campaign image
ESXiArgs: The Consequences of Infection
VMware ESXi Ransomware

ESXiArgs is a ransomware strain that has been reported to have infected over 3000 hosts in several countries, including France, Germany, the Netherlands, the U.K., and Ukraine. The ransomware is suspected to be based on the leaked Babuk ransomware code and is believed to be targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.

Domains Source Last Update
httpnevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion SOCRadar 2023-02-17
nevcorps5cvivjf6i2gm4uia7cxng5ploqny2rgrinctazjlnqr2yiyd.onion SOCRadar 2023-02-17
aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15
Hashes Source Last Update
1396ab93e9104faaf138ac64211471ba SOCRadar 2023-02-17
709ba88e758454f097959c3e62997000 SOCRadar 2023-02-17
fb5dcf0b880b57b10a2093f164f2ed27 SOCRadar 2023-02-17
f1f569c6e4f961007f7411fca131bbe0 SOCRadar 2023-02-17
5a9448964178a7ad3e8ac509c06762e418280c864c1d3c2c4230422df2c66722 SOCRadar 2023-02-17
99549bcea63af5f81b01decf427519af SOCRadar 2023-02-17
7f0ea6e4d18ac0c1051e7366c367b01c08e75afd17fc20df301c5b95373eb34f SOCRadar 2023-02-17
17eccc7e2ce38dafd41d68861da636d7c05290b95d4fd75ec87b819094702cf6 SOCRadar 2023-02-15
bdb4f2b6e44e97f989f3141bc1a35d5fed9e1a6721e851a72a5fcc05f3b31494 SOCRadar 2023-02-15
4f7d97bf4803bf1b15c5bec85af3dc8b7619fe5cfe019f760c9a25b1650f4b7c SOCRadar 2023-02-15
62cb24967c6ce18d35d2a23ebed4217889d796cf7799d9075c1aa7752b8d3967 SOCRadar 2023-02-15
203d2807df6ef531efbec7bfd109986de3e23df64c01ea4e337cbe5ba675248b SOCRadar 2023-02-15
14d53c3d675458863ee2b336a4203f680932181ff5db99bb2f1640ffd44947b5 SOCRadar 2023-02-15
9fce9ee85516533bae34fc1184a7cf31fa9f2c7889b13774f83d1df561708833 SOCRadar 2023-02-15
0165ff14fa840c0074a7ee5108858f8d SOCRadar 2023-02-15
2bee3f716b80273db9639376a296cf19cdba0f1a SOCRadar 2023-02-15
69d12572520122cb9bddc2d6793d97ab SOCRadar 2023-02-15
7a39324822941014609f0fd7d05f1adbbccc3f36d79103e2589251680f3b6c63 SOCRadar 2023-02-15
f78fdb894624b1388c1c3ec1600273d12d721da5171151d6606a625acf36ac30 SOCRadar 2023-02-15
319704f093b71286985716d87c6fb20d6ddc334be6f1ccc042de8c73f7f5df36 SOCRadar 2023-02-15
e2eb9029fd993a9ab386beb7ca4fa21a1871dc0c7568eb802cac1ea3c53cad8b SOCRadar 2023-02-15
4fd4fdedb11b76a24fba289e0b3a8ed07261f98d279932420c7af779663605f8 SOCRadar 2023-02-15
0d6c3de5aebbbe85939d7588150edf7b7bdc712fceb6a83d79e65b6f79bfc2ef SOCRadar 2023-02-15
7c79cd208b8d052bbc957d70b21dc4f548f2f48e2696005b99ff4ce5cf41f5d1 SOCRadar 2023-02-15
90e9bd336e51c88002e5e9a109c5fb0e57d2c90cd54d4bc7480b69fa302beb73 SOCRadar 2023-02-15
ff4fe3c3f2f6a65f43943b3326dd47686bc48c53a7c6714602c1b547a8e8b538 SOCRadar 2023-02-15
7385cc993ec169ad06a4e367b5ad65b9d6a231fe385d11fe8c3757d557932e8c SOCRadar 2023-02-15
11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66 SOCRadar 2023-02-15
a0a87db436f4dd580f730d7cbe7df9aa7d94a243aab1e600f01cde573c8d10b8 SOCRadar 2023-02-15
c4875bd0683467c1e5d44f80b1d5abf6ac9b6f5bf5b6750a1e653416a68ed006 SOCRadar 2023-02-15
4b3eb841b765c4aeb6b273e42a60e1f8ba3d3d94c613a27cd6446a354c2b7285 SOCRadar 2023-02-15
b363e038a6d6326e07a02e7ff99d82852f8ec2d2 SOCRadar 2023-02-15
4d7e2b3eeb7958a60f9ac7a572cb2c560504f11dbd656bcfd068685b69214508 SOCRadar 2023-02-15
474b800fa4f8c2638607b012029cb134b58534e7817fbf3658c9c1d8c78204fa SOCRadar 2023-02-15
32f17040ddaf3477008d844c8eb98410 SOCRadar 2023-02-15
10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459 SOCRadar 2023-02-15
3b5ff11fe11246c91d29cde511a22636524e91e29842dde6327fe92484e08f47 SOCRadar 2023-02-15
ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28 SOCRadar 2023-02-15
99692f5a1ca26b896d8c3220c42db7adc3007837a9b0d12d60d888f01f92fbbf SOCRadar 2023-02-15
5b8bf891808be44f24156cf5430730e610c0df6eaaa4b062623a7a675d234b62 SOCRadar 2023-02-15
e8f5fa12faea9430645853fbb24ce46a5a62cb906168dd17b62d865ddfe201e3 SOCRadar 2023-02-15
2cf56e6c050d0c9d8ada6cdb79a8ed2b8bbc25cd7d33ccc79aeedb31b5ad00df SOCRadar 2023-02-15
cd5b4bd824bad0be78e4cdf6d7fe8a950bd63f294713b8cb49de887d8a8410bc SOCRadar 2023-02-15
b64acb7dcc968b9a3a4909e3fddc2e116408c50079bba7678e85fee82995b0f4 SOCRadar 2023-02-15
d4dd79c97b091dd31791456c56d727eb0b30af9c0172dd221556d28495b8a50f SOCRadar 2023-02-15
4e54d7ed5055bc0e7858d49aaec17bd3ed69e8da94262c6a379ddd81abc31b5e SOCRadar 2023-02-15
f4553d3aa92d4c97353645451c531881e8f0991a SOCRadar 2023-02-15
Ipv4s Source Last Update SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15 SOCRadar 2023-02-15
Cves Source Last Update
CVE-2021-21974 SOCRadar 2023-02-17
Emails Source Last Update
[email protected] SOCRadar 2023-02-15
[email protected] SOCRadar 2023-02-15
[email protected] SOCRadar 2023-02-15
Domains Insert Date
Mitigations REF

Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see

CISA and FBI recommend all organizations: 

  • Temporarily remove connectivity for the associated ESXi server(s).
    • Upgrade your ESXi servers to the latest version of VMware ESXi software [CPG 5.1]. ESXi releases are cumulative, and the latest builds are documented in VMware’s article, Build numbers and versions of VMware ESXi/ESX.
    • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, which ESXiArgs may leverage. For more information on executing workarounds, see VMware’s guidance How to Disable/Enable the SLP Service on VMware ESXi
    • Ensure your ESXi hypervisor is not configured to be exposed to the public internet.

In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

  • Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].

Mitigating and Preventing Ransomware

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.
  • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the NIST’s Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software [CPG 1.5].
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind [CPG 1.5].
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. 

Recovery Guidance REF

CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at

CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2] 

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at; CISA will do our best to resolve concerns.

1. Quarantine or take affected hosts offline to ensure that repeat infection does not occur.

2. Download CISA’s recovery script and save it as <i>/tmp/</i>
For example, with<i> wget: wget -O /tmp/</i>

3. Give the script execute permissions: <i>chmod +x /tmp/</i>

4. Navigate to the folder of a VM you would like to recover and run <i>ls</i> to view the files.

Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.

5. View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).

6. Run the recovery script with /tmp/ [name], where [name] is the name of the VM determined previously. 

a. If the VM is a thin format, run /tmp/ [name] thin.

b. If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.

7. If the script succeeded, re-register the VM.

a. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)

  • Run <i>cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html.</i>
  • Run <i>cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html.</i>
  • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.

b.    In the ESXi web interface, navigate to the Virtual Machines page.

  • If the VM you restored already exists, right click on the VM and select <i>Unregister</i> (see figure 1).

Figure 1: Unregistering the virtual machine.

  • Select Create / Register VM (see figure 2).
  • Select Register an existing virtual machine (see figure 2).

Figure 2: Registering the virtual machine, selecting machine to register.

  • Click <i>Select one or more virtual machines, a datastore or a directory</i> to navigate to the folder of the VM you restored. Select the <i>vmx</i> file in the folder (see figure 3).

Figure 3: Registering the virtual machine, finalizing registration.

  • Select Next and Finish. You should now be able to use the VM as normal.

8.    Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online. 

Additional Incident Response
The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:
  1. Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
  2. Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.
If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at

Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.  

Additional resources for recovering <i>.vmdk</i> files can be found on a third-party researcher’s website.[2]
File Name Description Actions
aa23-039a-esxiargs-ransomware-virtual-machine-recovery-guidance.pdf The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs
APT Name Aliases Target Countries Source Countries Total IOCs
timeline History Timeline

  • Wed, 12 Jul 2023 13:35:40 GMT
    New Report Added

    ESXiArgs Ransomware Virtual Machine Recovery Guidance report added.

  • Fri, 17 Feb 2023 13:20:21 GMT
    New IOC's Added

    Total 10 IOC's added.

