com/search?q=micropakkn) | 05/05/2022 | | |
| [`mediuscorp`](https://google.com/search?q=mediuscorp) | 05/05/2022 | | |
| [`diager`](https://google.com/search?q=diager) | 05/05/2022 | | |
↪️ More victims [here](/group/mindware?id=posts)
---
## **mogilevich**
🔎 `ransomware.live` has an active parser for indexing mogilevich's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Mogilevich - Blog - Leaks | 🔴 | 03/03/2024 15:47 | `http://dkgn45pinr7nwvdaehemcrpgcjqf4fooit3c4gjw6dhzrp443ctvnoad.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 9 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Shein`](https://shein.com/) | 01/03/2024 | Revenue: +$30B We successfully fucked shein's servers Category: child labour Data compromised:customers,shipment, employees information Size: 300GB Data is also for sale! Deadline: 3.10.24 If you are an employee of the company or someone who would like to buy the data, click on me | |
| [`Kick`](https://kick.com/) | 01/03/2024 | We successfully breached kick's system Category: video livestreaming Data compromised:streamers/users, affiliate program and logs data Size: 75GB Data is also for sale! Deadline: 3.10.24 If you are an employee of the company or someone who would like to buy the data, click on me | |
| [`DJI Company`](https://www.dji.com/) | 01/03/2024 | Revenue: $21B 2022 We successfully breached DJI's system Category: World's largest drone maker Data compromised:customers data, private projects Size: 1TB Data is also for sale! Deadline: 3.10.24 If you are an employee of the company or someone who would like to buy the data, click on me | |
| [`Bangladesh Police`](https://www.pbi.gov.bd/) | 28/02/2024 | We successfully breached Bangladesh Police Category: Bangladesh police Data compromised:a lot of internal files of their infrastructure Size: 13GB Data is also for sale! Deadline: 3.2.24 If you are an employee of the company or someone who would like to buy the data, click on me | |
| [`EpicGames`](https://www.epicgames.com/) | 27/02/2024 | We have quietly carried out an attack to EpicGames' servers Category: Video game publisher & Software developer Data compromised:email, passwords, full name, payment information, source code and many other data included. Size: 189GB Data is also for sale! Deadline: 3.4.24 If you are an employee of the company or someone who would like to buy the data, click on me | |
| [`Ireland's Department of Foreign Affairs`](https://dfa.ie/) | 27/02/2024 | We successfully breached Ireland's Department of Foreign Affairs Category: Foreign Affairs Data compromised:documents Size: 7GB Data is also for sale! Deadline: 3.3.24 If you are an employee of the company or someone who would like to buy the data, click on me | |
| [`EpicGames 189GB leaked for you`](https://www.epicgames.com/) | 27/02/2024 | Revenue: $5.8B GROSS REVENUE We have quietly carried out an attack to EpicGames' servers Category: Video game publisher & Software developer Data compromised:email, passwords, full name, payment information, source code and many other data included. Size: 189GB DATABASE | |
| [`BAZAARVOICE.COM`](https://www.bazaarvoice.com) | 26/02/2024 | We successfully pwned Bazaarvoice's servers. Category: Business Intelligence, Development & Design Software Data compromised:first name, last name, company name, business email and password Size: 30GB Data is also for sale! Deadline: 3.2.24 If you are an employee of the company or someone who would like to buy the data, click on me | |
| [`INFINITIUSA.COM`](https://www.infinitiusa.com) | 20/02/2024 | We successfully breached InfinitiUSA's system. Category: Motor Vehicle Manufacturing, Motor Vehicles, Manufacturing Data compromised: vin, first name, last name, address, zip, city, state, mobile, mobile provider, email and password Size: 22GB Data is also for sale! Deadline: 2.25.24 If you are an employee of the company or someone who would like to buy the data, click on me | |
---
## **moneymessage**
_`hash : bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b`_
🔎 `ransomware.live` has an active parser for indexing moneymessage's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| News | 🟢 | 30/07/2024 02:40 | `http://blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion` | 📸 |
#### **External information**
- https://twitter.com/Threatlabz/status/1641113991824158720
#### **Ransom note**
* [📝 1 ransom note](notes/moneymessage)
### _Total Attacks Over Time_

### _Victims_
> 21 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`First Baptist Medical Center`](https://google.com/search?q=First+Baptist+Medical+Center) | 19/06/2024 | | 📸 |
| [`Insurance Agency Marketing Services`](https://google.com/search?q=Insurance+Agency+Marketing+Services) | 16/05/2024 | | 📸 |
| [`Anna Jaques Hospital`](https://google.com/search?q=Anna+Jaques+Hospital) | 19/01/2024 | | 📸 |
| [`Tri-Way Manufacturing Technologies`](https://google.com/search?q=Tri-Way+Manufacturing+Technologies) | 12/10/2023 | | 📸 |
| [`Toscana Promozione`](https://google.com/search?q=Toscana+Promozione) | 03/10/2023 | | 📸 |
| [`MD LOGISTICS`](https://google.com/search?q=MD+LOGISTICS) | 03/10/2023 | | 📸 |
| [`Maxco Supply`](https://google.com/search?q=Maxco+Supply) | 03/10/2023 | | 📸 |
| [`Riverside Logistics`](https://google.com/search?q=Riverside+Logistics) | 03/09/2023 | | 📸 |
| [`Estes Design & Manufacturing`](https://google.com/search?q=Estes+Design+%26+Manufacturing) | 03/09/2023 | | 📸 |
| [`Aiphone`](https://google.com/search?q=Aiphone) | 03/09/2023 | | 📸 |
↪️ More victims [here](/group/moneymessage?id=posts)
---
## **monti**
🔎 `ransomware.live` has an active parser for indexing monti's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| 404 Not Found | 🔴 | 10/10/2022 17:13 | `http://4s4lnfeujzo67fy2jebz2dxskez2gsqj2jeb35m75ktufxensdicqxad.onion` | ❌ |
| MONTI - Leaks site | 🔴 | 30/07/2024 01:13 | `http://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion` | 📸 |
#### **External information**
- https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger
#### **Ransom note**
* [📝 2 ransom notes](notes/monti)
### _Total Attacks Over Time_

### _Victims_
> 62 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`forestparkga.gov`](https://google.com/search?q=forestparkga.gov) | 24/07/2024 | City & PD | 📸 |
| [`Regas (regasenergy.com)`](https://google.com/search?q=Regas+%28regasenergy.com%29) | 24/07/2024 | Electricity, Oil & Gas | 📸 |
| [`Excelsior Orthopaedics`](https://google.com/search?q=Excelsior+Orthopaedics) | 08/07/2024 | Hospitals & Physicians Clinics | 📸 |
| [`Wayne Memorial Hospital`](https://google.com/search?q=Wayne+Memorial+Hospital) | 30/06/2024 | Wayne Memorial Hospital is a non-profit, community-controlled hospital based in Honesdale, Pennsylvania serving Wayne, Pike and Sullivan Counties. | |
| [`Compagnia Trasporti Integrati S.R.L`](https://google.com/search?q=Compagnia+Trasporti+Integrati+S.R.L) | 24/06/2024 | Italian Logistics. ctilog.it | 📸 |
| [`VTWin.ca`](https://google.com/search?q=VTWin.ca) | 24/06/2024 | shitty | 📸 |
| [`Aéroport de Pau`](https://www.pau.aeroport.fr) | 26/05/2024 | Full leak | 📸 |
| [`Esc Pau Etudes-Conseils`](https://google.com/search?q=Esc+Pau+Etudes-Conseils) | 26/05/2024 | Colleges & Universities | 📸 |
| [`CNPC Sport`](https://www.cnpc.fr) | 26/05/2024 | Colleges & Universities | 📸 |
| [`project sold`](https://google.com/search?q=project+sold) | 15/05/2024 | project sold | 📸 |
↪️ More victims [here](/group/monti?id=posts)
---
## **mosesstaff**
> Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.
_`not a ransomware group`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://mosesstaffm7hptp.onion` | ❌ |
| Page not found – Moses Staff | 🔴 | 20/05/2024 06:31 | `http://moses-staff.se` | 📸 |
#### **External information**
- https://twitter.com/moses_staff_se
- https://t.me/moses_staff_links
- https://t.me/moses_staff_se_8
- https://www.zdnet.com/article/mosesstaff-attackers-deploy-ransomware-on-your-systems-no-payment-no-decryption-possible/
- https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/
### _Victims_
> 16 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Electron Csillag`](https://google.com/search?q=Electron+Csillag) | 18/12/2021 | | |
| [`Meshulam`](https://google.com/search?q=Meshulam) | 18/12/2021 | | |
| [`DOSIK Technology`](https://google.com/search?q=DOSIK+Technology) | 18/12/2021 | | |
| [`Epsilor Company`](https://google.com/search?q=Epsilor+Company) | 18/12/2021 | | |
| [`First part of Israel Post data leaked`](https://google.com/search?q=First+part+of+Israel+Post+data+leaked) | 18/12/2021 | | |
| [`Israel MOD and Benny Gantz`](https://google.com/search?q=Israel+MOD+and+Benny+Gantz) | 18/12/2021 | | |
| [`First part of Epsilor data leaked`](https://google.com/search?q=First+part+of+Epsilor+data+leaked) | 18/12/2021 | | |
| [`Ehud Leviathan Engineering`](https://google.com/search?q=Ehud+Leviathan+Engineering) | 18/12/2021 | | |
| [`David Engineers`](https://google.com/search?q=David+Engineers) | 18/12/2021 | | |
| [`H.G.M Engineering`](https://google.com/search?q=H.G.M+Engineering) | 18/12/2021 | | |
↪️ More victims [here](/group/mosesstaff?id=posts)
---
## **mount-locker**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://mountnewsokhwilx.onion` | ❌ |
#### **External information**
- https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game
- https://www.securitymagazine.com/articles/94954-sophos-identifies-connection-between-mount-locker-and-astro-locker-team-ransomware
#### **Negotiation chats**
| Name | Link |
|---|---|
|20201016| 💬 |
### _Victims_
> no victim found
---
## **mydecryptor**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://5s4ixqul2enwxrqv.onion` | ❌ |
### _Victims_
> no victim found
---
## **n3tworm**
> The N3tw0rm ransomware group is linked to Iran by many security researchers, especially because the group targets only Israeli companies. Like other ransomware groups, N3tw0rm has a data leak site on the darknet. Due to the low ransom price the group requested and its lack of response to negotiations, some security researchers believe that the N3tw0rm group's main goal is to sow chaos for Israeli interests rather than to make a profit.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://n3twormruynhn3oetmxvasum2miix2jgg56xskdoyihra4wthvlgyeyd.onion` | ❌ |
#### **External information**
- https://www.bleepingcomputer.com/news/security/n3tw0rm-ransomware-emerges-in-wave-of-cyberattacks-in-israel/
- https://www.haaretz.com/israel-news/tech-news/.premium-iranian-hackers-hit-h-m-israel-amid-new-wave-of-cyberattacks-1.9766404
### _Victims_
> no victim found
---
## **nefilim**
> According to Vitali Kremez and Michael Gillespie, this ransomware shares much of its code with Nemty 2.5. One difference is the removal of the RaaS component, which was replaced by email communication for payments. It uses AES-128, with the key then protected by RSA-2048.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://hxt254aygrsziejn.onion` | ❌ |
#### **External information**
- http://www.secureworks.com/research/threat-profiles/gold-mansard
- https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf
- https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html
- https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
- https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://securelist.com/evolution-of-jsworm-ransomware/102428/
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
- https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
- https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/
- https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
- https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot
- https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
- https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html
- https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
#### **Ransom note**
* [📝 1 ransom note](notes/nefilim)
### _Victims_
> 10 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Atlanta Allergy & Asthma. Part 1.`](https://google.com/search?q=Atlanta+Allergy+%26+Asthma.+Part+1.) | 09/09/2021 | | |
| [`Grimmway Farms. Part 1.`](https://google.com/search?q=Grimmway+Farms.+Part+1.) | 09/09/2021 | | |
| [`Elliott Group / Cascade Engineering / Unitex Textile Rental Services. Teaser.`](https://google.com/search?q=Elliott+Group+%2F+Cascade+Engineering+%2F+Unitex+Textile+Rental+Services.+Teaser.) | 09/09/2021 | | |
| [`Seven Seas. Part 1.`](https://google.com/search?q=Seven+Seas.+Part+1.) | 09/09/2021 | | |
| [`The MADSACK Media Group. Part 1.`](https://google.com/search?q=The+MADSACK+Media+Group.+Part+1.) | 09/09/2021 | | |
| [`Tegut. Part 1.`](https://google.com/search?q=Tegut.+Part+1.) | 09/09/2021 | | |
| [`TPG Internet. Part 1.`](https://google.com/search?q=TPG+Internet.+Part+1.) | 09/09/2021 | | |
| [`Saipa Press. Part 1.`](https://google.com/search?q=Saipa+Press.+Part+1.) | 09/09/2021 | | |
| [`Tegut. Part 2.`](https://google.com/search?q=Tegut.+Part+2.) | 09/09/2021 | | |
| [`The MADSACK Media Group. Part 2.`](https://google.com/search?q=The+MADSACK+Media+Group.+Part+2.) | 09/09/2021 | | |
---
## **nemty**
> Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed in ways similar to Sodinokibi, and also noted artifacts they had seen before in GandCrab.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion` | ❌ |
#### **External information**
- http://www.secureworks.com/research/threat-profiles/gold-mansard
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
- https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145
- https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b
- https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw
- https://securelist.com/evolution-of-jsworm-ransomware/102428/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet
- https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/
- https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/
- https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/
- https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html
- https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
- https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/
- https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/
- https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
#### **Ransom note**
* [📝 3 ransom notes](notes/nemty)
### _Victims_
> no victim found
---
## **netwalker**
> The NetWalker ransomware group is operated by the threat actor known as "CIRCUS SPIDER". The NetWalker ransomware was discovered in 2019. The group mainly targets the Asia Pacific region but can attack globally. The group uses common attack tools like Mimikatz and other legitimate tools (LOLBINs) like PSTools, AnyDesk, TeamViewer, NLBrute, and more. The group is known for targeting the healthcare sector. Finally, in January 2021, NetWalker was taken down by the authorities: the police confiscated hundreds of thousands of dollars in ransom payments collected by the NetWalker group, seized servers, and disrupted the infrastructure and the darknet websites of the NetWalker ransomware group.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion` | ❌ |
#### **External information**
- https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/
- https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
- https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/
- https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware
- https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
- https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
- https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
- https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware
- https://lopqto.me/posts/automated-dynamic-import-resolving
- https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf
- https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/
- https://sites.temple.edu/care/ci-rw-attacks/
- https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html
- https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/
- https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
- https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million
- https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/
- https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/
- https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/
- https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
- https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.ic3.gov/media/news/2020/200929-2.pdf
- https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas
- https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware
- https://www.justice.gov/usao-mdfl/press-release/file/1360846/download
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/
- https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
- https://www.youtube.com/watch?v=q8of74upT_g
- https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers
- https://zengo.com/bitcoin-ransomware-detective-ucsf/
- https://zero2auto.com/2020/05/19/netwalker-re/
#### **Ransom note**
* [📝 1 ransom note](notes/netwalker)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **nevada**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Error | 🔴 | 12/02/2023 16:12 | `http://nevbackvzwfu5yu3gszap77bg66koadds6eln37gxdhdk4jdsbkayrid.onion` | 📸 |
| NEVADA | 🔴 | 21/04/2023 10:35 | `http://nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/nevada)
### _Victims_
> no victim found
---
## **nightsky**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Night Sky | 🔴 | 25/01/2022 05:22 | `http://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion` | ❌ |
#### **External information**
- https://twitter.com/cglyer/status/1480734487000453121
- https://twitter.com/cglyer/status/1480742363991580674
- https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/
- https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/
- https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
- https://www.youtube.com/watch?v=Yzt_zOO8pDM
### _Total Attacks Over Time_

### _Victims_
> 2 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`AKIJ GROUP`](https://google.com/search?q=AKIJ+GROUP) | 04/01/2022 | | |
| [`東京コンピュータサービス`](https://google.com/search?q=%C3%A6%C2%9D%C2%B1%C3%A4%C2%BA%C2%AC%C3%A3%C2%82%C2%B3%C3%A3%C2%83%C2%B3%C3%A3%C2%83%C2%94%C3%A3%C2%83%C2%A5%C3%A3%C2%83%C2%BC%C3%A3%C2%82%C2%BF%C3%A3%C2%82%C2%B5%C3%A3%C2%83%C2%BC%C3%A3%C2%83%C2%93%C3%A3%C2%82%C2%B9) | 04/01/2022 | | |
---
## **noescape**
🔎 `ransomware.live` has an active parser for indexing noescape's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| NoEscape | 🔴 | 09/12/2023 09:40 | `http://noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion` | 📸 |
| NoEscape | 🔴 | 09/12/2023 12:37 | `http://noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion` | 📸 |
#### **Ransom note**
* [📝 3 ransom notes](notes/noescape)
### _Total Attacks Over Time_

### _Victims_
> 126 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Science History Institute`](https://www.sciencehistory.org) | 26/11/2023 | The Science History Institute collects, preserves, interprets, and shares that past by exploring lesser-known and sometimes overlooked stories from the history of science a... | 📸 |
| [`Grupo PRIDES`](https://www.grupoprides.com) | 26/11/2023 | Grupo Prides is an Information and Communication Technology (ICT) company with more than 39 years of experience in software development and marketing of software and teleco... | 📸 |
| [`Nida Corp`](https://nida.com) | 26/11/2023 | Nida Corporation understands that a critical element of learning a technical skill involves working with the physical hardware. Our team of electrical, mechanical, and soft... | 📸 |
| [`UF Resources`](https://www.ufresources.com) | 26/11/2023 | These UF Resources services include providing consolidated resources in the areas of finance, accounting, human resources, information technology, sales, marketing and othe... | 📸 |
| [`TALENTUM Temporal SAS`](https://talentum.com.co) | 18/11/2023 | TALENTUM is an EMPLOYMENT SERVICE company, with approval from the Ministry of Labor since March 2005. We have a Guarantee policy to ensure the payment of salaries, social ... | 📸 |
| [`Verdecora`](https://www.verdecora.es) | 18/11/2023 | Verdecora is an evolution, an advance, a new concept, a project in continuous growth that revolves around the plant world and the world of pets. A new concept that wants to... | 📸 |
| [`PruittHealth`](https://pruitthealth.com) | 17/11/2023 | A family-owned organization for more than 50 years, PruittHealth provides a seamless network of post-acute care services and resources, offering skilled nursing care, home ... | 📸 |
| [`Rc Moore Inc`](https://rcmoore.com) | 11/11/2023 | Headquartered in Scarborough, ME., R.C. Moore has created a substantial presence on the east coast and established themselves as a trusted partner in logistics for over 60 ... | 📸 |
| [`Carespring`](https://www.carespring.com) | 10/11/2023 | We engage our patients on a personal level. Every patient in our communities is a part of our Carespring family. We get to know them-their stories, their families, what the... | 📸 |
| [`Enware Australia Pty Ltd`](https://www.enware.com.au) | 10/11/2023 | Since 1937, Enware has been supplying specialist plumbing and safety equipment to a wide variety of commercial industries. With over 170 local employees specialising in des... | 📸 |
↪️ More victims [here](/group/noescape?id=posts)
---
## **nokoyawa**
🔎 `ransomware.live` has an active parser for indexing nokoyawa's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| NOKOYAWA Leaks | 🔴 | 11/07/2022 22:26 | `http://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion` | ❌ |
| NOKOYAWA Leaks | 🔴 | 25/01/2023 21:03 | `http://6yofnrq7evqrtz3tzi3dkbrdovtywd35lx3iqbc5dyh367nrdh4jgfyd.onion` | 📸 |
| none | 🔴 | 08/10/2023 08:17 | `http://noko65rmtaiqyt2cw2h4jrxe3u56t2k7ov3nd22hoji4c5vnfib2i4yd.onion` | 📸 |
| Wall of Shame | 🔴 | 08/10/2023 08:17 | `http://nokoleakb76znymx443veg4n6fytx6spck6pc7nkr4dvfuygpub6jsid.onion` | 📸 |
#### **External information**
- https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
#### **Ransom note**
* [📝 2 ransom notes](notes/nokoyawa)
### _Total Attacks Over Time_

### _Victims_
> 36 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Studio Domaine LLC`](https://www.studiodomaine.com/) | 04/08/2023 | Studio Domaine is an innovative design firm dedicated to creating personalized interiors for residential and model homes. Our custom design services span broad styles and sensibilities providing our clients with their own "signature" style. What began in 1989 as Barbara's Interiors has now... | 📸 |
| [`Roman Catholic Diocese of Albany`](https://www.rcda.org/) | 03/08/2023 | The Roman Catholic Diocese of Albany covers 14 counties in Eastern New York including the south west corner of a 15th county. Its Mother Church is the Cathedral of the Immaculate Conception in the city of Albany. | 📸 |
| [`Pea River Electric Cooperative`](https://www.peariver.com) | 01/08/2023 | Pea River Electric Cooperative is a service-oriented, distribution electric utility that is owned by the members it serves. Pea River Electric provides electric service to members in portions of Barbour, Dale, Henry and Coffee counties in Alabama. The headquarters office is located at 1311 W. Roy... | 📸 |
| [`One Health Solutions`](https://www.onehealthsolutions.com/) | 29/07/2023 | ONE HEALTH is a pioneering healthcare platform that is the result of a unique partnership between a group of visionaries from the healthcare and technology industry, spearheaded by professionals from around the world and built by thousands of individuals who share the belief that healthcare is truly... | 📸 |
| [`Modern Eyez`](https://www.visionsource-moderneyez.com) | 29/07/2023 | Since 2003, Modern Eyez has been the leader and preferred provider of quality vision care products and personalized optometric services to our patients in Rio Rancho and the surrounding areas. Our experienced doctors and staff offer comprehensive vision examinations and specialize in the diagnosis... | 📸 |
| [`Village Church of Barrington`](https://www.vcbweb.org/) | 29/07/2023 | The Village Church is a religious institution founded in 1977 and is based in Mound, Texas. The village was founded to bring glory to God by making disciples through gospel-centered worship, gospel-centered community, gospel-centered service and gospel-centered multiplication. We will... | 📸 |
| [`AT&S`](https://www.atssh.com) | 29/07/2023 | AT&S was incorporated in Singapore in 2009 with the goal to provide the entire spectrum of products and services to the Oil & Gas and Marine sectors, bringing AquaTerra and SSH together in a synergistic manner. At formation, we became the only Singapore-based company and one of the largest in the... | 📸 |
| [`Muncy Homes`](https://www.muncyhomes.com) | 29/07/2023 | Muncy Homes was founded in 1973 in the stable and skilled labor environment of North Central Pennsylvania. We are recognized as an industry leader of quality modular housing at competitive pricing and sales of over 500 houses annually. Our products are marketed through an independent builder... | 📸 |
| [`CANAROPA Inc`](https://www.canaropa.com) | 20/07/2023 | Canaropa, founded in 1954 and headquartered in Quebec, Canada, is a leading provider of quality commercial and residential door locks that are secure, functional, and aesthetic. Canaropa offers a wide variety of exit devices for narrow and wide stiles with... | 📸 |
| [`Tampa General Hospital`](https://www.tgh.org/) | 20/07/2023 | Tampa General Hospital is a private not-for-profit hospital and one of the most comprehensive medical facilities in West Central Florida serving a dozen counties with a population in excess of 4 million. As one of the largest hospitals in Florida, Tampa General is licensed for 1,040... | 📸 |
↪️ More victims [here](/group/nokoyawa?id=posts)
---
## **noname**
🔎 `ransomware.live` has an active parser for indexing noname's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Database Error | 🟢 | 30/07/2024 02:41 | `http://noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion` | 📸 |
#### **Ransom note**
* [📝 2 ransom notes](notes/noname)
### _Total Attacks Over Time_

### _Victims_
> 3 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`onyx-fire.com`](https://google.com/search?q=onyx-fire.com) | 12/09/2023 | Onyx-Fire Protection Services Inc is a company that operates in the Security and Investigations industry 800 GB Financial documents (balance sheets, budget, PL reports, expense reports, bank statements, statements of payables and receivables, various tax forms and reports, audits, cashflow, and many other important financial documents) Employees (sin numbers, residential addresses, date of birth, salary, […] | 📸 |
| [`selmi.com.br`](https://google.com/search?q=selmi.com.br) | 12/09/2023 | – Established in 1966; – Manufacturer of flour based products, such as dry pasta, traditional pasta, cookies, crackers, cakes and baking mixes; – Over 1,000 employees; – Two production sites; – Thirteen distribution centers across the country; – Owns a fleet of 37 vehicles and a partnership with carriers to ensure efficiency in delivery; – […] | 📸 |
| [`nobleweb.com`](https://google.com/search?q=nobleweb.com) | 11/09/2023 | M Since 1992, The Noble Group has built a dedicated team of professionals all working together to revitalize neighborhoods, provide new homes for families and build a better future for our investors. 260GB lists with ssn numbers, residential addresses, date of birth, salary and tax information, contracts, and other confidential forms for employees budget, cash […] | 📸 |
---
## **onepercent**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion` | ❌ |
#### **External information**
- https://www.ic3.gov/Media/News/2021/210823.pdf
- https://www.csoonline.com/article/3630635/onepercent-ransomware-group-hits-companies-via-iceid-banking-trojan.html
### _Victims_
> no victim found
---
## **onyx**
_`aka vsop`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| VSOP NEWS | 🔴 | 02/01/2023 05:00 | `http://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 28 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`www.artisticstairs.com`](https://google.com/search?q=www.artisticstairs.com) | 21/11/2022 | | |
| [`www.wayan.com.mx`](https://google.com/search?q=www.wayan.com.mx) | 21/11/2022 | | |
| [`www.candcfarmsupply.com`](https://google.com/search?q=www.candcfarmsupply.com) | 21/11/2022 | | |
| [`www.ackermanplumbinginc.com`](https://google.com/search?q=www.ackermanplumbinginc.com) | 21/11/2022 | | |
| [`www.semaphorehq.com`](https://google.com/search?q=www.semaphorehq.com) | 21/11/2022 | | |
| [`www.baltholding.eu`](https://google.com/search?q=www.baltholding.eu) | 21/11/2022 | | |
| [`www.pacmaritime.com`](https://google.com/search?q=www.pacmaritime.com) | 21/11/2022 | | |
| [`www.waynefamilypractice.com`](https://google.com/search?q=www.waynefamilypractice.com) | 21/11/2022 | | |
| [`www.advantagedirectcare.com`](https://google.com/search?q=www.advantagedirectcare.com) | 21/11/2022 | | |
| [`www.cucafresca.com.br`](https://google.com/search?q=www.cucafresca.com.br) | 21/11/2022 | | |
↪️ More victims [here](/group/onyx?id=posts)
---
## **pandora**
> Pandora ransomware was obtained by vx-underground on 2022-03-14.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Pandora Data Leak | 🔴 | 03/05/2022 11:24 | `http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion` | ❌ |
| none | 🔴 | 01/05/2021 00:00 | `http://pandoraxyz.xyz` | ❌ |
#### **External information**
- https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/
- https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/
- https://dissectingmalwa.re/blog/pandora/
- https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/
- https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques
- https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
### _Total Attacks Over Time_

### _Victims_
> 5 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Hearst`](https://google.com/search?q=Hearst) | 30/03/2022 | | |
| [`United Cumberland`](https://google.com/search?q=United+Cumberland) | 30/03/2022 | | |
| [`Jaffe Raitt Heuer & Weiss, P.C.`](https://google.com/search?q=Jaffe+Raitt+Heuer+%26+Weiss%2C+P.C.) | 17/03/2022 | | |
| [`GlobalWafers Japan`](https://google.com/search?q=GlobalWafers+Japan) | 17/03/2022 | | |
| [`Rosewd`](https://google.com/search?q=Rosewd) | 17/03/2022 | | |
---
## **pay2key**
> Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group seems to have operated since July 2020, targeting mainly Israeli companies. Pay2Key has a darknet leak site to publish stolen and sensitive information of their victims. Some of their victims: Intel - Habana Labs, IAI - Israel Aerospace Industries, Portnox - Network Security Solutions.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Pay2Key Leak Directory! | 🔴 | 15/03/2022 21:12 | `http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion` | ❌ |
#### **External information**
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://research.checkpoint.com/2020/ransomware-alert-pay2key/
- https://twitter.com/TrendMicroRSRCH/status/1389422784808378370
- https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/
- https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
### _Victims_
> 6 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`MT-LAW [Markman&Tomashin Law Firm]`](https://google.com/search?q=MT-LAW+%5BMarkman%26Tomashin+Law+Firm%5D) | 09/09/2021 | | |
| [`INTER - InterElectric`](https://google.com/search?q=INTER+-+InterElectric) | 09/09/2021 | | |
| [`InfiApps - Joyvoo`](https://google.com/search?q=InfiApps+-+Joyvoo) | 09/09/2021 | | |
| [`Intel - Habana Labs`](https://google.com/search?q=Intel+-+Habana+Labs) | 09/09/2021 | | |
| [`IAI - Israel Aerospace Industries`](https://google.com/search?q=IAI+-+Israel+Aerospace+Industries) | 09/09/2021 | | |
| [`Portnox - Network Security Solutions`](https://google.com/search?q=Portnox+-+Network+Security+Solutions) | 09/09/2021 | | |
---
## **payloadbin**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Payload.bin | 🔴 | 28/08/2022 20:21 | `http://vbmisqjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion` | ❌ |
#### **External information**
- https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/
### _Total Attacks Over Time_

### _Victims_
> 29 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`aquila.ch`](https://google.com/search?q=aquila.ch) | 06/01/2022 | | |
| [`www.paw.eu`](https://google.com/search?q=www.paw.eu) | 01/01/2022 | | |
| [`Serenity Homes SWFL`](https://google.com/search?q=Serenity+Homes+SWFL) | 01/01/2022 | | |
| [`www.hillsdalefurniture.com`](https://google.com/search?q=www.hillsdalefurniture.com) | 23/12/2021 | | |
| [`dawsoncountyne.org`](https://google.com/search?q=dawsoncountyne.org) | 19/10/2021 | | |
| [`www.lockslaw.com`](https://google.com/search?q=www.lockslaw.com) | 16/10/2021 | | |
| [`calautomotive.com`](https://google.com/search?q=calautomotive.com) | 30/09/2021 | | |
| [`calsoft`](https://google.com/search?q=calsoft) | 30/09/2021 | | |
| [`calsoft.com`](https://google.com/search?q=calsoft.com) | 30/09/2021 | | |
| [`www.myyp.com`](https://google.com/search?q=www.myyp.com) | 25/09/2021 | | |
↪️ More victims [here](/group/payloadbin?id=posts)
---
## **play**
> With its recent shift to a Ransomware-as-a-Service (RaaS) model, PLAY – also known as PlayCrypt – is now targeting Managed Service Providers (MSPs) worldwide, and has affected more than 300 entities.
🔎 `ransomware.live` has an active parser for indexing play's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| PLAY NEWS | 🟢 | 30/07/2024 02:41 | `http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion` | 📸 |
| PLAY NEWS | 🟢 | 30/07/2024 02:42 | `http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion` | 📸 |
| PLAY NEWS | 🟢 | 30/07/2024 02:42 | `http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion` | 📸 |
#### **External information**
- https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/
- https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy
- https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware
- https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
- https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware
- https://www.orangecyberdefense.com/global/blog/playing-the-game
- https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/
- https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play
#### **Ransom note**
* [📝 2 ransom notes](notes/play)
### _Total Attacks Over Time_

### _Victims_
> 552 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`The Computer Merchant`](https://www.itstaffing.com) | 25/07/2024 | United States | 📸 |
| [`Williams Construction`](https://www.williamsconst.com) | 25/07/2024 | United States | 📸 |
| [`Gateway Extrusions`](https://www.gwextrusions.com) | 25/07/2024 | United States | 📸 |
| [`Gendron & Gendron`](https://www.gendroncorp.com) | 25/07/2024 | United States | 📸 |
| [`Golden Business Machines`](https://www.goldenbusiness.com) | 25/07/2024 | United States | 📸 |
| [`Odyssey Fitness Center`](https://www.odysseyfitnesscenter.com) | 25/07/2024 | United States | 📸 |
| [`OfficeOps`](https://www.officeops.com) | 25/07/2024 | United States | 📸 |
| [`Congoleum`](https://www.congoleum.com) | 17/07/2024 | United States | 📸 |
| [`C???o???m`](https://www.c???o???m.com) | 17/07/2024 | United States | 📸 |
| [`Hayden Power Group`](https://www.haydenpower.com) | 17/07/2024 | United States | 📸 |
↪️ More victims [here](/group/play?id=posts)
---
## **projectrelic**
🔎 `ransomware.live` has an active parser for indexing projectrelic's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Project Relic. Dumps, leaks, news, announcements | 🔴 | 03/06/2023 09:39 | `http://relic5zqwemjnu4veilml6prgyedj6phs7de3udhicuq53z37klxm6qd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 5 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Doctors Center Hospital`](https://google.com/search?q=Doctors+Center+Hospital) | 18/12/2022 | Doctors' Center Hospital is among the leaders in the hospital network of Puerto Rico. | |
| [`Willis Klein`](https://google.com/search?q=Willis+Klein) | 11/11/2022 | Founded in 1960, Willis Klein has multiple divisions providing decorative plumbing, door hardware, custom bathroom cabinets and furniture, commercial hardware. | |
| [`BroadMed Holding`](https://google.com/search?q=BroadMed+Holding) | 11/11/2022 | BroadMed Holding (BMH) is a company that specializes in healthcare related businesses. The range of experience stretches to supply the medical field with a wide | |
| [`Turner & Associates, LLP`](https://google.com/search?q=Turner+%26+Associates%2C+LLP) | 11/11/2022 | Outstanding service to our clients is what makes Turner & Associates, LLP one of the leading CPA firms in the State of Florida. Our combined 75 years of Partner | |
| [`Sterling Battery`](https://google.com/search?q=Sterling+Battery) | 11/11/2022 | Sterling Battery Co is a company that operates in the Automotive industry. | |
---
## **prolock**
> PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.
_`aka pwndlocker`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion` | ❌ |
#### **External information**
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html
- https://medium.com/s2wlab/operation-synctrek-e5013df8d167
- https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/
- https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/
- https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf
- https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/
- https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/
- https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.group-ib.com/blog/prolock
- https://www.group-ib.com/blog/prolock_evolution
- https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/
- https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/
- https://www.intrinsec.com/egregor-prolock/
- https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
- https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/
- https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
### _Victims_
> no victim found
---
## **prometheus**
> Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://promethw27cbrcot.onion` | ❌ |
#### **External information**
- https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html
- https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
- https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd
- https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd
- https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/
- https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/
- https://twitter.com/inversecos/status/1441252744258461699?s=20
- https://unit42.paloaltonetworks.com/prometheus-ransomware/
- https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware
- https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/
#### **Ransom note**
* [📝 1 ransom note](notes/prometheus)
### _Victims_
> no victim found
---
## **pysa**
> Mespinosa is ransomware which encrypts files using asymmetric encryption and adds .pysa as the file extension. According to dissectingmalware the extension "pysa" is probably derived from the Zanzibari coin of the same name.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Pysa's Partners | 🔴 | 22/02/2022 10:11 | `http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion` | ❌ |
#### **External information**
- http://www.secureworks.com/research/threat-profiles/gold-burlap
- https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/
- https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat
- https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://securelist.com/modern-ransomware-groups-ttps/106824/
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
- https://twitter.com/campuscodi/status/1347223969984897026
- https://twitter.com/inversecos/status/1456486725664993287
- https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/
- https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.ic3.gov/Media/News/2021/210316.pdf
- https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/
- https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf
- https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis
- https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
- https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/
### _Total Attacks Over Time_

### _Victims_
> 308 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`ΤΕΧΝΟΛΟΓΙΚΟ ΠΑΝΕΠΙΣΤΗΜΙΟ ΚΥΠΡΟΥ`](https://google.com/search?q=%C3%8E%C2%A4%C3%8E%C2%95%C3%8E%C2%A7%C3%8E%C2%9D%C3%8E%C2%9F%C3%8E%C2%9B%C3%8E%C2%9F%C3%8E%C2%93%C3%8E%C2%99%C3%8E%C2%9A%C3%8E%C2%9F+%C3%8E%C2%A0%C3%8E%C2%91%C3%8E%C2%9D%C3%8E%C2%95%C3%8E%C2%A0%C3%8E%C2%99%C3%8E%C2%A3%C3%8E%C2%A4%C3%8E%C2%97%C3%8E%C2%9C%C3%8E%C2%99%C3%8E%C2%9F+%C3%8E%C2%9A%C3%8E%C2%A5%C3%8E%C2%A0%C3%8E%C2%A1%C3%8E%C2%9F%C3%8E%C2%A5) | 20/09/2022 | | |
| [`CHR Solutions`](https://google.com/search?q=CHR+Solutions) | 06/12/2021 | | |
| [`The Skinners Kent Academy`](https://google.com/search?q=The+Skinners+Kent+Academy) | 08/11/2021 | | |
| [`Kent County Council`](https://google.com/search?q=Kent+County+Council) | 08/11/2021 | | |
| [`Rusty Hardin & Associates`](https://google.com/search?q=Rusty+Hardin+%26+Associates) | 08/11/2021 | | |
| [`R.E. Pedrotti Co.`](https://google.com/search?q=R.E.+Pedrotti+Co.) | 08/11/2021 | | |
| [`UEMOA`](https://google.com/search?q=UEMOA) | 08/11/2021 | | |
| [`Skatetown`](https://google.com/search?q=Skatetown) | 08/11/2021 | | |
| [`CHRYSO`](https://google.com/search?q=CHRYSO) | 08/11/2021 | | |
| [`itimCloud`](https://google.com/search?q=itimCloud) | 08/11/2021 | | |
↪️ More victims [here](/group/pysa?id=posts)
---
## **qilin**
> PYSA ransomware group operates as a ransomware-as-a-service (RaaS) model. PYSA stands for “Protect Your System Amigo”. The PYSA ransomware malware is a variant of the Mespinoza ransomware. It was first seen within open-source documents in December 2019, two months after Mespinoza ransomware was spotted in the wild. PYSA affiliates can customize their malware based on options provided by the RaaS platform, and deploy it as customized. PYSA usually exfiltrates data from its victims before encrypting the files to be ransomed.
🔎 `ransomware.live` has an active parser for indexing qilin's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Qilin | 🔴 | 17/02/2023 11:10 | `http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion` | 📸 |
| Qilin blog | 🟢 | 30/07/2024 02:43 | `http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion` | 📸 |
#### **External information**
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
- https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt
- https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html
- https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html
#### **Ransom note**
* [📝 2 ransom notes](notes/qilin)
### _Total Attacks Over Time_

### _Victims_
> 139 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`ayurcan`](http:// www.ayurcann.com) | 26/07/2024 | Ayurcann is a leading post-harvest solutions provider with a focus on providing and creating custom processes and pharma grade products. Within 18 months of entering the recreational Canadian cannabis industry, our products have paved the wa ... | 📸 |
| [`simple-solution-systems`](http://www.simsys.sg) | 24/07/2024 | Simple Solution Systems Pte Ltd is a company that operates in the Custom Software & IT Services industry. It employs 20to49 people and has 5Mto10M. At SIMSYS, we provide a wide range of Solution services ranging from Infrastructure Setups, T ... | 📸 |
| [`EHS Partnerships`](http://www.ehsp.com) | 23/07/2024 | EHSP is a full service firm built around professionals and leaders in the field of environmental and occupational health and safety (EHS / OH&S). Originally incorporated under the Business Corporations Act on August 13, 1996, the company was ... | 📸 |
| [`ZSZAALEJI.cz`](http://www.zszaaleji.cz) | 17/07/2024 | The history of the school began on September 1, 1975. Currently, the school provides education to more than 500 students in a modern, barrier-free and stimulating environment. Since 2014, classes with an educational approach according to Mari ... | 📸 |
| [`Next step healthcar`](http://www.nextstephc.com) | 17/07/2024 | “Next step healthcare” (nextstephc.com) was attacked by our team, stay tuned. | 📸 |
| [`KMLG`](http://www.kmlg.com) | 15/07/2024 | Established in 1953, Kohinoor Textile Mills (KTML) is a textile manufacturing company headquartered in Punjab, Pakistan. | 📸 |
| [`pomalca.com.pe`](http://www.pomalca.com.pe) | 05/07/2024 | Empresa Agroindustrial Pomalca is a leading agribusiness company based in Chiclayo, Peru. It is one of the country's major sugar producers. The company has more than in sugar cane for production of sugar, molasses, and bagasse, in addition to ... | 📸 |
| [`The Wacks Law Group`](http://www.wackslaw.net) | 05/07/2024 | The Wacks Law Group is a New Jersey-based law firm of dedicated attorneys who address clients’ issues with a deeply personal yet professional commitment. Our law firm serves clients throughout New Jersey and New York. Our extensive knowledg ... | 📸 |
| [`YKS`](https://www.yks.com.tr/) | 25/06/2024 | YKS does not care about the security of its own network. We got in and locked everything. Come talk to us in the chat; otherwise you run the risk of being locked again and again. YKS doesn't care about the security o ... | 📸 |
| [`Wise Construction`](https://wiseconstruction.com) | 21/06/2024 | For nearly three decades, Wise Construction has distinguished itself through exceptional service to clients in the healthcare, education, biotechnology and corporate sectors throughout the Greater Boston area. Leading names in each of these ... | 📸 |
↪️ More victims [here](/group/qilin?id=posts)
---
## **qiulong**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 22/07/2024 23:51 | `http://62brsjf2w77ihz5paods33cdgqnon54gjns5nmag3hmqv6fcwamtkmad.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 8 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`www.concisa.eng.br`](https://google.com/search?q=www.concisa.eng.br) | 24/06/2024 | With two decades of work on paving, sanitation, asphalt and earthmoving projects, Concisa Obras de Infraestrutura has become a reference in southern Brazil for the quality of its services and the transparency with which it conducts its business in the public and private sectors. Zoominfo: https://www.zoominfo.com/c/concisa-todos/562608830 CEO: Danilo Conte Office Main Phone: (49) 3323-9591 DATA SIZE: 30GB CEO PERSONAL DOCUMENT: | 📸 |
| [`www.indigoent.ca`](https://google.com/search?q=www.indigoent.ca) | 30/05/2024 | Indigo ENT Group is a company that operates in the Hospital & Health Care industry. The company is headquartered in Coquitlam, British Columbia, Canada. Zoominfo: https://www.zoominfo.com/c/indigo-ent-group/448092524 Office Main Phone: 604-941-8474 Email: coquitlam@indigoent.ca Doctors: Dr. Dewji, Dr. Gooi, Dr. Mah In the past few weeks, our group has been operating within the network of Indigo ENT, stealing thousands of personal, confidential, and PHI, & PII data of patients. This is the first warning. Samples: | 📸 |
| [`hospitalescultural.com.br`](https://google.com/search?q=hospitalescultural.com.br) | 26/04/2024 | At Hospital Escultural, we believe every woman is a potential masterpiece waiting to be revealed in all her glory. Led by the renowned Dr. Eder Damacena and Dr. Eisenhower Damascena, we specialize in a comprehensive spectrum of surgical and non-surgical procedures, always with an artistic touch and an absolute commitment to authenticity. Hospital Escultural is a Brazilian hospital specializing in plastic surgery. CEO: Dr. Eisenhower Fonseca Damascena Business email: contato@hospitalescultural.com.br Phone: +55 (62) 3225-2012 Data volume: 50 GB Data description: DATA WILL BE AVAILABLE SOON. CONTACT US BEFORE IT IS TOO LATE | 📸 |
| [`hominemclinic.com.br`](https://google.com/search?q=hominemclinic.com.br) | 24/04/2024 | We are a medical clinic specialized in male sexual health care, focusing on the treatment of erectile dysfunction, premature ejaculation and andropause. Message to all men with sexual problems who are Hominem patients: THIS CLINIC DOES NOT PROTECT YOUR DATA AND YOUR PRIVACY, AND SOON EVERYONE WILL KNOW ABOUT YOUR PROBLEMS. In the past month, numerous attempts at contact were made, resulting in a total of zero responses and significant negligence on the part of the clinic’s staff. If silence persists, soon all friends and family of the patients will discover their sexual problems. CEO: Dr. Bruno Salomão Business email: atendimento@hominemclinic.com.br Mobile Phone: (31) 99351-4715 Data volume: 5 GB Data description: | 📸 |
| [`www.drwilliansegalin.com.br`](https://google.com/search?q=www.drwilliansegalin.com.br) | 23/04/2024 | Yes, another outlaw plastic surgeon, who does not protect his patients’ privacy safely. Dr. Willian, if you care about your patients’ data and privacy, stop driving your Mustang around like a negligent doctor and avoid remaining silent. Dr. Willian works as a Plastic Surgeon in Passo Fundo, Frederico Westphalen and Serafina Corrêa, dedicating himself to the areas of Aesthetic, Reconstructive Surgery and Hair Implants. His qualifications are recognized by the Brazilian Society of Plastic Surgery (SBCP), the Brazilian Medical Association (AMB), the Federal Council of Medicine (CRM) and the Brazilian Association of Hair Restoration Surgery (ABCRC). CEO: Willian Segallin Business email: contato@drwilliansegalin.com.br Mobile Phone: +5554999200030 Data volume: 20 GB Data description: DATA WILL BE PUBLISHED SOON | 📸 |
| [`draandrearechia.com.br`](https://google.com/search?q=draandrearechia.com.br) | 22/04/2024 | Dr. Andrea Rechia is another Brazilian plastic surgeon who doesn’t care about the data and privacy of her patients. Numerous attempts were made to contact her; however, she chose to remain silent instead of protecting her patients’ privacy. We are a plastic surgery clinic with 15 years of experience, operating in the central region of the state. We focus on quality care, providing well-being and improved self-esteem through our commitment to the safety and quality of our work. CEO: Dr. Andrea Rechia Business email: clinicarechia@outlook.com Mobile Phone: WhatsApp: +55 (51) 9 9812-1314 Data volume: 30 GB Data description: 2GB OF SAMPLES: https://mega.nz/folder/[REDACTED]#onogZ_SskDAIhD_rQtK8dA [+] Password found !!! URL: javascript:void(0); Login: clinicarechia@outlook.com Password: [REDACTED] [+] Password found !!! URL: https://login.live.com/ Login: mariliaa2@hotmail.com Password: [REDACTED] [+] Password found !!! URL: https://seguro.unimedsm.com.br/tiss/index_login.php Login: 24952 Password: [REDACTED] [+] Password found !!! URL: https://experimente.contaazul.com/form-trial/ Login: andrearechia@hotmail.com Password: [REDACTED] [+] Password found !!! URL: https://lis.labimed.com.br/shift/lis/labimed/elis/s01.iu.web.Login.cls Login: P368130 Password: [REDACTED] | 📸 |
| [`www.drlincoln.com.br`](https://google.com/search?q=www.drlincoln.com.br) | 19/04/2024 | If you are a patient of Dr. Lincoln Graça Neto, you should know that he doesn’t care about your data and your privacy. The office is located in Batel, an upscale neighborhood of Curitiba, the capital of Paraná, easily accessible and with modern, pleasant facilities. It has a large waiting room, a medical consultation room, two examination rooms, a photo studio and an administrative area. For your convenience, we also have an arrangement with the parking lot next door. Dr. Lincoln is a Brazilian clinic specializing in plastic surgery CEO: Dr. Lincoln Graça Neto Business email: contato@drlincoln.com.br Mobile Phone: +55 41 99994 2479 Data volume: 9 GB Data description: Download: https://mega.nz/folder/[REDACTED]#ZxPRh7ThnTZ-Y12izAOT9Q https://mega.nz/folder/[REDACTED]#bR2cF7WKd4qX3wNzT2ZoQw https://mega.nz/folder/[REDACTED]#N16qJ4h_uDp8Xny7ZxiCkw https://mega.nz/folder/[REDACTED]#wVDE1cpjha2DOcaHWzjB9A https://mega.nz/folder/[REDACTED]#T8xblHZh0jl4nd3SU_aOoQ | 📸 |
| [`www.rosalvoautomoveis.com.br`](https://google.com/search?q=www.rosalvoautomoveis.com.br) | 19/04/2024 | Rosalvo Automóveis was founded in 1988 with the goal of revolutionizing the way pre-owned vehicles are sold. Data Available Soon | 📸 |
---
## **qlocker**
_`login page, no posts`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 08/11/2022 04:04 | `http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion` | ❌ |
#### **External information**
- https://www.qnap.com/en/security-advisory/QSA-21-13
- https://www.qnap.com/static/landing/2021/qlocker/response/da-dk/
- https://www.bleepingcomputer.com/news/security/qlocker-ransomware-shuts-down-after-extorting-hundreds-of-qnap-users/
#### **Ransom note**
* [📝 1 ransom note](notes/qlocker)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **quantum**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Quantum Blog | 🔴 | 16/01/2024 02:35 | `http://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion` | 📸 |
| Secure Chat | 🔴 | 29/08/2022 08:32 | `http://22rnyep2aa2exx3fdm26p4onwjfmhciodb55v5l3w4iny7e5bxpg3yad.onion` | ❌ |
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 68 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`ChemiFlex`](https://google.com/search?q=ChemiFlex) | 09/12/2022 | | |
| [`Radical Sportscars`](https://google.com/search?q=Radical+Sportscars) | 09/12/2022 | | |
| [`Orotex`](https://google.com/search?q=Orotex) | 09/12/2022 | | |
| [`Acquarius Trust Group`](https://google.com/search?q=Acquarius+Trust+Group) | 09/12/2022 | | |
| [`Pilenpak`](https://google.com/search?q=Pilenpak) | 09/12/2022 | | |
| [`AHT Wisconsin Windows`](https://google.com/search?q=AHT+Wisconsin+Windows) | 09/12/2022 | | |
| [`Midland Cogeneration Venture`](https://google.com/search?q=Midland+Cogeneration+Venture) | 13/11/2022 | | |
| [`MCV Holding Company LLC `](https://google.com/search?q=MCV+Holding+Company+LLC+) | 02/11/2022 | | |
| [`Midland Cogeneration Venture, Michigan`](https://google.com/search?q=Midland+Cogeneration+Venture%2C+Michigan) | 01/11/2022 | | |
| [`Lightbank`](https://google.com/search?q=Lightbank) | 23/10/2022 | | |
↪️ More victims [here](/group/quantum?id=posts)
---
## **rabbithole**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Rabbit Hole | 🔴 | 12/04/2024 20:45 | `http://z5jixbfejdu5wtxd2baliu6hwzgcitlspnttr7c2eopl5ccfcjrhkqid.onion` | 📸 |
### _Victims_
> no victim found
---
## **ragnarlocker**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://rgleak7op734elep.onion` | ❌ |
| none | 🔴 | 22/10/2023 08:18 | `http://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://p6o7m73ujalhgkiv.onion` | ❌ |
| none | 🟢 | 30/07/2024 02:43 | `http://ragnarnwvli32xnmwudsvhbl7klzmofxeylyhcqfc5ifx5mbybq3ekqd.onion` | 📸 |
#### **External information**
- http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html
- http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
- https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/
- https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html
- https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/
- https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/
- https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html
- https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
- https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html
- https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
- https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://securelist.com/modern-ransomware-groups-ttps/106824/
- https://securelist.com/targeted-ransomware-encrypting-data/99255/
- https://seguranca-informatica.pt/ragnar-locker-malware-analysis/
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://twitter.com/AltShiftPrtScn/status/1403707430765273095
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
- https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom
- https://www.acronis.com/en-sg/articles/ragnar-locker/
- https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/
- https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/
- https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/
- https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/
- https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.ic3.gov/Media/News/2022/220307.pdf
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
- https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html
- https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf
- https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/
#### **Ransom note**
* [📝 2 ransom notes](notes/ragnarlocker)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 124 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Eicon Controle Inteligentes`](https://google.com/search?q=Eicon+Controle+Inteligentes) | 11/10/2023 | | 📸 |
| [`Scotbeef Ltd. - Leaks`](https://google.com/search?q=Scotbeef+Ltd.+-+Leaks) | 11/10/2023 | | 📸 |
| [`International Presence Ltd - Leaked`](https://google.com/search?q=International+Presence+Ltd+-+Leaked) | 06/10/2023 | | 📸 |
| [`Learning Partnership West - Leaked`](https://google.com/search?q=Learning+Partnership+West+-+Leaked) | 05/10/2023 | | 📸 |
| [`Groupe Fructa Partner - Leaked`](https://google.com/search?q=Groupe+Fructa+Partner+-+Leaked) | 03/10/2023 | | 📸 |
| [`Astre - Leaked`](https://google.com/search?q=Astre+-+Leaked) | 30/09/2023 | | 📸 |
| [`Network Pacific Real Estate - Leak`](https://google.com/search?q=Network+Pacific+Real+Estate+-+Leak) | 30/09/2023 | | 📸 |
| [`Stratesys Full data leak`](https://google.com/search?q=Stratesys+Full+data+leak) | 25/09/2023 | | 📸 |
| [`Announcement: COMECA Group going to be Leaked`](https://google.com/search?q=Announcement%3A+COMECA+Group+going+to+be+Leaked) | 22/09/2023 | | 📸 |
| [`Announcement: Skatax Accounting company going to be leaked`](https://google.com/search?q=Announcement%3A+Skatax+Accounting+company+going+to+be+leaked) | 22/09/2023 | | 📸 |
↪️ More victims [here](/group/ragnarlocker?id=posts)
---
## **ragnarok**
> According to BleepingComputer, Ragnarok was used in targeted attacks against unpatched Citrix ADC servers. It skips Russian and Chinese systems by checking the Windows language ID, tries to disable Windows Defender, and carries a number of UNIX file-path references in its strings. Files are encrypted with AES under a dynamically generated key, and that key is then wrapped with RSA so that only the holder of the RSA private key can recover it.
_`shut down & offering a decryptor`_
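To make the encryption sentence above concrete, the following is an added example written for this page; it is not Ragnarok's code and not taken from BleepingComputer. It shows the hybrid scheme the text describes (a fresh AES key per file, that key wrapped under the operator's RSA public key) and why a released RSA private key works as a master decryptor: every per-file key unwraps with it, and none unwraps without it. AES-256-GCM, RSA-OAEP with SHA-256, the `SealedFile` layout and the sample file contents are assumptions for the demo, not details from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedFile is what a hybrid (envelope) scheme leaves behind per file:
// the AES ciphertext plus the per-file AES key wrapped under the operator's
// RSA public key. The layout is an assumption for this demo.
type SealedFile struct {
	WrappedKey []byte // RSA-OAEP(operatorPub, fileKey)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(fileKey, plaintext)
}

// seal encrypts one file the way the page describes: a fresh AES key per
// file, then that key is bundled (wrapped) with RSA. Only the RSA public
// key is needed here, so nothing left on the host can reverse the wrap.
func seal(operatorPub *rsa.PublicKey, plaintext []byte) (*SealedFile, error) {
	fileKey := make([]byte, 32) // AES-256 key, generated per file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unseal is what a "master decryptor" does: with the operator's RSA private
// key it unwraps the file's AES key and decrypts the file. With any other
// RSA key the OAEP unwrap fails and the per-file key stays unrecoverable.
func unseal(operatorPriv *rsa.PrivateKey, sf *SealedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorPriv, sf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, sf.Nonce, sf.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("file decrypt: %w", err)
	}
	return pt, nil
}

// roundTrip seals every file under the operator's public key and recovers
// each with the private key, returning how many came back byte-for-byte.
func roundTrip(operator *rsa.PrivateKey, files [][]byte) (int, error) {
	recovered := 0
	for _, f := range files {
		sf, err := seal(&operator.PublicKey, f)
		if err != nil {
			return recovered, err
		}
		pt, err := unseal(operator, sf)
		if err != nil {
			return recovered, err
		}
		if bytes.Equal(pt, f) {
			recovered++
		}
	}
	return recovered, nil
}

func main() {
	// Constructed demo data, not real victim files.
	operator, _ := rsa.GenerateKey(rand.Reader, 2048)
	files := [][]byte{[]byte("quarterly-report.xlsx contents"), []byte("backup-index.db contents")}
	n, err := roundTrip(operator, files)
	fmt.Println("recovered with the operator's private key:", n, "err:", err)

	// Any other RSA key (a party without the released private key) cannot unwrap.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	sf, _ := seal(&operator.PublicKey, files[0])
	_, err = unseal(other, sf)
	fmt.Println("recovery without the operator's private key:", err)
}
```

The point for responders is the asymmetry: the victim host only ever holds the public key, so the per-file AES keys cannot be recovered from disk or memory after the process exits, but a single published private key (as in the BleepingComputer "master decryptor" link below) unwraps every file of every victim encrypted under the matching public key.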
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion` | ❌ |
| Decrypt Site | 🔴 | 27/08/2021 00:03 | `http://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion` | ❌ |
#### **External information**
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://news.sophos.com/en-us/2020/05/21/asnarok2/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/
- https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/
#### **Ransom note**
* [📝 1 ransom note](notes/ragnarok)
### _Victims_
> 2 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`FNBNWFL Data leaked`](https://google.com/search?q=FNBNWFL+Data+leaked) | 30/12/2021 | | |
| [`Decrypt`](https://google.com/search?q=Decrypt) | 09/09/2021 | | |
---
## **ragroup**
🔎 `ransomware.live` has an active parser for indexing ragroup's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| RA World | 🔴 | 08/01/2024 12:52 | `http://pa32ymaeu62yo5th5mraikgw5fcvznnsiiwti42carjliarodltmqcqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 42 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Di Martino Group `](https://google.com/search?q=Di+Martino+Group+) | 20/12/2023 | | 📸 |
| [`Rockford Gastroenterology Associates `](https://google.com/search?q=Rockford+Gastroenterology+Associates+) | 20/12/2023 | | 📸 |
| [`HALLIDAYS GROUP LIMITED `](https://google.com/search?q=HALLIDAYS+GROUP+LIMITED+) | 20/12/2023 | | 📸 |
| [`Die Unfallkasse Thüringen `](https://google.com/search?q=Die+Unfallkasse+Th%C3%BCringen+) | 20/12/2023 | | 📸 |
| [`NIDEC GPM GmbH `](https://google.com/search?q=NIDEC+GPM+GmbH+) | 20/12/2023 | | 📸 |
| [`ALAB laboratoria `](https://google.com/search?q=ALAB+laboratoria+) | 26/11/2023 | | 📸 |
| [`Al****ia `](https://google.com/search?q=Al%2A%2A%2A%2Aia+) | 19/11/2023 | | 📸 |
| [`Aceromex `](https://google.com/search?q=Aceromex+) | 17/11/2023 | | 📸 |
| [`Chung Hwa Chemical Industrial Works `](https://google.com/search?q=Chung+Hwa+Chemical+Industrial+Works+) | 17/11/2023 | | 📸 |
| [`SUMMIT VETERINARY PHARMACEUTICALS LIMITED `](https://google.com/search?q=SUMMIT+VETERINARY+PHARMACEUTICALS+LIMITED+) | 17/11/2023 | | 📸 |
↪️ More victims [here](/group/ragroup?id=posts)
---
## **ramp**
_`Forum`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion` | ❌ |
| Log in - RAMP | 🟢 | 30/07/2024 02:44 | `http://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://ramp4u5iz4xx75vmt6nk5xfrs5mrmtokzszqxhhkjqlk7pbwykaz7zid.onion` | ❌ |
#### **External information**
- https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/
- https://www.toolbox.com/tech/security/news/russian-darknet-forum-ramp-reemerges-with-chinese-speaking-hackers-at-the-wheel/
- https://www.linkedin.com/pulse/am-i-new-admin-cybercrime-forum-ramp-ayesha-prakash
### _Victims_
> no victim found
---
## **rancoz**
🔎 `ransomware.live` has an active parser for indexing rancoz's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Rancoz - Blog | 🔴 | 17/10/2023 08:23 | `http://ze677xuzard4lx4iul2yzf5ks4gqqzoulgj5u4n5n4bbbsxjbfr7eayd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/rancoz)
### _Total Attacks Over Time_

### _Victims_
> 6 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`DDB Unlimited (ddbunlimited.com)`](https://google.com/search?q=DDB+Unlimited+%28ddbunlimited.com%29) | 03/09/2023 | Manufactures | 📸 |
| [`Rick Ramos Law (rickramoslaw.com)`](https://google.com/search?q=Rick+Ramos+Law+%28rickramoslaw.com%29) | 03/09/2023 | Legal Services industry | 📸 |
| [`Industrial Heat Transfer (iht-inc.com)`](https://google.com/search?q=Industrial+Heat+Transfer+%28iht-inc.com%29) | 07/07/2023 | Custom Heat Exchanger Manufacturer | 📸 |
| [`Air Comfort (aircomfort.ac)`](https://google.com/search?q=Air+Comfort+%28aircomfort.ac%29) | 14/06/2023 | Construction industry | 📸 |
| [`RIC Electronics (ricelectronics.com)`](https://google.com/search?q=RIC+Electronics+%28ricelectronics.com%29) | 05/05/2023 | Electrical Equipment Manufacturing | 📸 |
| [`TrueLogic (truelogiccompany.com)`](https://google.com/search?q=TrueLogic+%28truelogiccompany.com%29) | 05/05/2023 | Software and services company | 📸 |
---
## **ranion**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🟢 | 30/07/2024 02:44 | `http://ranionv3j2o7wrn3um6de33eccbchhg32mkgnnoi72enkpp7jc25h3ad.onion` | 📸 |
### _Victims_
> no victim found
---
## **ransomcartel**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Ransomware - Control Panel | 🔴 | 03/03/2022 18:21 | `http://u67aylig7i6l657wxmp274eoilaowhp3boljowa6bli63rxyzfzsbtyd.onion` | ❌ |
| none | 🔴 | 01/05/2021 00:00 | `http://cartelirsn5l54ehcbalyyqtfb3j7be2rpvf6ujayaf5qqmg3vlwiayd.onion` | ❌ |
| Ransom Cartel | 🔴 | 19/01/2023 17:17 | `http://cartelraqonekult2cxbzzz2ukiff7v6cav3w373uuhenybgqulxm5id.onion` | 📸 |
#### **External information**
- https://t.me/arvin_club/5075
- https://twitter.com/i/web/status/1476488238521065476
### _Victims_
> no victim found
---
## **ransomcortex**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| offline | 🟢 | 30/07/2024 02:45 | `http://gg6owuhu72muoelkt2msjrp2llwr2on5634sk5v2xefzmobvryywbhid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 4 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`painproclinics.com`](https://google.com/search?q=painproclinics.com) | 12/07/2024 | Our uncompromising approach to healthcare is focused on pain relief, injury recovery, and movement performance. Getting fast effective results is… | 📸 |
| [`www.donaanita.com`](https://google.com/search?q=www.donaanita.com) | 12/07/2024 | Find out more about the Medical Clinic. A reference in the region, Policlínica Dona Anita has been serving since 2010, always seeking… | 📸 |
| [`perfeitaplastica.com.br`](https://google.com/search?q=perfeitaplastica.com.br) | 12/07/2024 | We are a plastic surgery clinic that was created with the aim of taking care of your body and its… | 📸 |
| [`www.respirarlondrina.com.br`](https://google.com/search?q=www.respirarlondrina.com.br) | 12/07/2024 | The Instituto Respirar Londrina is a multidisciplinary hospital that provides services in the areas of Pneumology, Infectology, and Thoracic Surgery.… | 📸 |
---
## **ransomed**
🔎 `ransomware.live` has an active parser for indexing ransomed's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 07/09/2023 12:50 | `http://ransomed.vc` | 📸 |
| 404 Not Found | 🔴 | 01/09/2023 10:54 | `http://k63fo4qmdnl4cbt54sso3g6s5ycw7gf7i6nvxl3wcf3u6la2mlawt5qd.onion` | ❌ |
| Ransomedvc – Leading Agency In Digital Peace – Ran | 🔴 | 06/11/2023 06:57 | `http://f6amq3izzsgtna4vw24rpyhy3ofwazlgex2zqdssavevvkklmtudxjad.onion` | 📸 |
| Ransomed | 🔴 | 18/11/2023 16:00 | `http://g6ocfx3bb3pvdfawbgrbt3fqoht5t6dwc3hfmmueo76hz46qepidnxid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 68 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`RANSOMEDVC is for sale`](https://google.com/search?q=RANSOMEDVC+is+for+sale) | 30/10/2023 | I do not want to continue being monitored by federal agencies and I would wish to sell the project to someone who will want to continue it. We are selling everything. IN PACKAGE: Domains 1 Ransomware Builder = 100% FUD – Bypassing all AVs and automatically infecting all LAN devices inside network.. – automatically escalate… | 📸 |
| [`Ransomedvc Launches A forum`](https://google.com/search?q=Ransomedvc+Launches+A+forum) | 22/10/2023 | Visit us: http://g6ocfx3bb3pvdfawbgrbt3fqoht5t6dwc3hfmmueo76hz46qepidnxid.onion | 📸 |
| [`We Hire Pentesters(5BTC Payout)`](https://google.com/search?q=We+Hire+Pentesters%285BTC+Payout%29) | 20/10/2023 | @RansomedSupport on telegram to join Ransomed.vc is in need of only advanced pentesters, our jobs are one of the highest paid you can ever find. If you have the skills, be so kind and come earn what you deserve. @RansomedSupport to join. | 📸 |
| [`Ransomedvc Pentest Services!`](https://google.com/search?q=Ransomedvc+Pentest+Services%21) | 16/10/2023 | Ransomedvc now offers pentesting services! share your targets with us on @RansomedSupport on telegram. Guaranteed results! | 📸 |
| [`RE : Clarification`](https://google.com/search?q=RE+%3A+Clarification) | 16/10/2023 | Third-party involvement in the editing of the last 2 posts cannot be more obvious, considering the English is far more fluent than previous posts made by RansomedVC. We have no direct, or indirect affiliation(s) with RansomedVC on an operational level. They have not been compensated financially or otherwise for this. We both share the sole… | 📸 |
| [`Rob Lee Evidence : Sneak Peek`](https://google.com/search?q=Rob+Lee+Evidence+%3A+Sneak+Peek) | 16/10/2023 | Note : Threat actor Rob Lee has failed to cooperate with the demands made by us, including an admission of guilt & wrongdoing, and an immediate resignation. Therefore, we must expose Rob Lee for who he is – a threat actor working under the guise of a powerful executive, who is in this solely for… | 📸 |
| [`Colonial Pipeline Company`](https://google.com/search?q=Colonial+Pipeline+Company) | 15/10/2023 | Threat actors – they hide amongst us. It is becoming increasingly difficult to differentiate these bad actors from our heroic cyber front-line responders, who work night & day to protect their clients from ever-growing cyber threats. In fact, as we’ll discuss here, some of these threat actors operate under the guise of powerful cyber-security executives.… | 📸 |
| [`Accenture Breach Evidence & Debunking Rob Lee’s Lies`](https://google.com/search?q=Accenture+Breach+Evidence+%26+Debunking+Rob+Lee%E2%80%99s+Lies) | 15/10/2023 | How ironic! Rob Lee, the outed threat actor, working under the guise of a seasoned cyber-security professional, recently tweeted the above, in an attempt to throw shade at the various claims made about him. In one such email exchange, Rob asks Dragos colleague Nanci Uher for her thoughts on using stolen data from the Accenture… | 📸 |
| [`webpag.com.br database leaked`](https://google.com/search?q=webpag.com.br+database+leaked) | 15/10/2023 | | 📸 |
| [`Metroclub.org`](https://google.com/search?q=Metroclub.org) | 13/10/2023 | We successfully extracted the entire content of the metroclub.org website, belonging to Metroclub, a private club based in Washington, D.C. The extracted data amounts to 2.1 terabytes. The accompanying screenshot provides a glimpse of critical information, although we are still in the process of collecting additional data. Our haul includes the complete membership list, employee… | 📸 |
↪️ More victims [here](/group/ransomed?id=posts)
---
## **ransomexx**
> RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.
🔎 `ransomware.live` has an active parser for indexing ransomexx's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| RansomEXX – v2.0 | 🟢 | 30/07/2024 02:45 | `http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion` | 📸 |
#### **External information**
- https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://github.com/Bleeping/Ransom.exx
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
- https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701
- https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4
- https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/
- https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/
- https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
- https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.ic3.gov/Media/News/2021/211101.pdf
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
- https://www.sentinelone.com/anthology/ransomexx/
- https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx
- https://www.youtube.com/watch?v=qxPXxWMI2i4
#### **Ransom note**
* [📝 5 ransom notes](notes/ransomexx)
### _Total Attacks Over Time_

### _Victims_
> 63 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`LITEON`](https://google.com/search?q=LITEON) | 26/07/2024 | LITEON Technology Corporation, based in Taiwan, is a leading company in the electronics industry known for its diverse range of products. Founded in 1975, LITEON specializes in the development and manufacturing of optoelectronics, storage devices, and other electronic components. Its products include LED lighting solutions, semiconductors, automotive electronics, and smart healthcare devices. LITEON is recognized for its innovation and commitment to sustainability, providing high-quality technology solutions to global customers while emphasizing environmental responsibility. Leaked data size: 142GB. | 📸 |
| [`Planet Group International`](https://google.com/search?q=Planet+Group+International) | 26/07/2024 | Planet Group International is a multinational corporation specializing in innovative technology solutions and consulting services. With a presence in numerous countries, the company focuses on digital transformation, IT infrastructure, software development, and data analytics. They cater to a diverse range of industries, providing tailored solutions to enhance operational efficiency and drive business growth. Planet Group International is known for its commitment to excellence, leveraging cutting-edge technologies to deliver high-quality services and support to its global clientele. Leaked data size: 4.9GB. | 📸 |
| [`Wagner-Meinert`](https://google.com/search?q=Wagner-Meinert) | 08/07/2024 | Wagner-Meinert is a company that specializes in industrial refrigeration, food process systems, and mechanical contracting. They provide services such as design, installation, maintenance, and compliance support for industrial and commercial refrigeration systems. Their expertise often spans areas including ammonia refrigeration systems, food processing equipment, HVAC systems, and related industrial solutions. Leaked data size: 685.3GB. | 📸 |
| [`Asteco`](https://google.com/search?q=Asteco) | 17/04/2024 | Asteco is a real estate services firm based in the United Arab Emirates (UAE), with its headquarters in Dubai. It offers a wide range of real estate services including property management, valuation, research, investment consultancy, and sales and leasing brokerage. Asteco has been a prominent player in the UAE’s real estate market for several years, providing services to both individual clients and corporate entities. Leaked data size: 11.4GB. | 📸 |
| [`Ministry of Defense of Peru`](https://google.com/search?q=Ministry+of+Defense+of+Peru) | 24/03/2024 | The Peruvian Ministry of Defense (Ministerio de Defensa del Perú) is the government agency responsible for overseeing the defense and security affairs of Peru. Leaked data size: 763.8GB. | |
| [`Kenya Airways`](https://google.com/search?q=Kenya+Airways) | 30/12/2023 | Kenya Airways Ltd., more commonly known as Kenya Airways, is the flag carrier airline of Kenya. The company was founded in 1977, after the dissolution of East African Airways. Its head office is located in Embakasi, Nairobi, with its hub at Jomo Kenyatta International Airport. Accidents, IDs, cases, passports, staff death, etc. | 📸 |
| [`AlJaber Engineering`](https://google.com/search?q=AlJaber+Engineering) | 26/11/2023 | AlJaber Engineering (JEC) is a leading general contractor based in the State of Qatar. | 📸 |
| [`Admilla ELAP`](https://google.com/search?q=Admilla+ELAP) | 17/11/2023 | Elap (formerly Admilia) offers its expertise and support throughout the implementation of your budget and accounting solution. Huge clients, financial documents, contracts, personal data and a lot of confidential things belong to their customers. If you wanna be one someday your data will be here. | 📸 |
| [`Telecommunications Services of Trinidad and Tobago (tstt.co.tt)`](https://google.com/search?q=Telecommunications+Services+of+Trinidad+and+Tobago+%28tstt.co.tt%29) | 27/10/2023 | tstt.co.tt and bmobile.co.tt. 4293368 customers' lines, ID scans, gitlab projects, db dumps. | 📸 |
| [`Telecommunications Services of Trinidad and Tobago`](https://google.com/search?q=Telecommunications+Services+of+Trinidad+and+Tobago) | 27/10/2023 | Telecommunications Services of Trinidad and Tobago (TSTT) is the primary telecommunications provider in the twin-island nation of Trinidad and Tobago. Leaked data size: 6GB. | 📸 |
↪️ More victims [here](/group/ransomexx?id=posts)
---
## **ransomhouse**
🔎 `ransomware.live` has an active parser for indexing ransomhouse's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| ©RansomHouse | 🔴 | 01/10/2022 13:32 | `http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion` | ❌ |
| none | 🟢 | 30/07/2024 02:46 | `http://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion` | 📸 |
| Ransomhouse © | 🔴 | 14/01/2023 21:31 | `http://secxrosqawaefsio3biv2dmi2c5yunf3t7ilwf54czq3v4bi7w6mbfad.onion` | ❌ |
#### **External information**
- https://t.me/ransom_house
#### **Ransom note**
* [📝 2 ransom notes](notes/ransomhouse)
### _Total Attacks Over Time_

### _Victims_
> 101 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Valisana`](https://www.valisana.be) | 20/07/2024 | Valisana! Responsibility is the moral need to answer for our own actions or those of others. At Valisana we emphasize the importance of everyone's responsibility, but also of shared responsibility. This involves commitment, independence, recognition of others and cooperation. We strive for mutual respect within the therapeutic relationship, as well as self-respect and sincerity and clarity of the project. Respect is an institutional value that concerns both patients and professionals. We want to be open to a diversity of cultures, innovations and learning processes. We strive for care tailored to the patient rather than standard solutions. Every patient, without exception or distinction, must be treated fairly and neutrally according to their needs. The same applies to team members. We encourage everyone to speak openly and work on an open feedback culture. Together with our colleagues and patients we strive for a therapeutically oriented collaboration without prejudice or a priori assumptions. We strive for recognition and integration, in all our reflections, actions and decisions, of both the individual contribution of each team member and the specificity of each of our patients. | 📸 |
| [`Sibanye-Stillwater`](https://www.sibanyestillwater.com) | 11/07/2024 | Sibanye-Stillwater is one of the world’s largest primary producers of platinum, palladium, and rhodium and is a top tier gold producer. It also produces and refines iridium and ruthenium, nickel, chrome, copper and cobalt. The Group has recently begun to diversify its asset portfolio into battery metals mining and processing and increase its presence in the circular economy by growing its recycling and tailings reprocessing exposure globally. | 📸 |
| [`Infomedika`](https://www.infomedika.com) | 05/07/2024 | Experience of over 40 years. Our Mission: Support a wide variety of industries in their automation, efficiency, and operational optimization goals using the most advanced and cost-effective technology. Vision: To be the leaders in cutting-edge technology of information systems applications and services for the benefit of all the industries we serve. Infomedika is vanguard, stability, and commitment in a wide variety of industries, pursuing the best attention for patients and customers while ensuring efficiency of the revenue cycle process and the return of investment. Located in San Juan, Puerto Rico. 24/7 technical support. Wide catalog of world top of the line integrated solutions. Over 80 staff members to assist customers. Broad certifications to assure superb development. | 📸 |
| [`RiverSoft`](https://www.riversoft.net) | 30/06/2024 | RiverSoft is the product of a design process that spans more than 20 years. It is designed to work for large agencies with thousands of patients, in multiple locations, with varied and ever-changing payer requirements (Medicare, Medicare Advantage, Medicaid, commercial insurances, HMO’s, and self-pays). The software has been optimized to work for large populations of employees and patients. All information relevant to the job at hand is shown together, all at once, to save the user’s time. RiverSoft offers something that no other home care software company offers: Industrial strength software that is customized through configuration and software changes to meet the UNIQUE demands of LARGER home care agencies. | 📸 |
| [`Ronglian Group`](https://www.ronglian.com) | 29/06/2024 | One of the leaders of China's digital revolution, helping customers with digital business transformation. Providing global and local expertise on technology and industry to worldwide enterprise customers. Offering IT products, solutions and services to multiple industries and fields for more than 20 years. Supporting China's life science research industry since 2005 and expanded into the healthcare industry. Listed on the Shenzhen Stock Exchange with stock code 002642. | 📸 |
| [`KuiperCompagnons`](https://www.kuipercompagnons.nl) | 24/06/2024 | We learn from the past. For over 100 years, KuiperCompagnons has been looking ahead. Driven by a responsibility towards present and future generations, all our designs and advice contribute to a happy, healthy and sustainable way of living, housing and working. | 📸 |
| [`Guaranteed Supply Company`](https://www.guaranteedsupply.com) | 11/06/2024 | Since 1964, Guaranteed Supply Company has grown to 15 locations. Along the way, we have expanded to feature product lines focused on Concrete Materials, Thermal and Moisture Protection, EIFS/Stucco Products and more. As well as building the largest, independently owned, custom rebar fabrication company in the Carolinas - JMS Rebar. Throughout this journey, Guaranteed Supply Company has kept the same attention to personal care and quality materials that started it all. | 📸 |
| [`Lago Group Spa`](https://www.lagogroup.it/) | 04/06/2024 | Lago Group started to export in the early 90s, though the export division itself came into being in 2002. Since then we have grown continuously, reaching today's numbers: more than 50Mio/€ of annual revenue. Export to: +80 countries. 1 subsidiary company in the USA. Key countries: USA, Mexico, Spain & Portugal, UK, Israel, Oman, Saudi Arabia, China, South Korea, Australia. Today we take part in the most important fairs of the food industry on all continents. | 📸 |
| [`Creative Realities`](https://www.cri.com) | 02/06/2024 | Creative Realities, Inc. respects your privacy and is committed to protecting it through compliance with this privacy policy (“Privacy Policy”). This Privacy Policy applies to information collected from this Site; email, text, and other electronic communication between you and CRI. | 📸 |
| [`Virum Apotek`](https://apoteket-online.dk) | 01/06/2024 | The pharmacy offers a wide range of health services to, for example, citizens, home care services, nursing homes and residential facilities. Drawing on its pharmaceutical expertise, the pharmacy's staff offer, among other things, training, medication reviews and quality assurance of medication handling. | 📸 |
↪️ More victims [here](/group/ransomhouse?id=posts)
---
## **ransomhub**
🔎 `ransomware.live` has an active parser for indexing ransomhub's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| RansomHub - Home | 🟢 | 30/07/2024 02:46 | `http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion` | 📸 |
| Index of / | 🔴 | 19/04/2024 07:12 | `http://ransomgxjnwmu5ceqwo2jrjssxpoicolmgismfpnslaixg3pgpe5qcad.onion` | 📸 |
| Index of / | 🟢 | 30/07/2024 02:47 | `http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion` | 📸 |
#### **Ransom note**
* [📝 3 ransom notes](notes/ransomhub)
### _Total Attacks Over Time_

### _Victims_
> 214 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`labor-koblenz.de`](https://google.com/search?q=labor-koblenz.de) | 29/07/2024 | | 📸 |
| [`www.castelligroup.com`](https://google.com/search?q=www.castelligroup.com) | 26/07/2024 | | 📸 |
| [`www.whittakersystem.com`](https://google.com/search?q=www.whittakersystem.com) | 26/07/2024 | | 📸 |
| [`mrhme.org`](https://google.com/search?q=mrhme.org) | 25/07/2024 | | 📸 |
| [`baytoti.com`](https://google.com/search?q=baytoti.com) | 25/07/2024 | | 📸 |
| [`cminsulation.com`](https://google.com/search?q=cminsulation.com) | 25/07/2024 | | 📸 |
| [`panitchlaw.com`](https://google.com/search?q=panitchlaw.com) | 25/07/2024 | | 📸 |
| [`oficina.oficinadasfinancas.com.br`](https://google.com/search?q=oficina.oficinadasfinancas.com.br) | 24/07/2024 | | 📸 |
| [`bpjaguar.com`](https://google.com/search?q=bpjaguar.com) | 23/07/2024 | | 📸 |
| [`ach.co.th`](https://google.com/search?q=ach.co.th) | 23/07/2024 | | 📸 |
↪️ More victims [here](/group/ransomhub?id=posts)
---
## **ranstreet**
🔎 `ransomware.live` has an active parser for indexing ranstreet's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| RANSTREET - STORMOUS Ransomware | 🔴 | 27/12/2023 03:56 | `http://ransekgbpijp56bflufgxptwn5hej2rztx423v6sim2zrzz7xetnr2qd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 1 victim found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`zonesoft.pt`](https://google.com/search?q=zonesoft.pt) | 21/12/2023 | | |
---
## **ranzy**
> Ranzy Locker, formerly known as ThunderX. The group hosts a data leak site on the darknet where it posts sensitive information of victims who do not pay the ransom. ThunderX was launched at the end of August 2020. Soon after launch, weaknesses were found in the code that allowed decryption of the files the malware had encrypted. The group fixed the code, published a new version, and released it under the name Ranzy Locker. The Tor onion URL used by the Ranzy Leak site is the same as the one used by Ako Ransomware. The use of the same URL could indicate that both groups merged, or that they are cooperating similarly to the Maze cartel.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion` | ❌ |
#### **External information**
- https://blog.malwarebytes.com/ransomware/2021/10/threat-profile-ranzy-locker-ransomware/
- https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
- https://www.ic3.gov/Media/News/2021/211026.pdf
#### **Ransom note**
* [📝 1 ransom note](notes/ranzy)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20201015| 💬 |
|20210223| 💬 |
### _Victims_
> no victim found
---
## **raworld**
> RA Group, also known as RA World, first surfaced in April 2023, utilizing a custom variant of the Babuk ransomware.
🔎 `ransomware.live` has an active parser for indexing raworld's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| RA World | 🟢 | 30/07/2024 02:47 | `http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/raworld)
### _Total Attacks Over Time_

### _Victims_
> 62 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Ascent Group`](https://google.com/search?q=Ascent+Group) | 28/07/2024 | | 📸 |
| [`Kusum Group of Companies`](https://google.com/search?q=Kusum+Group+of+Companies) | 24/07/2024 | | 📸 |
| [`TheLutheranFoundation`](https://google.com/search?q=TheLutheranFoundation) | 24/07/2024 | | 📸 |
| [`Melchers Singapore`](https://google.com/search?q=Melchers+Singapore) | 24/07/2024 | | 📸 |
| [`As****fs`](https://google.com/search?q=As%2A%2A%2A%2Afs) | 24/07/2024 | | 📸 |
| [`GWF Frankenwein`](https://google.com/search?q=GWF+Frankenwein) | 02/05/2024 | | 📸 |
| [`Reederei Jüngerhans`](https://google.com/search?q=Reederei+J%C3%BCngerhans) | 02/05/2024 | | 📸 |
| [`Gr****en`](https://google.com/search?q=Gr%2A%2A%2A%2Aen) | 02/05/2024 | | 📸 |
| [`Me****ng`](https://google.com/search?q=Me%2A%2A%2A%2Ang) | 02/05/2024 | | 📸 |
| [`Po****`](https://google.com/search?q=Po%2A%2A%2A%2A) | 02/05/2024 | | 📸 |
↪️ More victims [here](/group/raworld?id=posts)
---
## **raznatovic**
> RANSOMED.VC aka Raznatovic
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| 404 Not Found | 🔴 | 28/05/2024 05:35 | `http://ransomed.vc` | 📸 |
| none | 🔴 | 07/06/2024 21:19 | `http://ransomed.vc` | 📸 |
| none | 🔴 | 07/06/2024 21:19 | `http://f6amq3izzsgtna4vw24rpyhy3ofwazlgex2zqdssavevvkklmtudxjad.onion` | 📸 |
| 404 Not Found | 🔴 | 07/06/2024 21:19 | `http://f6amq3izzsgtna4vw24rpyhy3ofwazlgex2zqdssavevvkklmtudxjad.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 5 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Flash-Motors Last Warning`](https://google.com/search?q=Flash-Motors+Last+Warning) | 07/01/2024 | This is our final warning, if you do not provide us the required payment within the next 14 days the Cyprus GDPR agency will be forced to enforce Regulation (EU) 2016/679 and possibly other laws that aim the complete protection of the citizens of the EU. Proof of breach: Here. We require a ransom of $150,000 | 📸 |
| [`Regarding FM`](https://google.com/search?q=Regarding+FM) | 26/12/2023 | Hello dear FM, did you think we will let you chill because of the holidays? nah we will make you suffer specially today or you can pay us and it all will be gone like a bad dream. Pay or Contact Us | |
| [`TechKids aka MindX`](https://google.com/search?q=TechKids+aka+MindX) | 17/12/2023 | Data contains 600 million lines, almost 20gb. 5 files. contains bank information and other PII sample: TechKids.txt Buy | |
| [`SKF.com`](https://google.com/search?q=SKF.com) | 17/12/2023 | Maybe next time you will learn paying a ransom will cost you less :) Data is around 50gb, including user data and chat logs. Download | 📸 |
| [`Colonial Pipeline`](https://google.com/search?q=Colonial+Pipeline) | 17/12/2023 | Colonial Pipeline files, hey rob lee? Remember us! With much of love Download | 📸 |
---
## **redalert**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Board of shame | 🔴 | 08/12/2022 07:24 | `http://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhuqhas355janyd.onion` | 📸 |
| Login | 🔴 | 31/12/2022 16:23 | `http://je2yizds7r4uidk6uixfxwjj5w7or2agit4aj66l4lrhdbrvr3lsymid.onion` | 📸 |
#### **External information**
- https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/
#### **Ransom note**
* [📝 1 ransom note](notes/redalert)
### _Total Attacks Over Time_

### _Victims_
> 6 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`www.bbadmin.com`](https://google.com/search?q=www.bbadmin.com) | 22/09/2022 | | |
| [`groupg4.com`](https://google.com/search?q=groupg4.com) | 13/09/2022 | | |
| [`coarc.org`](https://google.com/search?q=coarc.org) | 28/07/2022 | | |
| [`keystonelegal.co.uk`](https://google.com/search?q=keystonelegal.co.uk) | 20/07/2022 | | |
| [`vahanen.com`](https://google.com/search?q=vahanen.com) | 15/07/2022 | | |
| [`syredis.fr`](https://google.com/search?q=syredis.fr) | 14/07/2022 | | |
---
## **redransomware**
🔎 `ransomware.live` has an active parser for indexing redransomware's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Red Ransomware Group - Wall of shame | 🟢 | 30/07/2024 02:48 | `http://33zo6hifw4usofzdnz74fm2zmhd3zsknog5jboqdgblcbwrmpcqzzbid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 16 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Kutes.com`](https://google.com/search?q=Kutes.com) | 11/06/2024 | Building Materials | |
| [`Aircod.com`](https://google.com/search?q=Aircod.com) | 28/05/2024 | Cloud-based Digitalization Platform | |
| [`Sullairargentina.com`](https://google.com/search?q=Sullairargentina.com) | 17/05/2024 | Industrial Machinery & Equipment | |
| [`Targus.com`](https://google.com/search?q=Targus.com) | 19/04/2024 | Computer Equipment & Peripherals | |
| [`Thors-Data.dk`](https://google.com/search?q=Thors-Data.dk) | 05/03/2024 | Holding Companies & Conglomerates | |
| [`Saglobal.com`](https://google.com/search?q=Saglobal.com) | 05/03/2024 | sa.global is the leading Microsoft global implementation partner for project-based cloud ERP solutions that leverage the Microsoft Cloud | |
| [`Solucionesls.com`](https://google.com/search?q=Solucionesls.com) | 05/03/2024 | Solucionesls.com | |
| [`Tecnolite.com`](https://google.com/search?q=Tecnolite.com) | 05/03/2024 | We are the biggest venetian blinds wood slat manufacturer in Europe, strong of a total vertically integrated production that starts with the tree and finishes. | |
| [`Baystate.edu`](https://google.com/search?q=Baystate.edu) | 05/03/2024 | Bay State College is a private, career-focused college with campuses in Boston's Back Bay, Taunton, MA and Online | |
| [`Kogok.com`](https://google.com/search?q=Kogok.com) | 05/03/2024 | Kogok Corporation is an industry leader in performance and customer satisfaction by continually understanding and addressing the needs of our ... | |
↪️ More victims [here](/group/redransomware?id=posts)
---
## **revil**
> The Sodinokibi ransomware group, also known as REvil (Ransomware Evil), operates under a ransomware-as-a-service (RaaS) model. After compromising its victims, the group would threaten to publish the victims' sensitive data on its darknet blog, named 'Happy Blog', unless the ransom was paid. The ransomware code used by REvil is quite similar to the code used by DarkSide, a different threat actor. REvil claimed to have stolen information, including confidential schematics of upcoming products, after a successful attack on a supplier of the tech giant Apple.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| 404 Not Found | 🔴 | 19/08/2022 12:16 | `http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion` | ❌ |
| 404 Not Found | 🔴 | 19/08/2022 12:17 | `http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion` | ❌ |
| Blog | 🔴 | 06/01/2023 15:05 | `http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion` | 📸 |
#### **External information**
- http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html
- http://www.secureworks.com/research/threat-profiles/gold-southfield
- https://analyst1.com/file-assets/History-of-REvil.pdf
- https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf
- https://asec.ahnlab.com/ko/19640/
- https://asec.ahnlab.com/ko/19860/
- https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/
- https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/
- https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/
- https://blog.amossys.fr/sodinokibi-malware-analysis.html
- https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/
- https://blog.group-ib.com/REvil_RaaS
- https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/
- https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/
- https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack
- https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
- https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
- https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
- https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html
- https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
- https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit
- https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics
- https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope
- https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus
- https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html
- https://community.riskiq.com/article/3315064b
- https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
- https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version
- https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/
- https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021
- https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf
- https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
- https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view
- https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf
- https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf
- https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://hatching.io/blog/ransomware-part2
- https://home.treasury.gov/news/press-releases/jy0471
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
- https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89
- https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
- https://intel471.com/blog/changes-in-revil-ransomware-version-2-2
- https://isc.sans.edu/diary/27012
- https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
- https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40
- https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/
- https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/
- https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
- https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
- https://ke-la.com/will-the-revils-story-finally-be-over/
- https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
- https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/
- https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
- https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/
- https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023
- https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80
- https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317
- https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f
- https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/
- https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/
- https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/
- https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v
- https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt
- https://redcanary.com/blog/uncompromised-kaseya/
- https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/
- https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
- https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo
- https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process
- https://securelist.com/ransomware-world-in-2021/102169/
- https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/
- https://securelist.com/sodin-ransomware/91473/
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
- https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html
- https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/
- https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/
- https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware
- https://sites.temple.edu/care/ci-rw-attacks/
- https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf
- https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos
- https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/
- https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/
- https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html
- https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
- https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
- https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
- https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/
- https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/
- https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
- https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/
- https://threatintel.blog/OPBlueRaven-Part1/
- https://threatpost.com/ransomware-revil-sites-disappears/167745/
- https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20
- https://twitter.com/Jacob_Pimental/status/1391055792774729728
- https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20
- https://twitter.com/LloydLabs/status/1411098844209819648
- https://twitter.com/R3MRUM/status/1412064882623713283
- https://twitter.com/SophosLabs/status/1412056467201462276
- https://twitter.com/SophosLabs/status/1413616952313004040?s=20
- https://twitter.com/SyscallE/status/1411074271875670022
- https://twitter.com/VK_Intel/status/1374571480370061312?s=20
- https://twitter.com/VK_Intel/status/1411066870350942213
- https://twitter.com/_alex_il_/status/1412403420217159694
- https://twitter.com/fwosar/status/1411281334870368260
- https://twitter.com/fwosar/status/1420119812815138824
- https://twitter.com/resecurity_com/status/1412662343796813827
- https://twitter.com/svch0st/status/1411537562380816384
- https://unit42.paloaltonetworks.com/prometheus-ransomware/
- https://unit42.paloaltonetworks.com/revil-threat-actors/
- https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/
- https://us-cert.cisa.gov/ncas/alerts/aa20-345a
- https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
- https://velzart.nl/blog/ransomeware/
- https://vimeo.com/449849549
- https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
- https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
- https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom
- https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/
- https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
- https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs
- https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights
- https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent
- https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel
- https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil
- https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom
- https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045
- https://www.bbc.com/news/technology-59297187
- https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
- https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/
- https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
- https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
- https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/
- https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/
- https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/
- https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
- https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/
- https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
- https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/
- https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/
- https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/
- https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/
- https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
- https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf
- https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ
- https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2
- https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf
- https://www.certego.net/en/news/malware-tales-sodinokibi/
- https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html
- https://www.connectwise.com/resources/revil-profile
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
- https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
- https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/
- https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
- https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/
- https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/
- https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
- https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/
- https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.cyjax.com/2021/07/09/revilevolution/
- https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend
- https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/
- https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/
- https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/
- https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/
- https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/
- https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422
- https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego
- https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
- https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter
- https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain
- https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment
- https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged
- https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin
- https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf
- https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/
- https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/
- https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/
- https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/
- https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/
- https://www.flashpoint-intel.com/blog/revil-disappears-again/
- https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/
- https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions
- https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis
- https://www.grahamcluley.com/travelex-paid-ransom/
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident
- https://www.ironnet.com/blog/ransomware-graphic-blog
- https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas
- https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya
- https://www.kaseya.com/potential-attack-on-kaseya-vsa/
- https://www.kpn.com/security-blogs/Tracking-REvil.htm
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.netskope.com/blog/netskope-threat-coverage-revil
- https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
- https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
- https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
- https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
- https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
- https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801
- https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released
- https://www.secureworks.com/blog/revil-the-gandcrab-connection
- https://www.secureworks.com/research/lv-ransomware
- https://www.secureworks.com/research/revil-sodinokibi-ransomware
- https://www.secureworks.com/research/threat-profiles/gold-southfield
- https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html
- https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html
- https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html
- https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf
- https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004
- https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html
- https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html
- https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html
- https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html
- https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/
- https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
- https://www.youtube.com/watch?v=LUxOcpIRxmg
- https://www.youtube.com/watch?v=P8o6GItci5w
- https://www.youtube.com/watch?v=QYQQUUpU04s
- https://www.youtube.com/watch?v=l2P5CMH9TE0
- https://www.youtube.com/watch?v=tZVFMVm5GAk
- https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/
- https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/
- https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload
#### **Ransom note**
* [📝 3 ransom notes](notes/revil)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
#### **Negotiation chats**
| Name | Link |
|---|---|
|20201014| 💬 |
|20201104| 💬 |
|20201126| 💬 |
|20210320| 💬 |
|20210329| 💬 |
|20210331| 💬 |
|20210401| 💬 |
|20210407| 💬 |
|20210413| 💬 |
|20210603| 💬 |
|20210604| 💬 |
|20210609| 💬 |
|20210613| 💬 |
|20210616| 💬 |
|20210617| 💬 |
|20210622| 💬 |
|20210628| 💬 |
|20210630| 💬 |
|20210708| 💬 |
|20210709| 💬 |
### _Total Attacks Over Time_

### _Victims_
> 41 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`kusd.edu`](https://google.com/search?q=kusd.edu) | 28/11/2022 | | |
| [`Sunknowledge Services Inc`](https://google.com/search?q=Sunknowledge+Services+Inc) | 28/11/2022 | | |
| [`medibank.com.au`](https://google.com/search?q=medibank.com.au) | 07/11/2022 | | |
| [`Midea Group`](https://google.com/search?q=Midea+Group) | 01/09/2022 | | |
| [`Doosan Group`](https://google.com/search?q=Doosan+Group) | 02/08/2022 | | |
| [`OptiProERP is a leading global provider of industry-specific ERP solutions for manufacture`](https://google.com/search?q=OptiProERP+is+a+leading+global+provider+of+industry-specific+ERP+solutions+for+manufacture) | 25/07/2022 | | |
| [`Ludwig Freytag Group`](https://google.com/search?q=Ludwig+Freytag+Group) | 12/05/2022 | | |
| [`Unicity International`](https://google.com/search?q=Unicity+International) | 03/05/2022 | | |
| [`Stratford University`](https://google.com/search?q=Stratford+University) | 22/04/2022 | | |
| [`Asfaltproductienijmegen`](https://google.com/search?q=Asfaltproductienijmegen) | 21/04/2022 | | |
↪️ More victims [here](/group/revil?id=posts)
---
## **rhysida**
🔎 `ransomware.live` has an active parser for indexing rhysida's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Rhysida | 🟢 | 30/07/2024 02:49 | `http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion` | 📸 |
| none | 🟢 | 30/07/2024 02:49 | `http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion` | 📸 |
| none | 🟢 | 30/07/2024 02:50 | `http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion` | 📸 |
| Rhysida | 🟢 | 30/07/2024 02:50 | `http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion` | 📸 |
#### **External information**
- https://blog.talosintelligence.com/rhysida-ransomware/
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
- https://www.linkedin.com/posts/prodaft_organic-relationship-between-rhysida-vice-activity-7091777236663427072-NQEs
- https://www.secplicity.org/2023/05/23/scratching-the-surface-of-rhysida-ransomware/
- https://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/
- https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
#### **Ransom note**
* [📝 1 ransom note](notes/rhysida)
### _Total Attacks Over Time_

### _Victims_
> 117 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`New Jersey City University`](https://google.com/search?q=New+Jersey+City+University) | 27/07/2024 | New Jersey City University | |
| [`Computer Networking Solutions`](https://google.com/search?q=Computer+Networking+Solutions) | 27/07/2024 | Computer Networking Solutions Computer Networking Solutions, dba LightSpeed DataLinks (LDL) is a small business located in Columbus, Georgia. LDL has been in business since 1998 and is an active Cisco reseller. | |
| [`Community Care Alliance`](https://google.com/search?q=Community+Care+Alliance) | 26/07/2024 | Community Care Alliance Community Care Alliance is a unified human service agency integrating resources, supports and programs to strengthen families. | |
| [`LawDepot`](https://google.com/search?q=LawDepot) | 23/07/2024 | LawDepot | |
| [`Queens County Public Administrator`](https://google.com/search?q=Queens+County+Public+Administrator) | 20/07/2024 | Queens County Public Administrator There is a Public Administrator in every county in the City of New York. | |
| [`Law Offices of the Public Defender - New Mexico`](https://google.com/search?q=Law+Offices+of+the+Public+Defender+-+New+Mexico) | 19/07/2024 | Law Offices of the Public Defender - New Mexico As the state's largest law firm, we represent low-income people facing criminal charges in New Mexico. | |
| [`Gandara Center`](https://google.com/search?q=Gandara+Center) | 17/07/2024 | Gandara Center Gandara Center was founded in Springfield in 1977 to advocate and provide for equal and culturally competent services in behavioral health for the Hispanic community. | |
| [`Goede, DeBoest & Cross, PLLC.`](https://google.com/search?q=Goede%2C+DeBoest+%26+Cross%2C+PLLC.) | 15/07/2024 | Goede, DeBoest & Cross, PLLC. Since its founding, the firm has grown to a mid-size law firm where the partners have a genuine camaraderie and a dynamic and young vibe amongst its staff. There is a team mentality, a family atmosphere and a shared desire to help clients. | |
| [`BrownWinick`](https://google.com/search?q=BrownWinick) | 14/07/2024 | BrownWinick 1951, a tax-law specialty firm opened its doors in downtown Des Moines, Iowa. Its modest size hid lofty ambitions: to help its clients build on a strong foundation, and to put businesses from Iowa, the Midwest and around the country on a powerful footing for growth and competitive success. | |
| [`MYC Media`](https://google.com/search?q=MYC+Media) | 07/07/2024 | MYC Media MYC Media is your national creative agency providing full-service marketing to businesses looking to expand their brand's reach and make an impact. | |
↪️ More victims [here](/group/rhysida?id=posts)
---
## **robinhood**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Trending topics on Tumblr | 🟢 | 30/07/2024 02:51 | `http://robinhoodleaks.tumblr.com` | 📸 |
#### **External information**
- https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/
- https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/
- https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
- https://goggleheadedhacker.com/blog/post/12
- https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/
- https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/
- https://twitter.com/VK_Intel/status/1121440931759128576
- https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
- https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/
- https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
- https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
- https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/
- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
### _Victims_
> 1 victim found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Besson Seguros`](https://google.com/search?q=Besson+Seguros) | 06/12/2021 | | |
---
## **rook**
> According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note (HowToRestoreYourFiles.txt). Rook renames files by appending the .Rook extension. For example, it renames 1.jpg to 1.jpg.Rook, 2.jpg to 2.jpg.Rook.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| We Are Rook!!! | 🔴 | 26/01/2022 15:24 | `http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion` | ❌ |
#### **External information**
- https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/
- https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/
- https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md
- https://seguranca-informatica.pt/rook-ransomware-analysis/
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader
- https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/
#### **Ransom note**
* [📝 1 ransom note](notes/rook)
### _Total Attacks Over Time_

### _Victims_
> 9 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Abdi ibrahim`](https://google.com/search?q=Abdi+ibrahim) | 08/01/2022 | | |
| [`Evalueserve`](https://google.com/search?q=Evalueserve) | 28/12/2021 | | |
| [`DENSO`](https://google.com/search?q=DENSO) | 28/12/2021 | | |
| [`Data breach summary`](https://google.com/search?q=Data+breach+summary) | 26/12/2021 | | |
| [`Rossell Techsys(Data will be given tomorrow)`](https://google.com/search?q=Rossell+Techsys%28Data+will+be+given+tomorrow%29) | 18/12/2021 | | |
| [`KMG Prestige, Inc. (Data will be given tomorrow)`](https://google.com/search?q=KMG+Prestige%2C+Inc.+%28Data+will+be+given+tomorrow%29) | 18/12/2021 | | |
| [`Rosendahl Design Group`](https://google.com/search?q=Rosendahl+Design+Group) | 14/12/2021 | | |
| [`Rossell Techsys`](https://google.com/search?q=Rossell+Techsys) | 14/12/2021 | | |
| [`KMG Prestige, Inc.`](https://google.com/search?q=KMG+Prestige%2C+Inc.) | 07/12/2021 | | |
---
## **royal**
> According to Trendmicro, Royal ransomware was first observed in September 2022, and the threat actors behind it are believed to be seasoned cybercriminals who used to be part of Conti Team One.
🔎 `ransomware.live` has an active parser for indexing royal's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Royal | 🔴 | 16/10/2023 12:57 | `http://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion` | 📸 |
| none | 🔴 | 16/10/2023 14:20 | `http://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion` | 📸 |
#### **External information**
- https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/
- https://unit42.paloaltonetworks.com/royal-ransomware/
- https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html
#### **Ransom note**
* [📝 1 ransom note](notes/royal)
### _Total Attacks Over Time_

### _Victims_
> 211 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Braintree Public Schools`](http://www.braintreema.gov) | 19/07/2023 | Braintree Public Schools is an independent public school district which serves the kindergarten through high school educational needs of the city of Braintree, Massachusetts and the surrounding areas. | 📸 |
| [`Tachi-S Engineering USA`](http://www.tachi-s.com) | 11/06/2023 | Global Seat System Creator. At Tachi-S, we help automotive manufacturers launch their cars, trucks and SUVs by designing, developing, testing and manufacturing high-quality automotive seats that are functional, safe, stylish and most importantly comfortable. Each year, Tachi-S delivers over 3 million complete automotive seats and over 4 million seat components to the global automotive market. Our success is based on being responsive, flexible and easy to work with to help assure that every automotive seating program is completed on-time, on-budget and delivered with high quality. That’s how we do business…and that’s why we have been a continuously selected company in the automotive industry. | 📸 |
| [`PENNCREST School District`](http://www.penncrest.org) | 09/06/2023 | PENNCREST School District provides resources and opportunities that challenge students, assess their educational progress, provide a system of support and empower all to become confident lifelong learners. This organization, like many others, does not keep student information safe. We are going to upload everything we got from them here soon. Personal information of students and employees as well as schools' financial data are pretty detailed. Everything is of 164GB. Stay in touch! | 📸 |
| [`Grange Packing Solutions`](http://www.co-pack.co.uk) | 26/05/2023 | In April 2021 Speciality consortium completed the final stage of the takeover of Grange packing solutions. Speciality consortium group was developed as an off shore consortium of manufacturing companies producing plastic packaging goods and machinery, based in a nu. Total downloaded data - 3gb | 📸 |
| [`Haworth Tompkins`](http://www.haworthtompkins.com) | 26/05/2023 | Haworth Tompkins is a Stirling Prize-winning architectural studio with an international reputation for intelligent, purposeful design. Total downloaded data - 100gb | 📸 |
| [`Colrich`](http://www.colrich.com) | 26/05/2023 | From South Africa to Southern California, the ColRich story is a decades-long journey of growth, continuous reinvention and a culture of caring. Through generations of family ownership, the ColRich brand has evolved, but the company’s foundation remains the same today as in the beginning – build lasting communities through a culture centered around innovation, humility, perseverance, and a commitment to helping others. In 1977, business colleagues and friends Richard Gabriel, Barry Galgut and Colin Seid moved from Johannesburg to San Diego, leaving the unrest of apartheid-era South Africa for a more stable environment to raise their families. The trio quickly formed a San Diego-based partnership to pursue development and investment opportunities in Southern California. The business achieved notable success over more than two decades – largely due to continual reinvention and the team’s ability to leverage the peaks and troughs of the cyclical real estate industry. Gabriel’s sons, Graeme and Danny, took the helm in 2003 to build the next iteration of ColRich, creating a diverse residential platform that leverages a unique homebuilding background, renovation expertise, sophisticated in-house construction and design teams brought together in private capital partnerships. Today, ColRich is recognized as an industry leader for integrating design and value into both for-sale and multifamily rental properties. Total downloaded data - 560gb | 📸 |
| [`Volt`](http://www.volt.com) | 26/05/2023 | Volt Information Sciences, Inc. provides staffing and information technology (IT) infrastructure services in the United States and internationally. Total downloaded data - 249gb | 📸 |
| [`AFG Holdings`](http://www.afgholdings.com) | 26/05/2023 | AFG Holdings, Inc. is a fully integrated OEM providing differentiated technology, products, and services. The Company maintains a market-leading position in many of its businesses, including aerospace, general industrial, oil and gas, and power generation. Total downloaded data - 319gb | 📸 |
| [`Mitutoyo`](http://www.mitutoyo.ch) | 26/05/2023 | Mitutoyo is one of the world's leading manufacturers of high-quality precision length measurement technology. The portfolio of the full-service provider includes a wide range of products from micrometers, calipers and dial gauges to hardness testers, measuring microscopes and much more. Total downloaded data - 254gb | 📸 |
| [`The Best Connection`](http://www.thebestconnection.co.uk) | 26/05/2023 | Headquartered in Bromsgrove, United Kingdom, The Best Connection is an independent provider of flexible workforce solutions to the driving, industrial, warehouse & distribution and retail sectors. Total downloaded data - 1.4tb | 📸 |
↪️ More victims [here](/group/royal?id=posts)
---
## **rransom**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 14/04/2023 05:40 | `http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion` | 📸 |
### _Victims_
> no victim found
---
## **sabbath**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| BLOG | 🔴 | 13/11/2021 03:45 | `http://54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion` | ❌ |
| none | 🔴 | 13/04/2022 03:32 | `http://54bb47h.blog` | 📸 |
#### **External information**
- https://www.mandiant.com/resources/sabbath-ransomware-affiliate
### _Total Attacks Over Time_

### _Victims_
> 17 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`JALEEL TRADERS LLC`](https://google.com/search?q=JALEEL+TRADERS+LLC) | 15/01/2022 | | |
| [`ASL Napoli 3 Sud Network Seized`](https://google.com/search?q=ASL+Napoli+3+Sud+Network+Seized) | 14/01/2022 | | |
| [`Protected: PRIVATE POST ITALY`](https://google.com/search?q=Protected%3A+PRIVATE+POST++ITALY) | 12/01/2022 | | |
| [`Summit College`](https://google.com/search?q=Summit+College) | 04/01/2022 | | |
| [`TRIGYN 2 0 Data Leak`](https://google.com/search?q=TRIGYN+2+0+%7C+Data+Leak) | 28/12/2021 | | |
| [`Prenax`](https://google.com/search?q=Prenax) | 20/12/2021 | | |
| [`Social Enterprise (SEC)`](https://google.com/search?q=Social+Enterprise+%28SEC%29) | 12/12/2021 | | |
↪️ More victims [here](/group/sabbath?id=posts)
---
## **shadow**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| DuckDuckGo — Privacy, simplified. | 🔴 | 06/09/2023 17:23 | `http://lc65fb3wrvox6xlyn4hklwjcojau55diqxxylqs4qsfng23ftzijnxad.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/shadow)
### _Victims_
> no victim found
---
## **shaoleaks**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Shao leaks team | 🔴 | 01/11/2022 16:55 | `http://crptd5sv5bdz6hovrbkac6mnp3rt7zij62njsqwh5a6ldd3asxdd22qd.onion` | ❌ |
### _Total Attacks Over Time_

### _Victims_
> 4 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Welcome to new customers!`](https://google.com/search?q=Welcome+to+new+customers%21) | 01/11/2022 | | |
| [`Some of our customers was not payed to us for data decryption. So we publish some of his d`](https://google.com/search?q=Some+of+our+customers+was+not+payed+to+us+for+data+decryption.+So+we+publish+some+of+his+d) | 01/11/2022 | | |
| [`Update for boxerproperty`](https://google.com/search?q=Update+for+boxerproperty) | 01/11/2022 | | |
| [`Greetings to havi.com and tmsw.com`](https://google.com/search?q=Greetings+to+havi.com+and+tmsw.com) | 01/11/2022 | | |
---
## **siegedsec**
> Not a ransomware group but a hacktivist group that appeared coincidentally days before Russia’s invasion of Ukraine
🔎 `ransomware.live` has an active parser for indexing siegedsec's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 25/03/2024 16:06 | `http://nv5p2mmpctvyqdyyi5zwh4gnifq2uxdx4etvnmaheqlrw6ordrjwxryd.onion` | 📸 |
#### **External information**
- https://socradar.io/threat-actor-profile-siegedsec/
- https://www.darkowl.com/blog-content/darkowl-cyber-group-spotlight-siegedsec-and-leaked-data/
### _Total Attacks Over Time_

### _Victims_
> 19 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Colombian National Registry`](https://google.com/search?q=Colombian+National+Registry) | 09/12/2023 | corrective measures, police | |
| [`Deqing County`](https://google.com/search?q=Deqing+County) | 09/12/2023 | chinese citizens | |
| [`Staples`](https://google.com/search?q=Staples) | 09/12/2023 | retail | |
| [`Portland Government & United states government`](https://google.com/search?q=Portland+Government+%26+United+states+government) | 09/12/2023 | governmental | |
| [`National Office for centralized procurement`](https://google.com/search?q=National+Office+for+centralized+procurement) | 09/12/2023 | romanian government | |
| [`Technical University of Mombasa`](https://google.com/search?q=Technical+University+of+Mombasa) | 09/12/2023 | kenyan education | |
| [`Telerad`](https://google.com/search?q=Telerad) | 09/12/2023 | healthcare | |
| [`OpTransRights - 2`](https://google.com/search?q=OpTransRights+-+2) | 09/12/2023 | healthcare | |
| [`Grupo Televisa`](https://google.com/search?q=Grupo+Televisa) | 26/11/2023 | mass media, entertainment, media corporation | 📸 |
| [`NATO Leak - 1`](https://google.com/search?q=NATO+Leak+-+1) | 26/11/2023 | intergovernmental, military alliance | 📸 |
↪️ More victims [here](/group/siegedsec?id=posts)
---
## **slug**
🔎 `ransomware.live` has an active parser for indexing slug's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| slug | 🔴 | 11/03/2024 10:03 | `http://3ytm3d25hfzvbylkxiwyqmpvzys5of7l4pbosm7ol7czlkplgukjq6yd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/slug)
### _Total Attacks Over Time_

### _Victims_
> 1 victim found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`aercap.com`](https://google.com/search?q=aercap.com) | 15/01/2024 | About aercap: Our commitment to excellence is manifested by our comprehensive, innovative and tailor-made solutions that are unrivaled in the leasing industry. We are the world's largest owners of commercial aircraft and leader in aviation leasing, providing airlines with long-term access to the most in-demand passenger and cargo aircraft, engines and helicopters. | 📸 |
---
## **snatch**
> Snatch is ransomware that reboots the infected PC into Safe Mode before encrypting. Most existing security protections do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.
🔎 `ransomware.live` has an active parser for indexing snatch's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| News | 🔴 | 02/11/2023 06:54 | `http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion` | 📸 |
| Access Denied | 🔴 | 29/01/2023 17:17 | `http://snatch.press` | 📸 |
| News | 🔴 | 13/09/2023 02:27 | `http://snatchteam.top` | 📸 |
| Just a moment... | 🟢 | 30/07/2024 02:51 | `http://snatchteam.cc` | 📸 |
| Just a moment... | 🟢 | 30/07/2024 02:52 | `http://snatchnews.top` | 📸 |
#### **External information**
- https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
- https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md
- https://intel471.com/blog/a-brief-history-of-ta505
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
- https://twitter.com/VK_Intel/status/1191414501297528832
- https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/
- https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/
- https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
- https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access
#### **Ransom note**
* [📝 1 ransom note](notes/snatch)
### _Total Attacks Over Time_

### _Victims_
> 142 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Neovia`](https://google.com/search?q=Neovia) | 15/05/2024 | The company néovia was founded in 2003 by three IT engineers who had each held consultant and management positions for more than 10 years at various IT services companies. | |
| [`UK government`](https://google.com/search?q=UK+government) | 01/05/2024 | More information in our telegram channel https://t.me/snatch_team. Rishi Sunak, Prime Minister of the UK; Grant Shapps, Secretary of State for Defence; Jeremy Hunt, Chancellor of the Exchequer; Alexander Boris de Pfeffel Johnson, former Prime Minister of the UK; Richard Moore, the Chief of MI6, the UK Secret Intelligence Service; Felicity Oswald OBE, Interim Chief Executive Officer; Sir Mark Peter Rowley QPM, head of London police | |
| [`The Royal Family of Great Britain`](https://google.com/search?q=The+Royal+Family+of+Great+Britain) | 16/04/2024 | More information in our telegram channel https://t.me/snatch_team. Charles III, the King; Camilla, the Queen; William, Prince of Wales; Catherine, the Princess of Wales; Prince George of Wales; Princess Charlotte of Wales; Prince Louis of Wales; Prince Henry, Duke of Sussex; Meghan, Duchess of Sussex; Prince Archie of Sussex; Princess Lilibet of Sussex; Prince Edward Duke | |
| [`Miki Travel Limited`](https://google.com/search?q=Miki+Travel+Limited) | 26/03/2024 | MIKI Travel has a dedicated team of hundreds of multilingual, professional staff, providing sales, customer service, ground operations, finance and IT support to our trade clients around the globe. Our affiliate offices around the world are managed and staffed by carefully selected industry professionals. | |
| [`Retirement Line`](https://google.com/search?q=Retirement+Line) | 19/03/2024 | Retirement Line is the UK's largest pension income broker*. We are committed to helping you make the most of your pension savings. We have the experience and expertise to make a real difference to your annuity income in retirement. We offer specialist annuity guidance and | |
| [`Butler, Lavanceau & Sober`](https://www.blscpafirm.com) | 17/03/2024 | Butler, Lavanceau & Sober, LLC is a certified public accounting firm centrally located in Columbia, Maryland. Our seasoned accountants have over 200 years of combined expertise and are ready to meet your individual and business accounting, tax, and consulting needs. | |
| [`Dörr Group`](https://www.doerrgroup.com) | 12/03/2024 | May we introduce ourselves? We are Evelyn and Rainer Dörr. We are specialists in supercars, but really it is all about you and what you have in mind. Motorsport? Tours? Meeting great people? Talking shop about cars? Speaking with experts? We have a few ideas. Ideas that | |
| [`Seven Seas Group`](https://sevenseasgroup.com) | 04/03/2024 | Seven Seas is a global maritime services group that specializes in providing general ship supplies, stores, provisions, and leading technical maritime brands through its extensive global network. Over five decades, Seven Seas has strived to be a trusted partner to our customers. Founded in 1971, | |
| [`HSPG & Associates`](https://www.hspgcpas.com) | 28/02/2024 | 180 GB, 205,877 Files, 25,598 Folders of confidential information has been moved to our servers. Database backups; Professional Tax Software - Tax Preparer Software - Intuit ProSeries | |
| [`Frencken`](https://frenckengroup.com) | 28/02/2024 | More information in our telegram channel https://t.me/snatch_team. Persons responsible for data leakage: Head of City Council Of Penang Island Rajendran P. Anthony. DATO' Ir. RAJENDRAN A/L P. ANTHONY D.S.P.N., A.M.N., B.C.N., P.K.T., P.J.K.; Rajendran P. Anthony, a distinguished figure in the administration of Penang Island, has recently | |
↪️ More victims [here](/group/snatch?id=posts)
---
## **solidbit**
> Ransomware, written in .NET.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| SOLIDBIT LOGIN | 🔴 | 27/08/2022 10:45 | `http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion` | ❌ |
#### **External information**
- https://www.trendmicro.com/en_us/research/22/h/solidbit-ransomware-enters-the-raas-scene-and-takes-aim-at-gamer.html
### _Victims_
> no victim found
---
## **spacebears**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Space Bears | 🟢 | 30/07/2024 02:52 | `http://5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 25 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Stienemann`](https://stienemann-wp.de/) | 24/07/2024 | We at the Stienemann tax consultancy firm in Witten take care of your tax-related issues with a focus on trades, real estate, engineers and consultants. We support you with tax returns, take care of your accounting and prepare your annual financial statements. As a pioneer, we also accompany you on your individual entrepreneurial path with expert tax knowledge. An indispensable support – digital but still close. Do you have questions about income tax, inheritance and gift tax or digitalization? You can also benefit from our knowledge here. Receive advice tailored to your needs so that you can achieve the best result on the tax side. https://stienemann-wp.de/ | 📸 |
| [`Un Museau`](https://unmuseau.com/) | 04/07/2024 | The Clinique Un Museau vaut mille Mots offers speech therapy and language stimulation services to children, adolescents and adults. Our expertise in telespeech therapy allows us to make speech therapy assessments and services even more accessible, throughout Quebec, to people who would like to benefit from an assessment or follow-up in the comfort of their own home. The Un Museau vaut mille Mots clinic is a member of the Haylem network, a company that created the specialized software for reading and writing difficulties, Lexibar. Financial reports, database, patient histories, patient personal data. https://unmuseau.com/ | 📸 |
| [`Haylem`](https://www.haylem.ca/) | 03/07/2024 | Haylem is engineering and technological innovation at the service of people who have difficulty reading and writing. Expertise in software development specializing in the field of written language, which mainly targets the education sector. Financial reports, database, personal information of employees. https://www.haylem.ca/ | 📸 |
| [`ARISTA`](https://www.aristaint.com/) | 02/07/2024 | Arista is a company with a wide experience in work spaces, with excellent customer service. Consulting, selling, installing and adaptation of furniture and constructive elements for offices and commercial environments. SQL, other valuable files! https://www.aristaint.com/ | 📸 |
| [`Gokals Consumer Electronics & Computers Retail · Fiji`](https://www.gokals.com.fj/) | 18/06/2024 | GOKALS is the leading consumer electronics retailer and distributor in the South Pacific - be it small Home Appliances; Audio Visual products or White Goods. Revenue: $5.3 Million. Financial reports, Data Bases and other Valuable Information: doc, docx, xls, pdf... etc https://www.gokals.com.fj/ | 📸 |
| [`Sun City Pediatrics PA (USA, TX)`](https://leetrevinodental.com/) | 12/06/2024 | Sun City Children's Clinic provides a high quality comprehensive approach in treating its patients and educating their parents. Revenue: <5M. Contents: Patient Data (e-mail addresses, residential addresses, telephone numbers); Patient Photo; Patient Medical Histories; Staff Personal Data (including salary and position data); Financial Reports; Databases; Other Valuable and Confidential Documentation https://leetrevinodental.com/ | 📸 |
| [`Lee Trevino Dental (USA,TX)`](https://leetrevinodental.com/) | 11/06/2024 | Dental clinic Lee Trevino Dental, opened in 1977 and positions itself as a "Family Dentistry Clinic", that offers the latest in general and cosmetic procedures. Revenue: <5M. Contents: Patient Data (e-mail addresses, residential addresses, telephone numbers); Patient Photo; Patient Medical Histories; Staff Personal Data (including salary and position data); Financial Reports; Databases; Other Valuable and Confidential Documentation https://leetrevinodental.com/ | 📸 |
| [`SAWA INTERNATIONAL`](https://sawainternational.com/) | 04/06/2024 | SAWA International is an authorized partner of DU providing personalized at your door telecom plans to Homes and Corporates in the UAE. Revenue: $10.2 Million. Data Bases, Financial Reports and other Valuable and Confidential Information; Personal Information (Photo, ID's.. etc); Contracts; xls, docx, pdf... etc... https://sawainternational.com/ | 📸 |
| [`Hytera US Inc`](https://www.hytera.us/) | 25/05/2024 | Hytera US Inc is an industry leader in research and development, state-of-the-art manufacturing, and bringing next-generation radio technology to the market. We regard ourselves as a solution provider whose core area of expertise is providing cost-effective radio systems of the highest reliability, durability, and quality. Hytera US Inc has an experienced staff of dedicated radio professionals that have been implementing innovative radio communication solutions in the US for more than 15 years and are established specialists in DMR, Push-to-Talk over Cellular, and related communications technologies. The database contains SQL, SAP, financial documents. https://www.hytera.us/ | 📸 |
| [`GIANNI CUCUINI`](https://www.cuccuini.it/) | 20/05/2024 | Italian multi-brand clothing and accessories store. Revenue: <$5 Million. Personal Information (models photo, ID's.. etc); Contracts; Data Bases, Financial Reports and other Valuable and Confidential Information; xls, docx, pdf... etc... https://www.cuccuini.it/ | 📸 |
↪️ More victims [here](/group/spacebears?id=posts)
---
## **sparta**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Blog | 🔴 | 01/10/2022 15:29 | `http://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion` | ❌ |
### _Total Attacks Over Time_

### _Victims_
> 16 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`GRUPO COPISA`](https://google.com/search?q=GRUPO+COPISA) | 22/09/2022 | | |
| [`MR. WONDERFUL`](https://google.com/search?q=MR.+WONDERFUL) | 14/09/2022 | | |
| [`AUTO88`](https://google.com/search?q=AUTO88) | 14/09/2022 | | |
| [`FONT PACKAGING`](https://google.com/search?q=FONT+PACKAGING) | 14/09/2022 | | |
| [`Gallery Hotels`](https://google.com/search?q=Gallery+Hotels) | 13/09/2022 | | |
| [`Auto88`](https://google.com/search?q=Auto88) | 13/09/2022 | | |
| [`Font Packaging`](https://google.com/search?q=Font+Packaging) | 13/09/2022 | | |
| [`Ferrer&Ojeda`](https://google.com/search?q=Ferrer%26Ojeda) | 13/09/2022 | | |
| [`Tema Litoclean Group`](https://google.com/search?q=Tema+Litoclean+Group) | 13/09/2022 | | |
| [`Grupo Galilea`](https://google.com/search?q=Grupo+Galilea) | 13/09/2022 | | |
↪️ More victims [here](/group/sparta?id=posts)
---
## **spook**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Spook | 🔴 | 26/10/2021 02:30 | `http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion` | ❌ |
### _Victims_
> 35 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`North Island`](https://google.com/search?q=North+Island) | 19/10/2021 | | |
| [`All County Surveying Inc`](https://google.com/search?q=All+County+Surveying+Inc) | 19/10/2021 | | |
| [`Page Automation`](https://google.com/search?q=Page+Automation) | 19/10/2021 | | |
| [`Toos Asphalt Company`](https://google.com/search?q=Toos+Asphalt+Company) | 18/10/2021 | | |
| [`Grupo Vía`](https://google.com/search?q=Grupo+V%C3%ADa) | 18/10/2021 | | |
| [`NOF CORPORATION`](https://google.com/search?q=NOF+CORPORATION) | 16/10/2021 | | |
| [`Apex Filling Systems`](https://google.com/search?q=Apex+Filling+Systems) | 16/10/2021 | | |
| [`Princess Yachts International`](https://google.com/search?q=Princess+Yachts+International) | 13/10/2021 | | |
| [`Neofidelys`](https://google.com/search?q=Neofidelys) | 12/10/2021 | | |
| [`Paris Society`](https://google.com/search?q=Paris+Society) | 12/10/2021 | | |
↪️ More victims [here](/group/spook?id=posts)
---
## **stormous**
🔎 `ransomware.live` has an active parser for indexing stormous's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Database Shop | 🔴 | 09/05/2022 22:27 | `http://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion` | ❌ |
| Stormous _ official Site | 🔴 | 30/09/2023 21:58 | `http://h3reihqb2y7woqdary2g3bmk3apgtxuyhx4j2ftovbhe3l5svev7bdyd.onion` | 📸 |
| Page Not Found! | 🔴 | 04/03/2024 21:40 | `http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion` | 📸 |
| StormouS.X BLOG - Official blog | 🔴 | 29/02/2024 02:37 | `http://stmxylixiz4atpmkspvhkym4xccjvpcv3v67uh3dze7xwwhtnz4faxid.onion` | 📸 |
| StormouS.X BLOG - Official blog | 🔴 | 29/07/2024 01:32 | `http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 109 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`intrama-bg`](https://intrama-bg.com) | 28/07/2024 | Bulgaria | |
| [`HITC.VN`](https://hitc.vn) | 30/06/2024 | Vietnam | |
| [`Barid soft`](https://baridsoft.ir) | 10/05/2024 | Iran | |
| [`kidx`](https://kidx.ae) | 02/05/2024 | UAE | |
| [`Bayanat`](https://Bayanat.ae) | 02/05/2024 | UAE | |
| [`fanr.gov.ae`](https://fanr.gov.ae) | 02/05/2024 | UAE | |
| [`tdra`](https://tdra.gov.ae) | 02/05/2024 | UAE | |
| [`sharik`](https://sharik.ae) | 02/05/2024 | UAE | |
| [`casio india`](https://casio.co.in) | 05/04/2024 | India | |
| [`paginesi`](https://www.paginesi.it) | 17/03/2024 | Italy | |
↪️ More victims [here](/group/stormous?id=posts)
---
## **sugar**
> Ransomware, written in Delphi.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 17/12/2022 20:37 | `http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion` | 📸 |
#### **External information**
- https://cyware.com/news/newly-found-sugar-ransomware-is-now-being-offered-as-raas-641cfa69
- https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49
- https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb
#### **Ransom note**
* [📝 1 ransom note](notes/sugar)
### _Victims_
> no victim found
---
## **suncrypt**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| News | 🔴 | 02/05/2023 09:44 | `http://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion` | 📸 |
| none | 🔴 | 01/05/2021 00:00 | `http://nbzzb6sa6xuura2z.onion` | ❌ |
#### **External information**
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
- https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer
- https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022
- https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf
- https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
- https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
- https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83
- https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc
- https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a
- https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/
- https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
- https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
- https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/
- https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/
- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/
- https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
- https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
- https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt
- https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
- https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/
- https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html
#### **Ransom note**
* [📝 1 ransom note](notes/suncrypt)
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Total Attacks Over Time_

### _Victims_
> 30 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`SOCOTEC`](https://google.com/search?q=SOCOTEC) | 18/06/2022 | | |
| [`Northeastern Technical College`](https://google.com/search?q=Northeastern+Technical+College) | 04/06/2022 | | |
| [`Co-opbank Pertama`](https://google.com/search?q=Co-opbank+Pertama) | 24/04/2022 | | |
| [`DJS associate`](https://google.com/search?q=DJS+associate) | 16/04/2022 | | |
| [`Gemeente Buren`](https://google.com/search?q=Gemeente+Buren) | 14/04/2022 | | |
| [`Atlas Copco`](https://google.com/search?q=Atlas+Copco) | 14/04/2022 | | |
| [`Oklahoma City Indian Clinic`](https://google.com/search?q=Oklahoma+City+Indian+Clinic) | 28/03/2022 | | |
| [`FitFlop Ltd.`](https://google.com/search?q=FitFlop+Ltd.) | 17/03/2022 | | |
| [`Migros`](https://google.com/search?q=Migros) | 16/03/2022 | | |
| [`Royal Smilde`](https://google.com/search?q=Royal+Smilde) | 21/02/2022 | | |
↪️ More victims [here](/group/suncrypt?id=posts)
---
## **synack**
_`no longer in operation - rebrand`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| end of game | 🔴 | 18/08/2021 00:02 | `http://xqkz2rmrqkeqf6sjbrb47jfwnqxcd4o2zvaxxzrpbh2piknms37rw2ad.onion` | ❌ |
#### **External information**
- https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **threeam**
🔎 `ransomware.live` has an active parser for indexing threeam's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| ThreeAM Blog | 🟢 | 30/07/2024 02:53 | `http://threeamkelxicjsaf2czjyz2lc4q3ngqkxhhlexyfcp2o6raw4rphyad.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 31 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`thermalsolutionsllc.com`](https://thermalsolutionsllc.com) | 16/05/2024 | Thermal Solutions LLC is also a proud family-owned and operated HVAC-R business. Our heating and AC repairs include new equipment installations if needed. We help by walking you through all of the issues faced with your equipment and give you... | 📸 |
| [`escriba.com.br`](https://escriba.com.br) | 16/05/2024 | We are the largest company in systems and solutions for extrajudicial registry offices. We develop innovative software and solutions for the management of extrajudicial registry offices, notary offices, protest offices, registry of... | 📸 |
| [`compagniedephalsbourg.com`](https://compagniedephalsbourg.com) | 15/04/2024 | Compagnie de Phalsbourg is a real estate development, investment and management company. Founded in 1989, it ranks among the leaders of the French retail real estate market. Compagnie de Phalsbourg develops... | 📸 |
| [`kh.org`](https://kh.org) | 25/03/2024 | Founded in 1966, Kootenai Health is a hospital that provides patient care services for people in Idaho, Montana, and Eastern Washington. They are based in Coeur d'Alene, Idaho. ... | 📸 |
| [`moore-tibbits.co.uk`](https://moore-tibbits.co.uk) | 27/02/2024 | Moore & Tibbits is a well respected law firm, with more than 188 years of legal service in the centre of Warwick. Our reputation is based on a reliable, flexible, personal, first class service combined with the use of modern technology which... | 📸 |
| [`mtmrobotics.com`](https://mtmrobotics.com) | 22/02/2024 | As an Airbus Robotics Company, MTM Robotics is a trusted global provider of high-quality automation systems, software systems, and engineering services for the aerospace and aircraft manufacturing industries. | 📸 |
| [`abcor.com.au`](https://abcor.com.au) | 22/02/2024 | Preston General Engineering (PGE), a division of ABCOR Pty Ltd, is the industry leader in the fabrication and assembly of metal, aluminium and stainless steel parts. PGE has a strong commitment of service to provide quality products that are... | 📸 |
| [`doneff.com`](https://doneff.com) | 21/02/2024 | From luxury apartments and exclusive active adult housing to affordable, moderate family living, Doneff Companies LLC has built and manages more than 1,056 apartment homes across central and eastern Wisconsin. | 📸 |
| [`garonproducts.com`](https://garonproducts.com) | 12/02/2024 | For over 60 years, Garon Products, Inc. has defined what it means to be a trusted concrete coating supplier. Our top-quality concrete floor repair products and floor coatings meet the demands of even the most challenging industrial,... | 📸 |
| [`etsolutions.com.mx`](https://etsolutions.com.mx) | 01/02/2024 | We are a 100% Mexican company dedicated to implementing infrastructure and security solutions for critical operational processes. Our team is made up of certified professionals, specialists and technicians to offer... | 📸 |
↪️ More victims [here](/group/threeam?id=posts)
---
## **toufan**
> Pro-Palestinian Group
🔎 `ransomware.live` has an active parser for indexing toufan's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Cyber Toufan Operations - Backup - سايبر طوفان الأ | 🔴 | 30/07/2024 01:27 | `http://t.me/s/CyberToufanBackup` | 📸 |
| Telegram: Contact @CyberToufan | 🔴 | 28/07/2024 09:01 | `http://t.me/s/CyberToufan` | ❌ |
### _Total Attacks Over Time_

### _Victims_
> 117 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`ecom.gov.il`](http://ecom.gov.il/) | 27/12/2023 | | |
| [`maytronics.com`](http://maytronics.com/) | 27/12/2023 | | |
| [`carolinalemke.com`](http://carolinalemke.com/) | 26/12/2023 | | |
| [`ari.co.il`](http://ari.co.il/) | 26/12/2023 | | |
| [`allot.com`](http://allot.com/) | 23/12/2023 | | |
| [`bconnect.co.il`](http://bconnect.co.il/) | 23/12/2023 | | |
| [`super-pharm.co.il`](http://super-pharm.co.il/) | 23/12/2023 | | |
| [`teldor.com`](http://teldor.com/) | 22/12/2023 | | |
| [`erco.co.il`](http://erco.co.il/) | 22/12/2023 | | |
| [`tefentech.com`](http://tefentech.com/) | 20/12/2023 | | |
↪️ More victims [here](/group/toufan?id=posts)
---
## **trigona**
> According to PCrisk, Trigona is ransomware that encrypts files and appends the ._locked extension to filenames. It also drops the how_to_decrypt.hta file, which opens a ransom note. An example of how Trigona renames files: it renames 1.jpg to 1.jpg._locked, 2.png to 2.png._locked, and so forth. It embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.
🔎 `ransomware.live` has an active parser for indexing trigona's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Trigona is Gone | 🔴 | 18/10/2023 06:56 | `http://3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion` | 📸 |
| Blog | 🔴 | 26/06/2023 10:51 | `http://6n5tfadusp4sarzuxntz34q4ohspiaya2mc6aw6uhlusfqfsdomavyyd.onion` | 📸 |
| Trigona is Gone | 🔴 | 18/10/2023 06:57 | `http://trigonax2zb3fw34rbaap4cqep76zofxs53zakrdgcxzq6xzt24l5lqd.onion` | 📸 |
| Blog | 🔴 | 10/04/2024 20:59 | `http://krsbhaxbki6jr4zvwblvkaqzjkircj7cxf46qt3na5o5sj2hpikbupqd.onion` | 📸 |
#### **External information**
- https://asec.ahnlab.com/en/51343/
- https://unit42.paloaltonetworks.com/trigona-ransomware-update/
- https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware
- https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html
#### **Ransom note**
* [📝 1 ransom note](notes/trigona)
### _Total Attacks Over Time_

### _Victims_
> 49 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Claro`](https://www.claro.com/) | 30/03/2024 | Claro, a subsidiary of América Móvil, stands at the forefront of telecommunications innovation, recognizing the vital role of connectivity in shaping a better world. Originating from a public telephone company, Claro has evolved into a global connectivity, communication, and Information Technology solutions provider, driven by a commitment to continuous innovation and customer-centric services. | 📸 |
| [`South Star Electronics`](https://www.south-star.com.cn/) | 20/03/2024 | South Star Electronics Co., Ltd. is a prominent electronics company based in Dongguan City, China. Specializing in the design, manufacturing, and distribution of electronic products, SouthStar Electronics has established itself as a leading player in the industry. | 📸 |
| [`Topa Partners`](https://www.topa.co.nz/) | 16/03/2024 | Topa Electrical, led by Electrical Inspector Jeff Zhao, boasts a rich legacy of over a decade in providing top-notch electrical services to the Canterbury region in New Zealand. With a steadfast commitment to excellence and a focus on building enduring relationships with clients, Topa Electrical has emerged as a trusted name in the industry. | 📸 |
| [`Bwizer`](https://www.bwizer.com/pt/) | 16/03/2024 | Bwizer is a prominent entity known for its dedication to advancing the fields of healthcare and wellness education. With a stronghold in Portugal, Bwizer has emerged as a leading platform providing comprehensive educational resources and training programs tailored to professionals in the healthcare and wellness sectors. Founded with a vision to bridge the gap between traditional education and the evolving needs of modern healthcare practices, Bwizer offers a diverse range of courses, workshops, and events designed to empower professionals with the latest knowledge and skills. | 📸 |
| [`Indoarsip`](https://indoarsip.co.id/) | 16/03/2024 | Indoarsip is a leading provider of archival solutions, dedicated to preserving and managing critical documents and records for organizations across Indonesia. With a strong presence in the archiving industry, Indoarsip offers comprehensive services and innovative technologies to meet the diverse needs of its clients. | 📸 |
| [`Hotel Avenida, Hostal Espoz y Mina, Hostal Arriazu, Pension Alemana`](https://www.hotelavenidapalace.pt/, https://hostalalemana.com/, https://engine.witbooking.com/hostalespozymina.com/, https://hostalalemana.com/) | 28/02/2024 | Welcome to the Boutique Hospitality Collection, where every property offers a unique and unforgettable experience for guests seeking comfort, convenience, and charm. From the cosmopolitan streets of Lisbon to the historic city center of Pamplona, our collection of hotels and hostels promises exceptional accommodations and personalized service. | 📸 |
| [`Dinamic Oil`](https://www.dinamicoil.com/) | 28/02/2024 | Established in 1970, Dinamic Oil S.p.A. is a renowned Italian manufacturer specializing in hoisting winches and planetary gearboxes. With its headquarters in Modena, the company has flourished over the years, solidifying its position in the global market through three production units, eight subsidiaries across Europe, the Americas, and Asia, and an extensive network of distributors worldwide. | 📸 |
| [`ATMCo`](https://www.atmco.net/) | 21/02/2024 | ATMCo is a reputable tax management company based in Broken Arrow, Oklahoma. With a commitment to simplifying tax-related processes for businesses and individuals, ATMCo offers comprehensive services in tax preparation, bookkeeping, and accounting. The company is headquartered at 2220 W Houston St Ste A, Broken Arrow, Oklahoma. Situated in a convenient location, the company is easily accessible to clients seeking professional tax management services. | 📸 |
| [`Daher Contracting`](https://www.dahercontracting.net/) | 30/01/2024 | Daher Contracting stands as the foremost excavation and site development contractor serving Okaloosa and Walton County. With roots dating back to January 1998, Daher has consistently upheld a commitment to delivering superior quality, cost-efficient results, and meeting even the most rigorous project schedules. | 📸 |
| [`CMG Drainage Engineering`](https://www.cmgdrainage.com/) | 30/01/2024 | Established in 1986, CMG Drainage Engineering stands as a prominent Civil Engineering consulting firm nestled in Tucson, Arizona, United States. For over three decades, CMG has been dedicated to providing exceptional water resource engineering services to both public and private sectors across Central and Southern Arizona. Strategically headquartered at 3555 North Mountain Avenue in Tucson, CMG oversees and manages a wide array of projects, offering comprehensive solutions tailored to meet the diverse needs of its clientele. | 📸 |
↪️ More victims [here](/group/trigona?id=posts)
---
## **trinity**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Trinity | 🟢 | 30/07/2024 02:55 | `http://txtggyng5euqkyzl2knbejwpm4rlq575jn2egqldu27osbqytrj6ruyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 3 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`sgvfr.com`](https://sgvfr.com) | 12/06/2024 | sgvfr.com - Revenue: 5kk - Publication date: 2024-06-30 | 📸 |
| [`CBSTRAINING`](https://cbstraining.com) | 12/06/2024 | CBSTRAINING - Publication date: 2024-06-30 | 📸 |
| [`filmetrics corporation`](https://www.filmetrics.com.ph) | 06/06/2024 | www.filmetrics.com.ph | 📸 |
---
## **trisec**
🔎 `ransomware.live` has an active parser for indexing trisec's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 21/02/2024 04:11 | `http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion` | 📸 |
| Index of / | 🔴 | 11/04/2024 13:28 | `http://orfc3joknhrzscdbuxajypgrvlcawtuagbj7f44ugbosuvavg3dc3zid.onion` | 📸 |
| none | 🔴 | 21/02/2024 00:00 | `http://pkk4gbz7lsbgeja6s6iwsan2ce364sqioici65swwt65uhicke65uyid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 3 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`aivi.it`](https://google.com/search?q=aivi.it) | 19/02/2024 | | 📸 |
| [`ki.se`](https://google.com/search?q=ki.se) | 19/02/2024 | | 📸 |
| [`www.cogans.ie`](https://google.com/search?q=www.cogans.ie) | 16/02/2024 | | 📸 |
---
## **u-bomb**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| U-bomb | 🔴 | 29/02/2024 05:40 | `http://contiuevxdgdhn3zl2kubpajtfgqq4ssj2ipv6ujw7fwhggev3rk6hqd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/u-bomb)
### _Victims_
> no victim found
---
## **underground**
_`ioc - hash : 0a08d9b027457da99725968eb4566eb836a7d503219ad5690f851caecabce93d`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| SignIn - Chat | 🔴 | 30/09/2023 11:26 | `http://undgrddapc4reaunnrdrmnagvdelqfvmgycuvilgwb5uxm25sxawaoqd.onion` | 📸 |
| All data - Underground store | 🟢 | 30/07/2024 02:55 | `http://47glxkuxyayqrvugfumgsblrdagvrah7gttfscgzn56eyss5wg3uvmqd.onion` | 📸 |
#### **External information**
- https://www.glimps.fr/underground-ransomware/
#### **Ransom note**
* [📝 1 ransom note](notes/underground)
### _Total Attacks Over Time_

### _Victims_
> 18 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`ramservices.com`](https://google.com/search?q=ramservices.com) | 03/07/2024 | Revenue:$162M - Country :USA | 📸 |
| [`Ethypharm`](https://google.com/search?q=Ethypharm) | 01/07/2024 | Revenue:$ 670M - Country :France | 📸 |
| [`A-Line Staffing Solutions`](https://google.com/search?q=A-Line+Staffing+Solutions) | 17/06/2024 | Revenue:$96.1M - Country :USA | 📸 |
| [`CentralSecurities.com`](https://google.com/search?q=CentralSecurities.com) | 27/05/2024 | Revenue:$230M - Country :USA | |
| [`www.belcherpharma.com`](https://google.com/search?q=www.belcherpharma.com) | 15/05/2024 | Revenue:$25.7M - Country :USA | 📸 |
| [`belcherpharma.com`](https://google.com/search?q=belcherpharma.com) | 15/05/2024 | Revenue:$25.7M - Country :USA | 📸 |
| [`cochraneglobal.com`](https://google.com/search?q=cochraneglobal.com) | 01/05/2024 | Revenue:$270.8 Million - Country :United Arab Emir... | 📸 |
| [`Skender Construction`](https://google.com/search?q=Skender+Construction) | 09/04/2024 | Revenue:$318.3 Million - Country :USA | 📸 |
| [`Creative Business Interiors`](https://google.com/search?q=Creative+Business+Interiors) | 09/04/2024 | Revenue:$27M - Country :USA | 📸 |
| [`Y. Hata & Co., Ltd.`](https://google.com/search?q=Y.+Hata+%26+Co.%2C+Ltd.) | 25/03/2024 | Revenue:$268M - Country :USA | 📸 |
↪️ More victims [here](/group/underground?id=posts)
---
## **unknown**
_`nodes or hosts with no current attribution or identification`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://tdoe2fiiamwkiadhx2a4dfq56ztlqhzl2vckgwmjtoanfaya4kqvvvyd.onion` | ❌ |
| none | 🔴 | 01/05/2021 00:00 | `http://darktorhvabc652txfc575oendhykqcllb7bh7jhhsjduocdlyzdbmqd.onion` | ❌ |
### _Victims_
> no victim found
---
## **unsafe**
> A group which seems to recycle leaks from other ransomware groups
🔎 `ransomware.live` has an active parser for indexing unsafe's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Home - UnSafeBlog | 🔴 | 11/04/2024 16:28 | `http://unsafeipw6wbkzzmj7yqp7bz6j7ivzynggmwxsm6u2wwfmfqrxqrrhyd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 14 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`SPARTAN Light Metal Products`](https://spartanlmp.com) | 14/01/2024 | country: US - revenue: 311.00M | |
| [`Hartl European Transport Company`](https://www.hartlconnect.com) | 14/01/2024 | country: CH - revenue: 46.00M | |
| [`American International College`](https://www.aic.edu) | 14/01/2024 | country: US - revenue: 135.00M | |
| [`TAG Aviation`](https://tagaviation.com) | 09/06/2023 | country: CH - revenue: 326.60M | |
| [`SPARTAN Light Metal Products Inc`](https://spartanlmp.com) | 17/04/2023 | country: US - revenue: 311.00M | |
| [`Invenergy`](https://invenergy.com) | 13/04/2023 | country: US - revenue: 10 | |
| [`G.R. Sponaugle`](https://grsponaugle.com) | 21/12/2022 | country: US - revenue: 22.00M | |
| [`Horwitz Horwitz & Associates`](https://www.horwitzlaw.com) | 21/12/2022 | country: US - revenue: 8.00M | |
| [`Wings Etc`](https://wingsetc.com) | 21/12/2022 | country: US - revenue: 145.00M | |
| [`Dooly County School System`](https://dooly.k12.ga.us) | 21/12/2022 | country: US - revenue: 20.00M | |
↪️ More victims [here](/group/unsafe?id=posts)
---
## **vanirgroup**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| VANIR GROUP | 🟢 | 30/07/2024 02:56 | `http://6xdpj3sb5kekvq5ulym5qqmzsv6ektjgvpmajns3qrafgxtyxrhokfqd.onion` | 📸 |
| VANIR GROUP | 🟢 | 30/07/2024 02:56 | `http://6xdpj3sb5kekvq5ulym5qqmzsv6ektjgvpmajns3qrafgxtyxrhokfqd.onion` | 📸 |
| none | 🟢 | 30/07/2024 02:57 | `http://6xdpj3sb5kekvq5ulym5qqmzsv6ektjgvpmajns3qrafgxtyxrhokfqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 3 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Beowulfchain`](https://google.com/search?q=Beowulfchain) | 10/07/2024 | Beowulfchain is the decentralized communication and data network enabling businesses to communicate without barriers. They were exfiltrated and locked by Vanir on the 7th of July 2024. | |
| [`Qinao`](https://google.com/search?q=Qinao) | 10/07/2024 | Qniao is a leading provider in paper manufacturing and environmental solutions. They have been exfiltrated and locked by Vanir. | |
| [`Athlon`](https://google.com/search?q=Athlon) | 10/07/2024 | Athlon is an international provider of operational vehicle leasing and mobility solutions. They were exfiltrated and locked by Vanir on the 3rd of June 2024. | |
---
## **vendetta**
> Ransomware, which appears to be a rebranding of win.cuba.
_`V is Vendetta a new blog from Cuba Ransomware`_
🔎 `ransomware.live` has an active parser for indexing vendetta's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Vendetta | 🔴 | 08/02/2024 10:18 | `http://test.cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion` | 📸 |
#### **External information**
- https://www.malwarebytes.com/blog/threat-intelligence/2023/03/ransomware-review-march-2023
### _Total Attacks Over Time_

### _Victims_
> 3 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Chowtaifook`](https://google.com/search?q=Chowtaifook) | 27/02/2023 | Chow Tai Fook “Lodestar” Collection. Celebrate a Lustrous Love Story. 2023-01-26. This Valentine's Day, let the “Lodestar” Collection shine upon your journey to everlasting love, commemorated by the traceable T... | |
| [`Highwealth`](https://google.com/search?q=Highwealth) | 21/02/2023 | In the best location, build the best house, the best home. More than 30 years ago, we started our business in Kaohsiung. After laying the foundation, we developed all the way north and expanded to Tainan, Taichung, Hsinchu, Taipei, New... | |
| [`albouyassociesconsult`](https://google.com/search?q=albouyassociesconsult) | 12/02/2023 | Our origins. Founded in 1946, the company spent its first three decades building its reputation in the agricultural cooperative sector at the... | |
---
## **vfokx**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://vfokxcdzjbpehgit223vzdzwte47l3zcqtafj34qrr26htjo4uf3obid.onion` | ❌ |
| none | 🔴 | 01/05/2021 00:00 | `http://746pbrxl7acvrlhzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion` | ❌ |
### _Victims_
> no victim found
---
## **vicesociety**
> Vice Society ransomware appends the .v-society extension when encrypting Linux machines. It runs a leak site on the dark web; possible relations with "HelloKitty".
_`ecdmr42axxx.onion - fileserver`_
🔎 `ransomware.live` has an active parser for indexing vicesociety's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://4hzyuotli6maqa4u.onion` | ❌ |
| Vice Society - Official Site | 🔴 | 14/12/2023 20:28 | `http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion` | 📸 |
| there is nothing... | 🔴 | 21/09/2022 17:27 | `http://ecdmr42a34qovoph557zotkfvth4fsz56twvwgiylstjup4r5bpc4oad.onion` | ❌ |
| Vice Society - Official Site | 🔴 | 14/12/2023 20:29 | `http://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion` | 📸 |
| Vice Society - Official Site | 🔴 | 14/12/2023 20:30 | `http://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion` | 📸 |
| Vice Society - Official Site | 🔴 | 14/12/2023 18:59 | `http://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion` | 📸 |
#### **External information**
- https://blog.talosintelligence.com/2021/08/vice-society-ransomware-printnightmare.html
#### **Ransom note**
* [📝 1 ransom note](notes/vicesociety)
### _Total Attacks Over Time_

### _Victims_
> 187 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`SSV Architects`](http://www.ssv-architekten.de/) | 20/06/2023 | Our office realizes a wide range of different construction tasks. We design buildings that are natural, individual and clearly designed. These include both new buildings and the majority of conversions of mostly listed buildings. | |
| [`Bogleboo`](http://www.bogleboo.se/) | 13/06/2023 | Bogleboo develops and maintains customized systems in the fashion industry. We have many years of experience in IT solutions for the retail industry with a special focus on the fashion industry and an extensive knowledge of the specific processes in the area. | |
| [`Nerim`](http://www.nerim.com/) | 04/06/2023 | Nerim is a full service operator fulfilling the full range of communications needs of SMBs and local government since 1999. Nerim offers broadband connectivity, enterprise telephony, server hosting and network security services. | 📸 |
| [`Adsboll`](http://www.ads.dk/) | 29/05/2023 | Adsboll is a national construction company. Nationwide, we are skilled in residential and commercial construction for both private and public clients, including housing associations. We have our own production of concrete, masonry and sewer work, which we carry out regionally in Kolding and the surrounding area. | |
| [`Cafpi`](http://www.cafpi.fr/) | 22/05/2023 | Cafpi is the undisputed leader of the profession it created: that of Mortgage Broker. Prominent in the mortgage market for nearly 4 decades, CAFPI has developed wide-ranging expertise, and a vast network of partners. | |
| [`Aneka Tambang`](http://www.antam.com/) | 17/05/2023 | With operations spread throughout the mineral-rich Indonesian archipelago, ANTAM undertakes all activities from exploration, excavation, processing through to marketing of nickel ore, ferronickel, gold, silver, bauxite and coal. | |
| [`DATALAN`](http://www.datalan.sk/) | 11/05/2023 | DATALAN is more than 220 experts who are united by strong know-how and enthusiasm for technology. We have been on the market for more than 30 years and are among the top Slovak technology companies. | |
| [`Brighton Hill Community School`](http://www.brightonhill.hants.sch.uk/) | 02/05/2023 | Brighton Hill Community School is a coeducational secondary school located in Brighton Hill, Basingstoke in the county of Hampshire in the south of England. | |
| [`CMC Group`](http://www.centurylabel.com/) | 30/04/2023 | Located in Bowling Green, Ohio, Century Label (a CMC Group company) has over 40 years of experience printing custom labels and packaging. | 📸 |
| [`Neptune Lines`](http://www.neptunelines.com/) | 22/04/2023 | It is Neptune Lines' mission to be the most trusted car carrier company in the areas we operate, always delivering flexible and tailor-made solutions to our client-partners by investing in our most valuable asset, our people. | |
↪️ More victims [here](/group/vicesociety?id=posts)
---
## **wannacry**
> WannaCry ransomware is a cyber attack that spreads by exploiting vulnerabilities in the Windows operating system. At its peak in May 2017, WannaCry became a global threat. Cybercriminals used the ransomware to hold an organization's data hostage and extort money in the form of cryptocurrency. WannaCry spreads using EternalBlue, an exploit leaked from the National Security Agency (NSA). EternalBlue enables attackers to use a zero-day vulnerability to gain access to a system. It targets Windows computers that use a legacy version of the Server Message Block (SMB) protocol.
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://none.` | ❌ |
#### **External information**
- http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/
- http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html
- https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html
- https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today
- https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d
- https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
- https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58
- https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign
- https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
- https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/
- https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html
- https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware
- https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
- https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf
- https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf
- https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf
- https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1
- https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/
- https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/
- https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
- https://securelist.com/big-threats-using-code-similarity-part-1/97239/
- https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
- https://sites.temple.edu/care/ci-rw-attacks/
- https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf
- https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1
- https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984
- https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/
- https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf
- https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
- https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
- https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf
- https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
- https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
- https://www.youtube.com/watch?v=Q90uZS3taG0
#### **Crypto Wallet**
* 💰 Crypto wallet(s) available
### _Victims_
> no victim found
---
## **werewolves**
🔎 `ransomware.live` has an active parser for indexing werewolves's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| werewolves.pro | 🟢 | 30/07/2024 02:57 | `http://werewolves.pro` | 📸 |
| Default Web Site Page | 🟢 | 30/07/2024 02:58 | `http://weerwolven.biz` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 26 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`vsexshop.ru`](https://google.com/search?q=vsexshop.ru) | 04/03/2024 | The VsexShop.Ru company has been on the market for more than 10 years. During this time, more than 500 thousand people have used the services of our online sex shop. We work for you: a satisfied customer is what we strive for! And we have the personal data from the database of the company's very non-ordinary customers. 70000$ | 📸 |
| [`davidsbridal.com`](https://google.com/search?q=davidsbridal.com) | 14/02/2024 | David's Bridal is a well-known American chain of bridal stores, known for its wide range of wedding dresses, bridesmaid dresses and special-occasion dresses. Founded in 1950, the company grew from a single store in Florida into an extensive network of more than 300 stores in the USA, Canada and the UK, as well as franchise stores in Mexico. The company's revenue is estimated at $2.2 billion. At present we hold very valuable and important data covering a significant volume of personal and corporate information. 850000$. | 📸 |
| [`solveindustrial.com`](https://google.com/search?q=solveindustrial.com) | 22/12/2023 | Customers from a wide range of industries turn to Solve Industrial Motion Group™ for bearings and power transmission components that withstand even the harshest conditions. The company carries more than 25,000 items and has its own engineering department, which can not only design but also manufacture components to exact specifications. The company helps OEMs and end users around the world keep moving forward. | 📸 |
| [`vasexperts.ru`](https://google.com/search?q=vasexperts.ru) | 17/12/2023 | VAS Experts is a developer of software for traffic control and analysis. The company has been on the IT market since 2013. Over its existence it has carried out more than 1500 installations in the CIS and abroad. Over the years the company has built up a rather large repository containing both the company's own unique developments and the distributions and source code of its partners' software. Our organization appreciates the value of such data sets, but careless storage and handling led to a leak. A critical assessment of the compromised data allows us to rate the incident as fatal for many aspects of the company's activities. Data volume: 250 TB. Price of non-disclosure: 640000$. | 📸 |
| [`forabank.ru`](https://google.com/search?q=forabank.ru) | 15/12/2023 | Joint-Stock Commercial Bank FORA-BANK (АКБ «ФОРА-БАНК» (АО)) was registered by the Bank of Russia on the financial services market on 27 May 1992. It is included in the register of the mandatory deposit insurance system. The organization positions itself as a large universal financial institution. FORA-BANK provides cash and settlement services and a wide range of services for individuals and legal entities, and conducts operations on the currency and stock markets. FORA-BANK is a member of the international payment systems VISA and MasterCard. The price for non-publication and deletion of all compromised information is 450000$. | 📸 |
| [`auditexpertnn.ru`](https://google.com/search?q=auditexpertnn.ru) | 02/11/2023 | The AUDIT-EXPERT accounting services centre takes the customer's wish to work efficiently as its professional guideline. Providing remote accounting services in Nizhny Novgorod and the Nizhny Novgorod region, the specialists of AUDIT-EXPERT work in your interests. Interestingly, the customer databases held on the company's servers are completely unprotected. As are the access keys to online banking, for example. One way or another, we will publish everything; why shouldn't the company's customers find out who they are dealing with? | 📸 |
| [`promproektspb.ru`](https://google.com/search?q=promproektspb.ru) | 02/11/2023 | The company was founded with the aim of taking a worthy place on the market for expert services in the field of industrial safety. PROMPROEKT relies firmly on the technical competence of its staff and a European approach to management. The company took part in the major international gas pipeline construction projects Nord Stream 1 and South Stream, in cooperation with companies such as Nord Stream AG, South Stream Transport B.V., Saipem, Siemens, Rosen Europe B.V., PetrolValves and many others. Vulnerable server versions, the absence of a secure password policy and the lack of network perimeter protection led to the leak of the data of the company's very serious clients. All data will be published on the mirrors of our site and on the TOR network. | 📸 |
| [`kailos.ru`](https://google.com/search?q=kailos.ru) | 14/10/2023 | The Kailos business services agency began operating on 28 November 2007 with one small office and a 20 sq. m workshop, staffed by 4 people (the director, the chief accountant, the workshop foreman and a manager). Today it employs 24 specialists, with 2 customer service offices and 3 production workshops with a total area of 250 sq. m. The agency is part of a holding, which allows it to operate stably. The company is developing dynamically, increasing its turnover by 30% every year. At the same time the agency is not at all concerned about the leak and loss of data on a colossal scale. | 📸 |
| [`gaztranscom.ru`](https://google.com/search?q=gaztranscom.ru) | 14/10/2023 | Gas Transport Company LLC (ООО «ГТК») was registered by Interdistrict Inspectorate No. 18 of the Federal Tax Service for the Republic of Tatarstan on 18.08.2014, on the basis of the decision on its creation adopted by the General Meeting of the Company's founders on 7 August 2014. The main purpose of GTK LLC's production activity is the creation and operation of a gas distribution system to supply natural gas to the enterprises of the TAIF Group. From the second half of 2014 until 2017, design, construction and commissioning work was carried out on the facility "High-pressure gas pipeline DN 1220 from GDS-2, Nizhnekamsk". Since 2017, GTK LLC has operated the pipeline and transports natural gas from GDS-2 Nizhnekamsk of Gazprom Transgaz Kazan LLC to the enterprises of the TAIF Group in Nizhnekamsk. The company's co-founder is the TAIF Group. The new composition of the TAIF Group unites 17 companies employing more than 8 thousand people. Today the companies of the TAIF Group are involved in many sectors of the economy of the Russian Federation. The investment portfolio of TAIF JSC is widely diversified and balanced and consists of shares and participation interests in Russian companies in industries such as oil and gas processing, wholesale and retail sale of petroleum products, construction and production of building materials, business aviation, media, investment and financial, complex and other services. The company's and its clients' data are unprotected and will be published for anyone who wants them. Careless attitude to the storage of information, absence of a coherent information security policy and of network perimeter protection. Outdated servers and equipment. It seems the only thing the manager cares about is how to convert 20000 euros into manats. | 📸 |
| [`atol.ru`](https://google.com/search?q=atol.ru) | 04/10/2023 | ATOL is an IT company, a leading Russian manufacturer of equipment and developer of software for automating sectors such as retail, e-commerce and services, including HoReCa, transport, housing and utilities and much more. The company's cloud service, "ATOL Online", is the first and one of the largest KaaS ("cash register as a service") solutions in Russia by market share. ATOL also supplies POS equipment and warehouse automation solutions. The database servers have been compromised. Customer data, software and personal data have been stolen. The price for non-publication and deletion of all compromised information is 450000$. | 📸 |
↪️ More victims [here](/group/werewolves?id=posts)
---
## **x001xs**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| BITCARDS - Prepaid cards | 🔴 | 29/07/2024 22:37 | `http://nalr2uqsave7y2r235am5jsfiklfjh5h4jc5nztu3rzvmhklwt5j6kid.onion` | 📸 |
### _Victims_
> no victim found
---
## **xinglocker**
_`xing uses a custom MountLocker exe`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| 星Team News | 🔴 | 24/01/2022 06:12 | `http://xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion` | ❌ |
#### **External information**
- https://www.izoologic.com/2021/06/19/xing-locker-team-ransomgroup-is-on-a-roll-they-recently-hit-sharafi-group-investments
- https://itsecuritywire.com/quick-bytes/xinglocker-spreading-worm-using-mountlocker
### _Victims_
> 21 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Wayne Automatic Fire Sprinklers, Inc.`](https://google.com/search?q=Wayne+Automatic+Fire+Sprinklers%2C+Inc.) | 26/10/2021 | | |
| [`Tilia GmbH. TILIA GROUP`](https://google.com/search?q=Tilia+GmbH.+TILIA+GROUP) | 08/10/2021 | | |
| [`J.Irwin Company`](https://google.com/search?q=J.Irwin+Company) | 17/08/2021 | | |
| [`DiaSorin`](https://google.com/search?q=DiaSorin) | 08/07/2021 | | |
| [`Greenwood Fabricating & Plating`](https://google.com/search?q=Greenwood+Fabricating+%26+Plating) | 03/06/2021 | | |
| [`Positive Promotions, Inc.`](https://google.com/search?q=Positive+Promotions%2C+Inc.) | 02/06/2021 | | |
| [`AQUALUNG`](https://google.com/search?q=AQUALUNG) | 02/06/2021 | | |
| [`Sharafi Group Investments`](https://google.com/search?q=Sharafi+Group+Investments) | 27/05/2021 | | |
| [`Coastal Family Health Center`](https://google.com/search?q=Coastal+Family+Health+Center) | 24/05/2021 | | |
| [`T.I.S. Group`](https://google.com/search?q=T.I.S.+Group) | 24/05/2021 | | |
↪️ More victims [here](/group/xinglocker?id=posts)
---
## **xinof**
_`aka fonix`_
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| none | 🔴 | 01/05/2021 00:00 | `http://wj3b2wtj7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion` | ❌ |
#### **External information**
- https://www.bleepingcomputer.com/news/security/fonix-ransomware-shuts-down-and-releases-master-decryption-key/
- https://www.sentinelone.com/labs/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/
### _Victims_
> no victim found
---
## **yanluowang**
> According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the README.txt file containing a ransom note. It appends the .yanluowang extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector. Files encrypted by Yanluowang can be decrypted with this tool (it is possible to decrypt all files if the original file is larger than 3GB. If the original file is smaller than 3GB, then only smaller files can be decrypted).
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Yanluowang | 🔴 | 01/11/2022 16:59 | `http://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion` | ❌ |
#### **External information**
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
- https://de.darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics
- https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang
- https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware
- https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/
- https://twitter.com/CryptoInsane/status/1586967110504398853
- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/
- https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf
#### **Ransom note**
* [📝 1 ransom note](notes/yanluowang)
### _Total Attacks Over Time_

### _Victims_
> 6 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Hot news straight from Cisco`](https://google.com/search?q=Hot+news+straight+from+Cisco) | 10/08/2022 | | |
| [`Shorr.com leakage`](https://google.com/search?q=Shorr.com+leakage) | 02/07/2022 | | |
| [`Greetings to havi.com and tmsw.com`](https://google.com/search?q=Greetings+to+havi.com+and+tmsw.com) | 02/07/2022 | | |
| [`Big data dump from various organizations`](https://google.com/search?q=Big+data+dump+from+various+organizations) | 02/07/2022 | | |
| [`Walmart was encrypted`](https://google.com/search?q=Walmart+was+encrypted) | 02/07/2022 | | |
| [`Cincinnati bell didn’t pay the ransom`](https://google.com/search?q=Cincinnati+bell+didn%E2%80%99t+pay+the+ransom) | 02/07/2022 | | |
---
## **zeon**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| ZEON.Recovery - Enter the key | 🔴 | 28/02/2023 09:11 | `http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion` | 📸 |
#### **External information**
- https://id-ransomware.blogspot.com/2022/02/zeon-ransomware.html
#### **Ransom note**
* [📝 1 ransom note](notes/zeon)
### _Victims_
> no victim found
---
## **zerotolerance**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Zero Tolerance | 🔴 | 20/05/2024 07:23 | `http://zhuobnfsddn2myfxxdqtpxk367dqnntjf3kq7mrzdgienfxjyllq4rqd.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 1 victim found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`Banco central argentina`](https://google.com/search?q=Banco+central+argentina) | 05/05/2024 | May 5th 2024, 5:53:55 am Banco Central of Argentina suffered a data breach in 2024, compromising names, ID etc. Download link: https://gofile.io/d/[REDACTED] By Zero Tolerance | 📸 |
---
## **madliberator**
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| MAD LIBERATOR - LEAKED FILES | 🟢 | 30/07/2024 02:59 | `http://k67ivvik3dikqi4gy4ua7xa6idijl4si7k5ad5lotbaeirfcsx4sgbid.onion` | 📸 |
### _Total Attacks Over Time_

### _Victims_
> 9 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`orbinox.com`](https://google.com/search?q=orbinox.com) | 25/07/2024 | ORBINOX was founded in Tolosa in 1964, manufacturing industrial valves to fulfil the increasing demand of the local paper industry. ORBINOX is the leading European knife gate valve manufacturer. Our continued market leadership is the result of staying true to our Mission, Vision and Values. We offer a wide range of valves, penstocks/sluice gates and dampers which cover a variety of applications. We have a highly qualified and experienced team providing the best solutions to suit the needs of our customers. | 📸 |
| [`ORBINOX`](https://google.com/search?q=ORBINOX) | 24/07/2024 | ORBINOX was founded in Tolosa in 1964, manufacturing industrial valves to fulfil the increasing demand of the local paper industry. ORBINOX is the leading European knife gate valve manufacturer. Our continued market leadership is the result of staying true to our Mission, Vision and Values. We offer a wide range of valves, penstocks/sluice gates and dampers which cover a variety of applications. We have a highly qualified and experienced team providing the best solutions to suit the needs of our customers. | 📸 |
| [`vrd.be`](https://google.com/search?q=vrd.be) | 24/07/2024 | VRD is a modern transport company where quality, flexibility and customer focus come first. We handle the transport of containers and trailers, both nationally and internationally, and provide a tailored approach for every customer. Delivering your goods safely, at the right time, at the right place and at a fair price is what VRD is known for. | 📸 |
| [`zb.co.zw`](https://zb.co.zw) | 17/07/2024 | In 1972, the company changed its name from The Netherlands Bank of Rhodesia Limited to Rhodesia Banking Corporation Limited and then to Rhobank in 1979. It changed its name once again in 1981 to Zimbabwe Banking Corporation after the Government purchased the majority shareholding. ZB Financial Holdings is one of the most diversified financial services counter on the Zimbabwe Stock Exchange. | 📸 |
| [`VITALDENT`](https://vitaldent.com) | 16/07/2024 | Vitaldent is a dental company founded in 1989. Today, it has more than 400 clinics in Spain , has treated more than 8 million patients and has a large team of 3,500 professionals and 2,000 collaborating dentists. Its turnover is around 300 million euros. Advent International one of the most relevant and experienced private equity firms in the world, is the majority shareholder of Vitaldent... | 📸 |
| [`crosswear.co.uk`](https://crosswear.co.uk) | 12/07/2024 | Crosswear has been trading since 1972 and business has evolved to become very much focused on wholesale distribution to the partyware and greeting card trades. | 📸 |
| [`sacities.net`](https://sacities.net) | 12/07/2024 | Our vision and mission is crucial to the work we do. Integral to the South African Cities Network is the promotion of good governance and management of South African cities.We analyse strategic challenges facing South African cities, particularly in the context of global economic integration and national development; collect, collate, analyse, disseminate and apply the experience of large city government in a South African context; and promote a shared-learning partnership between different spheres of government to... | 📸 |
| [`BENICULTURALI.IT`](https://BENICULTURALI.IT) | 12/07/2024 | The Ministry for Cultural and Environmental Heritage (Ministero per i Beni Culturali e Ambientali) was established by Giovanni Spadolini (by decree-law no. 657 of 14 December 1974 [original act | original act with updates], converted into law no. 5 of 29 January 1975 [original act | original act with updates] - Official Gazette no. 43 of 14 February 1975), with the task of entrusting the management of the cultural heritage and the environment to the specific competence of a single purpose-built Ministry, in order to ensure their organic protection... | 📸 |
| [`MONTERO & SEGURA`](https://msprocuradores.es) | 12/07/2024 | Segura Procuradores SLP is a professional firm dedicated to the practice of court representation (procura) nationwide, with offices in Barcelona and Madrid. Its head office, in Barcelona, is located in the judicial precinct built for that purpose, which allows us to offer a rapid response to our clients and lawyers right up to the last minute before the courts close. Its clients include major banks, credit institutions, public bodies and companies .... | 📸 |
---
## **lynx**
🔎 `ransomware.live` has an active parser for indexing lynx's victims
#### **URLs**
| Title | Available | Last visit | fqdn | Screenshot
|---|---|---|---|---|
| Lynx | 🟢 | 30/07/2024 02:59 | `http://lynxblog.net` | 📸 |
| Lynx | 🟢 | 30/07/2024 03:00 | `http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion` | 📸 |
#### **Ransom note**
* [📝 1 ransom note](notes/lynx)
### _Total Attacks Over Time_

### _Victims_
> 2 victims found
| victim | date | Description | Screenshot |
|---|---|---|---|
| [`True Blue Environmental`](https://www.trueblueenvironmental.com/) | 17/07/2024 | True Blue Environmental Services is a full-service environmental and constructio... | 📸 |
| [`The Greenhouse People`](https://www.greenhousepeople.co.uk/) | 17/07/2024 | The Greenhouse People Ltd have been selling greenhouses since 1989 - many of the... | 📸 |
---
Last update : _Tuesday 30/07/2024 03.04 (UTC)_