ESXiArgs: The Consequences of Infection
VMware ESXi Ransomware

ESXiArgs is a ransomware strain that has been reported to have infected over 3000 hosts in several countries, including France, Germany, the Netherlands, the U.K., and Ukraine. The ransomware is suspected to be based on the leaked Babuk ransomware code and is believed to be targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.

CVE: CVE-2021-21974 (source: SOCRadar, last update 2023-02-17)

Mitigations

Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

CISA and FBI recommend all organizations:

  • Temporarily remove connectivity for the associated ESXi server(s).
  • Upgrade your ESXi servers to the latest version of VMware ESXi software [CPG 5.1]. ESXi releases are cumulative, and the latest builds are documented in VMware’s article, Build numbers and versions of VMware ESXi/ESX.
  • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, which ESXiArgs may leverage. For more information on executing workarounds, see VMware’s guidance How to Disable/Enable the SLP Service on VMware ESXi.
  • Ensure your ESXi hypervisor is not configured to be exposed to the public internet.

In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

  • Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].

Mitigating and Preventing Ransomware

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.
  • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the NIST’s Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software [CPG 1.5].
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind [CPG 1.5].
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. 

Recovery Guidance

CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2] 

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do our best to resolve concerns.

1. Quarantine or take affected hosts offline to ensure that repeat infection does not occur.

2. Download CISA’s recovery script and save it as /tmp/recover.sh. For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh

3. Give the script execute permissions: chmod +x /tmp/recover.sh

4. Navigate to the folder of a VM you would like to recover and run ls to view the files.

Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.

5. View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).

6. Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously. 

a. If the VM is a thin format, run /tmp/recover.sh [name] thin.

b. If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.

7. If the script succeeded, re-register the VM.

a. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)

  • Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html
  • Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html
  • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.

b. In the ESXi web interface, navigate to the Virtual Machines page.

  • If the VM you restored already exists, right click on the VM and select Unregister (see figure 1).


Figure 1: Unregistering the virtual machine.

  • Select Create / Register VM (see figure 2).
  • Select Register an existing virtual machine (see figure 2).


Figure 2: Registering the virtual machine, selecting machine to register.

  • Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).



Figure 3: Registering the virtual machine, finalizing registration.

  • Select Next and Finish. You should now be able to use the VM as normal.

8. Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online.
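Running steps 4 through 6 by hand for every VM on a host is error-prone, so here is an added batch driver (example code, not CISA's recover.sh and not part of the advisory). It assumes steps 1 to 3 are complete, that VM folders sit directly under the datastore path from step 4, that each folder still holds a <name>-flat.vmdk (standard ESXi naming for the disk data), and that recover.sh exits non-zero on failure; the thin/thick choice comes from an operator-written manifest, as in step 6a.

```shell
# Batch driver for the recovery steps above (added example; not CISA's
# recover.sh and not part of the advisory). Assumes steps 1 to 3 are done:
# the host is isolated and CISA's script is at /tmp/recover.sh with execute
# permission. The operator writes a manifest with one VM per line, "<name>"
# or "<name> thin"; thin vs. thick comes from the operator, as in step 6a.
DATASTORE="${DATASTORE:-/vmfs/volumes/datastore1}"   # datastore path from step 4
RECOVER="${RECOVER:-/tmp/recover.sh}"                 # download location from step 2
LOG="${LOG:-/tmp/recover-batch.log}"                  # collects recover.sh output

# Folder of a VM: the advisory's layout is one folder per VM under the datastore.
vm_dir() {
    printf '%s/%s\n' "$DATASTORE" "$1"
}

# Validate one manifest entry and print it normalised as "<name> thin|thick".
# Empty names, anything containing a slash and unknown modes are rejected, so a
# mangled manifest cannot send recover.sh into the wrong directory.
parse_manifest_line() {
    name=$1
    mode=${2:-thick}
    case "$name" in
        ""|*/*|.|..) return 1 ;;
    esac
    case "$mode" in
        thin|thick) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$name" "$mode"
}

# recover.sh rebuilds the configuration around the disk data, so a VM folder
# without "<name>-flat.vmdk" (assumption: standard ESXi naming) has nothing to
# recover and is skipped instead of being handed to the script.
has_flat_disk() {
    [ -f "$1/$2-flat.vmdk" ]
}

# Steps 4 to 6 for one VM: cd into its folder and run "recover.sh <name> [thin]".
# Returns 0 on success, 1 when recover.sh failed (assumption: it exits non-zero
# on failure) and 2 when the VM was skipped. The script's own output goes to $LOG.
recover_one() {
    name=$1
    mode=$2
    dir=$(vm_dir "$name")
    if ! has_flat_disk "$dir" "$name"; then
        echo "SKIP $name: no $name-flat.vmdk in $dir" | tee -a "$LOG"
        return 2
    fi
    rc=0
    if [ "$mode" = thin ]; then
        (cd "$dir" && "$RECOVER" "$name" thin) >>"$LOG" 2>&1 || rc=$?
    else
        (cd "$dir" && "$RECOVER" "$name") >>"$LOG" 2>&1 || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK   $name ($mode)" | tee -a "$LOG"
        return 0
    fi
    echo "FAIL $name ($mode): recover.sh exit status $rc, see $LOG" | tee -a "$LOG"
    return 1
}

# Walk the manifest (blank lines and '#' comments ignored), print a summary and
# return non-zero if any VM failed or was skipped: those need manual recovery
# or external incident response help, as step 6b says.
recover_all() {
    manifest=$1
    ok=0; failed=0; skipped=0
    while IFS=' ' read -r name mode _; do
        case "$name" in ""|"#"*) continue ;; esac
        if ! line=$(parse_manifest_line "$name" "$mode"); then
            echo "BAD  manifest entry: '$name $mode'" | tee -a "$LOG"
            failed=$((failed + 1))
            continue
        fi
        name=${line%% *}
        mode=${line#* }
        rc=0
        recover_one "$name" "$mode" || rc=$?
        case "$rc" in
            0) ok=$((ok + 1)) ;;
            2) skipped=$((skipped + 1)) ;;
            *) failed=$((failed + 1)) ;;
        esac
    done <"$manifest"
    echo "done: $ok recovered, $skipped skipped, $failed failed (log: $LOG)" | tee -a "$LOG"
    [ "$failed" -eq 0 ] && [ "$skipped" -eq 0 ]
}

# Usage on the ESXi host: sh recover-batch.sh /tmp/vms.txt
if [ $# -gt 0 ]; then
    recover_all "$1"
fi
```

Step 7 (re-registering each recovered VM) is still done afterwards, per VM, from the web interface.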

Additional Incident Response

The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:

  1. Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
  2. Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.

If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
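For the first review action above, and for the mitigation that ESXi must not be reachable from the public internet, here is an added log-review pass (example code, not from CISA or SOCRadar). It reads firewall or flow logs in a constructed key=value form (timestamp, src=, dst=, proto=, dport=, action=; adapt the field names to your own export), lists every source that touched the SLP port, tcp/427, on an ESXi host, and marks sources outside RFC 1918 space that had a connection accepted (SLP reachable from outside) and sources that probed at least N distinct hosts (scanning).

```shell
# Constructed sample (not real traffic): internal management traffic, one
# external source probing SLP on four hosts, one external source accepted once,
# and one external probe dropped at the perimeter.
sample_log() {
    cat <<'EOF'
2023-02-03T10:15:02Z src=10.20.5.40 dst=10.20.0.11 proto=tcp dport=443 action=accept
2023-02-03T10:15:03Z src=203.0.113.7 dst=10.20.0.11 proto=tcp dport=427 action=accept
2023-02-03T10:15:03Z src=203.0.113.7 dst=10.20.0.12 proto=tcp dport=427 action=accept
2023-02-03T10:15:04Z src=203.0.113.7 dst=10.20.0.13 proto=tcp dport=427 action=drop
2023-02-03T10:15:04Z src=203.0.113.7 dst=10.20.0.14 proto=tcp dport=427 action=drop
2023-02-03T10:15:05Z src=203.0.113.7 dst=10.20.0.11 proto=tcp dport=427 action=accept
2023-02-03T10:16:10Z src=10.20.5.41 dst=10.20.0.11 proto=tcp dport=427 action=accept
2023-02-03T10:16:11Z src=10.20.5.41 dst=10.20.0.12 proto=tcp dport=427 action=accept
2023-02-03T10:17:00Z src=198.51.100.9 dst=10.20.0.11 proto=tcp dport=427 action=accept
2023-02-03T10:18:30Z src=192.0.2.55 dst=10.20.0.11 proto=tcp dport=427 action=drop
EOF
}

# Read key=value log lines on stdin and print one line per source that touched
# tcp/427 (SLP): "<src> internal|external hosts=<distinct dst> accepted=<n> <flags>".
# Flags: "scan" when the source reached at least $1 distinct hosts (default 3),
# "exposed" when a source outside RFC 1918 space had a connection accepted.
slp_report() {
    awk -v min="${1:-3}" '
    function is_private(ip) {
        return ip ~ /^10\./ || ip ~ /^192\.168\./ ||
               ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ || ip ~ /^127\./
    }
    {
        src = ""; dst = ""; dport = ""; action = ""
        for (i = 1; i <= NF; i++) {          # tolerate any field order
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "src") src = v
            else if (k == "dst") dst = v
            else if (k == "dport") dport = v
            else if (k == "action") action = v
        }
        if (dport != "427" || src == "" || dst == "") next
        if (!((src SUBSEP dst) in seen)) {   # count each src->dst pair once
            seen[src SUBSEP dst] = 1
            hosts[src]++
        }
        accepted[src] += (action == "accept") ? 1 : 0
    }
    END {
        for (s in hosts) {
            flags = ""
            if (hosts[s] >= min + 0) flags = "scan"
            if (!is_private(s) && accepted[s] > 0)
                flags = (flags == "" ? "exposed" : flags ",exposed")
            if (flags == "") flags = "-"
            printf "%s %s hosts=%d accepted=%d %s\n", s,
                   (is_private(s) ? "internal" : "external"), hosts[s], accepted[s], flags
        }
    }' | LC_ALL=C sort
}

# Usage: sh slp-review.sh MIN_HOSTS /path/to/firewall.log
if [ $# -eq 2 ]; then
    slp_report "$1" <"$2"
fi
```

Any "exposed" line contradicts the mitigation above and is worth checking against the host's SLP and firewall state; a "scan" line from an internal address deserves the same attention as an external one, since the guidance also covers traffic between the ESXi segments and the guests.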

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.  

Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]
Attached file: aa23-039a-esxiargs-ransomware-virtual-machine-recovery-guidance.pdf. Description: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs

History Timeline

  • Wed, 12 Jul 2023 13:35:40 GMT
    New Report Added

    ESXiArgs Ransomware Virtual Machine Recovery Guidance report added.

  • Fri, 17 Feb 2023 13:20:21 GMT
    New IOCs Added

    Total 10 IOCs added.

  • Wed, 15 Feb 2023 17:05:19 GMT
    New IOCs Added

    Total 230 IOCs added.

  • Wed, 15 Feb 2023 12:02:00 GMT
    Created!

    New Campaign created.

  • Wed, 08 Feb 2023 00:00:00 GMT
    CISA Releases Recovery Script for ESXiArgs Ransomware
    A recovery script has been made available by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to help decrypt VMware ESXi servers affected by the ESXiArgs ransomware attacks.
  • Wed, 08 Feb 2023 00:00:00 GMT
    New ESXiArgs ransomware version prevents VMware ESXi recovery
    New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines.
  • Fri, 03 Feb 2023 00:00:00 GMT
    Over 120 VMware ESXi Servers Globally Compromised in New Ransomware Attack
    A search on Shodan reveals that the ransomware campaign has already affected over 120 VMware ESXi servers globally that are vulnerable to CVE-2021-21974. The ransomware notes analyzed in the attacks suggest that a new ransomware group is behind the attacks.
  • Wed, 12 Oct 2022 00:00:00 GMT
    VMware ESXi Servers Globally Hit By Ransomware Attack
    Infections were initially detected on October 12, 2022, long before the campaign began gaining momentum in February 2023. However, on January 31, 2023, researchers discovered a revised version of the ransom notes on two hosts, which corresponds to the ones used in the current wave.
Dark Web News

New Recruitment Post is Detected

In a hacker forum monitored by SOCRadar, a recruitment post is detected to conduct ransomware attacks. The post reads:

Hello friends, I am looking for partners who are familiar with obtaining access to enterprise windows networks, we will work on commission basis; for each system you bring me you get 80% profit of the ransom (I take 20% fee for developing the soft and negotiating with your victim). Few rules before starting work, only networks in the following countries are taken: Guinea, Hungary, Paraguay, Ivory Coast, Tajikistan, Ethiopia, Serbia, Colombia, Mozambique, Cameroon, Azerbaijan, Saudi Arabia, Yemen, Algeria, Belarus, Jordan, Bhutan, Syria, Zimbabwe, Tanzania, Haiti, Iran, Indonesia, Mexico, Namibia, Bolivia, Malaysia, Central African Republic, Comoros, Bangladesh, Kazakhstan, Nigeria, Laos, Eswatini, Nepal, Sri Lanka, Morocco, Argentina, Kyrgyzstan, Vietnam, DR Congo, Botswana, China, Russia, Belize, Niger, Tunisia, Somalia, Egypt, India, Brazil, Papua New Guinea, Lebanon, Kuwait, Angola, Oman, Honduras, Malawi, Gambia, Brunei, Benin, Senegal, Ukraine, Ecuador, Republic of the Congo, Gabon, Bahrain, Suriname, Qatar, Turkey, Kenya, Mauritania, Nicaragua, Togo, Libya, Uganda, Cambodia, Pakistan, Lesotho, South Africa, Guyana, Ghana, Bosnia and Herzegovina, Burkina Faso, Sierra Leone, Burundi, Fiji, Liberia, Madagascar, Sudan, Iraq, Zambia, Rwanda, United Arab Emirates, Chad, Thailand, Philippines, Myanmar, Djibouti, Guatemala, Venezuela, El Salvador, Mali. Furthermore do not work with healthcare or not for profit organizations. Locker works on windows, linux x86/x64/arm, esxi. Contact me via jabber: ********


Ransomware Partnership Searching Post is Detected

In a hacker forum monitored by SOCRadar, a new ransomware partnership searching post is detected. The post reads:

Hello friends, I am looking for partners who are familiar with obtaining access to enterprise windows networks, we will work on commission basis; for each system you bring me you get 80% profit of the ransom (I take 20% fee for developing the soft and negotiating with your victim). Few rules before starting work, only networks in the following countries are taken: Guinea, Hungary, Paraguay, Ivory Coast, Tajikistan, Ethiopia, Serbia, Colombia, Mozambique, Cameroon, Azerbaijan, Saudi Arabia, Yemen, Algeria, Belarus, Jordan, Bhutan, Syria, Zimbabwe, Tanzania, Haiti, Iran, Indonesia, Mexico, Namibia, Bolivia, Malaysia, Central African Republic, Comoros, Bangladesh, Kazakhstan, Nigeria, Laos, Eswatini, Nepal, Sri Lanka, Morocco, Argentina, Kyrgyzstan, Vietnam, DR Congo, Botswana, China, Russia, Belize, Niger, Tunisia, Somalia, Egypt, India, Brazil, Papua New Guinea, Lebanon, Kuwait, Angola, Oman, Honduras, Malawi, Gambia, Brunei, Benin, Senegal, Ukraine, Ecuador, Republic of the Congo, Gabon, Bahrain, Suriname, Qatar, Turkey, Kenya, Mauritania, Nicaragua, Togo, Libya, Uganda, Cambodia, Pakistan, Lesotho, South Africa, Guyana, Ghana, Bosnia and Herzegovina, Burkina Faso, Sierra Leone, Burundi, Fiji, Liberia, Madagascar, Sudan, Iraq, Zambia, Rwanda, United Arab Emirates, Chad, Thailand, Philippines, Myanmar, Djibouti, Guatemala, Venezuela, El Salvador, Mali. Furthermore do not work with healthcare or not for profit organizations. Locker works on windows, linux x86/x64/arm, esxi. Contact me via jabber: **




8Base Ransomware Threatens the United Nations Development Programme (UNDP)

Date of Report: 28 March 2024

Executive Summary

The ransomware group 8Base has allegedly targeted the United Nations Development Programme (UNDP), claiming a successful breach of their systems. This United Nations agency, pivotal in fostering poverty eradication and sustainable growth, may face significant data privacy concerns and operational disruptions if the breach is confirmed. The absence of data size specification or sample leaks from the threat actor leaves the claim's validity currently unverified, with a looming threat of data release pending ransom payment by the specified deadline.

Threat actor’s statement (screenshot)

Key Points

  • 8Base ransomware group lists UNDP among its latest victims.
  • Claimed exfiltration of a wide array of sensitive documents and personal data.
  • No data samples have been provided to corroborate the breach.
  • A ransom demand has been made with a deadline set for April 3.

Assessment

If the breach is substantiated, the implications for the UNDP could be extensive, ranging from the exposure of sensitive employee and operational data to potential reputational damage and operational hindrances. The nature of the alleged exfiltrated data suggests that internal UNDP cybersecurity measures may have been compromised.

Outlook

The situation necessitates urgent attention to validate the claims, secure at-risk systems, and implement strategies to mitigate the effects of a potential data leak. The deadline set by the threat actor adds pressure to the situation, requiring prompt decision-making regarding the response to the ransom demand.

Key Intelligence Gaps

  • Confirmation of the authenticity of the breach.
  • Detailed understanding of the data types and volumes affected.
  • Insight into the ransomware group's intentions and past behavior in similar incidents.

Intelligence Requirements

  • Gathering further information on the specifics of the breach and the nature of the data involved.
  • Monitoring of the situation for any release of data or further communication from the threat actor.
  • Preparedness for potential data leak scenarios post-deadline if ransom demands are unmet.

Who is 8Base?

8Base, identified as a ransomware group since April 2022, has quickly risen to prominence due to its aggressive tactics and the significant number of small and medium-sized businesses it has targeted across multiple sectors. The group's methods, identity, and motivations remain largely unknown, but similarities in communication styles have led to speculation that it may be an offshoot of the ransomware group RansomHouse. This connection is drawn from their shared strategy of exploiting compromised data for extortion.

Don't forget to check out our blog for a detailed analysis and mitigation methods about the 8Base ransomware group (https://socradar.io/dark-web-profile-8base-ransomware/).

MITRE ATT&CK TTPs of 8Base Ransomware

  • Reconnaissance: Active Scanning (T1595); Phishing for Information (T1598)
  • Resource Development: Acquire Infrastructure (T1583); Develop Capabilities (T1587)
  • Initial Access: Phishing: Spearphishing Attachment (T1566.001)
  • Execution: Scheduled Task/Job (T1053); Command and Scripting Interpreter (T1059); Shared Modules (T1129)
  • Persistence: Scheduled Task/Job (T1053); Boot or Logon Autostart Execution (T1547); Registry Run Keys / Startup Folder (T1547.001)
  • Privilege Escalation: Scheduled Task/Job (T1053); Boot or Logon Autostart Execution (T1547); Registry Run Keys / Startup Folder (T1547.001)
  • Defense Evasion: Masquerading (T1036); File Deletion (T1070.004); Modify Registry (T1112); Indirect Command Execution (T1202); File and Directory Permissions Modification (T1222); Virtualization/Sandbox Evasion (T1497); Impair Defenses (T1562); Disable or Modify Tools (T1562.001); Disable or Modify System Firewall (T1562.004); Hide Artifacts (T1564); Hidden Files and Directories (T1564.001)
  • Credential Access: OS Credential Dumping (T1003); Input Capture (T1056)
  • Discovery: Process Discovery (T1057); System Information Discovery (T1082); File and Directory Discovery (T1083); Virtualization/Sandbox Evasion (T1497); Security Software Discovery (T1518.001)
  • Lateral Movement: Taint Shared Content (T1080)
  • Collection: Data from Local System (T1005); Input Capture (T1056); Data Staged (T1074); Archive Collected Data (T1560)
  • Command and Control: Application Layer Protocol (T1071); Web Protocols (T1071.001)
  • Exfiltration: Exfiltration Over C2 Channel (T1041)
  • Impact: Data Destruction (T1485); Inhibit System Recovery (T1490)






$10 Million Per Head ALPHV/Blackcat: The US State Department Announces a Hunt For The Leaders of a Well-Known Group

In a hacker forum monitored by SOCRadar, the following news item is detected: $10 million per head ALPHV/Blackcat: the US State Department announces a hunt for the leaders of a well-known group.

The US State Department has announced a reward of up to $10 million for any information that helps identify and capture the leaders of the ALPHV/Blackcat hacker group. The gang specializes in cyber extortion and has already attacked thousands of companies in recent years. An additional $5 million is promised for data on individuals who are about to join Blackcat's criminal activities. According to experts, this should scare off potential participants, depriving the group of support. From November 2021 to March 2022, Blackcat carried out more than 60 hacks worldwide, the FBI said. “The scale of their activities is amazing,” a bureau representative commented. According to the latest data, by September 2023, at least $300 million in ransoms had been received from more than 1,000 victims. “This is a huge amount of money, and we will make every effort to stop the criminals,” the State Department said. In a released statement, the State Department promised that "a reward will be paid for information regarding the location or identity of any of the key leaders of the group behind the development and distribution of the ALPHV/Blackcat ransomware." The payments will be made as part of the initiative to combat transnational organized crime. As the department noted, since 1986, more than $135 million has already been paid out under this program. To securely transmit information about Blackcat and other wanted criminals, the State Department launched a special encrypted server, Tor SecureDrop, on the darknet. According to department officials, this will help maintain the anonymity of informants. Recently, US authorities have stepped up efforts to find and apprehend cybercriminals. In January, a similar reward of $10 million was announced for data on the leaders of the Hive group. Previously, large sums were promised for information about those involved in Conti, REvil (Sodinokibi), Darkside and other dangerous hacker communities. According to experts, such measures will at a minimum make life more difficult for criminals and weaken their potential.

Source: ***



New Partnership Post is Detected for AkitaCrypt Ransomware

In a hacker forum monitored by SOCRadar, a partnership post was detected for AkitaCrypt Ransomware.

https://image.socradar.com/screenshots/2023/12/06/49a181a5-d0da-4b49-aa29-fe5777f082cd.png

A Fully Featured Ransomware Solution

Our team has been hard at work for the past 2 years on a cross-platform ransomware solution. We have tested it on more than 150 machines, fine tuning it along the way. We are proud to finally be able to unveil it. Introducing: AkitaCrypt, an astonishingly fast, fully undetectable ransomware solution for Windows and Linux written in Rust.

Features:
- AES-256 or AES-512 bit encryption options with configurable salts
- Windows UAC and Linux/GNU privilege escalation
- Fully undetectable (FUD) upon build (on ALL Anti-Virus guaranteed)
- Bypasses EDR systems (Splunk, Palo Alto Cortex XDR, etc)
- Regular Updates
- Reports can be sent via Discord web hooks or email
- Smart encryption (choose well known software to search for, making targeted encryption easier)
- Manual encryption (choose directories you'd like to encrypt; can be used with smart encryption)
- Encrypt file by extension (choose file extensions to include or exclude)
- Toggle system file exclusion (exclude encryption of OS files so system remains functional)
- Configurable backdoor (regain remote access to your target in case they lock you out)
- Works on Windows 7 and later, Windows Server 2008 and later and all Linux/GNU distributions and Kernels and UNIX. MacOS coming soon!

Affiliate Program

Having poured so much of our time and effort into this and considering its capabilities (EDR Bypass, FUD on all AV including ESET, etc) it would be reckless for us to release this to anyone with the money to buy it. Therefore, we are launching an affiliate program for serious players only. Affiliates will start at 50/50 splits for each successful ransom negotiation. Affiliates with 10 or more successful negotiations will receive 75/25 splits. Top earners will receive 90/10 splits.

How To Become An Affiliate

To become an AkitaCrypt affiliate you need to have initial access to a Windows network or Linux server or any Windows or Linux infrastructure at a company or business that can be negotiated for ransom (no restrictions or rules whatsoever. Any country, any institution, any business).

Who we are looking for:
- Initial access brokers looking to directly profit from ransomware
- Hobbyist penetration testers/web-application hackers
- Bug bounty hunters
- Exploit developers
- Employees with internal access who have an understanding of information technology and OPSEC

If you think you would be a good candidate, contact us with proof of initial access via DM or on Telegram at https://t.me/******* or in our channel at https://t.me/**********

Have the following prepared if you contact us or else you will be ignored:
- Access you have or can get immediately (not access that you THINK you can get, access you KNOW you can get)
- History gaining initial access to systems (have proof).
- Any prior affiliate programs you've been a part of, if applicable (if no proof, don't share this).

Negotiations, ransom amounts, and files that are encrypted can be dictated by the affiliate or left to us.


Play Ransomware Escalates: Ten US Firms Hit in a Single Day

Date of Report: November 29, 2023

Executive Summary

The Play ransomware group's activity reached a significant peak on November 28, when it added ten American companies to its victim list, making it the day with the most reported ransomware cases in November. First observed on June 22, 2022, when an individual reported file encryption with a ".play" extension on the BleepingComputer forum, the group had primarily targeted Latin America, with Brazil as a focal point.

https://image.socradar.com/screenshots/2023/11/29/b1b3dab2-db68-4f32-b3f2-cadaafa4cb90.png
Latest victims' announcement on Play's website.

Their tactics, techniques, and procedures (TTPs) bear resemblance to known ransomware families such as Hive and Nokoyawa, particularly in their use of the AdFind tool for gathering Active Directory data.

Key Points:
- Play ransomware has shifted to a Ransomware-as-a-Service (RaaS) model, exhibiting uniform attack patterns across sectors.
- The operators use legitimate account credentials, exposed RDP servers, and specific FortiOS vulnerabilities for initial access.
- They propagate the ransomware internally using Group Policy Objects, scheduled tasks, PsExec, or wmic, culminating in file encryption with the ".play" extension.
- The cumulative number of ransomware incidents in November spiked, with 36 cases reported in a single day.
- Businesses impacted include SinglePoint Outsourcing, Thillens, Elston-nationwide, AMERICAN INSULATED GLASS, MooreCo, Continental Shipping Line, Retailer Web Services, SurvTech Solutions, EDGE Realty Partners, and Noble Mountain Tree Farm.

Assessment:
Play ransomware's transition to a RaaS model and the replication of TTPs across attacks suggest a systematic approach and the possible use of a RaaS kit. The group's focus on smaller organizations, presumably because they can meet ransom demands of approximately $1 million, indicates a calculated targeting strategy. The recent spike in attacks on U.S. companies signifies an expansion beyond their usual Latin American targets.

Outlook:
The evolution of Play ransomware into a RaaS model could mean a broader reach and a higher frequency of attacks, posing a threat beyond the Latin American region. The specific targeting of organizations with the financial capacity to pay substantial ransoms underscores the need for enhanced security measures and awareness.

Key Intelligence Gaps:
- Confirmation of the extent to which Play ransomware's TTPs align with other ransomware families.
- Assessment of the impact of the RaaS model on the frequency and sophistication of Play ransomware attacks.
- Evaluation of the risk to organizations based on the observed targeting profile of Play ransomware.

Intelligence Requirements:
- Investigation into the recent attacks to identify any evolving patterns or new TTPs employed by Play ransomware.
- Development of threat mitigation strategies tailored to the specific vulnerabilities exploited by Play ransomware.
- Strengthening defenses against RDP and FortiOS vulnerabilities to prevent initial access by threat actors.
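
The TTPs in the key points above (AdFind for Active Directory enumeration, PsExec, wmic and scheduled tasks for propagation, the ".play" extension at the impact stage) are all visible in ordinary endpoint telemetry. The following is an added example, not code from SOCRadar or from the report, of a minimal rule set that flags them over a handful of constructed Sysmon-style JSON events and then correlates per host. The field names (EventID, Image, CommandLine, TargetFilename, Computer) follow Sysmon's naming, but the events, the rule names and the helper functions are this example's own.

```python
"""Added example: flag the Play TTPs named above in Sysmon-style telemetry.

The events below are constructed for this example; they are not real logs.
Field names follow Sysmon (EventID 1 = process create, 11 = file create),
but the rule set and helper names are this example's own.
"""
import json
import re

# (rule name, Sysmon event id, field to inspect, pattern)
RULES = [
    ("play.discovery.adfind", 1, "Image",
     re.compile(r"\\adfind\.exe$", re.I)),
    ("play.lateral.psexec", 1, "Image",
     re.compile(r"\\psexe(c|svc)\.exe$", re.I)),
    # wmic /node:<host> process call create <cmd>  : remote execution over WMI
    ("play.lateral.wmic_remote_exec", 1, "CommandLine",
     re.compile(r"\bwmic\b(?=.*/node:)(?=.*\bprocess\b.*\bcall\b.*\bcreate\b)", re.I)),
    # schtasks /create ... /s <host>  : scheduled task planted on a remote host
    ("play.lateral.schtasks_remote", 1, "CommandLine",
     re.compile(r"\bschtasks\b(?=.*/s\s+\S+)(?=.*/create\b)", re.I)),
    ("play.impact.play_extension", 11, "TargetFilename",
     re.compile(r"\.play$", re.I)),
]


def match_event(event):
    """Return the names of all rules that fire on one parsed event."""
    hits = []
    for name, event_id, field, pattern in RULES:
        if event.get("EventID") == event_id and pattern.search(event.get(field, "")):
            hits.append(name)
    return hits


def scan(lines):
    """Scan JSON lines; return (host, rule) pairs, skipping lines that are not JSON."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for name in match_event(event):
            alerts.append((event.get("Computer", "?"), name))
    return alerts


def hosts_likely_deploying(alerts):
    """Hosts where a lateral-execution rule AND the .play extension both fired.

    A lone PsExec or wmic run is noisy (administrators use both); a host that
    also shows .play files is the one to isolate first.
    """
    by_host = {}
    for host, rule in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(
        host for host, rules in by_host.items()
        if "play.impact.play_extension" in rules
        and any(r.startswith("play.lateral.") for r in rules)
    )


# Constructed sample telemetry for this example (not real events).
_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Temp\AdFind.exe",
     "CommandLine": "AdFind.exe -f objectcategory=computer"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"FS01" process call create "cmd /c \\WS01\share\p.exe"'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /s FS01 /tn upd /tr C:\p.exe /sc once /st 00:00"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 11, "Computer": "FS01", "Image": r"C:\p.exe",
     "TargetFilename": r"C:\Data\q3.xlsx.play"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\a\notes.txt"},
]
SAMPLE_LOG = [json.dumps(e) for e in _EVENTS] + ["<truncated line, not JSON>"]


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_LOG):
        print(f"{host}: {rule}")
    print("isolate first:", hosts_likely_deploying(scan(SAMPLE_LOG)))
```

The per-host correlation is the part worth keeping: PsExec and wmic alone produce false positives in most environments, but a host that shows a lateral-execution tool and new ".play" files in the same window is almost certainly mid-deployment.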


MadCat Ransomware: Scammers in Disguise

A recent investigation has unveiled a new strain of ransomware, dubbed MadCat, linked to a group of suspected scammers who target fellow criminals on the dark web. The findings reveal a web of deception, fraud, and intricate cyber schemes.

https://image.socradar.com/screenshots/2023/11/24/54afbc7c-de83-427e-bfd8-d1288ce4bcc7.PNG
The group’s leak website, stating that it will launch on 30 November, 2023

The recent announcement of a new ransomware group, Mad Cat, seemed like a typical entry of a ransomware group into the cybercrime arena. However, further investigation has unraveled a more convoluted narrative.

Deceptive Tactics on the Dark Web

Cyber investigator Karol Pacoriek and the team at CSIRT KNF (the computer security incident response team of Poland's Financial Supervision Authority) have linked Mad Cat to several dark web accounts known for fraudulent activities. These accounts, including @plessy (the one mentioned on the leak site), @rooted, and @whitevendor, were previously involved in the fake sale of stolen passport details, including a bogus offer of 246,000 screenshotted Polish passport pages. The CSIRT report detailed how these accounts ran scams on dark web platforms, deceiving other criminals with offers of illegal identity documents. In one such incident, @plessy offered an entire collection of these documents for $3,400. The report noted similarities in the writing style and methods of these accounts, suggesting they might be operated by the same individual or group.

Ripple Effects Among Cybercriminals

The deceptive practices have not gone unnoticed among other criminals. On BreachForums, a cybercriminal complained about being conned by @rooted in a scheme involving Japanese and Chinese passport details. This pattern of deception indicates a lack of trust even among cybercriminals.

https://image.socradar.com/screenshots/2023/11/24/8583cd58-7176-47f9-893d-1cb6179dad1c.png
Scam report for @rooted in a hacker forum

Pacoriek’s investigation also unearthed links between these aliases and the MadCat ransomware group. The plessy[.]eu web address and associated Telegram channels pointed to a network of interconnected identities and criminal activities. The CSIRT report further established connections between these identities and MadCat's operations.

Doubtful Future for MadCat

With their deceptive practices exposed, the future of MadCat in the ransomware field seems uncertain. Pacoriek anticipates their downfall, comparing it to other short-lived cybercrime entities. The negative backlash and the abandonment of accounts by these actors indicate a possible retreat from their criminal endeavors. This case underscores the intricate and often duplicitous nature of the cybercrime world, and highlights the importance of continual vigilance and comprehensive investigation in understanding and combating the ever-evolving landscape of cyber threats.

To navigate the complex and deceptive landscape of cyber threats, SOCRadar Dark Web Monitoring provides essential tools and insights, enabling organizations to detect and counteract hidden cyber threats and protect their digital assets. This service offers unparalleled visibility into the dark web, helping to stay one step ahead of cybercriminals and their ever-evolving tactics.

https://image.socradar.com/screenshots/2023/11/24/741fa8f1-4f4e-43a6-9fdb-9969564b4314.png
SOCRadar Dark Web Monitoring


Source Code of qBit Ransomware is on Sale

In a hacker forum monitored by SOCRadar, a new alleged source code sale was detected for qBit ransomware.

https://image.socradar.com/screenshots/2023/11/27/c3824ed5-82f2-4ea1-a08a-e42b7f438626.png

Hello friends, well, our product had a great response and feedback from users, which was about the stealer and the ransomware built in Go lang. I would call it a success based on my plan of long term effect/usage. Speaking of researchers releasing blogs about it, specifically CloudSEK: CloudSek qBit Article. You've better explained the product than me, haha. Thank you bablu kumar, a geek. If this doesn't seem to make sense for you as a buyer, and you want more information on the product, check out: http://** http://**

Anyway, even if the language seems to be very versatile, efficient and very fast, as proven in the video, the binaries seem to be much bigger, which wouldn't be such a nuisance in these modern days. But we do love small binaries, much better for crypts and spreads. So, I've invested some time in Rust and C/C++ building cryptors behind the scenes and improving them for real world scenarios. Which brings me to this forum post.

Basically, instead of selling it as a service, I will sell the full source code as it IS to the buyer for a fixed price (middleman accepted and is mandatory, but the fee is paid by the buyer). The buyer will get support on using the source, building, or if extra improvements are needed; it will be provided free of charge. This scheme of business might be suitable for those who want fresh ransomware code which is not skidded or stolen from anywhere else, personally suited to its core according to the buyer, and from a knowledgeable person who knows building/handling and maintaining the code.

So, that's it for today folks. Contact me on Session or Telegram for further discussion, and ONLY message me if you're serious. Session ID: ** Telegram: @**


Cactus Ransomware Group Targets Petersen Health Care in the USA

Petersen Health Care, a prominent healthcare provider in the United States, has reportedly been added to the Cactus ransomware group's data leak site.

https://image.socradar.com/screenshots/2023/11/22/9b16c7e4-6cec-49ab-aded-d1f3326df9ce.PNG
Cactus Ransomware’s victim listing on their leak blog

Leaked Data Details

The Cactus ransomware group has released a sample of the compromised data, which alarmingly includes scans of passports, driving licenses, and other sensitive personal documents. While the specific volume and types of all the data breached have not been detailed, the nature of the leaked sample points to a severe privacy and security violation.

Implications of the Breach

The leak of such sensitive personal information from a healthcare institution is particularly concerning. It jeopardizes patient privacy and exposes individuals to potential identity theft and fraud risks.

https://image.socradar.com/screenshots/2023/11/22/5c0f0be7-c4a3-4ef4-af90-c1908c3feddb.PNG
Sample leak shared by Cactus Ransomware

This incident underscores the growing threats faced by healthcare providers in the digital age. These organizations hold vast amounts of sensitive personal health information, making them attractive targets for cybercriminals.

SOCRadar: Enhancing Cybersecurity

The rapidly changing cybersecurity landscape necessitates a vigilant approach, especially in sensitive sectors like healthcare. In response to the escalating cyber threats facing critical industries, SOCRadar offers specialized monitoring and threat intelligence services. Our solutions are designed to help organizations proactively identify and mitigate cyber risks.

https://image.socradar.com/screenshots/2023/11/22/5ac9021f-ab04-447d-a809-dc957069af36.png
One such solution offered by SOCRadar is Attack Surface Management and Ransomware Check




Ransomware Attack on Asaf Technology in Support of Palestine

In a significant cybersecurity incident, the company "Asaf Technology" allegedly became the latest victim of a politically motivated ransomware attack. A recent Telegram post by the Tiger Electronic Unit indicates that they have successfully encrypted all data belonging to Asaf Technology, which they refer to as a "Zionist company."

https://image.socradar.com/screenshots/2023/11/17/cac98513-c871-4e70-a57d-c58e79c8af81.png
Electronic Tiger Unit’s Telegram post

The attackers claim to have gained full access to the company's data and have also compromised the accounts of engineers and officials within Asaf Technology. This attack is part of the broader cyber conflict related to the ongoing Israel-Hamas tensions.

Context of the Cyber Conflict

Recent months have seen an escalation in cyber activities related to the Israel-Palestine conflict. Various ransomware groups have been involved, targeting entities on both sides. Previously, in our blog posts, we highlighted the complex nature of the cyber conflict, where digital warfare is used as an extension of political and territorial disputes. A recent post from another hacker group, the TYG Team on Telegram, sheds light on the strategic use of ransomware in this conflict. The group emphasizes their ongoing efforts to compromise Israeli devices and infrastructure, using their software "GDS" for expanded attacks. They state their intention to use the accessed data strategically rather than publicizing it, indicating a focused approach to cyber warfare.

https://image.socradar.com/screenshots/2023/11/17/bd853c14-7131-44ae-9a76-8329c70c96e5.png
T.Y.G Team’s statement on their Telegram channels

These incidents underscore the evolving nature of cyber threats within this conflict, where political motivations can drive targeted attacks against specific nations or entities. For further analysis, check out our latest blog about the conflict: https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/

Stay Protected with SOCRadar

In response to these growing threats, SOCRadar offers advanced monitoring and threat intelligence services. Our platform helps organizations stay ahead of potential cyber threats, ensuring timely and effective responses to emerging risks. As the situation evolves, SOCRadar continues to provide real-time updates and insights into the latest developments in this ongoing cyber conflict. Stay informed and prepared with our comprehensive threat intelligence and monitoring solutions.

https://image.socradar.com/screenshots/2023/11/17/efd7e937-c707-47e4-82c7-d6b22bc9a3a5.png
SOCRadar Dark Web Monitoring




A New Ransomware Builder is on Sale

In a hacker forum channel monitored by SOCRadar, a new ransomware builder for sale was detected.

https://image.socradar.com/screenshots/2023/10/30/dd1c5575-767a-466c-ba0e-f46ec3e1b78b.png

I am the sole author of the Ransomware. Ransomware itself is a ransomware project that is written entirely in C++/WinAPI. By itself, it does not require any internet connection and all information is kept private - nothing is sent abroad. You can attack any type of country, organization, company, etc. It is 100% safe and no one has ever recovered their files without paying, as Ransomware uses very secure algorithms for encryption. If you decide to use my Ransomware, rest assured you will not be tricked - it uses a key scheme where the decryption key is protected by both my private key and your Private Build Key that you generate. It is dynamically multithreaded (depends on the number of cores/disks) and runs only on Windows OS, in versions after Windows XP, on x86 and x64, with support for both overwriting and destroying encryption methods. The ransomware also automatically deletes backups and logs twice - before and after encryption. It also encrypts any network drive available on the network automatically.

The only two requirements to run an embedded Ransomware executable on a computer are:
- disable antivirus software
- have administrator access (running the executable as administrator)

There are many more features and changes - if you are interested or have any questions, please contact me on Telegram: @Jacobs1822. Don't contact me asking how to spread ransomware - you need to learn this yourself or pay me to do it :)

Some characteristics of Ransomware:
- Added new mandatory test file decryption with payment of developer fee to prevent fraud by the victim
- The number of encryption/decryption threads now depends on the number of disks
- Prevents the system from going to sleep/hibernation while the encryption/decryption process is active
- Increased speed of deleting unwanted software
- Added option to disable taskmgr/regedit on target system (re-enabled after decryption)
- Added new encryption method - replace instead of copy/encrypt/destroy the original method - produces the same results, but may cause file corruption if the Ransomware is stopped before the encryption process is complete, but it should be a little faster and does not require additional space
- Shredding now always deletes the fragmented file
- Improved file destruction speed
- Decryption always uses the replacement method - user should not stop Decrypter until it finishes
- Added option to decrypt multiple Redeemer Public Keys received from the victim at once (for large computer networks encrypted with the same version of Ransomware and the same Redeemer Private Build Key, value and campaign ID)
- Different options renamed in Toolkit/Decrypter
- Better encryption/decryption speed

Telegram: @****



New Recruitment Post is Detected for Qilin Ransomware Group

In a hacker forum monitored by SOCRadar, a new recruitment post was detected for the Qilin Ransomware Group.

https://image.socradar.com/screenshots/2023/11/06/eb117522-8d91-468a-bdbe-e70e90c65033.png

Good day to all! We are recruiting teams of experienced pentesters for our partner program. Briefly about the available functionality:
- Reliable encryption algorithms (chacha20\AES) + RSA4096
- Customizable encryption modes to select the ideal balance of encryption speed and cryptographic strength
- 4 modes of software operation:
  - normal - completely encrypts the file
  - step-skip - encrypts in spots with a fixed size of the spot and the skipped part
  - fast - encrypts the beginning of the file
  - percent - encrypts in spots with a fixed spot size and a dynamic skip portion based on file size
- Ability to reboot the machine in safe-mode with automatic login and file launch
- Directed encryption (drives\folders by specifying the path, remote machines by specifying the machine’s IP)
- Ability to disable various filters when running a file if necessary (functionality at your own peril and risk)
- Killing the most important services and processes for the most effective encryption and eliminating the possibility of decryption
- Freeing files occupied by services and processes
- Cleaning log systems and deleting shadow copies
- Ability to distribute the file over the network (subject to the credentials transferred during assembly)
- A proven preset of settings in the panel, but if necessary, you can add parameters specific to your network
- The build does not store all the credentials for the company to enter the landing, which will exclude “left people” when conducting a dialogue with the company
- And many more different features that you will get acquainted with during the work

Panel:
- Build Configurator
- Guest access (with the ability to limit the rights of guests to various actions)
- Full support of dialogues with your targets (if you wish, you can do this yourself)
- You will also have access to dialing/SMS spam services 24/7.

The written software is a unique project, and not just another fork of the source codes of other software lying around in the public domain. Under Windows, the build will be pure Rust, which immediately gives it an advantage in speed and security. For LINUX/ESXi systems this is pure C.

First PM contact. We work with English speakers only after an interview. We do not work in CIS countries.
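
The four operating modes the post lists (normal, step-skip, fast, percent) are variants of intermittent encryption: the locker touches only selected byte ranges so that large files are rendered unusable in a fraction of the time a full pass would take. The added example below is not code from the Qilin operators or from SOCRadar; it models only the range selection and computes how much of a file each mode touches and which byte ranges stay in plaintext, which is what an analyst needs when judging what can be carved out of a partially encrypted file. The spot, skip, head and percent parameters, and the way the percent mode spaces its spots, are assumptions chosen for illustration; the post gives no values. The "Full, Partial & Smart" modes advertised for qBit later on this page rest on the same idea.

```python
"""Added example: range selection for the intermittent-encryption modes named above.

Only interval arithmetic is done here; no file is read or encrypted.
Parameter defaults (spot, skip, head, percent) and the even spacing used
for the percent mode are assumptions for illustration, not values from the post.
"""

MiB = 1 << 20


def encrypted_ranges(file_size, mode, spot=MiB, skip=2 * MiB, head=MiB, percent=10):
    """Return [(offset, length), ...] that a locker in the given mode would encrypt.

    normal    - whole file
    fast      - only the first `head` bytes
    step-skip - a `spot`-byte run, then `skip` bytes untouched, repeated
    percent   - `spot`-byte runs spaced so roughly `percent` % of the file is touched
    """
    if file_size <= 0:
        return []
    if mode == "normal":
        return [(0, file_size)]
    if mode == "fast":
        return [(0, min(head, file_size))]
    if mode == "step-skip":
        stride = spot + skip
    elif mode == "percent":
        # Derive the skip from the file size: place n spots evenly (assumption).
        target = file_size * percent // 100
        n_spots = max(1, target // spot)
        stride = max(spot, file_size // n_spots)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    ranges = []
    offset = 0
    while offset < file_size:
        ranges.append((offset, min(spot, file_size - offset)))
        offset += stride
    return ranges


def plaintext_ranges(file_size, ranges):
    """Complement of `ranges` within [0, file_size): the bytes left untouched."""
    gaps = []
    cursor = 0
    for offset, length in sorted(ranges):
        if offset > cursor:
            gaps.append((cursor, offset - cursor))
        cursor = max(cursor, offset + length)
    if cursor < file_size:
        gaps.append((cursor, file_size - cursor))
    return gaps


def coverage(file_size, ranges):
    """Fraction of the file that is encrypted."""
    if file_size <= 0:
        return 0.0
    return sum(length for _, length in ranges) / file_size


if __name__ == "__main__":
    size = 10 * MiB
    for mode in ("normal", "fast", "step-skip", "percent"):
        enc = encrypted_ranges(size, mode)
        print(f"{mode:>9}: {len(enc)} spot(s), {coverage(size, enc):.0%} encrypted, "
              f"{len(plaintext_ranges(size, enc))} plaintext gap(s)")
```

Two practical consequences fall out of the numbers: a "fast" run leaves everything past the header intact, so container formats with recoverable trailing structure (some archives, databases, media) are often partly salvageable, while a "step-skip" run with a small skip leaves gaps too short to carve anything useful from.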


New Version of Knight Ransomware is Detected

In a hacker forum monitored by SOCRadar, a new version of Knight Ransomware was detected.

https://image.socradar.com/screenshots/2023/11/06/720710bc-66fd-44d2-bde8-67b4bcb5f98e.png

We have updated to version 3.0. After several months of practice we made the third upgrade, and the third upgrade is a very significant upgrade, including the panel and the locker; compared to version 2.0, we added a lot of features. The encryption speed of the 3.0 version of the locker is very fast; of course you can use any organization's locker to compare with us. In the 3.0 locker we made the following updates:
1. Added more kinds of SMB lateral movement, and added automatic extraction of the HASH of credentials of logged-in shared networks for SMB lateral movement!
2. Updated the algorithm to increase the encryption speed, increasing the encryption speed by about 40%, and we provide -fast (fast encryption header) and -thread (custom thread encryption) parameters in version 3.0.
3. Updated: Replace all files' icons on the target computers.
4. Rewrote ESXi using C to support version 5 and above.
5. Priority execution directories have been added, and multiple priority directories can be entered when generating online.
6. Added random obfuscation to make the locker more difficult to detect by AV.
7. Added more system support: Windows 7 & above, Linux (including Debian, *BSD, Solaris, Android and others), MacOS. All systems have been tested.

Panel Feature Support:
1. Assign each target a separate TOR domain while we provide a high strength encrypted chat room to assign separate chat sessions to different computers under the same target.
2. Each target is equipped with a separate wallet address, 2nd level affiliates can directly add their own wallet address, and an individual "offer" feature is provided (a separate offer can be made for each different chat session).
3. Added chat room session status for the target (you can see when it was last accessed and whether it is online or not).
4. The BypassAV function is provided in the panel. You can upload files for secondary obfuscation encryption (tested to bypass 90% of the AV).
5. Added Team Collaboration, which allows you to share separate target chat rooms with your team members and work together to get the job done.
6. Changed the target page to support automatically displaying the wallet address and receiving offers online; it will automatically detect if it is the correct amount after payment, and will automatically provide key and decryptor download options after payment.

We are still looking for partners, but we don't need inexperienced people at the moment, and we will set certain conditions to filter analysts in the forums. Tox: **


BianLian is Targeting Aviation Industry in Canada

The BianLian ransomware group, under constant surveillance by the SOCRadar Dark Web Team, has announced its latest victim on its dark web platform: a Canadian aviation firm.

https://image.socradar.com/screenshots/2023/10/12/48d125e1-0255-4ff3-b38a-252bc105eaa9.png
BianLian’s claim post about Air Canada

The group alleges to have exfiltrated 210GB of files from the Canadian aviation firm Air Canada, adding the company to their victim list. Established in 1937, Air Canada is Canada's largest airline and its official flag carrier, renowned for its pivotal role in the global aviation sector.

https://image.socradar.com/screenshots/2023/10/12/549c812a-f7ca-4201-b3a5-ff6db08749d7.jpg
Description of allegedly stolen data shared by BianLian

According to BianLian's claims, the stolen data includes technical and operational data from Air Canada spanning 2008 through 2023, SQL backups, confidential documents, and more.

Who is BianLian?

BianLian is a threat actor that runs a ransomware operation of the same name. It first appeared as an Android banking trojan in 2019. However, like its namesake, the traditional Chinese art of “face-changing,” BianLian has demonstrated remarkable adaptability, shifting its operations to focus on ransomware attacks; the BianLian ransomware strain was first observed in July 2022.

https://image.socradar.com/screenshots/2023/10/12/6dd8416c-70bb-452a-bbd8-eb0c8571e246.png
Threat Actor Card of BianLian

You can read the “Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group” here: https://socradar.io/threat-actor-profile-bianlian-the-shape-shifting-ransomware-group/

Stay Updated with SOCRadar

You can stay up to date with the latest Dark Web news using the Dark Web News page in SOCRadar XTI’s CTI Module. Additionally, follow posts from various ransomware groups in the Ransomware News section under the Dark Web News page.

https://image.socradar.com/screenshots/2023/10/12/ffbf59f8-1489-44da-b351-15977ae05270.png
SOCRadar XTI’s CTI Module’s Dark Web News / Ransomware News Page


GhostSec Unleashes ‘GhostLocker’ RaaS: A Stealthy Ransomware Service

The threat group known as GhostSec officially established a Telegram channel for its new tool, GhostLocker, on October 8, 2023. In the ever-expanding threat landscape, GhostLocker emerges as yet another entity that organizations should vigilantly watch out for.

https://image.socradar.com/screenshots/2023/10/09/12c0c027-9c6e-4412-94b9-15e9721d2ed4.jpg
GhostLocker RaaS

In a bold move, the threat actor labeled their new ransomware service as the "new generation of RaaS" and asserted that its ransomware offers military-grade encryption at runtime, ensuring that victims cannot decrypt the software through decompilation or obtain the decryption key by inspecting web requests or in the case of server exposure. The ransomware is also claimed to be "fully undetectable," and the threat actor boasts a zero detection rate for all major antivirus software. The GhostLocker Telegram channel swiftly amassed over 100 subscribers, gaining traction in GhostSec's official channel as well. Some users have expressed interest in a demo to further promote the tool, particularly in a business context.

Although the service comes with a substantial price tag – initially priced at $999 during the beta phase and later at $4,999 – the threat actor only requests a 15% commission fee from all revenue after the one-time payment. Furthermore, they offer to manage all negotiations for their affiliates while providing a web panel for monitoring negotiations should affiliates wish to intervene at any point. The threat actor has also noted that this is an early version and is committed to significant improvements in the future, with plans to reduce its size and enhance encryption speed as the first step.

Similarities in Ransom Note

Additionally, GhostSec posted a video demonstration showcasing GhostLocker's functionality. There is one particularly striking detail in the video: the ransom note of GhostLocker is designed similarly to that of LockBit Ransomware.

https://image.socradar.com/screenshots/2023/10/09/3c1f5402-a912-4790-a231-f0ee653c39e1.jpg
GhostLocker ransom note

Who is GhostSec?

GhostSec, also known as Ghost Security, emerged onto the digital scene in 2015 as a self-proclaimed vigilante group. Its inception can be traced back to the well-known hacktivist collective, Anonymous. While Anonymous is known for its diverse range of operations, GhostSec assumed a more specific and targeted mission – the active combat against online terrorism and violent extremism. The group is acknowledged for its actions against ISIS-affiliated websites that disseminated Islamic extremism, as part of the campaign recognized as #OpISIS. In addition to its primary objective, GhostSec has engaged in the promotion of human rights and the defense of online freedom in various countries, most notably Cuba. The group has also participated in the Russia-Ukraine conflict, executing a series of cyberattacks against the Russian government.

Track Threat Actors with SOCRadar

SOCRadar's Threat Actor Tracking module equips organizations with a comprehensive perspective on both known and emerging threat actors, empowering them to swiftly and efficiently recognize and counter threats. The platform encompasses a wealth of information on threat actors, including their Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IOCs), and infrastructure, among other critical details.

https://image.socradar.com/screenshots/2023/10/09/d6f9e177-1d0a-4498-9641-fddeddec0ec8.png
SOCRadar Threat Actor Tracking



Play and Qilin Ransomware Groups Announce New Victims: U.S. Security and Financial Firms Allegedly Breached

In recent dark web developments monitored by the SOCRadar Dark Web Team, two prominent ransomware groups have announced their latest victims, both based in the U.S.

Play Ransomware Threatens Security Instrument

Play Ransomware continues its relentless attacks. After claiming to breach 25 firms in September, Play now says it infiltrated the systems of the U.S.-based company Security Instrument.

https://image.socradar.com/screenshots/2023/10/05/80e71a9e-e3a0-4b9f-961d-b57296fe1bea.png
Play’s announcement

Founded in 1960, the privately owned U.S. entity, Security Instrument Corporation, offers electronic security, life safety detection, and related monitoring services. Play Ransomware now threatens to release sensitive data it allegedly seized from the company. This data supposedly includes private and personal confidential data, client and employee records, IDs, payroll, contracts, and financial data. However, Play Ransomware hasn't disclosed the extent of the breach or presented any sample data.

Qilin Ransomware Targets DiTRONICS Financial Services

Discovered in August 2022 and also known as Agenda, Qilin announces its latest victim, the U.S.-based DiTRONICS Financial Services.

https://image.socradar.com/screenshots/2023/10/05/27c8b36c-42e2-4bcb-8017-98b1ae4dfb1a.png
Qilin’s announcement

Since its foundation in 1998, DiTRONICS has positioned itself as a leading source of cutting-edge technologies and high-end funds access services. With a vast database of gaming patrons and annual processing of billions, DiTRONICS provides a wide array of services. Their portfolio includes ATMs, Ticket Redemption Kiosks, Check Guarantee Software, Cash Advance Software, and a new Title 31 compliance solution. While Qilin hasn't stated the exact volume of the data breach, they have shared 19 images allegedly belonging to the company. They claim these images contain breached business contracts, financial papers, and other confidential company documents.

How Can SOCRadar Help?

SOCRadar’s Threat Feed and IoC Management module helps organizations manage their threat intelligence feeds and indicators of compromise (IoCs).

https://image.socradar.com/screenshots/2023/10/05/dddff4be-a75f-4648-aafd-ccff81ba17c0.png
SOCRadar Threat Feed / IoC tab

Also, SOCRadar’s Threat Actor Tracking module provides organizations with a comprehensive view of known and emerging threat actors, including their TTPs, IOCs, and infrastructure. This information can be used to identify and respond to threats more quickly and effectively.

https://image.socradar.com/screenshots/2023/10/05/c6d8f07f-977b-4c56-b261-039e8d6e5ce5.png
SOCRadar Threat Actors tab


New qBit Ransomware is on Sale

In a hacker forum monitored by SOCRadar, a new ransomware called qBit has been detected being offered for sale.

Screenshot of the forum post (https://image.socradar.com/screenshots/2023/09/29/81c428b4-b7d5-4287-b1bb-c1c304dc80eb.png)

The seller’s post reads:

Hello friends, I'm excited to introduce you to a new ransomware made from scratch. It's written in Go with the functionalities of efficient concurrency, meaning faster speed, low detections and versatility. From the early days of ransomware, we've seen many players recruit affiliates with a business model of RaaS, which is Ransomware as a Service. The recruits are very specific and many of us can't join them even if we're skilled. So, this product will be, but not limited to: affordable, usable and customizable. As it's brand new, the detections are much lower and obviously the build shared will be obscured for a much lower detection rate. The buyer doesn't need to worry about using a crypter. Each build is unique. Enough rambling, what's in the package?

- Fast Encryption with a Hybrid Logic - Salsa20 + RSA 2046
- Intermittent Algorithms - Full, Partial & Smart Mode
- Timely Mannered Execution
- Obscured binaries, making analysis much harder for analysts
- Anti-Analysis
- Direct Syscalls
- Multi-Threaded Decryption tool

In case the buyer wants a pre-execution shell-code injection, file exfiltration or personalized information about the target computer to be sent to his C2, it can be done without any extra cost to the purchase! It has a beautiful UI if enabled with -log parameters, though it isn't optimal. Below are two videos: 1st = Log View + Partial Encryption Mode - Demo Video; 2nd = No Log View + Smart Encryption Mode - Demo Video. If you're interested in buying or working together to customize it even further, feel free to contact me at Session or DM here! - Peace out!


Sony Group Corporation Targeted by Dark Web Cybercriminals

The SOCRadar Dark Web research team recently identified a new entry on a dark web platform associated with the Ransomed[.]vc group, and it involves none other than the renowned Japanese multinational conglomerate Sony Group Corporation.

Ransomed[.]vc's claim about Sony (https://image.socradar.com/screenshots/2023/09/25/3d33808a-5ac5-4046-81be-ef0ecfdf0689.png)

Ransomed[.]vc alleges a successful compromise of Sony's systems. The threat group asserts that Sony has refrained from meeting its financial demands, leading the group to decide to auction the sensitive data. The group claims that Sony's unwillingness to pay the ransom has prompted it to expose and market the acquired data.

Sample data shared by Ransomed[.]vc (https://image.socradar.com/screenshots/2023/09/25/7ae930a1-a83f-4642-b64d-5a85cafdc197.png)

To substantiate its assertions, Ransomed[.]vc released a selection of what it purports to be authentic data from Sony. Among these files were a PowerPoint presentation, allegedly created by Sony, along with internal screenshots and Java files.

Threat actor's post on a hacker forum (https://image.socradar.com/screenshots/2023/09/25/9e203842-baea-415f-8559-d2954e39a1dd.png)

The SOCRadar Dark Web Team has identified the threat group actively marketing unauthorized access to what it claims are compromised systems of Sony Group Corporation on a hacker forum. This covert marketplace is dominated by Russian cyber threat entities, suggesting potential interest or involvement of these actors in procuring the breached data. Earlier this year, Sony was listed on the CL0P Ransomware group's dark web portal after the MOVEit vulnerability was exploited (https://socradar.io/attackers-exploit-critical-zero-day-vulnerability-in-moveit-transfer/).

Alleged Cyber Attack on Lockheed Martin and US Army Transport Corp by KillNet

The KillNet threat group recently announced on its Telegram channel that it has targeted Lockheed Martin and the US Army Transport Corp. The group pointed to the U.S. government's decision to deliver ATACMS missiles to Ukraine as its motivation for the attack.

Announcement of KillNet (https://image.socradar.com/screenshots/2023/09/25/d1ece487-e332-4706-9998-02f8ee33b463.png)

KillNet is a pro-Russian hacktivist group known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries, since the Russia-Ukraine war broke out last year. DDoS, the group's primary attack type, floods a target server or website with thousands of connection requests and packets per minute, slowing down or even stopping vulnerable systems.

Enhance Your Defense with SOCRadar

SOCRadar XTI platform’s comprehensive solutions empower you to swiftly identify, assess, and remediate vulnerabilities in real time. SOCRadar's Vulnerability Intelligence enhances security by continuously monitoring vulnerabilities. This module allows you to search for vulnerabilities, access their details and related activities, and monitor hacker trends.

SOCRadar’s Vulnerability Intelligence (https://image.socradar.com/screenshots/2023/09/25/8f4e3ecb-1aa3-415b-be32-c3318396c289.png)

Furthermore, the Attack Surface Management module enables you to securely monitor your assets' status and receive notifications about emerging vulnerabilities.

SOCRadar Company Vulnerabilities (https://image.socradar.com/screenshots/2023/09/25/2468fba9-1d45-4550-8bc4-8e7f9fcfb682.png)


Kuiper Ransomware is on Sale

In a hacker forum monitored by SOCRadar, a new ransomware called Kuiper Ransomware has been detected being offered for sale.

Screenshot of the forum post (https://image.socradar.com/screenshots/2023/09/25/951e18de-0005-40ae-80d8-ee345b23f776.png)

The post reads:

We introduce our partnership affiliate RaaS program KUIPER. Developed in Golang, written from scratch with no external sources from other software.

WARE:
- Encryption algorithm AES-CFB with random key/IV (AES key encryption with RSA-4096)
- Customization of binaries for every attack and network if needed for better deployment and higher success % of damage caused in attack.
- Arguments through terminal typing --help available:
  -p PATH (set path to crypt) Default: "/A-Z" disks (Windows related), root = "/" | non-root = "/home" (*NIX related)
  -reboot yes/no (Default: yes) Reboot system after crypt process.
  -note yes/no (Default: yes) Leave note while (yes) or after (no) crypt.
  -name yes/no (Default: yes) .kuiper extension changes while (yes) or after (no) crypt.
- Unique key for each network.
- No dependencies needed.
- Critical system folders and extensions excluded for crypt.
- Self deletion of binary after crypt process is finished (Windows related). Before crypt process is finished (*NIX related)
- Stop and kill services and processes on loop to avoid interruptions (including AVs, EDRs, SIEMs, blue team tools and defenses related) before and meanwhile crypt.
- Removal of shadow copies and local backups before and after crypt process.
- Windows Defender deactivation through multiple functions before crypt process is started.
- Memory clean after crypt process is finished.
- Highly obfuscated, polymorphic code, anti-reverse methods used, evasion techniques applied, manually crypt binaries (can provide better manually customized evasion depending on attack if needed**), x64 build is UD for most AVs/EDRs in Windows related (x86 build less evasion), FUD for *NIX related.

OS: Windows Server 2008 to 2022+, Windows desktop 7 to 11+, *NIX > Linux, ESXi, NAS, (+)**

EXTRA: Will provide unlimited exfiltration servers on demand. Can provide a workspace for you when needed and necessary**. Can provide our scripts/tools/techniques to perform exfiltration, lateral and deployment when needed. Can provide help through post-exp operations when needed or required. Our communications with clients are through TOX + mail. Leaks blog, control panel and chat not yet available. (Already coded and ready to be uploaded**) DDoS/Spam/Social extortion available (only HQ targets**). We offer cleaning your crypto when needed. 24/7 support for affiliates.

RULES: In depth interview needed. Prohibited CIS attacks.

ROLES: Currently providing corporation targets to be worked. Post-exp operators/groups needed. Initial access providers/groups needed. Extortion/Social experts needed.

CONDITIONS: We take 10% if you provide target + post-exp. We take 40% if we provide target + ransomware + extortion + negotiations**.

** = needs to be previously discussed. Constant updates, upgrades and new versions will be accomplished over time and will also be posted here. We are open for suggestions and appreciate constructive criticisms.




Everest Ransomware Group Claims Access to 400 Million Insurance Customer Records

In a recent dark web revelation monitored by the SOCRadar Dark Web Team, the Everest Ransomware Group has added a prominent U.S.-based insurance company, State Farm, to its list of victims. The group claims to have breached State Farm's network and stolen a vast database containing the records of 400 million insurance customers.

Everest Ransomware Group dark web platform (https://image.socradar.com/screenshots/2023/09/04/23638afb-8ebe-474f-bea8-1b1eb1c630bf.png)

Who is Everest Ransomware Group?

The Everest Ransomware group is a cybercriminal group that has been active since December 2020 and has been observed operating on platforms such as XSS Forum and Breached. Everest is known for data extortion, ransomware activities, and significant incidents such as the sale of network access to the Argentina Ministry of Economy.

Everest's announcement on BreachForums about the Argentina Ministry of Economy (Source: Daily Dark Web) (https://image.socradar.com/screenshots/2023/09/04/f3b83418-8d39-40a2-ac58-4b02e5d433ea.png)

The Stolen Data: What's at Risk?

Everest Ransomware Group has not provided specific details about the contents of the stolen database, but it is likely to include a wide range of sensitive information, such as:
- Personally Identifiable Information (PII): Names, dates of birth, Social Security numbers.
- Policy Details: Information about insurance policies held by customers.
- Payment and Billing Information: Credit card details and payment history.
- Vehicle Information (for auto insurance): Vehicle identification numbers, make, model, and more.
- Property Information (for home insurance): Property values, locations, and other details.

Potential Threats and Misuse of the Stolen Data

The stolen data presents a goldmine for cybercriminals, who may exploit it in various malicious ways:
- Identity Theft: Armed with PII, threat actors can engage in identity theft, committing fraudulent activities in the victim's name.
- Phishing and Social Engineering: Personalized phishing attacks can deceive recipients into revealing more sensitive information or clicking on malicious links.
- Insurance Fraud: Policy details and claims history can be used for fraudulent insurance claims, resulting in financial losses for the insurance company.
- Extortion: High-profile individuals may be targeted for extortion, leveraging the stolen data.
- Targeted Scams: Scammers can pose as insurance agents, offering fake policy upgrades or discounts, thereby tricking customers into making payments to fraudulent accounts.
- Credential Stuffing: Cybercriminals can use stolen email addresses and personal information to gain unauthorized access to other online accounts, especially if individuals reuse passwords.
- Data Brokerage: The stolen data might be sold on the dark web or to other malicious actors, enabling further fraud and illicit activities.
- Fraudulent Loans and Credit Applications: Access to personal and financial data, including credit scores, can lead to fraudulent loan and credit card applications, causing financial losses for individuals and institutions.

Protecting Yourself Against Data Breaches

In light of this breach, individuals should take immediate steps to safeguard their information:
- Monitor financial accounts for suspicious activity.
- Change passwords and enable two-factor authentication for online accounts.
- Be cautious of unsolicited communications and verify their authenticity.
- Report any unusual activity to law enforcement and relevant organizations.

SOCRadar continuously monitors the entire web, including surface and deep/dark web sources, to identify and track Personally Identifiable Information (PII). The sensitive data relevant to your organization includes compromised account credentials, credit card numbers, and other information pertinent to your organization. By swiftly detecting such information, SOCRadar helps protect your organization against identity theft, fraud, and data breaches.

SOCRadar Dark Web Monitoring (https://image.socradar.com/screenshots/2023/09/04/f1c9bef6-d3f5-488f-a0ff-a16c67417477.png)

Focusing resources on the most critical security incidents is essential in the ever-evolving threat landscape. SOCRadar's historical precision and extensive database enable analysts to filter through the noise and pinpoint relevant security items. By prioritizing incidents, SOCRadar ensures that your security team can allocate its time and energy where it matters most, mitigating risks effectively.


France’s Decision on Banning Burqa Unveiling New Cyber Attacks

The SOCRadar Dark Web Team closely monitors obscured sections of the dark web to uncover potential threats that could harm global organizations. Here are the findings concerning France.

Hacktivist Groups Launch Coordinated Cyber Attacks Targeting French Critical Infrastructure

In a recent development that has sent shockwaves through the cybersecurity community, hacktivist groups have launched a series of coordinated cyberattacks aimed at crippling critical infrastructure and institutions in France. The attacks, claimed by the Islamic-based hacktivist groups Team Insane PK, Mysterious Team Bangladesh, and Team Herox, highlight the growing sophistication and collaboration among such threat actors on the dark web. The SOCRadar Dark Web Team has been closely following the activities of these groups. Its reports reveal that the attacks primarily took the form of Distributed Denial of Service (DDoS) attacks, designed to overwhelm the targeted websites and services and render them temporarily inaccessible.

Escalation Triggered by Political Events

Telegram announcement of threat actor (https://image.socradar.com/screenshots/2023/08/31/80779973-a6e3-4263-9d4b-01c2249c51c2.png)

One of the groups, Mysterious Team Bangladesh, made an ominous announcement on August 23 through its Telegram channel, stating its intention to launch cyber attacks on France's critical infrastructure in response to political events unfolding in Africa. This marked the beginning of a series of assaults on various French websites.

The Sequence of Attacks

Team Insane PK claims to have crashed France's official government website (https://image.socradar.com/screenshots/2023/08/31/b59659f9-764f-4638-8ca4-ca43a7528bd1.png)

Shortly after the announcement, Team Herox claimed responsibility for disabling a transportation website through DDoS attacks. Team Insane PK followed suit, asserting that it had rendered the official visa website for France unavailable. The magnitude of these claims, if verified, could significantly impact France's online operations and services.

Rising Tide of Attacks and Solidarity Call

Perhaps the most concerning aspect of this wave of attacks is the escalation observed after August 29. These groups intensified their claims of successful attacks and called on all Muslim hacktivists, activists, and journalists to rally behind their cyber campaign. Their motivation for this increased aggression is reportedly the recent ban on the Burqa in French schools, which has ignited a wave of debate and reactions.

Threat actors' explanation of why they are targeting France and announcements of support (https://image.socradar.com/screenshots/2023/08/31/5d6ca8b5-b1d5-4a4a-9449-74eab25a1e44.png)

The affected websites span various sectors, from transportation and education to commerce and healthcare. Notable targets include the official websites of several French airports, prominent educational institutions, government agencies, and even France's version of Amazon.

Team Insane PK claims to have crashed Amazon France (https://image.socradar.com/screenshots/2023/08/31/2f9f8bbc-594b-4b47-bb32-264e901c757c.png)

Anonymous Sudan Joins Cyber Targeting

In a concerning development, the hacktivist group Anonymous Sudan has turned its attention towards France. Employing tactics similar to those of the other hacktivist groups, Anonymous Sudan is targeting various services within the country.

Anonymous Sudan’s announcement (https://image.socradar.com/screenshots/2023/08/31/1dbcfcca-4414-4822-99bd-25295f7be9f1.png)

The Resilience Challenge

As these hacktivist groups continue to exploit the interconnected nature of the digital world, concerns grow regarding the resilience of critical infrastructure to such attacks. While the impact of DDoS attacks is often temporary, their ability to disrupt vital services and create chaos cannot be underestimated. Enhance your organization’s defense against Denial-of-Service (DoS) threats with SOCRadar Labs’ DoS Resilience module. DoS Resilience allows you to test your domain’s or subnet’s ability to resist DoS attacks.

SOCRadar Labs DDoS Resilience (https://image.socradar.com/screenshots/2023/08/31/0ac3849e-6c8f-47ea-82dc-581d5d69a238.png)

LockBit Ransomware Group: Resurgence Amid Alleged Struggles

In a surprising turn of events, the LockBit ransomware group has emerged from a period of relative dormancy to list more than 20 victims within a single day. This rapid resurgence follows widespread discussion of the group's alleged operational struggles, raising questions about the authenticity of its recent actions.

Victims of LockBit shown in the group’s dark web platform (https://image.socradar.com/screenshots/2023/08/31/1742cb3e-0e4f-4921-b933-3fb43e344993.png)

Amid claims of internal challenges, LockBit's recent actions appear to be aimed at disproving these assertions while safeguarding its tarnished reputation. By swiftly revealing a list of victims, including seven prominent French firms, the group seeks to demonstrate its continued capability to execute successful cyberattacks. Notably, the leaked victim list encompasses diverse entities, including French firms operating in construction, automotive, industrial machinery and equipment, and transportation, and even a town hall administration.

Who is LockBit Ransomware?

LockBit 3.0 is a Ransomware-as-a-Service (RaaS) group that continues the legacy of LockBit and LockBit 2.0. Since January 2020, LockBit has used an affiliate-based ransomware approach, in which its affiliates use various tactics to target a wide range of businesses and critical infrastructure organizations. LockBit has been highly active in deploying models such as double extortion, initial access broker affiliates, and advertising on hacker forums. The group has even been known to recruit insiders and run contests in forums to recruit skilled hackers; such expansionist policies have attracted numerous affiliates, victimized thousands of entities, and sustained its malicious activity.

(https://image.socradar.com/screenshots/2023/08/31/261ecdeb-a8a0-4be5-ba59-e455daa8b2cf.png) You can read the “Dark Web Profile: LockBit 3.0 Ransomware” here (https://socradar.io/dark-web-profile-lockbit-3-0-ransomware/).


Rhysida Ransomware Group Claims Responsibility for Prospect Medical Holdings Attack

In a harrowing development, the Rhysida ransomware group has claimed responsibility for the recent crippling cyberattack on Prospect Medical Holdings, a prominent healthcare organization operating multiple hospitals and clinics across several states. The attack has sent shockwaves through the healthcare industry and raised concerns about the escalating threat of ransomware attacks on critical institutions.

Rhysida ransomware's dark web announcement (https://image.socradar.com/screenshots/2023/08/25/503500c8-7347-453e-989b-c724d4bdf4cc.png)

Attack Details

Prospect Medical Holdings, which manages 16 hospitals and over 165 clinics and outpatient centers, primarily in Connecticut, Pennsylvania, Rhode Island, and Southern California, fell victim to a sophisticated ransomware assault in early August. The attack disrupted vital healthcare services, leaving medical professionals struggling to care for patients and underscoring the vulnerability of crucial healthcare infrastructure to malicious cyber threats.

Rhysida Ransomware Group Claims Responsibility

The Rhysida ransomware group claimed responsibility for the attack approximately three weeks after the initial disruption. The group, which has gained notoriety for its previous attacks on education and healthcare entities, asserted that it had compromised Prospect Medical Holdings' systems.

Screenshots of sample data published by the threat actor (https://image.socradar.com/screenshots/2023/08/25/fb6e727e-3604-4c4a-9a22-ae99927895a1.png)

The threat actor boasted of an extensive haul, claiming to have accessed and stolen a trove of sensitive information. The stolen data reportedly includes more than half a million Social Security Numbers (SSNs), passports, driver's licenses, patient files encompassing profiles and medical histories, and financial and legal documents.

Ransom Demand and Data Exposure Threat

The Rhysida ransomware group issued a ransom demand of 50 BTC (Bitcoin) to monetize its illicit gains. The threat actor has warned that it will expose the stolen data to the public unless the demanded ransom is paid. The group highlighted the enormity of its loot, stating that it comprises one terabyte of unique files alongside a 1.3 terabyte SQL database, and shared screenshots of purportedly acquired documents as a teaser of the compromised information.

Who is Rhysida?

Rhysida is a Ransomware-as-a-Service (RaaS) group that emerged at the end of May 2023. Despite being a newcomer, the group has quickly established itself as a significant ransomware operation. Its first high-profile attack was against the Chilean Army, marking a trend of ransomware groups targeting Latin American government institutions. On June 15, 2023, the group leaked files stolen from the Chilean Army, which confirmed its claim.

(https://image.socradar.com/screenshots/2023/08/25/aa1542ed-e36d-4872-9842-8d2e7f8a3672.png) To comprehensively understand Rhysida ransomware and its recent activities, consider exploring the insights provided in the “Threat Profile: Rhysida Ransomware” blog (https://socradar.io/threat-profile-rhysida-ransomware/).

The group positions itself as a “cybersecurity team” that is doing its victims a favor by targeting their systems and highlighting the supposed potential ramifications of the security issues involved.

How Can SOCRadar Help?

SOCRadar offers continuous monitoring of digital assets, promptly generating alarms for any emerging threats. This proactive approach strengthens overall security and ensures prompt detection of potential exposures or vulnerabilities affecting your assets. You can monitor organizational assets and efficiently manage alarms using SOCRadar’s Attack Surface Management (ASM) module.

SOCRadar’s Attack Surface Management (ASM) module (https://image.socradar.com/screenshots/2023/08/25/3c6af4e6-871f-4d84-8c33-a528fad21173.png)