  • Wed, 15 Feb 2023 17:05:19 GMT
    New IOC's Added

    Total 230 IOC's added.

  • Wed, 15 Feb 2023 12:02:00 GMT

    New Campaign created.

  • Wed, 08 Feb 2023 00:00:00 GMT
    CISA Releases Recovery Script for ESXiArgs Ransomware
    A recovery script has been made available by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to help decrypt VMware ESXi servers affected by the ESXiArgs ransomware attacks. Go to Link
  • Wed, 08 Feb 2023 00:00:00 GMT
    New ESXiArgs ransomware version prevents VMware ESXi recovery
    New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. Go to Link
  • Fri, 03 Feb 2023 00:00:00 GMT
    Over 120 VMware ESXi Servers Globally Compromised in New Ransomware Attack
    A search on Shodan reveals that the ransomware campaign has already affected over 120 VMware ESXi servers globally that are vulnerable to CVE-2021-21974. The ransomware notes analyzed in the attacks suggest that a new ransomware group is behind the attacks. 
  • Wed, 12 Oct 2022 00:00:00 GMT
    VMware ESXi Servers Globally Hit By Ransomware Attack.
    Infections were initially detected on October 12, 2022, long before the campaign began gaining momentum in February 2023. However, on January 31, 2023, Researchers discovered a revised version of the ransom notes on two hosts, which corresponds to the ones used in the current wave. Go to Link
newspaper Dark Web News

dark web image
$10 Million Per Head ALPHV/Blackcat: The US State Department Announces a Hunt For The Leaders of a Well-Known Group

In a hacker forum monitored by SOCRadar, the news is detected that, $10 million per head ALPHV/Blackcat: The US State Department announces a hunt for the leaders of a well-known group. US State Department has announced a reward of up to $10 million for any information that helps identify and capture the leaders of the ALPHV/Blackcat hacker group. The gang specializes in cyber extortion and has already attacked thousands of companies in recent years. An additional $5 million is promised for data on individuals who are about to join Blackcat's criminal activities. According to experts, this should scare off potential participants, depriving the group of support. From November 2021 to March 2022, Blackcat carried out more than 60 hacks worldwide, the FBI said. “The scale of their activities is amazing,” a bureau representative commented. According to the latest data, by September 2023, at least $300 million in ransoms had been received from more than 1,000 victims. “This is a huge amount of money, and we will make every effort to stop the criminals,” the State Department said. In a released statement, the State Department promised that "a reward will be paid for information regarding the location or identity of any of the key leaders of the group behind the development and distribution of the ALPHV/Blackcat ransomware." The payments will be made as part of the initiative to combat transnational organized crime. As the department noted, since 1986, more than $135 million has already been paid out under this program. To securely transmit information about Blackcat and other wanted criminals, the State Department launched a special encrypted server, Tor SecureDrop, on the darknet. According to department officials, this will help maintain the anonymity of informants. Recently, US authorities have stepped up efforts to find and apprehend cybercriminals. In January, a similar reward of $10 million was announced for data on the leaders of the Hive group. Previously, large sums were promised for information about those involved in Conti, REvil (Sodinokibi), Darkside and other dangerous hacker communities. According to experts, such measures will at a minimum make life more difficult for criminals and weaken their potential. • Source: ***

dark web image
New Partnership Post is Detected for AkitaCrypt Ransomware

In a hacker forum monitored by SOCRadar, a partnership post is detected fort AkitaCrypt Ransomware. Fully Featured Ransomware Solution Our team has been hard at work for the past 2 years on a cross-platform ransomware solution. We have tested it on more than 150 machines, fine tuning it along the way. We are proud to finally be able to unveil it. Introducing: AkitaCrypt, an astonishingly fast, fully undetectable ransomware solution for Windows and Linux written in rust. Features: AES-256 or AES-512 bit encryption options with configurable salts Windows UAC and Linux/GNU privilege escalation Fully undectable (FUD) upon build (on ALL Anti-Virus guaranteed) Bypasses EDR systems (Splunk, Palo Alto Cortex XDR, etc) Regular Updates Reports can be sent via discord web hooks or email Smart encryption (choose well known software to search for making targetted encryption easier) Manual encryption (choose directories you'd like to encrypt; can be used with smart encryption) Encrypt file by extension (choose file extensions to include or exclude) Toggle system file exclusion (exclude encryption of OS files so system remains functional) Configurable backdoor (regain remote access to your target in case they lock you out) Works on Windows 7 and later, Windows Server 2008 and later and all Linux/GNU distributions and Kernels and UNIX. MacOS coming soon! Affiliate Program Having poured so much of our time and effort into this and considering its capabilities (EDR Bypass, FUD on all AV including ESET, etc) it would be reckless for us to release this to anyone with the money to buy it. Therefor, we are launching an affiliate program for serious players only. Affiliates will start at 50/50 splits for each successful ransom negotiation. Affiliates with 10 or more successful negotiations will receive 75/25 splits. Top earners will receive 90/10 splits. How To Become An Affiliate To become an AkitaCrypt affiliate you need to have initial access to a Windows network or Linux server or any Windows or Linux infrastructure at a company or business that can be negotiated for ransom (no restrictions or rules what-so-ever. Any country, any institution, any business). Who we are looking for: Initial access brokers looking to directly profit from ransomware Hobbiest penetration testers/web-application hackers Bug bounty hunters Exploit developers Employees with internal access who have an understanding of information technology and OPSEC If you think you would be a good candidate, contact us with proof of initial access via DM or on telegram at******* or in our channel at********** Have the following prepared if you contact us or else you will be ignored: Access you have or can get immediately (not access that you THINK you can get, access you KNOW you can get) History gaining initial access to systems (have proof). Any prior affiliate programs you've been apart of if applicable (if no proof don't share this). Negotiations, ransom amounts, and files that are encrypted can be dictated by the affiliate or left to us.

dark web image
Play Ransomware Escalates: Ten US Firms Hit in a Single Day

Date of Report: November 29, 2023 Executive Summary The Play ransomware group's activities reached a significant peak on November 28, adding ten American companies to its victim list, marking the day with the most reported ransomware cases in November. Initially observed on June 22, 2022, when an individual reported file encryption with a ".play" extension on the BleepingComputer forum, the group has been primarily targeting Latin America, with Brazil as a focal point. victims's announcement on Play's website. Their tactics, techniques, and procedures (TTPs) bear resemblance to known ransomware families like Hive and Nokayawa, particularly their use of the AdFind tool for gathering Active Directory data. Key Points: - Play ransomware has shifted to a Ransomware-as-a-Service (RaaS) model, exhibiting uniform attack patterns across sectors. - The ransomware uses legitimate account credentials, exposed RDP servers, and exploits specific FortiOS vulnerabilities for initial access. - They propagate their ransomware internally using Group Policy Objects, scheduled tasks, PsExec, or wmic, culminating in file encryption with the ".play" extension. - The cumulative number of ransomware incidents in November spiked, with 36 cases reported in a single day. - Businesses impacted include SinglePoint Outsourcing, Thillens, Elston-nationwide, AMERICAN INSULATED GLASS, MooreCo, Continental Shipping Line, Retailer Web Services, SurvTech Solutions, EDGE Realty Partners, and Noble Mountain Tree Farm. Assessment: Play ransomware's transition to a RaaS model and the replication of TTPs across attacks suggest a systematic approach and the possible use of a RaaS kit. The group's focus on smaller organizations, presumably due to their ability to meet ransom demands approximately $1 million, indicates a calculated targeting strategy. The recent spike in attacks on U.S. companies signifies an expansion beyond their usual Latin American targets. Outlook: The evolution of Play ransomware into a RaaS model could mean a broader reach and a higher frequency of attacks, posing a threat beyond the Latin American region. The specific targeting of organizations with the financial capacity to pay substantial ransoms underscores the need for enhanced security measures and awareness. Key Intelligence Gaps - Confirmation of the extent to which Play ransomware's TTPs align with other ransomware families. - Assessment of the impact of the RaaS model on the frequency and sophistication of Play ransomware attacks. - Evaluation of the risk to organizations based on the observed targeting profile of Play ransomware. Intelligence Requirements: - Investigation into the recent attacks to identify any evolving patterns or new TTPs employed by Play ransomware. - Development of threat mitigation strategies tailored to the specific vulnerabilities exploited by Play ransomware. - Strengthening defenses against RDP and FortiOS vulnerabilities to prevent initial access by threat actors.

dark web image
MadCat Ransomware: Scammers in Disguise:

A recent investigation has unveiled a new strain of ransomware, dubbed MadCat, linked to a group of suspected scammers targeting fellow criminals on the dark web. The findings reveal a complex web of deception, fraud, and intricate cyber schemes. group’s leak website, stating that it will launch on 30 November, 2023 Recently an announcement of a new ransomware group, Mad Cat, seemed like a typical entry of a ransomware group into the cybercrime arena. However, further investigations have unraveled a more convoluted narrative. Deceptive Tactics on the Dark Web Cyber investigator Karol Pacoriek and the team at CSIRT KNF cybersecurity firm have linked Mad Cat to several dark web accounts known for fraudulent activities. These accounts, including @plessy(the one mentioned on the leak site), @rooted, and @whitevendor, were previously involved in the fake sale of stolen passport details, including a bogus offer of 246,000 screenshotted Polish passport pages. The CSIRT report detailed how these accounts operated scams on dark web platforms, deceiving other criminals with offers of illegal identity documents. One such incident involved @plessy offering an entire collection of these documents for $3,400. The report noted similarities in the writing style and methods of these accounts, suggesting they might be operated by the same individual or group. Ripple Effects Among Cybercriminals The deceptive practices have not gone unnoticed among other criminals. On BreachForums, a cybercriminal complained about being conned by @rooted in a scheme involving Japanese and Chinese passport details. This pattern of deception indicates a lack of trust even among cybercriminals. report for @rooted in a hacker forum Pacoriek’s investigation also unearthed links between these aliases and the MadCat ransomware group. The plessy[.]eu web address and associated Telegram channels pointed to a network of interconnected identities and criminal activities. The CSIRT report further established connections between these identities and MadCat's operations. Doubtful Future for MadCat With their deceptive practices exposed, the future of MadCat in the ransomware field seems uncertain. Pacoriek anticipates their downfall, comparing it to other short-lived cybercrime entities. The negative backlash and the abandonment of accounts by these actors indicate a possible retreat from their criminal endeavors. This case underscores the intricate and often duplicitous nature of the cybercrime world. It highlights the importance of continual vigilance and comprehensive investigation in understanding and combating the ever-evolving landscape of cyber threats.  To navigate the complex and deceptive landscape of cyber threats, SOCRadar Dark Web Monitoring provides essential tools and insights, enabling organizations to detect and counteract hidden cyber threats and protect their digital assets. This service offers unparalleled visibility into the dark web, helping to stay one step ahead of cybercriminals and their ever-evolving tactics. Dark Web Monitoring

dark web image
Source Code of qBit Ransomware is on Sale

 In a hacker forum monitored by SOCRadar, a new alleged source code sale is detected for qBit ransomware. friends, Well our product had a great response and feedback from users which was about the stealer and the ransomware built in Go lang. I would call it a success based on my plan of long term effect/usage. Speaking of researchers releasing blogs about it, specifically cloudsek: CloudSek qBit Article You've better explained the product more then me, haha. Thank you bablu kumar, a geek. If this doesn't seem to make sense for you as a buyer, and want for information on the product. Check out: http://** http://** Anyways, even if the language seems to be very versatile, efficient and very fast as proven on the video. The binaries seem to be much bigger which wouldn't be such an nuisance in this modern days. But we do love small binaries, much better for crypts and spreads. So, I've invested some time on RUST and C/C++ building cryptors behind the scenes and improving them for real world scenarios. Which brings me into this forum post. Basically, instead of selling it as an service. I will sell the full source code as it IS to the buyer for an fixed amount of price. (middleman accepted and is mandatory but fee is paid by the buyer). To the buyer, he/she will get support on using the source, building or if extra improvements is needed. It will be provided free of charge. This scheme of business might be suitable for those who want an fresh code of ransomware which is not skidded or stolen from any where else and personally suited to its core according to the buyer and is from an knowledgeable person who knows building/handling and maintaining the code. So, that's it for today folks. - Contact me at Session or Telegram for further more discussion, and ONLY message me if you're serious. Session ID: ** Telegram: @**

dark web image
Cactus Ransomware Group Targets Petersen Health Care in the USA

Petersen Health Care, a prominent healthcare provider in the United States, has reportedly been added to the Cactus ransomware group's data leak site. Ransomware’s victim listing on their leak blog Leaked Data Details The Cactus ransomware group has released a sample of the compromised data, which alarmingly includes scans of passports, driving licenses, and other sensitive personal documents. While the specific volume and types of all the data breached have not been detailed, the nature of the leaked sample points to a severe privacy and security violation. Implications of the Breach The leak of such sensitive personal information from a healthcare institution is particularly concerning. It jeopardizes patient privacy and exposes individuals to potential identity theft and fraud risks. leak shared by Cactus Ransomware This incident underscores the growing threats faced by healthcare providers in the digital age. These organizations hold vast amounts of sensitive personal health information, making them attractive targets for cybercriminals. SOCRadar: Enhancing Cybersecurity The rapidly changing cybersecurity landscape necessitates a vigilant approach, especially in sensitive sectors like healthcare. In response to the escalating cyber threats facing critical industries, SOCRadar offers specialized monitoring and threat intelligence services. Our solutions are designed to help organizations proactively identify and mitigate cyber risks. such solution offered by SOCRadar is Attack Surface Management and Ransomware Check

dark web image
Ransomware Attack on Asaf Technology in Support of Palestine

In a significant cybersecurity incident, the company "Asaf Technology" allegedly became the latest victim of a politically motivated ransomware attack. A recent Telegram post by the Tiger Electronic Unit indicates that they have successfully encrypted all data belonging to Asaf Technology, which they refer to as a "Zionist company." Tiger Unit’s Telegram post The attackers claim to have gained full access to the company's data and have also compromised the accounts of engineers and officials within Asaf Technology. This attack is part of the broader cyber conflict related to the ongoing Israel-Hamas tensions. Context of the Cyber Conflict Recent months have seen an escalation in cyber activities related to the Israel-Palestine conflict. Various ransomware groups have been involved, targeting entities on both sides. Previously, in our blog posts, we highlighted the complex nature of the cyber conflict, where digital warfare is used as an extension of political and territorial disputes. A recent post from another hacker group, the TYG Team on Telegram, sheds light on the strategic use of ransomware in this conflict. The group emphasizes their ongoing efforts to compromise Israeli devices and infrastructure, using their software "GDS" for expanded attacks. They state their intention to use the accessed data strategically rather than publicizing it, indicating a focused approach to cyber warfare. Team’s statement on their Telegram channels These incidents underscore the evolving nature of cyber threats within this conflict, where political motivations can drive targeted attacks against specific nations or entities. For further analysis, check out our latest blog about the conflict. ( Protected with SOCRadar In response to these growing threats, SOCRadar offers advanced monitoring and threat intelligence services. Our platform helps organizations stay ahead of potential cyber threats, ensuring timely and effective responses to emerging risks. As the situation evolves, SOCRadar continues to provide real-time updates and insights into the latest developments in this ongoing cyber conflict. Stay informed and prepared with our comprehensive threat intelligence and monitoring solutions. Dark Web Monitoring

dark web image
A New Ransomware Builder is on Sale

 In a hacker forum channel monitored by SOCRadar, a new ransomware builder selling is detected. am the sole author of the Ransomware. Ransomware itself is a ransomware project that is entirely in C++/WinAPI. By itself, it does not require any internet connection and all information is kept private - nothing is sent abroad. You can attack any type of country, organization, companies, etc. It is 100% safe and no one has ever recovered their files without paying as Ransomware uses very secure algorithms for encryption. If you decide to use my Ransomware, rest assured you will not be tricked - it uses a key scheme where the decryption key is protected by both my private key and yours Private build key that you generate. It is dynamically multithreaded (depends on the number of cores/disks) and runs only on Windows OS, in versions after Windows XP, on x86 and x64, with support for both overwriting and destroying encryption methods. The ransomware also automatically deletes backups and logs twice - before and after encryption. It also encrypts any network drive vailable on the network automatically. The only two requirements to run an embedded Ransomware executable on a computer they are: - disable antivirus software - have administrator access (running the executable as administrator) There are many more features and changes - if you are interested, if you have any questions please contact me on Telegram: @Jacobs1822 Don't contact me asking how to spread ransomware - you need to learn this yourself or pay me to do it Smile Some characteristics of Ransomware - Added new mandatory test file decryption with payment of developer fee to prevent fraud the victim - The number of encryption/decryption threads now depends on the number of disks - Prevents the system from going to sleep/hibernation while the encryption/decryption process is active - Increased speed of deleting unwanted software - Added option to disable taskmgr/regedit on target system (re-enabled after decryption) - Added new encryption method - replace instead of copy/encrypt/destroy the original method - Produces the same results, but may cause file corruption if the Ransomware is stopped before the encryption process is complete, but it should be a little faster and does not require additional space - Shredding now always deletes the fragmented file - Improved file destruction speed - Decryption always uses the replacement method - user should not stop Decrypter until it finishes - Added option to decrypt multiple Redeemer Public Keys received from the victim on once (for large computer networks encrypted with the same version of Ransomware and the same Redeemer Private Build Key, value and campaign ID) - Different options renamed in Toolkit/Decrypter - Better encryption/decryption speed Telegram: @****

dark web image
New Recruitment Post is Detected for Qilin Ransomware Group

In a hacker forum monitored by SOCRadar, a new recruitment post is detected for Qilin Ransomware Group. day to all! We are recruiting teams of experienced pentesters for our partner program. Briefly about the available functionality: Reliable encryption algorithms (chacha20\AES) + RSA4096 Customizable encryption modes to select the ideal balance of encryption speed and cryptographic strength 4 modes of software operation:normal - completely encrypts the filestep-skip - encrypts in spots with a fixed size of the spot and the skipped partfast - encrypts the beginning of the filepercent - encrypts in spots with a fixed spot size and a dynamic skip portion based on file size Ability to reboot the machine in safe-mode with automatic login and file launch Directed encryption (drives\folders by specifying the path, remote machines by specifying the machine’s IP) Ability to disable various filters when running a file if necessary (functionality at your own peril and risk) Killing the most important services and processes for the most effective encryption and eliminating the possibility of decryption Freeing files occupied by services and processes Cleaning log systems and deleting shadow copies Ability to distribute the file over the network (subject to the credentials transferred during assembly) A proven preset of settings in the panel, but if necessary, you can add parameters specific to your network The build does not store all the credentials for the company to enter the landing, which will exclude “left people” when conducting a dialogue with the company And many more different features that you will get acquainted with during the work Panel: Build Configurator Guest access (with the ability to limit the rights of guests to various actions) Full support of dialogues with your targets (if you wish, you can do this yourself) You will also have access to dialing/SMS spam services 24/7. The written software is a unique project, and not just another fork of the source codes of other software lying around in the public domain. Under win, the build will be pure Rust, which immediately gives it an advantage in speed and security. For LINUX/ESXi systems this is pure C. First PM contact We work with English speakers only after an interview. We do not work in CIS countries

dark web image
New Version of Knight Ransomware is Detected

In a hacker forum monitored by SOCRadar, a new version ransomware is detected which Knight Ransomware. have updated version 3.0, after several months of practice we made the third upgrade, and the third upgrade is a very significant upgrade, including the panel and the locker, compared to the version 2.0, added a lot of features. The encryption speed of the 3.0 version of locker is very fast, of course you can use any organization's locker to compare with us, in 3.0 locker we make the following updates: Added more kinds of SMB laterally, and added automatic extraction of HASH of credentials of logged-in shared networks for SMB laterally! Updated the algorithm to increase the encryption speed, increasing the encryption speed by about 40%, and we provide -fast (fast encryption header) and -thread (custom thread encryption) parameters in version 3.0. Updated:Replace all files' icons of the target computers. Rewrote ESXI using C to support version 5 and above.5.Priority execution directories have been added, and multiple priority directories can be entered when generating online.6.Added random obfuscation to make locker more difficult to detect by AV7.Added more system support, Windows 7 & above,Linux(include Debian,*bsd,solaris,android and other.),MacOs, All systems have been tested.Panel Feature Support: 1.Assign each target a separate TOR domain while we provide a high strength encrypted chat room to assign separate chat sessions to different computers under the same target. 2.Each target is equipped with a separate wallet address, 2 level affiliates can directly add their own wallet address, and individual "offer" feature is provided (separate offer can be made for each different chat session) 3.Added chat room session status for the target (you can see when it was last accessed and whether it is online or not). 4.The BypassAV function is provided in the panel, You can upload files for secondary obfuscation encryption (tested to bypass 90% of the AV). 5.Added Team Collaboration allows you to share separate target chat rooms with your team members and work together to get the job done. 6.Changed the target page to support automatically displaying the wallet address and receiving offers online, will automatically detect if it is the correct amount after payment, and will automatically provide key and decryptor download options after payment. We are still looking for partners, but we don't need inexperienced people at the moment, and we will set certain conditions to filter analysts in the forums. Tox:**

dark web image
BianLian is Targeting Aviation Industry in Canada

The BianLian ransomware group, under constant surveillance by the SOCRadar Dark Web Team, has announced its latest victim on its dark web platform: a Canadian-based aviation firm.’s claim post about Air Canada The group alleges to have exfiltrated 210GB of files from the Canadian aviation firm Air Canada, adding the company to their victim list. Established in 1937, Air Canada is Canada's largest airline and its official flag carrier, renowned for its pivotal role in the global aviation sector. of allegedly stolen data shared by BianLian According to BianLian's claims, the stolen data includes technical and operational data from Air Canada spanning 2008 through 2023, SQL backups, confidential documents, and more. Who is BianLian? BianLian is a threat actor that runs a ransomware operation with the same name BianLian ransomware. It first appeared as an Android banking trojan in 2019. However, like its namesake, the traditional Chinese art of “face-changing,” BianLian has demonstrated remarkable adaptability, shifting its operations to focus on ransomware attacks and becoming a ransomware strain first observed in July 2022. Actor Card of BianLian You can read the “Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group” here. ( Updated with SOCRadar You can stay up to date with the latest Dark Web news via using the Dark Web News page in SOCRadar XTI’s CTI Module. Additionally, follow posts from various ransomware groups in the Ransomware News section under the Dark Web News page. XTI’s CTI Module’s Dark Web News / Ransomware News Page

dark web image
GhostSec Unleashes ‘GhostLocker’ RaaS: A Stealthy Ransomware Service

The threat group known as GhostSec officially established a Telegram channel for its new tool, GhostLocker, on October 8, 2023. In the ever-expanding threat landscape, GhostLocker emerges as yet another entity that organizations should vigilantly watch out for. RaaS In a bold move, the threat actor labeled their new ransomware service as the "new generation of RaaS" and asserted that its ransomware offers military-grade encryption on runtime, ensuring that victims cannot decrypt the software through decompilation or obtain the decryption key by inspecting web requests or in the case of server exposure. The ransomware is also "fully undetectable," and the threat actor boasts a zero detection rate for all major antivirus software. The GhostLocker Telegram channel swiftly amassed over 100 subscribers, gaining traction in GhostSec's official channel as well. Some users have expressed interest in a demo to further promote the tool, particularly in a business context. Although the service comes with a substantial price tag – initially priced at $999 during the beta phase and later at $4,999 – the threat actor only requests a 15% commission fee from all revenue after the one-time payment. Furthermore, they offer to manage all negotiations for their affiliates while providing a web panel for monitoring negotiations should affiliates wish to intervene at any point. The threat actor has also noted that this is an early version and is committed to significant improvements in the future, with plans to reduce its size and enhance encryption speed as the first step. Similarities in Ransom Note Additionally, GhostSec posted a video demonstration showcasing GhostLocker's functionality. There is one particularly striking detail in the video: the ransom note of GhostLocker is designed similarly to that of LockBit Ransomware. ransom note Who is GhostSec? GhostSec, also known as Ghost Security, emerged onto the digital scene in 2015 as a self-proclaimed vigilante group. Its inception can be traced back to the well-known hacktivist collective, Anonymous. While Anonymous is known for its diverse range of operations, GhostSec assumed a more specific and targeted mission – the active combat against online terrorism and violent extremism. The group is acknowledged for its actions against ISIS-affiliated websites that disseminated Islamic extremism, as part of the campaign recognized as #OpISIS. In addition to its primary objective, GhostSec has engaged in the promotion of human rights and the defense of online freedom in various countries, most notably Cuba. The group has also participated in the Russia-Ukraine conflict, executing a series of cyberattacks against the Russian government. Track Threat Actors with SOCRadar SOCRadar's Threat Actor Tracking module equips organizations with a comprehensive perspective on both known and emerging threat actors, empowering them to swiftly and efficiently recognize and counter threats. The platform encompasses a wealth of information on threat actors, including their Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IOCs), and infrastructure, among other critical details. Threat Actor Tracking

dark web image
Play and Qilin Ransomware Groups Announce New Victims: U.S. Security and Financial Firms Allegedly Breached

In recent dark web developments monitored by the SOCRadar Dark Web Team, two prominent ransomware groups have announced their latest victims, both based in the U.S. Play Ransomware Threatens Security Instrument Play Ransomware continues its relentless attacks. After claiming to breach 25 firms in September, Play now says it infiltrated the systems of the U.S.-based company Security Instrument.’s announcement Founded in 1960, the privately owned U.S. entity, Security Instrument Corporation, offers electronic security, life safety detection, and related monitoring services. Play Ransomware now threatens to release sensitive data allegedly they seized from the company. This data supposedly includes private and personal confidential data, client and employee records, IDs, payroll, contracts, and financial data. However, Play Ransomware hasn't disclosed the extent of the breach or presented any sample data. Qilin Ransomware Targets DiTRONICS Financial Services Discovered in August 2022 and also known as Agenda, Qilin announces its latest victim, the U.S.-based DiTRONICS Financial Services.’s announcement Since its foundation in 1998, DiTRONICS has positioned itself as a leading source of cutting-edge technologies and high-end funds access services. With a vast database of gaming patrons and annual processing of billions, DiTRONICS provides a wide array of services. Their portfolio includes ATMs, Ticket Redemption Kiosks, Check Guarantee Software, Cash Advance Software, and a new Title 31 compliance solution. While Qilin hasn't stated the exact volume of the data breach, they have shared 19 images allegedly belonging to the company. They claim these images contain breached business contracts, financial papers, and other confidential company documents. How Can SOCRadar Help? SOCRadar’s Threat Feed and IoC Management module helps organizations manage their threat intelligence feeds and indicators of compromise (IoCs). Threat Feed / IoC tab Also, SOCRadar’s Threat Actor Tracking module provides organizations with a comprehensive view of known and emerging threat actors, including their TTPs, IOCs, and infrastructure. This information can be used to identify and respond to threats more quickly and effectively. Threat Actors tab

dark web image
New qBit Ransomware is on Sale

In a hacker forum monitored by SOCRadar, new ransomware selling is detected which is called qBit. friends, I'm excited to introduce you to a new ransomware made from scratch. It's written in Go with the functionalities of efficient concurrency. Meaning faster speed, low detection's and versatility. From the early days of Ransomware, we've been many players recruit affiliates with a business model of RaaS. Which is Ransomware as a Service. The recruits are very specific and many of us can't join them even if we're skilled. So, this product will be but not limited to: Affordable, usable and customizable. As it's brand new, the detection's are much lower and obviously the build shared will be obscured for much low detection's rate. The buyer don't need to worry about using a crypter. Each build is unique. Enough rambling, what's in the package? Fast Encryption with a Hybrid Logic - Salsa20 + RSA 2046 Intermittent Algorithm's - Full, Partial & Smart Mode Timely Mannered Execution Obscured binaries leading to much harder for analysts Anti-Analysis Direct Syscalls Multi-Threaded Decryption tool In case the buyer wants a pre-execution shell-code injection, files exfiltration or personalized information about the target computer to be sent to his C2, it can be done without any extra cost to the purchase! It has a beautiful UI if enabled with -log parameters though it isn't optimal. Below two videos, 1st = Log View + Partial Encryption Mode - Demo Video<- 2nd, No Log View + Smart Encryption Mode - Demo Video <- If you're interested in buying or working together to customize it even further feel free to contact me at Session or DM here! - Peace out!

Sony Group Corporation Targeted by Dark Web Cybercriminals

The SOCRadar Dark Web research team recently identified a new entry on a dark web platform associated with the Ransomed[.]vc group, and it involves none other than the renowned Japanese multinational conglomerate, Sony Group Corporation.[.]vc's claim about Sony Ransomed[.]vc alleges a successful compromise of Sony's comprehensive systems. The threat group asserts that Sony has refrained from meeting their financial demands, leading them to decide to auction the sensitive data. The group claims that the unwillingness of Sony to pay the ransom has prompted them to expose and market the acquired data. data shared by Ransomed[.]vc To substantiate their assertions, Ransomed[.]vc released a selection of what they purport to be authentic data from Sony. Among these files were a PowerPoint presentation, allegedly created by Sony, along with internal screenshots and Java files. actor's post on a hacker forum The SOCRadar Dark Web Team has identified the threat group actively marketing unauthorized access to what they claim are compromised systems of Sony Group Corporation on a hacker forum. This covert marketplace is significantly dominated by Russian cyber threat entities, suggesting potential interest or involvement of these actors in procuring the breached data. This year, Sony fell victim to the CL0P Ransomware group's darkweb portal after the MOVEit vulnerability was exploited. ( Cyber Attack on Lockheed Martin and US Army Transport Corp by KillNet The KillNet threat group recently announced on their Telegram channel that they've targeted Lockheed Martin and the US Army Transport Corp. They pointed to the U.S. government's decision to deliver ATACMS missiles to Ukraine as their motivation behind the attack. of KillNet Killnet is a pro-Russian hacktivist group known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries since the Russia-Ukraine war broke out last year. DDoS is the primary type of cyber-attack that can cause thousands of connection requests and packets to be sent to the target server or website per minute, slowing down or even stopping vulnerable systems. Enhance Your Defense with SOCRadar SOCRadar XTI platform’s comprehensive solutions empower you to swiftly identify, assess, and remediate vulnerabilities in real-time. SOCRadar's Vulnerability Intelligence enhances security by continuously monitoring vulnerabilities. This module allows you to search for vulnerabilities, access their details and related activities, and monitor hacker trends.’s Vulnerability Intelligence Furthermore, the Attack Surface Management module enables you to securely monitor your asset's status and receive notifications about emerging vulnerabilities Company Vulnerabilities

dark web image
Kuiper Ransomware is on Sale

In a hacker forum monitored by SOCRadar, new ransomware selling is detected which is called Kuiper Ransomware. introduce our partnership affiliate raas program KUIPER Developed in Golang , written from scratch with no external sources from other software. WARE: -Encryption algorithm AES-CFB with random key/IV ( AES key encryption with RSA-4096 ) -Customization of binaries for every attack and network if needed for better deployment and higher success % of damage caused in attack. -Arguments through terminal typing --help available: -p PATH ( set path to crypt ) Default: "/A-Z" disks ( Windows related ), root = "/" | non-root = "/home" ( *NIX related ) -reboot yes/no ( Default: yes ) Reboot system after crypt process. -note yes/no ( Default: yes) Leave note while (yes) or after (no) crypt. -name yes/no ( Default: yes ) .kuiper extension changes while (yes) or after (no) crypt. -Unique key for each network. -No dependencies needed. -Critical system folders and extensions excluded for crypt. -Self deletion of binary after crypt process is finished ( Windows related ). Before crypt process is finished ( *NIX related ) -Stop and kill services and processes on loop to avoid interruptions ( including AVs, EDRs, SIEMs, blue team tools and defenses related) before and meanwhile crypt. -Removal of shadow copies and local backups before and after crypt process. -Windows Defender deactivation through multiple functions before crypt process is started. -Memory clean after crypt process is finished. -Highly obfuscated, polymorphic code, anti-reverse methods used, evasion techniques applied, manually crypt binaries (can provide better manually customized evasion depending on attack if needed**) , x64 build is UD for most AVs/EDRs in Windows related (x86 build less evasion), FUD for *NIX related. OS: Windows Server 2008 to 2022+ Windows desktop 7 to 11+ *NIX > Linux, ESXi, NAS, (+)** EXTRA: Will provide unlimited exfiltration servers on demand. Can provide a workspace for you when needed and necessary**. Can provide our scripts/tools/techniques to perform exfiltration,lateral and deployment when needed. Can provide help through post-exp operations when needed or required. Our communications with clients are through TOX + mail. Leaks blog, control panel and chat not yet available. ( Already coded and ready to be uploaded** ) DDoS/Spam/Social extortion available ( only HQ targets** ) We offer cleaning your crypto when needed. 24/7 support for affiliates. RULES: In depth interview needed. Prohibited CIS attacks. ROLES: Currently providing corporation targets to be worked. Post-exp operators/groups needed. Initial access providers/groups needed. Extortion/Social experts needed. CONDITIONS: We take 10% if you provide target + post-exp. We take 40% if we provide target + ransomware + extortion + negotiations**. ** = needs to be previously discussed. Constant updates, upgrades and new versions will be accomplished over time and will also be posted here. We are open for suggestions and appreciate constructive criticisms.

dark web image
Everest Ransomware Group Claims Access to 400 Million Insurance Customer Records

In a recent dark web revelation monitored by the SOCRadar Dark Web Team, Everest Ransomware Group has added a prominent U.S.-based insurance company, State Farm, to its list of victims. The group claims to have successfully breached State Farm's network and stolen a vast database containing the records of 400 million insurance customers. Ransomware Group dark web platform Who is Everest Ransomware Group? The Everest Ransomware group is a cybercriminal group that has been active since December 2020 and is observed operating on various platforms such as XSS Forum and Breached. Everest is known for carrying out data extortion, ransomware activities, and significant incidents such as the sale of network access to the Argentina Ministry of Economy.'s announcement on BreachForums about the Argentina Ministry of Economy (Source: Daily Dark Web) The Stolen Data: What's at Risk? Everest Ransomware Group has not provided specific details about the contents of the stolen database, but it is likely to include a wide range of sensitive information, such as: - Personally Identifiable Information (PII): Names, dates of birth, Social Security numbers. - Policy Details: Information about insurance policies held by customers. - Payment and Billing Information: Credit card details and payment history. - Vehicle Information (for auto insurance): Vehicle identification numbers, make, model, and more. - Property Information (for home insurance): Property values, locations, and other details. Potential Threats and Misuse of the Stolen Data The stolen data presents a goldmine for cybercriminals, who may exploit it in various malicious ways: Identity Theft: Armed with PII, threat actors can engage in identity theft, committing fraudulent activities in the victim's name. Phishing and Social Engineering: Personalized phishing attacks can deceive recipients into revealing more sensitive information or clicking on malicious links. Insurance Fraud: Policy details and claims history can be used for fraudulent insurance claims, resulting in financial losses for the insurance company. Extortion: High-profile individuals may be targeted for extortion, leveraging the stolen data. Targeted Scams: Scammers can pose as insurance agents, offering fake policy upgrades or discounts, thereby tricking customers into making payments to fraudulent accounts. Credential Stuffing: Cybercriminals can use stolen email addresses and personal information to gain unauthorized access to other online accounts, especially if individuals reuse passwords. Data Brokerage: The stolen data might be sold on the dark web or to other malicious actors, enabling further fraud and illicit activities. Fraudulent Loans and Credit Applications: Access to personal and financial data, including credit scores, can lead to fraudulent loan and credit card applications, causing financial losses for individuals and institutions. Protecting Yourself Against Data Breaches In light of this breach, individuals should take immediate steps to safeguard their information: - Monitor financial accounts for suspicious activity. - Change passwords and enable two-factor authentication for online accounts. - Be cautious of unsolicited communications and verify their authenticity. - Report any unusual activity to law enforcement and relevant organizations. SOCRadar continuously monitors the entire web, including surface and deep/dark web sources, to identify and track Personally Identifiable Information (PII). Among the sensitive data relevant to your organization are compromised account credentials, credit card numbers, and other information pertinent to your organization. By swiftly detecting such information, SOCRadar helps protect your organization against identity theft, fraud, and data breaches. Dark Web Monitoring Focusing resources on the most critical security incidents is essential in the ever-evolving threat landscape. SOCRadar's historical precision and extensive database enable analysts to filter through the noise and pinpoint relevant security items. By prioritizing incidents, SOCRadar ensures that your security team can allocate their time and energy where it matters most, mitigating risks effectively.

dark web image
France’s Decision on Banning Burqa Unveiling New Cyber Attacks

The SOCRadar Dark Web Team closely monitors obscured sections of the dark web to uncover potential threats that could harm global organizations. Here are the findings concerning France. Hacktivist Groups Launch Coordinated Cyber Attacks Targeting French Critical Infrastructure In a recent development that has sent shockwaves through the cybersecurity community, hacktivist groups have launched a series of coordinated cyberattacks aimed at crippling critical infrastructure and institutions in France. The attacks, claimed by Islamic-based hacktivist groups Team Insane PK, Mysterious Team Bangladesh, and Team Herox, highlight the growing sophistication and collaboration among such threat actors on the dark web. The SOCRadar Dark Web Team, renowned for its vigilance in monitoring hidden corners of the internet, has been closely following the activities of these groups. Their reports reveal that the attacks primarily took the form of Distributed Denial of Service (DDoS) attacks, designed to overwhelm the targeted websites and services, rendering them temporarily inaccessible. Escalation Triggered by Political Events announcement of threat actor One of the targeted groups, Mysterious Team Bangladesh, made an ominous announcement on August 23 through its Telegram channel, stating its intention to launch cyber attacks on France's critical infrastructure in response to political events unfolding in Africa. This marked the beginning of a series of assaults on various French websites. The Sequence of Attacks Insane Pk claims to have crashed France's Official Government website. Shortly after the announcement, Team Herox claimed responsibility for disabling a transportation website through DDoS attacks. Team Insane PK followed suit, asserting that it had rendered the official visa website for France unavailable. The magnitude of these claims, if verified, could significantly impact France's online operations and services. Rising Tide of Attacks and Solidarity Call Perhaps the most concerning aspect of this wave of attacks is the escalation observed after August 29. These groups intensified their claims of successful attacks and called all Muslim hacktivists, activists, and journalists to rally behind their cyber campaign. Their motivation for this increased aggression is reportedly the recent ban on the Burqa in French schools, which has ignited a wave of debate and reactions. actors' explanation of why they are targeting France and announcements of support The affected websites span various sectors, from transportation and education to commerce and healthcare. Notable targets include the official websites of several French airports, prominent educational institutions, government agencies, and even France's version of Amazon. Insane Pk claims to have crashed Amazon France. Anonymous Sudan Joins Cyber Targeting In a concerning development, the hacktivist group Anonymous Sudan has turned its attention towards France. Employing tactics similar to other hacktivist groups, Anonymous Sudan targets various services within the country. Sudan’s announcement The Resilience Challenge As these hacktivist groups continue to exploit the interconnected nature of the digital world, concerns grow regarding the resilience of critical infrastructure to such attacks. While the impact of DDoS attacks is often temporary, their ability to disrupt vital services and create chaos cannot be underestimated. Enhance your organization’s defense against Denial-of-Service (DoS) threats with SOCRadar Labs’ DoS Resilience module. DoS Resilience allows you to test your domain’s or subnet’s ability to resist DoS attacks. Labs DDoS Resilience LockBit Ransomware Group: Resurgence Amid Alleged Struggles In a surprising turn of events, the LockBit ransomware group has emerged from a period of relative dormancy to list more than 20 victims within a mere day. This rapid resurgence follows widespread discussions about the group's alleged operational struggles, raising questions about the authenticity of their recent actions. of LockBit shown in group’s dark web platform Amidst claims of internal challenges, LockBit's recent actions appear to be aimed at disproving these assertions while safeguarding their tarnished reputation. By swiftly revealing a list of victims, including seven prominent French firms, the group seeks to demonstrate its continued capability to execute successful cyberattacks. Notably, the leaked victim list encompasses diverse entities, including French firms operating in construction, automotive, industrial machinery and equipment, transportation, and even a town hall administration. Who is LockBit Ransomware? LockBit 3.0 is a Ransomware-as-a-Service (RaaS) group that continues the legacy of LockBit and LockBit 2.0. From January 2020, LockBit adopted an affiliate-based ransomware approach, where its affiliates use various tactics to target a wide range of businesses and critical infrastructure organizations. LockBit has been highly active in deploying models such as double extortion, initial access broker affiliates, and advertising on hacker forums. They have even been known to recruit insiders and make contests in forums for recruiting skilled hackers; such expansionist policies have attracted numerous affiliates, have victimized thousands of entities, and continue their malicious acts. can read the “Dark Web Profile: LockBit 3.0 Ransomware” here. (

dark web image
Rhysida Ransomware Group Claims Responsibility for Prospect Medical Holdings Attack

In a harrowing development, the Rhysida ransomware group has stepped forward to take credit for the recent crippling cyberattack that targeted Prospect Medical Holdings, a prominent healthcare organization operating multiple hospitals and clinics across several states. The attack has sent shockwaves through the healthcare industry and raised concerns about the escalating threat of ransomware attacks on critical institutions. ransomware's dark web announcement Attack Details Prospect Medical Holdings, responsible for managing 16 hospitals and over 165 clinics and outpatient centers, primarily in Connecticut, Pennsylvania, Rhode Island, and Southern California, fell victim to a sophisticated ransomware assault in early August. This attack disrupted vital healthcare services, leaving medical professionals struggling to care for patients and underscoring the vulnerability of crucial healthcare infrastructure to malicious cyber threats. Rhysida Ransomware Group Claims Responsibility The Rhysida ransomware group claimed responsibility for the attack approximately three weeks after the initial disruption. The group, which has gained notoriety for its previous attacks on education and healthcare entities, asserted that it had compromised Prospect Medical Holdings' systems. of sample data published by the threat actor The threat actor boasted of their extensive haul, claiming that they had accessed and stolen a data trove of sensitive information. The stolen data reportedly includes more than half a million Social Security Numbers (SNNs), passports, driver's licenses, patient files encompassing profiles and medical histories, and financial and legal documents. Ransom Demand and Data Exposure Threat The Rhysida ransomware group issued a ransom demand of 50 BTC (Bitcoin) to monetize their illicit gains. The threat actor has warned that they will expose the stolen data to the public unless the demanded ransom is paid. They have highlighted the enormity of their loot, revealing that it comprises a staggering one terabyte of unique files alongside a 1.3 terabyte SQL database. The group shared screenshots of purportedly acquired documents as a teaser of the compromised information. Who is Rhysida? Rhysida is a Ransomware-as-a-Service (RaaS) group that emerged at the end of May 2023. Despite being a newcomer, the group has quickly established itself as a significant ransomware operation. Their first high-profile attack was against the Chilean Army, marking a trend of ransomware groups targeting Latin American government institutions. On June 15, 2023, the group leaked files stolen from the Chilean Army, which turned the group’s claim as true. comprehensively understand Rhysida ransomware and its recent activities, consider exploring the insights provided in the 'Threat Profile: Rhysida Ransomware' blog. ( group positions themselves as a “cybersecurity team” who are doing their victims a favor by targeting their systems and highlighting the supposed potential ramifications of the involved security issues. How Can SOCRadar Help? SOCRadar offers continuous monitoring of digital assets, promptly generating alarms for any emerging threats. This proactive approach strengthens overall security and ensures prompt detection of potential exposures or vulnerabilities affecting your assets. You can monitor organizational assets and efficiently manage alarms using SOCRadar’s Attack Surface Management (ASM) module.’s Attack Surface Management (ASM) module

dark web image
LockBit Ransomware Targets Australia's Parcel Delivery Company

The LockBit ransomware group, which is under constant surveillance by the SOCRadar Dark Web Team, has reportedly added an Australian-based company to its list of victims on their dark web platform. Ransomware's Dark Web Announcement The LockBit ransomware group has claimed that they successfully breached the systems of APD Parcel Delivery and subsequently added the company to their list of victims. APD Parcel Delivery is renowned as one of South Australia's most prestigious parcel delivery companies. The company provides a versatile and straightforward solution for the transportation of parcels and freight. Their services span from same-day courier options to express and overnight parcel deliveries, as well as extensive national and break-bulk freight offerings. To date, LockBit has refrained from disclosing any specifics regarding the volume or nature of the compromised data. However, the threat actors have warned that they will release data related to APD Parcel Delivery if the demanded ransom is not settled by September 12. Who is LockBit Ransomware? LockBit 3.0 is a Ransomware-as-a-Service (RaaS) group that continues the legacy of LockBit and LockBit 2.0. From January 2020, LockBit adopted an affiliate-based ransomware approach, where its affiliates use various tactics to target a wide range of businesses and critical infrastructure organizations. LockBit has been highly active in deploying models such as double extortion, initial access broker affiliates, and advertising on hacker forums. They have even been known to recruit insiders and make contests in forums for recruiting skilled hackers; such expansionist policies have attracted numerous affiliates, have victimized thousands of entities, and continue their malicious acts. can read the “Dark Web Profile: LockBit 3.0 Ransomware” here. ( Indicators of Compromise on SOCRadar SOCRadar continuously monitors threat actors and malware, offering comprehensive insights encompassing their latest mentions, activities, and indicators of compromise (IOCs). Leveraging the Threat Actor Tracking feature of SOCRadar, users can access this information. Actors on SOCRadar platform By harnessing the power of SOCRadar, organizations can obtain actionable intelligence and define use cases more effectively to facilitate the detection and prevention of malicious activities, bolstering their cybersecurity defenses. Furthermore, SOCRadar’s External Attack Surface Management (EASM) functionality provides timely alerts regarding potential threats to digital assets, ensuring your organization is not exposed to attacks. Vulnerabilities on SOCRadar platform

2 Ransomware Groups Shared Collective Victim Listings, Attacks are Getting More Frequent.

BlackBasta Ransomware Group Adds 20 New Victims to Their Dark Web Portal In a world where cybersecurity threats are an ever-present danger, new claims have emerged that sends a cautionary reminder to organizations worldwide. Firstly, The BlackBasta ransomware group, known for its malicious activities, has recently claimed to have added 20 new victims to their dark web platform, namely the USA (12), Germany (6), Netherlands (1), and India (1), alleging that their systems have been infiltrated.’s Dark Web Platform United States - Twin Towers Trading Inc - SynQuest Laboratories - Alliance Solutions Group LLC - Winger Companies - Lehigh Construction Group Inc - Phillips Staffing - Shield Packaging Co Inc - Adams Bank & Trust - Arrow Aviation - Raleigh Housing Authority - Andromeda Systems Incorporated - Estech Systems Inc Germany - Deutsche Leasing Gruppe - Heidelberg Materials - SELLWERK - Bühnenbau Schnakenberg - Maxim Markenprodukte GmbH & Co. KG - DELTEC Automotive GmbH & Co. KG Netherlands - Van der Ven Auto's India - Prestige Group The threat actor, BlackBasta, has shared explicit examples of the data it claims to have compromised. The disclosed data includes highly sensitive information such as identity photos, driver's license photos, credit card photos, bank documents, as well as official and confidential documents Metaencryptor Team’s Ransom Claims Another batch of ransomware victim listings came from Metaencrpytor Team. The group, which posted its manifesto as in the below figure in 2022, just posted this week after more than a year, added 12 companies to its victims on August 16; despite the attacks being from different times, they listed their victims in one go. Team’s data leak blog. On the leak site, which has both onion and clear web links, the chat logs can be viewed, and the leak files can be browsed. Their victims are as follows: - Münchner Verlagsgruppe GmbH, Germany -Schwälbchen Molkerei AG, Germany -Heilmann AG, Germany -ICON Creative Studio, Canada - CVO Antwerpen, Belgium - Autohaus Ebert GmbH, Belgium - Kraiburg Austria GmbH, Austria - Seoul Semiconductor Co Ltd, South Korea - Bob Automotive Group GmbH, Germany - Coswell SpA, Italy - Epicure, Canada - Dillon Supply Company, US Use SOCRadar Platform to Track Threat Actors Utilizing the Threat Actor/Malware tab within the SOCRadar Platform offers you extensive capabilities to delve into the subject matter. Through this tab, you can conduct thorough research, gathering insights and in-depth information about the threat actors. Furthermore, it enables you to access and retrieve IoCs, providing valuable data points that help identify potential threats and compromised elements. Cyber Threat Intelligence Module, Threat Actor Tab

dark web image
NoEscape Ransomware Claims to Have Breached an Australian Organization's System

The NoEscape ransomware has evolved, and it's becoming a severe threat that can no longer be ignored. Just recently, SOCRadar's Dark Web Team discovered that NoEscape targeted .au Domain Administration Limited (auDA), a non-profit organization responsible for Australia's .au top-level domain. dark web platform NoEscape claims to have stolen more than 15 GB of sensitive data, including legal documents, personal information, medical reports, bank account access, and much more. They haven't shared any examples of the data. NoEscape Affiliate Program On May 22nd, a SOCRadar dark analyst detected a post introducing the "NoEscape Affiliate Program." The threat actor behind the program developed ransomware in C++, showcasing advanced encryption methods such as ChaCha20 and RSA algorithms. The software supports Windows safe mode, incorporates an automated TOR admin panel, and is even compatible with various Windows versions, Linux distributions, and ESXi. However, the program excludes CIS (Commonwealth of Independent States) countries. screenshot from SOCRadar Dark Web News The affiliate program's escalating percentage-based payout structure, ranging from 75% to 85%, also caught our attention. This indicates a planned, scalable approach to extending the ransomware's reach and effectiveness. Why You Should Care The continuous evolution of NoEscape's complexity and reach isn't just a matter of concern for organizations in Australia. The ransomware's new capabilities demonstrate an increasing threat that we must all recognize and confront. The breach of auDA is a stark reminder that we must remain vigilant and proactive in implementing robust cybersecurity measures. We must also stay informed about the latest developments in the cyber threat landscape. What Can We Do? It's not enough to simply react to these threats. We must take proactive steps: Monitor and Assess: Keep an eye on suspicious activities and potential threats. Regular assessments can identify vulnerabilities before they become a problem. Upgrade Security Protocols: Implement advanced security protocols that can counter sophisticated encryption methods. Educate and Train: Make sure that everyone within the organization understands the risks and knows how to recognize potential threats. Enhancing Vulnerability Management and Digital Asset Protection with SOCRadar At SOCRadar, we’ve designed our Vulnerability Intelligence to give you full support in effectively managing vulnerability issues and prioritizing essential patches. Our platform lets you easily search for and access detailed information about vulnerabilities, helping you stay ahead of potential threats. Vulnerability Intelligence Furthermore, our External Attack Surface Management (EASM) is a key player in safeguarding your digital assets. Through this advanced system, we carefully discover and monitor your digital landscape. We’ll quickly let you know if any issues arise that might pose a security risk. With SOCRadar, you can trust that we’re here to provide proactive protection for your online presence. Company Vulnerabilities

dark web image
Medusa Team Claims to Have Breached Postel SpA Systems

In an alarming move, the notorious Medusa Team ransomware group has announced that it has successfully breached the systems of Postel SpA, a key player in Italy's document management services and data-driven marketing communications sector. This breach is a chilling reminder of the relentless advancement of cyber threats that continue to plague businesses worldwide. Team dark web platform The announcement of this cyberattack was made on Medusa Team's dark web platform, where they not only declared their infiltration of Postel SpA's systems but also showcased some of the data they claim to have stolen. This data includes sensitive identity documents such as passports, as well as e-mails and administrative documents. According to the threat actors, a ransom of $500,000 has been demanded for the deletion of this stolen data. The group has even set a timer for August 24, after which they claim to publish all the stolen information if their demands are not met. Who is the Medusa Team? Medusa Team has become a name synonymous with cyber terror, engaging in ransomware activities and targeting various organizations across the globe. Their modus operandi usually involves breaching systems, stealing sensitive data, and then demanding a hefty ransom for the deletion of this data. Mitigate Ransomware Threats with SOCRadar SOCRadar Extended Threat Intelligence (XTI) provides its users with the most recent feed. The platform continuously tracks both existing and emerging threats and alerts your organization in the event of any impact. You can view information about threat actors, updates in their activity, and all malware threats on the Threat Actors tab on the SOCRadar platform. Threat Actors tab

dark web image
Cl0p Ransomware Gang Leaks Data Allegedly from 16 Organizations

The Cl0p ransomware gang, which is regularly monitored by the SOCRadar Dark Web team, continues to come up with a new series of threats and announcements. The announcement was made on the Cl0p ransomware gang's dark web platform. The gang announced that it published sensitive data, which it claimed belonged to 16 organizations it added to its victim list, on its Torrent site. ransomware gang's ultimatum On August 10, the Cl0p ransomware outfit issued a grim ultimatum, ratcheting up the pressure on its victims. The gang explicitly warned that it would leak data from organizations that failed to engage with them. First Revelations and Identified Victims Post-Ultimatum Come August 15, the deadline day for the ultimatum, Cl0p commenced the disclosures of organizations that had not negotiated with their operators. Data alleged to belong to these organizations was posted on the torrent site. Actor's Announcement on August 15 SOCRadar dark web analysts identified the affected organizations, which included household names such as Norton LifeLock (141.57GB), Stockman Bank (7.03GB), Baesman (9.10GB), Siemens-Energy (83.74GB), The University of California, Los Angeles (53.94GB), TrellisWare Technologies (334.1MB), Encore Capital Group (179.6MB), and Cadence Bank (161.92GB). Actor's Announcement on August 16 The ominous revelations continued into August 16, with the threat actor allegedly leaking data from eight more victims. This new wave included organizations such as Cognizant (28.83 GB), Netscout (299.39GB), Energy Transfer LP (2.79GB), Level 8 Solutions Ltd (6.11GB), AutoZone (1.10GB), Crowe LLP (99.34GB), Westat (33.48GB), and visionware[.]ca (18.31GB).'s Torrent site It's imperative to underline that the data was disseminated by a threat actor, and as of now, these are only allegations. Who is CLOP Ransomware? CLOP, aka CL0P, Ransomware, a member of the well-known Cryptomix ransomware family, is a dangerous file-encrypting malware that intentionally exploits vulnerable systems and encrypts saved files with the “.Clop” extension. The word clop comes from the Russian word “klop,” which means “bed bug,” a Cimex-like insect that feeds on human blood at night (mosquito). A distinguishing feature of CLOP is the string “Don’t Worry C|0P” found in the ransom notes. a deeper insight into the workings, tactics, and history of Cl0p ransomware, we invite you to explore our comprehensive blog, "Dark Web Threat Profile: CLOP Ransomware". Delve into this detailed analysis for more information, and stay informed about this evolving threat landscape. (

dark web image
Beyond the Shadows: Cl0p's Ultimatum and LockBit's Indiscriminate Attacks

Ransomware attacks continue to alarm many organizations around the world. The Cl0p ransomware gang posted a new announcement on the dark web platform to further escalate their threat and intensify the pressure. In addition, 14 new victims have been added to the LockBit ransomware list, once again demonstrating the seriousness of the situation. Cl0p Ransomware: A New Warning and an Ongoing Battle The aftermath of the MOVEit vulnerability exploited by the Cl0p ransomware gang continues to unfold, with new developments emerging. of Cl0p ransomware The announcement from the Cl0p ransomware group on the dark web portal indicates a strategic move to pressure companies that have been targeted. By posting the names of the companies along with the claim of possessing their sensitive data, the threat actors are attempting to publicize these companies and force them into taking action. The announcement suggests that some companies have not responded or engaged with the ransomware operators, leading Cl0p to issue an ultimatum: companies that do not initiate contact by August 15th will have their data published on both clear web and dark web platforms. The goal behind sharing this announcement could be multi-fold: Pressure and Leverage: By publicly naming companies and threatening to publish their data, Cl0p is leveraging the fear of reputational damage and potential legal consequences. This pressure could lead some companies to comply with their demands and engage in negotiations. Demonstration of Capability: Cl0p is showcasing its capability to breach organizations' security and access sensitive data. This serves as a warning to other potential targets and could create a sense of urgency for companies to enhance their cybersecurity measures. Creating Urgency: The specific date mentioned (August 15th) creates a sense of urgency, pressuring companies to make a quick decision rather than delay or seek alternative solutions. In summary, sharing this announcement may allow Cl0p to put pressure on targeted companies, demonstrate their capabilities and potentially increase their financial gains through negotiations or compliance. However, it is important for organizations to focus on sound cybersecurity practices and incident response planning to prevent and mitigate such threats. You can read the “Dark Web Threat Profile: CLOP Ransomware” here. ( Ransomware: A Global Alarm The SOCRadar Dark Web team recently uncovered a concerning announcement on the LockBit ransomware's dark web portal. The notorious LockBit 3.0 ransomware group has declared the successful compromise of 14 new victims on its blog site. These victims represent a diverse range of companies hailing from various countries, industries, and sizes. ransomware dark web platform The scope of this revelation paints a stark picture of LockBit's widespread impact. The victims span multiple countries and sectors, showcasing the ransomware's indiscriminate targeting strategy. The list includes a blend of global economic powerhouses and burgeoning economies, highlighting the ransomware's global reach. - United States (4) - Germany (3) - United Kingdom (2) - Canada (1) - South Africa (1) - Thailand (1) - Egypt (1) - Turkey (1) This announcement underscores the relentless evolution of ransomware tactics and the escalating need for robust cybersecurity measures. The LockBit 3.0 group's audacious attack on such a varied pool of victims is a clear indicator of the sophistication of modern cyber threats. It is imperative for organizations across the globe to bolster their security protocols and remain vigilant against the evolving landscape of cybercrime. You can read the “Dark Web Profile: LockBit 3.0 Ransomware” here. ( Indicators of Compromise on SOCRadar SOCRadar continuously monitors threat actors and malware, offering comprehensive insights encompassing their latest mentions, activities, and indicators of compromise (IOCs). Leveraging the Threat Actor Tracking feature of SOCRadar, users can access this information. Actors on SOCRadar platform By harnessing the power of SOCRadar, organizations can obtain actionable intelligence and define use cases more effectively to facilitate the detection and prevention of malicious activities, bolstering their cybersecurity defenses. Furthermore, SOCRadar’s External Attack Surface Management (EASM) functionality provides timely alerts regarding potential threats to digital assets, ensuring your organization is not exposed to attacks. Vulnerabilities on SOCRadar platform

Play Ransomware Gang Strikes Again: U.S. and Canadian Victims Added to List

The Play Ransomware gang has once again raised alarm bells, claiming new victims from the U.S. and Canada on their dark web platform, as reported by the SOCRadar Dark Web Team. victims of Play Ransomware The group claims to have successfully breached the systems of five organizations, adding three US and two Canadian companies to its list of victims. The victims come from a variety of industries, including a hotel in Florida, an engineering firm in Texas, a law firm in Alaska, a construction company in Ontario, Canada, and a personal care products manufacturer also based in Ontario. Breaches Across U.S. Entities: Varied Sensitive Data Compromised Three organizations from the U.S. have fallen victim to this cyber threat group. These victims span a variety of sectors, including a hotel in Florida, a Texas-based engineering firm, and an Alaska-based law firm. The gang allegedly compromised a broad spectrum of sensitive data at the Florida hotel, including private and personal confidential data, client and employee documents, client databases, client scans, and financial records. Similar data breaches reportedly occurred at the Texas engineering firm and the Alaska law firm. Despite these claims, the cybercriminals did not disclose the size of the compromised data or provide examples. Canadian Organizations Also Targeted Shifting focus to Canada, the gang asserts that it infiltrated two Ontario-based companies: a construction company and a personal care products manufacturer. The compromised data allegedly includes private and personal confidential data, client and employee documents, as well as financial and tax-related information. Once again, the cybercriminals remained silent about the size of the data breach and didn't share any examples of the compromised data. Who is Play Ransomware? On Jun 22, 2022, in the BleepingComputer forum, someone wrote that his files were encrypted with the extension “Play.” Afterward, Trend Micro published an analysis article about the new ransomware variant, Play Ransomware. The main target of Play Ransomware is the Latin American region, and Brazil is at the top of the list. Even though they seem like a new ransomware group, their identified TTPs look like Hive and Nokayawa ransomware families. One of the similar behaviors that make them look similar are they use AdFind, a command-line query tool capable of collecting information from Active Directory. For more information about the threat actor, see the "Dark Web Profile: Play Ransomware" blog. (

dark web image
Cl0p Ransomware Gang Adds 71 Victims in Single Day

The Cl0p ransomware gang added 71 victims to its rapidly growing list in a single day, according to the latest reports from the SOCRadar Dark Web Team. screenshot from Cl0p’s dark web platform The cybercriminal group, infamous for its strategy of exploiting system vulnerabilities and breaching major organizations, has taken full advantage of the MOVEit vulnerability, leaving a wake of destruction and anxiety in its path. Among the recent victims are some of the biggest names in various industries, including Deloitte, Flutter Plc., and Virgin Pulse. These attacks are a part of a growing trend where cybercriminals are turning their attention towards larger and more lucrative targets, including major organizations. distribution of the organizations that the group alleges have had their systems breached, by country. Geographically, the United States has borne the brunt of these cyber onslaughts with 38 victims, followed by the United Kingdom with 7, while Switzerland and the Netherlands each had 3 victims. The grim tally of victims breached due to the MOVEit vulnerability has crossed 500. This chilling statistic is a stark reminder of the importance of timely patching of known vulnerabilities and the implementation of strong cybersecurity measures. In conclusion, the recent spike in cyberattacks, especially by the Clop ransomware gang, underscores the urgent need for proactive cybersecurity measures. Organizations must consistently patch system vulnerabilities, i and adopt proactive detection strategies to identify threats before they can be exploited. How Can SOCRadar Help? SOCRadar’s Threat Feed and IoC Management module helps organizations manage their threat intelligence feeds and Indicators of Compromise (IoCs). Threat Feed / IoC tab Also, SOCRadar’s Threat Actor Tracking module provides organizations with a comprehensive view of known and emerging threat actors, including their TTPs, IoCs, and infrastructure. This information can be used to identify and respond to threats more quickly and effectively. Threat Actors tab

dark web image
The Italian Asset Management Company, Azimut, Has Been Targeted in a Ransomware Attack

Italian asset management company Azimut, responsible for managing assets worth over $87 billion, fell victim to a ransomware attack. The hacker group BlackCat aka ALPHV has taken credit for the attack and asserted that they had acquired approximately 500 GB of potentially sensitive data. The group has demanded an undisclosed sum of money, likely in cryptocurrency, from Azimut. However, the company has chosen not to acquiesce to the ransomware group's demands, as stated in a public announcement on July 24.’s Ransom Announcement BlackCat's ransom letter allegedly includes sensitive photos of customer data, and they claim to possess comprehensive financial information about numerous clients, such as company reports, stock details, and antique purchases. The hacker group threatens to expose this information unless their demands are met, cautioning Azimut about the severe consequences of not taking them seriously. Notwithstanding the threats, the asset management company stands its ground and announces its refusal to comply with the attacker's demands. Azimut reassures its customers that their data remains secure and unaffected by the breach. The firm confirms that BlackCat was unable to access any personal or financial information of clients, and no unauthorized transactions were carried out. To learn more about BlackCat, visit our blog. ( Your Security with SOCRadar’s Attack Surface Management As cyber threats continue to rise, it becomes crucial for organizations to identify their publicly accessible assets and be vigilant about potential vulnerabilities in their infrastructure. This awareness enables them to prioritize security measures, fortify exposed assets, and proactively address weaknesses before they become targets for exploitation. By actively managing their attack surface, organizations can bolster their security defenses and minimize the risk of falling victim to cyber-attacks. Attack Surface Management Module

dark web image
Ransomware Evolution: Cl0p's New Extortion Tactics

The ransomware landscape continues to evolve in troubling ways as groups, such as the notorious Cl0p ransomware group, are becoming more audacious with their tactics. PwC, one of the world's largest auditing and consulting firms, appears to be one of the recent victims of the group's extortion tactics. From the Dark Web to the Surface Web The Cl0p group has apparently used a novel strategy, previously seen in the playbook of the ALPHV/BlackCat ransomware group, involving the creation of surface web URLs to host and publicize the stolen data. This new strategy takes a worrying turn from the conventional modus operandi, where the stolen data was typically released on the .onion websites in the dark web. the case of PwC, the ransomware group is believed to have allegedly released the company's files unencrypted on the open web, thus making them available to anyone with the URL. method of leveraging clear web URLs mirrors the tactics of the ALPHV/BlackCat group, further highlighting the increasingly symbiotic and evolving nature of the cyber threat landscape. Growing List of Victims In addition to PwC, SOCRadar Dark Web Team reported that the Cl0p ransomware group has added 10 new victims to their dark web portal. Eight of these victims are based in the U.S., with high-profile entities such as American Airlines, Jonas Fitness Inc., SMC3, ITT Inc., Allegiant Air, Estée Lauder Inc., Bluefin Payment Systems, and Ventiv Technology on the list. The other two victims are ComReg from Ireland and Ofcom from the United Kingdom. another worrisome development, the MEDUSA ransomware group has reportedly added two new victims to their dark web portal - Health Springs Medical Center and Nini Collection Ltd., both based in the U.S. The continuing advancement of ransomware groups and their increasingly daring strategies underscore the significant threat they pose to both businesses and consumers. As these groups continue to innovate, their targets must similarly evolve their defensive strategies. Cybersecurity isn't a static field; it's a continual cat-and-mouse game. These incidents serve as a critical reminder for organizations to stay proactive in their defense, regularly updating and testing their cybersecurity infrastructure, and fostering a culture of security awareness among their employees. Mitigate Ransomware Threats with SOCRadar SOCRadar Extended Threat Intelligence (XTI) provides its users with the most recent feed. The platform continuously tracks both existing and emerging threats and alerts your organization in the event of any impact. You can view information about threat actors, updates in their activity, and all malware threats on the Threat Actor/Malware tab on the SOCRadar platform. Threat Actors page