ESXiArgs: The Consequences of Infection
VMware ESXi Ransomware

ESXiArgs is a ransomware strain that has been reported to have infected over 3000 hosts in several countries, including France, Germany, the Netherlands, the U.K., and Ukraine. The ransomware is suspected to be based on the leaked Babuk ransomware code and is believed to be targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.

CVE: CVE-2021-21974 (source: SOCRadar, last updated 2023-02-17)
Mitigations

Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.

CISA and FBI recommend all organizations:

  • Temporarily remove connectivity for the associated ESXi server(s).
  • Upgrade your ESXi servers to the latest version of VMware ESXi software [CPG 5.1]. ESXi releases are cumulative, and the latest builds are documented in VMware’s article, Build numbers and versions of VMware ESXi/ESX.
  • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, which ESXiArgs may leverage. For more information on executing workarounds, see VMware’s guidance How to Disable/Enable the SLP Service on VMware ESXi.
  • Ensure your ESXi hypervisor is not configured to be exposed to the public internet.

In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

  • Maintain offline backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].

Mitigating and Preventing Ransomware

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement allow-listing policies for applications and remote access that only allow systems to execute known and permitted programs.
  • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the NIST’s Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software [CPG 1.5].
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind [CPG 1.5].
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. 

Recovery Guidance

CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2] 

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do our best to resolve concerns.

1. Quarantine or take affected hosts offline to ensure that repeat infection does not occur.

2. Download CISA’s recovery script and save it as /tmp/recover.sh.
   For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh

3. Give the script execute permissions: chmod +x /tmp/recover.sh

4. Navigate to the folder of a VM you would like to recover and run ls to view the files.

Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.

5. View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).

6. Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously. 

a. If the VM is a thin format, run /tmp/recover.sh [name] thin.

b. If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.

7. If the script succeeded, re-register the VM.

a. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)

  • Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html
  • Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html
  • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.

b. In the ESXi web interface, navigate to the Virtual Machines page.

  • If the VM you restored already exists, right click on the VM and select Unregister (see figure 1).


Figure 1: Unregistering the virtual machine.

  • Select Create / Register VM (see figure 2).
  • Select Register an existing virtual machine (see figure 2).


Figure 2: Registering the virtual machine, selecting machine to register.

  • Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).



Figure 3: Registering the virtual machine, finalizing registration.

  • Select Next and Finish. You should now be able to use the VM as normal.

8. Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online.
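When many VMs sit on one datastore, the lookups in steps 4 to 6 can be scripted. The following is an added example, not code from the CISA advisory or the cisagov/ESXiArgs-Recover project: it walks a datastore, picks the base disk name from each folder and builds the /tmp/recover.sh command line per VM, leaving it to the responder to run. The datastore layout is constructed, and the treatment of [name]-flat.vmdk as the data extent and [name]-NNNNNN*.vmdk as snapshot deltas follows ESXi naming conventions assumed by the example.

```python
"""Plan the recover.sh runs for every VM folder on a datastore.

Added example, not part of the CISA advisory or the cisagov/ESXiArgs-Recover
project. It automates the lookups in steps 4 to 6 (ls each folder, note
[name].vmdk, build the /tmp/recover.sh command) but does not run the script.
Assumed ESXi naming: [name].vmdk is the small text descriptor, [name]-flat.vmdk
the data extent, [name]-NNNNNN*.vmdk a snapshot delta. Thin provisioning cannot
be read from an encrypted descriptor, so the operator passes thin disk names in.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

SCRIPT = "/tmp/recover.sh"   # where step 2 saved the script
FLAT_RE = re.compile(r"^(?P<base>.+)-flat\.vmdk$")
SNAPSHOT_RE = re.compile(r"^.+-\d{6}(-delta|-sesparse)?\.vmdk$")


@dataclass
class VmFolder:
    path: str
    names: list = field(default_factory=list)     # base disk names to recover
    problems: list = field(default_factory=list)  # things a responder must check


def classify(files):
    """Split a folder listing into descriptor base names and -flat base names."""
    descriptors, flats = [], []
    for f in sorted(files):
        if not f.endswith(".vmdk") or SNAPSHOT_RE.match(f):
            continue  # non-disk files and snapshot deltas are not the base disk
        m = FLAT_RE.match(f)
        if m:
            flats.append(m.group("base"))
        else:
            descriptors.append(f[: -len(".vmdk")])
    return descriptors, flats


def scan_datastore(root):
    """Inspect each immediate sub-folder of a datastore, as step 4's ls would."""
    results = []
    for entry in sorted(os.listdir(root)):
        folder = os.path.join(root, entry)
        if not os.path.isdir(folder):
            continue
        vm = VmFolder(path=folder)
        descriptors, flats = classify(os.listdir(folder))
        vm.names = descriptors
        if not descriptors and flats:
            # descriptor gone but the extent survives: the name is still recoverable
            vm.names = flats
            vm.problems.append("descriptor .vmdk missing; name taken from -flat extent")
        if not vm.names:
            vm.problems.append("no .vmdk found; nothing for recover.sh to do")
        elif len(vm.names) > 1:
            vm.problems.append("several disks; run the script once per disk name")
        results.append(vm)
    return results


def plan_commands(root, thin_names=frozenset()):
    """Return (folder, command or None, problems) per disk, following step 6."""
    plan = []
    for vm in scan_datastore(root):
        if not vm.names:
            plan.append((vm.path, None, tuple(vm.problems)))
        for name in vm.names:
            cmd = f"cd {vm.path} && {SCRIPT} {name}"
            if name in thin_names:
                cmd += " thin"   # step 6a: thin-format disks need the extra argument
            plan.append((vm.path, cmd, tuple(vm.problems)))
    return plan


def build_sample_datastore():
    """Constructed stand-in for /vmfs/volumes/datastore1 (empty files suffice)."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    layout = {
        "vm-web": ["web.vmdk", "web-flat.vmdk", "web.vmx"],
        "vm-db": ["db.vmdk", "db-flat.vmdk", "db-000001.vmdk", "db-000001-delta.vmdk", "db.vmx"],
        "vm-broken": ["orphan-flat.vmdk", "orphan.vmx"],
        "notes": [],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for f in files:
            open(os.path.join(root, folder, f), "w").close()
    return root


if __name__ == "__main__":
    for folder, cmd, problems in plan_commands(build_sample_datastore(), thin_names={"web"}):
        print(folder, "->", cmd or "(skip)", *problems)
```

Review the printed plan and the flagged problems before running any command; the script never executes recover.sh itself.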

Additional Incident Response
The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:
  1. Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
  2. Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.
If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
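To make the log review in points 1 and 2 above concrete, here is an added example that is not part of the advisory. It runs two checks over firewall log lines: whether SLP (TCP/UDP 427, the service the advisory says to disable) on an ESXi host has been reached from the internet or from outside the management subnet, and whether a single source is sweeping the ESXi hosts or port-scanning one of them. The log line format, the ESXi host inventory, the subnets and the thresholds are all constructed for the example.

```python
"""Review firewall logs around ESXi hosts for SLP exposure and scanning.

Added example, not part of the CISA/FBI advisory. Two checks from the text:
(1) SLP (TCP/UDP 427, the service the advisory says to disable) on an ESXi
host reached from the internet or from a non-management source means SLP is
still enabled and, in the first case, the host is exposed; (2) one source
touching several ESXi hosts or many ports on one host is the "unusual
scanning activity" the incident-response step asks you to look for. The log
format, host inventory, subnets and thresholds are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

SLP_PORT = 427
# key=value style line (constructed format for this example)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: SRC=(?P<src>\S+) SPT=\d+ DST=(?P<dst>\S+) "
    r"DPT=(?P<dpt>\d+) PROTO=(?P<proto>\w+) ACT=(?P<act>\w+)$"
)
ESXI_HOSTS = {"10.10.1.5", "10.10.1.6"}                  # constructed inventory
MGMT_NET = ipaddress.ip_network("10.10.200.0/24")         # admin workstations
INTERNAL_NETS = [ipaddress.ip_network(n) for n in         # RFC 1918 space
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_HOST_THRESHOLD = 2   # distinct ESXi hosts probed by one source
SCAN_PORT_THRESHOLD = 5   # distinct ports probed on one host by one source


def parse(line):
    """Return the fields of one log line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(ip):
    """True when the address is outside the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def review(lines):
    """Return (severity, message) findings for traffic toward ESXI_HOSTS."""
    findings = []
    hosts_by_src = defaultdict(set)       # src -> ESXi hosts it touched
    ports_by_pair = defaultdict(set)      # (src, dst) -> destination ports
    for line in lines:
        ev = parse(line)
        if ev is None or ev["dst"] not in ESXI_HOSTS:
            continue
        src, dst, dpt = ev["src"], ev["dst"], int(ev["dpt"])
        hosts_by_src[src].add(dst)         # dropped probes still count as scanning
        ports_by_pair[(src, dst)].add(dpt)
        if dpt == SLP_PORT and ev["act"] == "ALLOW":
            if is_external(src):
                findings.append(("HIGH", f"SLP on {dst} reached from the internet by {src}: "
                                         "host exposed and SLP still enabled"))
            elif ipaddress.ip_address(src) not in MGMT_NET:
                findings.append(("MEDIUM", f"SLP on {dst} reached from non-management "
                                           f"source {src}: SLP still enabled"))
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= SCAN_HOST_THRESHOLD:
            findings.append(("MEDIUM", f"{src} touched {len(hosts)} ESXi hosts: possible sweep"))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("MEDIUM", f"{src} probed {len(ports)} ports on {dst}: possible port scan"))
    return findings


# Constructed sample log: one outside source hitting SLP, one internal host
# sweeping ports on an ESXi host, plus lines the review must ignore.
SAMPLE_LOG = """\
2023-02-03T04:12:09Z fw: SRC=10.10.200.7 SPT=51234 DST=10.10.1.5 DPT=443 PROTO=TCP ACT=ALLOW
2023-02-03T04:12:11Z fw: SRC=203.0.113.9 SPT=40001 DST=10.10.1.5 DPT=427 PROTO=TCP ACT=ALLOW
2023-02-03T04:12:12Z fw: SRC=203.0.113.9 SPT=40002 DST=10.10.1.6 DPT=427 PROTO=TCP ACT=DROP
2023-02-03T04:13:00Z fw: SRC=10.10.50.3 SPT=33000 DST=10.10.1.6 DPT=427 PROTO=UDP ACT=ALLOW
2023-02-03T04:14:00Z fw: SRC=10.10.50.3 SPT=33001 DST=10.10.1.6 DPT=22 PROTO=TCP ACT=DROP
2023-02-03T04:14:01Z fw: SRC=10.10.50.3 SPT=33002 DST=10.10.1.6 DPT=80 PROTO=TCP ACT=DROP
2023-02-03T04:14:02Z fw: SRC=10.10.50.3 SPT=33003 DST=10.10.1.6 DPT=443 PROTO=TCP ACT=ALLOW
2023-02-03T04:14:03Z fw: SRC=10.10.50.3 SPT=33004 DST=10.10.1.6 DPT=902 PROTO=TCP ACT=DROP
2023-02-03T04:14:04Z fw: SRC=10.10.1.5 SPT=44000 DST=192.168.9.9 DPT=443 PROTO=TCP ACT=ALLOW
this line is in another format and is skipped
"""

if __name__ == "__main__":
    for severity, message in review(SAMPLE_LOG.splitlines()):
        print(severity, message)
```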

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.  

Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]
Attached file: aa23-039a-esxiargs-ransomware-virtual-machine-recovery-guidance.pdf. Description: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs
History Timeline

  • Wed, 12 Jul 2023 13:35:40 GMT
    New Report Added

    ESXiArgs Ransomware Virtual Machine Recovery Guidance report added.

  • Fri, 17 Feb 2023 13:20:21 GMT
    New IOC's Added

    Total 10 IOC's added.

  • Wed, 15 Feb 2023 17:05:19 GMT
    New IOC's Added

    Total 230 IOC's added.

  • Wed, 15 Feb 2023 12:02:00 GMT
    Created!

    New Campaign created.

  • Wed, 08 Feb 2023 00:00:00 GMT
    CISA Releases Recovery Script for ESXiArgs Ransomware

    A recovery script has been made available by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to help decrypt VMware ESXi servers affected by the ESXiArgs ransomware attacks.

  • Wed, 08 Feb 2023 00:00:00 GMT
    New ESXiArgs ransomware version prevents VMware ESXi recovery

    New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines.

  • Fri, 03 Feb 2023 00:00:00 GMT
    Over 120 VMware ESXi Servers Globally Compromised in New Ransomware Attack

    A search on Shodan reveals that the ransomware campaign has already affected over 120 VMware ESXi servers globally that are vulnerable to CVE-2021-21974. The ransomware notes analyzed in the attacks suggest that a new ransomware group is behind the attacks.

  • Wed, 12 Oct 2022 00:00:00 GMT
    VMware ESXi Servers Globally Hit By Ransomware Attack

    Infections were initially detected on October 12, 2022, long before the campaign began gaining momentum in February 2023. However, on January 31, 2023, researchers discovered a revised version of the ransom notes on two hosts, which corresponds to the ones used in the current wave.
newspaper Dark Web News



dark web image
$10 Million Per Head ALPHV/Blackcat: The US State Department Announces a Hunt For The Leaders of a Well-Known Group

In a hacker forum monitored by SOCRadar, the news is detected that, $10 million per head ALPHV/Blackcat: The US State Department announces a hunt for the leaders of a well-known group. https://image.socradar.com/screenshots/2024/03/13/3c5285ed-20a7-4b57-9bbb-be64a5682f25.pngThe US State Department has announced a reward of up to $10 million for any information that helps identify and capture the leaders of the ALPHV/Blackcat hacker group. The gang specializes in cyber extortion and has already attacked thousands of companies in recent years. An additional $5 million is promised for data on individuals who are about to join Blackcat's criminal activities. According to experts, this should scare off potential participants, depriving the group of support. From November 2021 to March 2022, Blackcat carried out more than 60 hacks worldwide, the FBI said. “The scale of their activities is amazing,” a bureau representative commented. According to the latest data, by September 2023, at least $300 million in ransoms had been received from more than 1,000 victims. “This is a huge amount of money, and we will make every effort to stop the criminals,” the State Department said. In a released statement, the State Department promised that "a reward will be paid for information regarding the location or identity of any of the key leaders of the group behind the development and distribution of the ALPHV/Blackcat ransomware." The payments will be made as part of the initiative to combat transnational organized crime. As the department noted, since 1986, more than $135 million has already been paid out under this program. To securely transmit information about Blackcat and other wanted criminals, the State Department launched a special encrypted server, Tor SecureDrop, on the darknet. According to department officials, this will help maintain the anonymity of informants. Recently, US authorities have stepped up efforts to find and apprehend cybercriminals. 
In January, a similar reward of $10 million was announced for data on the leaders of the Hive group. Previously, large sums were promised for information about those involved in Conti, REvil (Sodinokibi), Darkside and other dangerous hacker communities. According to experts, such measures will at a minimum make life more difficult for criminals and weaken their potential. • Source: ***



dark web image
New Partnership Post is Detected for AkitaCrypt Ransomware

In a hacker forum monitored by SOCRadar, a partnership post is detected fort AkitaCrypt Ransomware. https://image.socradar.com/screenshots/2023/12/06/49a181a5-d0da-4b49-aa29-fe5777f082cd.pngA Fully Featured Ransomware Solution Our team has been hard at work for the past 2 years on a cross-platform ransomware solution. We have tested it on more than 150 machines, fine tuning it along the way. We are proud to finally be able to unveil it. Introducing: AkitaCrypt, an astonishingly fast, fully undetectable ransomware solution for Windows and Linux written in rust. Features: AES-256 or AES-512 bit encryption options with configurable salts Windows UAC and Linux/GNU privilege escalation Fully undectable (FUD) upon build (on ALL Anti-Virus guaranteed) Bypasses EDR systems (Splunk, Palo Alto Cortex XDR, etc) Regular Updates Reports can be sent via discord web hooks or email Smart encryption (choose well known software to search for making targetted encryption easier) Manual encryption (choose directories you'd like to encrypt; can be used with smart encryption) Encrypt file by extension (choose file extensions to include or exclude) Toggle system file exclusion (exclude encryption of OS files so system remains functional) Configurable backdoor (regain remote access to your target in case they lock you out) Works on Windows 7 and later, Windows Server 2008 and later and all Linux/GNU distributions and Kernels and UNIX. MacOS coming soon! Affiliate Program Having poured so much of our time and effort into this and considering its capabilities (EDR Bypass, FUD on all AV including ESET, etc) it would be reckless for us to release this to anyone with the money to buy it. Therefor, we are launching an affiliate program for serious players only. Affiliates will start at 50/50 splits for each successful ransom negotiation. Affiliates with 10 or more successful negotiations will receive 75/25 splits. Top earners will receive 90/10 splits. 
How To Become An Affiliate To become an AkitaCrypt affiliate you need to have initial access to a Windows network or Linux server or any Windows or Linux infrastructure at a company or business that can be negotiated for ransom (no restrictions or rules what-so-ever. Any country, any institution, any business). Who we are looking for: Initial access brokers looking to directly profit from ransomware Hobbiest penetration testers/web-application hackers Bug bounty hunters Exploit developers Employees with internal access who have an understanding of information technology and OPSEC If you think you would be a good candidate, contact us with proof of initial access via DM or on telegram at https://t.me/******* or in our channel at https://t.me/********** Have the following prepared if you contact us or else you will be ignored: Access you have or can get immediately (not access that you THINK you can get, access you KNOW you can get) History gaining initial access to systems (have proof). Any prior affiliate programs you've been apart of if applicable (if no proof don't share this). Negotiations, ransom amounts, and files that are encrypted can be dictated by the affiliate or left to us.


dark web image
Play Ransomware Escalates: Ten US Firms Hit in a Single Day

Date of Report: November 29, 2023 Executive Summary The Play ransomware group's activities reached a significant peak on November 28, adding ten American companies to its victim list, marking the day with the most reported ransomware cases in November. Initially observed on June 22, 2022, when an individual reported file encryption with a ".play" extension on the BleepingComputer forum, the group has been primarily targeting Latin America, with Brazil as a focal point. https://image.socradar.com/screenshots/2023/11/29/b1b3dab2-db68-4f32-b3f2-cadaafa4cb90.pngLatest victims's announcement on Play's website. Their tactics, techniques, and procedures (TTPs) bear resemblance to known ransomware families like Hive and Nokayawa, particularly their use of the AdFind tool for gathering Active Directory data. Key Points: - Play ransomware has shifted to a Ransomware-as-a-Service (RaaS) model, exhibiting uniform attack patterns across sectors. - The ransomware uses legitimate account credentials, exposed RDP servers, and exploits specific FortiOS vulnerabilities for initial access. - They propagate their ransomware internally using Group Policy Objects, scheduled tasks, PsExec, or wmic, culminating in file encryption with the ".play" extension. - The cumulative number of ransomware incidents in November spiked, with 36 cases reported in a single day. - Businesses impacted include SinglePoint Outsourcing, Thillens, Elston-nationwide, AMERICAN INSULATED GLASS, MooreCo, Continental Shipping Line, Retailer Web Services, SurvTech Solutions, EDGE Realty Partners, and Noble Mountain Tree Farm. Assessment: Play ransomware's transition to a RaaS model and the replication of TTPs across attacks suggest a systematic approach and the possible use of a RaaS kit. The group's focus on smaller organizations, presumably due to their ability to meet ransom demands approximately $1 million, indicates a calculated targeting strategy. The recent spike in attacks on U.S. 
companies signifies an expansion beyond their usual Latin American targets. Outlook: The evolution of Play ransomware into a RaaS model could mean a broader reach and a higher frequency of attacks, posing a threat beyond the Latin American region. The specific targeting of organizations with the financial capacity to pay substantial ransoms underscores the need for enhanced security measures and awareness. Key Intelligence Gaps - Confirmation of the extent to which Play ransomware's TTPs align with other ransomware families. - Assessment of the impact of the RaaS model on the frequency and sophistication of Play ransomware attacks. - Evaluation of the risk to organizations based on the observed targeting profile of Play ransomware. Intelligence Requirements: - Investigation into the recent attacks to identify any evolving patterns or new TTPs employed by Play ransomware. - Development of threat mitigation strategies tailored to the specific vulnerabilities exploited by Play ransomware. - Strengthening defenses against RDP and FortiOS vulnerabilities to prevent initial access by threat actors.


dark web image
MadCat Ransomware: Scammers in Disguise

A recent investigation has unveiled a new ransomware strain, dubbed MadCat, linked to a group of suspected scammers who target fellow criminals on the dark web. The findings reveal a web of deception, fraud, and intricate cyber schemes.

https://image.socradar.com/screenshots/2023/11/24/54afbc7c-de83-427e-bfd8-d1288ce4bcc7.PNG
The group's leak website, stating that it will launch on November 30, 2023

The recent announcement of a new ransomware group, Mad Cat, looked like a typical entry of a ransomware group into the cybercrime arena. Further investigation, however, has unraveled a more convoluted narrative.

Deceptive Tactics on the Dark Web

Cyber investigator Karol Paciorek and the team at CSIRT KNF (the computer security incident response team of Poland's Financial Supervision Authority) have linked Mad Cat to several dark web accounts known for fraudulent activity. These accounts, including @plessy (the one named on the leak site), @rooted, and @whitevendor, were previously involved in the fake sale of stolen passport details, including a bogus offer of 246,000 screenshotted Polish passport pages. The CSIRT report detailed how these accounts ran scams on dark web platforms, deceiving other criminals with offers of illegal identity documents; in one case @plessy offered an entire collection of such documents for $3,400. The report noted similarities in the writing style and methods of these accounts, suggesting they may be operated by the same individual or group.

Ripple Effects Among Cybercriminals

The deceptive practices have not gone unnoticed by other criminals. On BreachForums, a cybercriminal complained about being conned by @rooted in a scheme involving Japanese and Chinese passport details. This pattern of deception shows a lack of trust even among cybercriminals.

https://image.socradar.com/screenshots/2023/11/24/8583cd58-7176-47f9-893d-1cb6179dad1c.png
Scam report for @rooted on a hacker forum

Paciorek's investigation also uncovered links between these aliases and the MadCat ransomware group. The plessy[.]eu web address and associated Telegram channels pointed to a network of interconnected identities and criminal activities, and the CSIRT report further established connections between these identities and MadCat's operations.

Doubtful Future for MadCat

With their deceptive practices exposed, MadCat's future in the ransomware field looks uncertain. Paciorek anticipates their downfall, comparing them to other short-lived cybercrime entities. The negative backlash and the abandonment of accounts by these actors indicate a possible retreat from their criminal endeavors. The case underscores the duplicitous nature of the cybercrime world and the value of continual, thorough investigation in understanding and countering evolving threats.

SOCRadar Dark Web Monitoring gives organizations visibility into this deceptive landscape, helping them detect and counter hidden cyber threats and protect their digital assets.

https://image.socradar.com/screenshots/2023/11/24/741fa8f1-4f4e-43a6-9fdb-9969564b4314.png
SOCRadar Dark Web Monitoring


dark web image
Source Code of qBit Ransomware is on Sale

In a hacker forum monitored by SOCRadar, a new alleged source code sale has been detected for qBit ransomware.

https://image.socradar.com/screenshots/2023/11/27/c3824ed5-82f2-4ea1-a08a-e42b7f438626.png

Hello friends,

Well, our product had a great response and feedback from users, which was about the stealer and the ransomware built in Go lang. I would call it a success based on my plan of long-term effect/usage. Speaking of researchers releasing blogs about it, specifically CloudSEK: CloudSek qBit Article. You've explained the product better than me, haha. Thank you Bablu Kumar, a geek. If this doesn't seem to make sense to you as a buyer, and you want more information on the product, check out: http://** http://**

Anyway, even if the language seems to be very versatile, efficient and very fast, as proven in the video, the binaries seem to be much bigger, which wouldn't be such a nuisance these days. But we do love small binaries, much better for crypts and spreads. So, I've invested some time in Rust and C/C++, building cryptors behind the scenes and improving them for real-world scenarios. Which brings me to this forum post.

Basically, instead of selling it as a service, I will sell the full source code as it IS to the buyer for a fixed price (middleman accepted and mandatory, but the fee is paid by the buyer). The buyer will get support on using the source, building, or if extra improvements are needed; it will be provided free of charge. This business scheme might be suitable for those who want fresh ransomware code which is not skidded or stolen from anywhere else, personally suited to its core according to the buyer, and from a knowledgeable person who knows building, handling and maintaining the code.

So, that's it for today, folks. Contact me on Session or Telegram for further discussion, and ONLY message me if you're serious.

Session ID: **
Telegram: @**


dark web image
Cactus Ransomware Group Targets Petersen Health Care in the USA

Petersen Health Care, a prominent healthcare provider in the United States, has reportedly been added to the Cactus ransomware group's data leak site.

https://image.socradar.com/screenshots/2023/11/22/9b16c7e4-6cec-49ab-aded-d1f3326df9ce.PNG
Cactus ransomware's victim listing on its leak blog

Leaked Data Details

The Cactus ransomware group has released a sample of the compromised data, which includes scans of passports, driving licenses, and other sensitive personal documents. While the full volume and types of data breached have not been detailed, the nature of the sample points to a severe privacy and security violation.

Implications of the Breach

The leak of such sensitive personal information from a healthcare institution is particularly concerning: it jeopardizes patient privacy and exposes individuals to identity theft and fraud.

https://image.socradar.com/screenshots/2023/11/22/5c0f0be7-c4a3-4ef4-af90-c1908c3feddb.PNG
Sample leak shared by Cactus ransomware

The incident underscores the growing threat to healthcare providers, which hold vast amounts of sensitive personal health information and are therefore attractive targets for cybercriminals.

SOCRadar: Enhancing Cybersecurity

The rapidly changing threat landscape calls for a vigilant approach, especially in sensitive sectors like healthcare. SOCRadar offers specialized monitoring and threat intelligence services designed to help organizations proactively identify and mitigate cyber risk.

https://image.socradar.com/screenshots/2023/11/22/5ac9021f-ab04-447d-a809-dc957069af36.png
One such solution offered by SOCRadar is Attack Surface Management and Ransomware Check




dark web image
Ransomware Attack on Asaf Technology in Support of Palestine

In a significant cybersecurity incident, the company "Asaf Technology" has allegedly become the latest victim of a politically motivated ransomware attack. A recent Telegram post by the Electronic Tiger Unit claims that the group has encrypted all data belonging to Asaf Technology, which it refers to as a "Zionist company."

https://image.socradar.com/screenshots/2023/11/17/cac98513-c871-4e70-a57d-c58e79c8af81.png
Electronic Tiger Unit's Telegram post

The attackers claim to have gained full access to the company's data and to have compromised the accounts of engineers and officials within Asaf Technology. The attack is part of the broader cyber conflict surrounding the ongoing Israel-Hamas hostilities.

Context of the Cyber Conflict

Recent months have seen an escalation in cyber activity related to the Israel-Palestine conflict, with various ransomware groups targeting entities on both sides. In earlier blog posts we highlighted the complex nature of this conflict, in which digital attacks are used as an extension of political and territorial disputes.

A recent Telegram post from another hacker group, the TYG Team, sheds light on the strategic use of ransomware in the conflict. The group emphasizes its ongoing efforts to compromise Israeli devices and infrastructure, using its "GDS" software for expanded attacks, and states its intention to use the accessed data strategically rather than publicize it, indicating a focused approach to cyber warfare.

https://image.socradar.com/screenshots/2023/11/17/bd853c14-7131-44ae-9a76-8329c70c96e5.png
TYG Team's statement on its Telegram channels

These incidents underscore the evolving nature of cyber threats within the conflict, where political motivation drives targeted attacks against specific nations or entities. For further analysis, see our latest blog post on the conflict: https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/

Stay Protected with SOCRadar

In response to these growing threats, SOCRadar offers advanced monitoring and threat intelligence services. Our platform helps organizations stay ahead of potential threats, ensuring timely and effective responses to emerging risks. As the situation evolves, SOCRadar continues to provide real-time updates and insight into the latest developments in this ongoing cyber conflict.

https://image.socradar.com/screenshots/2023/11/17/efd7e937-c707-47e4-82c7-d6b22bc9a3a5.png
SOCRadar Dark Web Monitoring




dark web image
A New Ransomware Builder is on Sale

In a hacker forum channel monitored by SOCRadar, a new ransomware builder offered for sale has been detected.

https://image.socradar.com/screenshots/2023/10/30/dd1c5575-767a-466c-ba0e-f46ec3e1b78b.png

I am the sole author of the Ransomware. Ransomware itself is a ransomware project written entirely in C++/WinAPI. By itself, it does not require any internet connection and all information is kept private - nothing is sent abroad. You can attack any type of country, organization, company, etc. It is 100% safe and no one has ever recovered their files without paying, as Ransomware uses very secure algorithms for encryption. If you decide to use my Ransomware, rest assured you will not be tricked - it uses a key scheme where the decryption key is protected by both my private key and your Private Build Key that you generate. It is dynamically multithreaded (depending on the number of cores/disks) and runs only on Windows OS, in versions after Windows XP, on x86 and x64, with support for both overwriting and destroying encryption methods. The ransomware also automatically deletes backups and logs twice - before and after encryption. It also encrypts any network drive available on the network automatically.

The only two requirements to run an embedded Ransomware executable on a computer are:
- disable antivirus software
- have administrator access (run the executable as administrator)

There are many more features and changes - if you are interested or have any questions, please contact me on Telegram: @Jacobs1822. Don't contact me asking how to spread ransomware - you need to learn this yourself or pay me to do it :)

Some characteristics of Ransomware:
- Added new mandatory test file decryption with payment of developer fee to prevent fraud by the victim
- The number of encryption/decryption threads now depends on the number of disks
- Prevents the system from going to sleep/hibernation while the encryption/decryption process is active
- Increased speed of deleting unwanted software
- Added option to disable taskmgr/regedit on the target system (re-enabled after decryption)
- Added new encryption method - replace instead of copy/encrypt/destroy the original. Produces the same results, but may cause file corruption if the Ransomware is stopped before the encryption process is complete; it should be a little faster and does not require additional space
- Shredding now always deletes the fragmented file
- Improved file destruction speed
- Decryption always uses the replacement method - the user should not stop the Decrypter until it finishes
- Added option to decrypt multiple Redeemer Public Keys received from the victim at once (for large computer networks encrypted with the same version of Ransomware and the same Redeemer Private Build Key, value and campaign ID)
- Different options renamed in Toolkit/Decrypter
- Better encryption/decryption speed

Telegram: @****



dark web image
New Recruitment Post is Detected for Qilin Ransomware Group

In a hacker forum monitored by SOCRadar, a new recruitment post has been detected for the Qilin ransomware group.

https://image.socradar.com/screenshots/2023/11/06/eb117522-8d91-468a-bdbe-e70e90c65033.png

Good day to all! We are recruiting teams of experienced pentesters for our partner program. Briefly about the available functionality:
- Reliable encryption algorithms (ChaCha20\AES) + RSA-4096
- Customizable encryption modes to select the ideal balance of encryption speed and cryptographic strength
- 4 modes of software operation:
  normal - completely encrypts the file
  step-skip - encrypts in spots with a fixed size of the spot and the skipped part
  fast - encrypts the beginning of the file
  percent - encrypts in spots with a fixed spot size and a dynamic skip portion based on file size
- Ability to reboot the machine in safe mode with automatic login and file launch
- Directed encryption (drives\folders by specifying the path, remote machines by specifying the machine's IP)
- Ability to disable various filters when running the file if necessary (functionality at your own peril and risk)
- Killing the most important services and processes for the most effective encryption and eliminating the possibility of decryption
- Freeing files occupied by services and processes
- Cleaning log systems and deleting shadow copies
- Ability to distribute the file over the network (subject to the credentials transferred during assembly)
- A proven preset of settings in the panel, but if necessary you can add parameters specific to your network
- The build does not store all the credentials for the company to enter the landing, which excludes "left people" from the dialogue with the company
- And many more different features that you will get acquainted with during the work

Panel:
- Build configurator
- Guest access (with the ability to limit the rights of guests to various actions)
- Full support of dialogues with your targets (if you wish, you can do this yourself)
- You will also have access to dialing/SMS spam services 24/7

The written software is a unique project, and not just another fork of the source code of other software lying around in the public domain. Under Windows, the build will be pure Rust, which immediately gives it an advantage in speed and security. For Linux/ESXi systems it is pure C.

First PM contact. We work with English speakers only after an interview. We do not work in CIS countries.


dark web image
New Version of Knight Ransomware is Detected

In a hacker forum monitored by SOCRadar, a new version of Knight ransomware has been detected.

https://image.socradar.com/screenshots/2023/11/06/720710bc-66fd-44d2-bde8-67b4bcb5f98e.png

We have updated to version 3.0. After several months of practice we made the third upgrade, and the third upgrade is a very significant one, including the panel and the locker; compared to version 2.0, a lot of features have been added. The encryption speed of the 3.0 version of the locker is very fast; of course you can compare any organization's locker with ours. In the 3.0 locker we made the following updates:
1. Added more kinds of SMB lateral movement, and added automatic extraction of credential hashes of logged-in shared networks for SMB lateral movement!
2. Updated the algorithm to increase the encryption speed by about 40%, and we provide -fast (fast encryption of the header) and -thread (custom thread encryption) parameters in version 3.0.
3. Updated: replace all file icons on the target computers.
4. Rewrote ESXi in C to support version 5 and above.
5. Priority execution directories have been added, and multiple priority directories can be entered when generating online.
6. Added random obfuscation to make the locker more difficult for AV to detect.
7. Added more system support: Windows 7 and above, Linux (including Debian, *BSD, Solaris, Android and others), macOS. All systems have been tested.

Panel features:
1. Assign each target a separate TOR domain, while we provide a high-strength encrypted chat room to assign separate chat sessions to different computers under the same target.
2. Each target is equipped with a separate wallet address; level-2 affiliates can directly add their own wallet address, and an individual "offer" feature is provided (a separate offer can be made for each chat session).
3. Added chat room session status for the target (you can see when it was last accessed and whether it is online or not).
4. The BypassAV function is provided in the panel; you can upload files for secondary obfuscation encryption (tested to bypass 90% of AV).
5. Added Team Collaboration, which allows you to share separate target chat rooms with your team members and work together to get the job done.
6. Changed the target page to support automatically displaying the wallet address and receiving offers online; it will automatically detect whether the correct amount was paid and will automatically provide key and decryptor download options after payment.

We are still looking for partners, but we don't need inexperienced people at the moment, and we will set certain conditions to filter analysts in the forums.

Tox: **


dark web image
BianLian is Targeting Aviation Industry in Canada

The BianLian ransomware group, monitored continuously by the SOCRadar Dark Web Team, has announced its latest victim on its leak site: a Canadian aviation firm.

https://image.socradar.com/screenshots/2023/10/12/48d125e1-0255-4ff3-b38a-252bc105eaa9.png
BianLian's claim post about Air Canada

The group claims to have exfiltrated 210 GB of files from Air Canada and has added the company to its victim list. Established in 1937, Air Canada is Canada's largest airline and its flag carrier, with a pivotal role in the global aviation sector.

https://image.socradar.com/screenshots/2023/10/12/549c812a-f7ca-4201-b3a5-ff6db08749d7.jpg
Description of allegedly stolen data shared by BianLian

According to BianLian's claims, the stolen data includes technical and operational data from Air Canada spanning 2008 through 2023, SQL backups, confidential documents, and more.

Who is BianLian?

BianLian is a threat actor that runs a ransomware operation of the same name. The BianLian name first appeared on an Android banking trojan in 2019. Like its namesake, the traditional Chinese art of "face-changing," BianLian has demonstrated remarkable adaptability, shifting its operations to ransomware; the BianLian ransomware strain was first observed in July 2022.

https://image.socradar.com/screenshots/2023/10/12/6dd8416c-70bb-452a-bbd8-eb0c8571e246.png
Threat Actor Card of BianLian

You can read "Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group" here: https://socradar.io/threat-actor-profile-bianlian-the-shape-shifting-ransomware-group/

Stay Updated with SOCRadar

You can stay up to date with the latest dark web news using the Dark Web News page in the CTI module of SOCRadar XTI. You can also follow posts from ransomware groups in the Ransomware News section under the Dark Web News page.

https://image.socradar.com/screenshots/2023/10/12/ffbf59f8-1489-44da-b351-15977ae05270.png
SOCRadar XTI's CTI Module, Dark Web News / Ransomware News page


dark web image
GhostSec Unleashes ‘GhostLocker’ RaaS: A Stealthy Ransomware Service

The threat group known as GhostSec established a Telegram channel for its new tool, GhostLocker, on October 8, 2023. In an ever-expanding threat landscape, GhostLocker is one more operation that organizations should watch closely.

https://image.socradar.com/screenshots/2023/10/09/12c0c027-9c6e-4412-94b9-15e9721d2ed4.jpg
GhostLocker RaaS

The threat actor labels the new service the "new generation of RaaS" and asserts that its ransomware performs military-grade encryption at runtime, so that victims cannot recover files by decompiling the binary, obtain the decryption key by inspecting web requests, or recover it if the server is exposed. The actor also claims the ransomware is "fully undetectable," boasting a zero detection rate across all major antivirus products.

The GhostLocker Telegram channel quickly gained over 100 subscribers, and the tool was promoted in GhostSec's official channel as well. Some users have asked for a demo to promote the tool further, particularly in a business context. Although the service carries a substantial price tag, $999 during the beta phase and $4,999 afterwards, the threat actor asks only a 15% commission on all revenue after the one-time payment. They also offer to handle all negotiations on behalf of affiliates, while providing a web panel through which affiliates can monitor and, if they wish, intervene in negotiations. The actor notes that this is an early version and promises significant improvements, starting with a smaller binary and faster encryption.

Similarities in Ransom Note

GhostSec also posted a video demonstrating GhostLocker's functionality. One detail stands out: GhostLocker's ransom note is designed very much like that of LockBit ransomware.

https://image.socradar.com/screenshots/2023/10/09/3c1f5402-a912-4790-a231-f0ee653c39e1.jpg
GhostLocker ransom note

Who is GhostSec?

GhostSec, also known as Ghost Security, emerged in 2015 as a self-proclaimed vigilante group with roots in the hacktivist collective Anonymous. While Anonymous is known for a diverse range of operations, GhostSec took on a more specific mission: combating online terrorism and violent extremism. The group is known for its actions against ISIS-affiliated websites that spread Islamic extremism, as part of the campaign known as #OpISIS. GhostSec has also promoted human rights and defended online freedom in various countries, most notably Cuba, and has participated in the Russia-Ukraine conflict with a series of cyberattacks against the Russian government.

Track Threat Actors with SOCRadar

SOCRadar's Threat Actor Tracking module gives organizations a comprehensive view of known and emerging threat actors, helping them recognize and counter threats quickly and efficiently. The platform holds extensive information on threat actors, including their Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IOCs), and infrastructure.

https://image.socradar.com/screenshots/2023/10/09/d6f9e177-1d0a-4498-9641-fddeddec0ec8.png
SOCRadar Threat Actor Tracking



dark web image
Play and Qilin Ransomware Groups Announce New Victims: U.S. Security and Financial Firms Allegedly Breached

In recent dark web developments monitored by the SOCRadar Dark Web Team, two prominent ransomware groups have announced their latest victims, both based in the U.S.

Play Ransomware Threatens Security Instrument

Play ransomware continues its relentless attacks. After claiming to have breached 25 firms in September, Play now says it has infiltrated the systems of the U.S.-based company Security Instrument.

https://image.socradar.com/screenshots/2023/10/05/80e71a9e-e3a0-4b9f-961d-b57296fe1bea.png
Play's announcement

Founded in 1960, the privately owned Security Instrument Corporation offers electronic security, life safety detection, and related monitoring services. Play now threatens to release sensitive data it allegedly took from the company, supposedly including private and personal confidential data, client and employee records, IDs, payroll, contracts, and financial data. Play has not, however, disclosed the extent of the breach or presented any sample data.

Qilin Ransomware Targets DiTRONICS Financial Services

Discovered in August 2022 and also known as Agenda, Qilin has announced its latest victim, the U.S.-based DiTRONICS Financial Services.

https://image.socradar.com/screenshots/2023/10/05/27c8b36c-42e2-4bcb-8017-98b1ae4dfb1a.png
Qilin's announcement

Since its foundation in 1998, DiTRONICS has positioned itself as a leading source of cutting-edge technology and high-end funds access services. With a large database of gaming patrons and billions of dollars processed annually, DiTRONICS offers a wide array of services, including ATMs, ticket redemption kiosks, check guarantee software, cash advance software, and a new Title 31 compliance solution. While Qilin has not stated the volume of data taken, it has shared 19 images allegedly belonging to the company, which it claims show breached business contracts, financial papers, and other confidential company documents.

How Can SOCRadar Help?

SOCRadar's Threat Feed and IoC Management module helps organizations manage their threat intelligence feeds and indicators of compromise (IoCs).

https://image.socradar.com/screenshots/2023/10/05/dddff4be-a75f-4648-aafd-ccff81ba17c0.png
SOCRadar Threat Feed / IoC tab

SOCRadar's Threat Actor Tracking module also gives organizations a comprehensive view of known and emerging threat actors, including their TTPs, IOCs, and infrastructure, so that threats can be identified and responded to more quickly and effectively.

https://image.socradar.com/screenshots/2023/10/05/c6d8f07f-977b-4c56-b261-039e8d6e5ce5.png
SOCRadar Threat Actors tab


dark web image
New qBit Ransomware is on Sale

In a hacker forum monitored by SOCRadar, a new ransomware offered for sale has been detected, called qBit.

https://image.socradar.com/screenshots/2023/09/29/81c428b4-b7d5-4287-b1bb-c1c304dc80eb.png

Hello friends, I'm excited to introduce you to a new ransomware made from scratch. It's written in Go with the functionality of efficient concurrency, meaning faster speed, low detections and versatility. From the early days of ransomware, we've seen many players recruit affiliates with the business model of RaaS, which is Ransomware as a Service. The recruits are very specific and many of us can't join them even if we're skilled. So, this product will be, but not limited to: affordable, usable and customizable. As it's brand new, the detections are much lower, and obviously the build shared will be obscured for a much lower detection rate. The buyer doesn't need to worry about using a crypter. Each build is unique.

Enough rambling, what's in the package?
- Fast Encryption with a Hybrid Logic - Salsa20 + RSA 2046
- Intermittent Algorithms - Full, Partial & Smart Mode
- Timely Mannered Execution
- Obscured binaries, making things much harder for analysts
- Anti-Analysis
- Direct Syscalls
- Multi-Threaded Decryption tool

In case the buyer wants pre-execution shellcode injection, file exfiltration or personalized information about the target computer to be sent to his C2, it can be done without any extra cost to the purchase! It has a beautiful UI if enabled with the -log parameter, though it isn't optimal.

Below, two videos: 1st = Log View + Partial Encryption Mode - Demo Video; 2nd = No Log View + Smart Encryption Mode - Demo Video.

If you're interested in buying or working together to customize it even further, feel free to contact me on Session or DM here! - Peace out!
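Several of the posts above advertise partial encryption: Qilin's normal/step-skip/fast/percent modes, Knight's -fast (header) parameter, and qBit's Full, Partial and Smart modes. Intermittent encryption is designed to finish before anyone notices and to defeat detectors that expect a whole file to turn into random bytes. The following Python script is an added, defender-side example written for this page (not code from any of those posts) that profiles a file's Shannon entropy chunk by chunk and labels the resulting shape as plaintext, fully encrypted, header-only or interleaved. All sample files are constructed in memory; the chunk size, the 7.5 bits/byte threshold and the list of compressed-format magic numbers are assumptions to tune per environment.

```python
"""Chunked Shannon-entropy profiling to tell apart fully encrypted,
header-only ("fast") and intermittent ("step-skip"/"partial") encryption
from plaintext. Added example; all sample files are constructed in memory."""
import math
import random
from collections import Counter

CHUNK = 4096  # profile resolution in bytes (assumed)
HIGH = 7.5    # bits/byte; a 4 KiB ciphertext chunk scores about 7.95 (assumed)

# Formats that are high-entropy by design (compressed/encrypted containers);
# skipped to avoid false positives. Magic numbers are assumed, not exhaustive.
SKIP_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG", b"7z\xbc\xaf")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH) -> str:
    """Label a file by the shape of its entropy profile."""
    if data.startswith(SKIP_MAGIC):
        return "skipped-compressed-format"
    flags = [e >= high for e in entropy_profile(data, chunk)]
    if not flags:
        return "empty"
    hits = sum(flags)
    if hits == 0:
        return "plaintext"
    if hits == len(flags):
        return "full"
    # One encrypted run at the start of the file ("fast" / header mode).
    if all(flags[:hits]) and not any(flags[hits:]):
        return "header-only"
    # Encrypted and clear chunks interleaved ("step-skip" / "percent" / partial).
    return "intermittent"


def _pseudo_ciphertext(n: int, seed: int) -> bytes:
    """Seeded stand-in for ciphertext: flat byte distribution, reproducible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample data: a low-entropy text block and simulated cipher chunks.
PLAIN_BLOCK = (b"Quarterly revenue report. Customer accounts and invoices follow.\n" * 64)[:CHUNK]


def build_samples() -> dict:
    """Map of expected label -> constructed file content (8 chunks each)."""
    def enc(i):
        return _pseudo_ciphertext(CHUNK, i)
    return {
        "plaintext": PLAIN_BLOCK * 8,
        "full": b"".join(enc(i) for i in range(8)),
        "header-only": enc(0) + PLAIN_BLOCK * 7,
        "intermittent": b"".join(enc(i) if i % 2 == 0 else PLAIN_BLOCK for i in range(8)),
        "skipped-compressed-format": b"PK\x03\x04" + enc(9)[4:] + enc(10),
    }


if __name__ == "__main__":
    for label, content in build_samples().items():
        print(f"{label:28s} -> {classify(content)}")
```

The header-only shape is what a "fast" or header-encryption mode leaves behind, while step-skip, percent, partial and smart modes produce the interleaved shape; a whole-file entropy check would score the interleaved case as merely "somewhat random" and miss it. Two caveats apply in production: already-compressed formats (archives, images, PDFs with compressed streams) are high-entropy by nature, which is why the script skips known magic numbers rather than flagging them, and a spot size smaller than the chunk size blurs the profile, so the chunk size should be set at or below the smallest spot size you expect.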


Sony Group Corporation Targeted by Dark Web Cybercriminals

The SOCRadar Dark Web research team recently identified a new entry on a dark web platform associated with the Ransomed[.]vc group, and it involves the Japanese multinational conglomerate Sony Group Corporation.

https://image.socradar.com/screenshots/2023/09/25/3d33808a-5ac5-4046-81be-ef0ecfdf0689.png
Ransomed[.]vc's claim about Sony

Ransomed[.]vc alleges a successful compromise of Sony's systems. The group asserts that Sony has refused to meet its financial demands, and that it has therefore decided to auction the stolen data.

https://image.socradar.com/screenshots/2023/09/25/7ae930a1-a83f-4642-b64d-5a85cafdc197.png
Sample data shared by Ransomed[.]vc

To substantiate the claim, Ransomed[.]vc released a selection of what it purports to be authentic Sony data, including a PowerPoint presentation allegedly created by Sony, internal screenshots, and Java files.

https://image.socradar.com/screenshots/2023/09/25/9e203842-baea-415f-8559-d2954e39a1dd.png
Threat actor's post on a hacker forum

The SOCRadar Dark Web Team has also identified the group actively marketing unauthorized access to what it claims are compromised Sony Group Corporation systems on a hacker forum. This marketplace is dominated by Russian cyber threat actors, suggesting potential interest from such actors in procuring the breached data. Earlier this year, Sony was listed on the CL0P ransomware group's dark web portal after exploitation of the MOVEit Transfer vulnerability: https://socradar.io/attackers-exploit-critical-zero-day-vulnerability-in-moveit-transfer/

Alleged Cyber Attack on Lockheed Martin and US Army Transport Corp by KillNet

The KillNet threat group recently announced on its Telegram channel that it has targeted Lockheed Martin and the US Army Transport Corp, citing the U.S. government's decision to deliver ATACMS missiles to Ukraine as the motivation for the attack.

https://image.socradar.com/screenshots/2023/09/25/d1ece487-e332-4706-9998-02f8ee33b463.png
Announcement of KillNet

KillNet is a pro-Russian hacktivist group known for DDoS campaigns against countries supporting Ukraine, especially NATO members, since Russia's invasion of Ukraine in 2022. In a DDoS attack, thousands of connection requests and packets per minute are sent to the target server or website, slowing down or even stopping vulnerable systems.

Enhance Your Defense with SOCRadar

The SOCRadar XTI platform's solutions help you identify, assess, and remediate vulnerabilities in real time. SOCRadar's Vulnerability Intelligence module continuously monitors vulnerabilities, letting you search for vulnerabilities, access their details and related activity, and follow hacker trends.

https://image.socradar.com/screenshots/2023/09/25/8f4e3ecb-1aa3-415b-be32-c3318396c289.png
SOCRadar's Vulnerability Intelligence

The Attack Surface Management module also lets you monitor the status of your assets and receive notifications about emerging vulnerabilities.

https://image.socradar.com/screenshots/2023/09/25/2468fba9-1d45-4550-8bc4-8e7f9fcfb682.png
SOCRadar Company Vulnerabilities


dark web image
Kuiper Ransomware is on Sale

In a hacker forum monitored by SOCRadar, a new ransomware offering called Kuiper Ransomware has been detected for sale.

Image: https://image.socradar.com/screenshots/2023/09/25/951e18de-0005-40ae-80d8-ee345b23f776.png

The advertisement reads:

We introduce our partnership affiliate RaaS program KUIPER. Developed in Golang, written from scratch with no external sources from other software.

WARE:
- Encryption algorithm AES-CFB with random key/IV (AES key encryption with RSA-4096)
- Customization of binaries for every attack and network if needed for better deployment and higher success % of damage caused in attack.
- Arguments through terminal typing --help available:
  -p PATH (set path to crypt) Default: "/A-Z" disks (Windows related), root = "/" | non-root = "/home" (*NIX related)
  -reboot yes/no (Default: yes) Reboot system after crypt process.
  -note yes/no (Default: yes) Leave note while (yes) or after (no) crypt.
  -name yes/no (Default: yes) .kuiper extension changes while (yes) or after (no) crypt.
- Unique key for each network.
- No dependencies needed.
- Critical system folders and extensions excluded for crypt.
- Self deletion of binary after crypt process is finished (Windows related). Before crypt process is finished (*NIX related)
- Stop and kill services and processes on loop to avoid interruptions (including AVs, EDRs, SIEMs, blue team tools and defenses related) before and meanwhile crypt.
- Removal of shadow copies and local backups before and after crypt process.
- Windows Defender deactivation through multiple functions before crypt process is started.
- Memory clean after crypt process is finished.
- Highly obfuscated, polymorphic code, anti-reverse methods used, evasion techniques applied, manually crypt binaries (can provide better manually customized evasion depending on attack if needed**), x64 build is UD for most AVs/EDRs in Windows related (x86 build less evasion), FUD for *NIX related.

OS: Windows Server 2008 to 2022+, Windows desktop 7 to 11+, *NIX > Linux, ESXi, NAS, (+)**

EXTRA:
- Will provide unlimited exfiltration servers on demand.
- Can provide a workspace for you when needed and necessary**.
- Can provide our scripts/tools/techniques to perform exfiltration, lateral and deployment when needed.
- Can provide help through post-exp operations when needed or required.
- Our communications with clients are through TOX + mail.
- Leaks blog, control panel and chat not yet available. (Already coded and ready to be uploaded**)
- DDoS/Spam/Social extortion available (only HQ targets**)
- We offer cleaning your crypto when needed.
- 24/7 support for affiliates.

RULES:
- In depth interview needed.
- Prohibited CIS attacks.

ROLES:
- Currently providing corporation targets to be worked.
- Post-exp operators/groups needed.
- Initial access providers/groups needed.
- Extortion/Social experts needed.

CONDITIONS:
- We take 10% if you provide target + post-exp.
- We take 40% if we provide target + ransomware + extortion + negotiations**.

** = needs to be previously discussed.

Constant updates, upgrades and new versions will be accomplished over time and will also be posted here. We are open for suggestions and appreciate constructive criticisms.




Everest Ransomware Group Claims Access to 400 Million Insurance Customer Records

In a recent dark web revelation monitored by the SOCRadar Dark Web Team, Everest Ransomware Group has added a prominent U.S.-based insurance company, State Farm, to its list of victims. The group claims to have successfully breached State Farm's network and stolen a vast database containing the records of 400 million insurance customers.

Image: Everest Ransomware Group dark web platform (https://image.socradar.com/screenshots/2023/09/04/23638afb-8ebe-474f-bea8-1b1eb1c630bf.png)

Who is Everest Ransomware Group?

The Everest Ransomware group is a cybercriminal group that has been active since December 2020 and has been observed operating on platforms such as XSS Forum and Breached. Everest is known for data extortion, ransomware activity, and significant incidents such as the sale of network access to the Argentina Ministry of Economy.

Image: Everest's announcement on BreachForums about the Argentina Ministry of Economy (Source: Daily Dark Web) (https://image.socradar.com/screenshots/2023/09/04/f3b83418-8d39-40a2-ac58-4b02e5d433ea.png)

The Stolen Data: What's at Risk?

Everest Ransomware Group has not provided specific details about the contents of the stolen database, but it is likely to include a wide range of sensitive information, such as:
- Personally Identifiable Information (PII): names, dates of birth, Social Security numbers.
- Policy Details: information about insurance policies held by customers.
- Payment and Billing Information: credit card details and payment history.
- Vehicle Information (for auto insurance): vehicle identification numbers, make, model, and more.
- Property Information (for home insurance): property values, locations, and other details.

Potential Threats and Misuse of the Stolen Data

The stolen data presents a goldmine for cybercriminals, who may exploit it in various malicious ways:
- Identity Theft: Armed with PII, threat actors can engage in identity theft, committing fraudulent activities in the victim's name.
- Phishing and Social Engineering: Personalized phishing attacks can deceive recipients into revealing more sensitive information or clicking on malicious links.
- Insurance Fraud: Policy details and claims history can be used for fraudulent insurance claims, resulting in financial losses for the insurance company.
- Extortion: High-profile individuals may be targeted for extortion, leveraging the stolen data.
- Targeted Scams: Scammers can pose as insurance agents, offering fake policy upgrades or discounts, thereby tricking customers into making payments to fraudulent accounts.
- Credential Stuffing: Cybercriminals can use stolen email addresses and personal information to gain unauthorized access to other online accounts, especially if individuals reuse passwords.
- Data Brokerage: The stolen data might be sold on the dark web or to other malicious actors, enabling further fraud and illicit activities.
- Fraudulent Loans and Credit Applications: Access to personal and financial data, including credit scores, can lead to fraudulent loan and credit card applications, causing financial losses for individuals and institutions.

Protecting Yourself Against Data Breaches

In light of this breach, individuals should take immediate steps to safeguard their information:
- Monitor financial accounts for suspicious activity.
- Change passwords and enable two-factor authentication for online accounts.
- Be cautious of unsolicited communications and verify their authenticity.
- Report any unusual activity to law enforcement and relevant organizations.

SOCRadar continuously monitors the entire web, including surface and deep/dark web sources, to identify and track Personally Identifiable Information (PII) relevant to your organization, including compromised account credentials, credit card numbers, and other sensitive data. By swiftly detecting such information, SOCRadar helps protect your organization against identity theft, fraud, and data breaches.

Image: SOCRadar Dark Web Monitoring (https://image.socradar.com/screenshots/2023/09/04/f1c9bef6-d3f5-488f-a0ff-a16c67417477.png)

Focusing resources on the most critical security incidents is essential in the ever-evolving threat landscape. SOCRadar's historical precision and extensive database enable analysts to filter through the noise and pinpoint relevant security items. By prioritizing incidents, SOCRadar ensures that your security team can allocate their time and energy where it matters most, mitigating risks effectively.


France’s Decision on Banning Burqa Unveiling New Cyber Attacks

The SOCRadar Dark Web Team closely monitors obscured sections of the dark web to uncover potential threats that could harm global organizations. Here are the findings concerning France.

Hacktivist Groups Launch Coordinated Cyber Attacks Targeting French Critical Infrastructure

In a recent development that has sent shockwaves through the cybersecurity community, hacktivist groups have launched a series of coordinated cyberattacks aimed at crippling critical infrastructure and institutions in France. The attacks, claimed by the Islamic-based hacktivist groups Team Insane PK, Mysterious Team Bangladesh, and Team Herox, highlight the growing sophistication and collaboration among such threat actors on the dark web.

The SOCRadar Dark Web Team, which monitors hidden corners of the internet, has been closely following the activities of these groups. Its reports reveal that the attacks primarily took the form of Distributed Denial of Service (DDoS) attacks, designed to overwhelm the targeted websites and services and render them temporarily inaccessible.

Escalation Triggered by Political Events

Image: Telegram announcement of threat actor (https://image.socradar.com/screenshots/2023/08/31/80779973-a6e3-4263-9d4b-01c2249c51c2.png)

One of the groups, Mysterious Team Bangladesh, made an ominous announcement on August 23 through its Telegram channel, stating its intention to launch cyber attacks on France's critical infrastructure in response to political events unfolding in Africa. This marked the beginning of a series of assaults on various French websites.

The Sequence of Attacks

Image: Team Insane PK claims to have crashed France's official government website (https://image.socradar.com/screenshots/2023/08/31/b59659f9-764f-4638-8ca4-ca43a7528bd1.png)

Shortly after the announcement, Team Herox claimed responsibility for disabling a transportation website through DDoS attacks. Team Insane PK followed suit, asserting that it had rendered the official visa website for France unavailable. The magnitude of these claims, if verified, could significantly impact France's online operations and services.

Rising Tide of Attacks and Solidarity Call

Perhaps the most concerning aspect of this wave of attacks is the escalation observed after August 29. These groups intensified their claims of successful attacks and called on all Muslim hacktivists, activists, and journalists to rally behind their cyber campaign. Their motivation for this increased aggression is reportedly the recent ban on the Burqa in French schools, which has ignited a wave of debate and reactions.

Image: Threat actors' explanation of why they are targeting France and announcements of support (https://image.socradar.com/screenshots/2023/08/31/5d6ca8b5-b1d5-4a4a-9449-74eab25a1e44.png)

The affected websites span various sectors, from transportation and education to commerce and healthcare. Notable targets include the official websites of several French airports, prominent educational institutions, government agencies, and even France's version of Amazon.

Image: Team Insane PK claims to have crashed Amazon France (https://image.socradar.com/screenshots/2023/08/31/2f9f8bbc-594b-4b47-bb32-264e901c757c.png)

Anonymous Sudan Joins Cyber Targeting

In a concerning development, the hacktivist group Anonymous Sudan has turned its attention towards France. Employing tactics similar to those of other hacktivist groups, Anonymous Sudan targets various services within the country.

Image: Anonymous Sudan's announcement (https://image.socradar.com/screenshots/2023/08/31/1dbcfcca-4414-4822-99bd-25295f7be9f1.png)

The Resilience Challenge

As these hacktivist groups continue to exploit the interconnected nature of the digital world, concerns grow regarding the resilience of critical infrastructure to such attacks. While the impact of DDoS attacks is often temporary, their ability to disrupt vital services and create chaos cannot be underestimated.

Enhance your organization's defense against Denial-of-Service (DoS) threats with SOCRadar Labs' DoS Resilience module. DoS Resilience allows you to test your domain's or subnet's ability to resist DoS attacks.

Image: SOCRadar Labs DDoS Resilience (https://image.socradar.com/screenshots/2023/08/31/0ac3849e-6c8f-47ea-82dc-581d5d69a238.png)

LockBit Ransomware Group: Resurgence Amid Alleged Struggles

In a surprising turn of events, the LockBit ransomware group has emerged from a period of relative dormancy to list more than 20 victims within a single day. This rapid resurgence follows widespread discussions about the group's alleged operational struggles, raising questions about the authenticity of their recent actions.

Image: Victims of LockBit shown in the group's dark web platform (https://image.socradar.com/screenshots/2023/08/31/1742cb3e-0e4f-4921-b933-3fb43e344993.png)

Amidst claims of internal challenges, LockBit's recent actions appear to be aimed at disproving these assertions while safeguarding their tarnished reputation. By swiftly revealing a list of victims, including seven prominent French firms, the group seeks to demonstrate its continued capability to execute successful cyberattacks. Notably, the leaked victim list encompasses diverse entities, including French firms operating in construction, automotive, industrial machinery and equipment, transportation, and even a town hall administration.

Who is LockBit Ransomware?

LockBit 3.0 is a Ransomware-as-a-Service (RaaS) group that continues the legacy of LockBit and LockBit 2.0. From January 2020, LockBit adopted an affiliate-based ransomware approach, where its affiliates use various tactics to target a wide range of businesses and critical infrastructure organizations. LockBit has been highly active in deploying models such as double extortion, initial access broker affiliates, and advertising on hacker forums. They have even been known to recruit insiders and run contests on forums to attract skilled hackers; these expansionist policies have drawn numerous affiliates, victimized thousands of entities, and sustained the group's malicious activity.

Image: https://image.socradar.com/screenshots/2023/08/31/261ecdeb-a8a0-4be5-ba59-e455daa8b2cf.png

You can read the "Dark Web Profile: LockBit 3.0 Ransomware" here: https://socradar.io/dark-web-profile-lockbit-3-0-ransomware/


Rhysida Ransomware Group Claims Responsibility for Prospect Medical Holdings Attack

In a harrowing development, the Rhysida ransomware group has stepped forward to take credit for the recent crippling cyberattack that targeted Prospect Medical Holdings, a prominent healthcare organization operating multiple hospitals and clinics across several states. The attack has sent shockwaves through the healthcare industry and raised concerns about the escalating threat of ransomware attacks on critical institutions.

Image: Rhysida ransomware's dark web announcement (https://image.socradar.com/screenshots/2023/08/25/503500c8-7347-453e-989b-c724d4bdf4cc.png)

Attack Details

Prospect Medical Holdings, responsible for managing 16 hospitals and over 165 clinics and outpatient centers, primarily in Connecticut, Pennsylvania, Rhode Island, and Southern California, fell victim to a sophisticated ransomware assault in early August. This attack disrupted vital healthcare services, leaving medical professionals struggling to care for patients and underscoring the vulnerability of crucial healthcare infrastructure to malicious cyber threats.

Rhysida Ransomware Group Claims Responsibility

The Rhysida ransomware group claimed responsibility for the attack approximately three weeks after the initial disruption. The group, which has gained notoriety for its previous attacks on education and healthcare entities, asserted that it had compromised Prospect Medical Holdings' systems.

Image: Screenshots of sample data published by the threat actor (https://image.socradar.com/screenshots/2023/08/25/fb6e727e-3604-4c4a-9a22-ae99927895a1.png)

The threat actor boasted of their extensive haul, claiming that they had accessed and stolen a trove of sensitive information. The stolen data reportedly includes more than half a million Social Security Numbers (SSNs), passports, driver's licenses, patient files encompassing profiles and medical histories, and financial and legal documents.

Ransom Demand and Data Exposure Threat

The Rhysida ransomware group issued a ransom demand of 50 BTC (Bitcoin) to monetize their illicit gains. The threat actor has warned that they will expose the stolen data to the public unless the demanded ransom is paid. They have highlighted the enormity of their loot, revealing that it comprises a staggering one terabyte of unique files alongside a 1.3 terabyte SQL database. The group shared screenshots of purportedly acquired documents as a teaser of the compromised information.

Who is Rhysida?

Rhysida is a Ransomware-as-a-Service (RaaS) group that emerged at the end of May 2023. Despite being a newcomer, the group has quickly established itself as a significant ransomware operation. Their first high-profile attack was against the Chilean Army, marking a trend of ransomware groups targeting Latin American government institutions. On June 15, 2023, the group leaked files stolen from the Chilean Army, which confirmed the group's claim.

Image: https://image.socradar.com/screenshots/2023/08/25/aa1542ed-e36d-4872-9842-8d2e7f8a3672.png

To comprehensively understand Rhysida ransomware and its recent activities, consider exploring the insights provided in the "Threat Profile: Rhysida Ransomware" blog (https://socradar.io/threat-profile-rhysida-ransomware/).

The group positions itself as a "cybersecurity team" that is doing its victims a favor by targeting their systems and highlighting the supposed potential ramifications of the security issues involved.

How Can SOCRadar Help?

SOCRadar offers continuous monitoring of digital assets, promptly generating alarms for any emerging threats. This proactive approach strengthens overall security and ensures prompt detection of potential exposures or vulnerabilities affecting your assets. You can monitor organizational assets and efficiently manage alarms using SOCRadar's Attack Surface Management (ASM) module.

Image: SOCRadar's Attack Surface Management (ASM) module (https://image.socradar.com/screenshots/2023/08/25/3c6af4e6-871f-4d84-8c33-a528fad21173.png)


LockBit Ransomware Targets Australia's Parcel Delivery Company

The LockBit ransomware group, which is under constant surveillance by the SOCRadar Dark Web Team, has reportedly added an Australian-based company to its list of victims on their dark web platform.

Image: LockBit Ransomware's Dark Web Announcement (https://image.socradar.com/screenshots/2023/08/24/3a981a8b-262d-4d1e-acba-f85374545383.png)

The LockBit ransomware group has claimed that they successfully breached the systems of APD Parcel Delivery and subsequently added the company to their list of victims. APD Parcel Delivery is renowned as one of South Australia's most prestigious parcel delivery companies. The company provides a versatile and straightforward solution for the transportation of parcels and freight. Their services span from same-day courier options to express and overnight parcel deliveries, as well as extensive national and break-bulk freight offerings.

To date, LockBit has refrained from disclosing any specifics regarding the volume or nature of the compromised data. However, the threat actors have warned that they will release data related to APD Parcel Delivery if the demanded ransom is not settled by September 12.

Who is LockBit Ransomware?

LockBit 3.0 is a Ransomware-as-a-Service (RaaS) group that continues the legacy of LockBit and LockBit 2.0. From January 2020, LockBit adopted an affiliate-based ransomware approach, where its affiliates use various tactics to target a wide range of businesses and critical infrastructure organizations. LockBit has been highly active in deploying models such as double extortion, initial access broker affiliates, and advertising on hacker forums. They have even been known to recruit insiders and run contests on forums to attract skilled hackers; these expansionist policies have drawn numerous affiliates, victimized thousands of entities, and sustained the group's malicious activity.

Image: https://image.socradar.com/screenshots/2023/08/24/505c4fe0-be07-49da-999e-1e6d57aed3d8.png

You can read the "Dark Web Profile: LockBit 3.0 Ransomware" here: https://socradar.io/dark-web-profile-lockbit-3-0-ransomware/

Find Indicators of Compromise on SOCRadar

SOCRadar continuously monitors threat actors and malware, offering comprehensive insights encompassing their latest mentions, activities, and indicators of compromise (IOCs). Users can access this information through the Threat Actor Tracking feature of SOCRadar.

Image: Threat Actors on SOCRadar platform (https://image.socradar.com/screenshots/2023/08/24/e76254d4-0b31-4da7-b257-51cd2e45cd37.png)

By harnessing the power of SOCRadar, organizations can obtain actionable intelligence and define use cases more effectively to facilitate the detection and prevention of malicious activities, bolstering their cybersecurity defenses. Furthermore, SOCRadar's External Attack Surface Management (EASM) functionality provides timely alerts regarding potential threats to digital assets, ensuring your organization is not exposed to attacks.

Image: Company Vulnerabilities on SOCRadar platform (https://image.socradar.com/screenshots/2023/08/24/52bf9f83-4f21-4eff-81b7-f799874c7bbd.png)


2 Ransomware Groups Shared Collective Victim Listings, Attacks are Getting More Frequent.

BlackBasta Ransomware Group Adds 20 New Victims to Their Dark Web Portal

In a world where cybersecurity threats are an ever-present danger, new claims have emerged that send a cautionary reminder to organizations worldwide. The BlackBasta ransomware group, known for its malicious activities, has recently claimed to have added 20 new victims to its dark web platform, spanning the USA (12), Germany (6), the Netherlands (1), and India (1), alleging that their systems have been infiltrated.

Image: BlackBasta's Dark Web Platform (https://image.socradar.com/screenshots/2023/08/18/3c6d21ee-0af9-4803-a7c8-e24255499821.png)

United States
- Twin Towers Trading Inc
- SynQuest Laboratories
- Alliance Solutions Group LLC
- Winger Companies
- Lehigh Construction Group Inc
- Phillips Staffing
- Shield Packaging Co Inc
- Adams Bank & Trust
- Arrow Aviation
- Raleigh Housing Authority
- Andromeda Systems Incorporated
- Estech Systems Inc

Germany
- Deutsche Leasing Gruppe
- Heidelberg Materials
- SELLWERK
- Bühnenbau Schnakenberg
- Maxim Markenprodukte GmbH & Co. KG
- DELTEC Automotive GmbH & Co. KG

Netherlands
- Van der Ven Auto's

India
- Prestige Group

The threat actor, BlackBasta, has shared explicit examples of the data it claims to have compromised. The disclosed data includes highly sensitive information such as identity photos, driver's license photos, credit card photos, bank documents, as well as official and confidential documents.

Metaencryptor Team's Ransom Claims

Another batch of ransomware victim listings came from Metaencryptor Team. The group, which posted its manifesto (shown in the figure below) in 2022, resurfaced this week after more than a year of silence and added 12 companies to its victim list on August 16; although the attacks date from different times, the victims were listed in one go.

Image: Metaencryptor Team's data leak blog (https://image.socradar.com/screenshots/2023/08/18/969a25d0-299a-48c6-a2af-ab4d9cb427c2.PNG)

On the leak site, which has both onion and clear web links, the chat logs can be viewed, and the leak files can be browsed. Their victims are as follows:
- Münchner Verlagsgruppe GmbH, Germany
- Schwälbchen Molkerei AG, Germany
- Heilmann AG, Germany
- ICON Creative Studio, Canada
- CVO Antwerpen, Belgium
- Autohaus Ebert GmbH, Belgium
- Kraiburg Austria GmbH, Austria
- Seoul Semiconductor Co Ltd, South Korea
- Bob Automotive Group GmbH, Germany
- Coswell SpA, Italy
- Epicure, Canada
- Dillon Supply Company, US

Use SOCRadar Platform to Track Threat Actors

The Threat Actor/Malware tab within the SOCRadar Platform offers extensive capabilities to delve into the subject matter. Through this tab, you can conduct thorough research, gathering insights and in-depth information about the threat actors. Furthermore, it enables you to access and retrieve IoCs, providing valuable data points that help identify potential threats and compromised elements.

Image: SOCRadar Cyber Threat Intelligence Module, Threat Actor Tab (https://image.socradar.com/screenshots/2023/08/18/1f54e321-e0b7-415d-be91-ae62095a2cc4.png)


NoEscape Ransomware Claims to Have Breached an Australian Organization's System

The NoEscape ransomware has evolved, and it is becoming a severe threat that can no longer be ignored. Just recently, SOCRadar's Dark Web Team discovered that NoEscape targeted .au Domain Administration Limited (auDA), a non-profit organization responsible for Australia's .au top-level domain.

Image: NoEscape dark web platform (https://image.socradar.com/screenshots/2023/08/18/d29a39b6-4bf3-4047-b5ca-537c31570deb.png)

NoEscape claims to have stolen more than 15 GB of sensitive data, including legal documents, personal information, medical reports, bank account access, and much more. They have not shared any examples of the data.

NoEscape Affiliate Program

On May 22nd, a SOCRadar dark web analyst detected a post introducing the "NoEscape Affiliate Program." The threat actor behind the program developed ransomware in C++, showcasing advanced encryption methods such as the ChaCha20 and RSA algorithms. The software supports Windows safe mode, incorporates an automated TOR admin panel, and is compatible with various Windows versions, Linux distributions, and ESXi. However, the program excludes CIS (Commonwealth of Independent States) countries.

Image: A screenshot from SOCRadar Dark Web News (https://image.socradar.com/screenshots/2023/08/18/bc76c9e1-48a0-49dc-9b45-1944e6c6fc83.png)

The affiliate program's escalating percentage-based payout structure, ranging from 75% to 85%, also caught our attention. This indicates a planned, scalable approach to extending the ransomware's reach and effectiveness.

Why You Should Care

The continuous evolution of NoEscape's complexity and reach is not just a matter of concern for organizations in Australia. The ransomware's new capabilities demonstrate an increasing threat that we must all recognize and confront. The breach of auDA is a stark reminder that we must remain vigilant and proactive in implementing robust cybersecurity measures. We must also stay informed about the latest developments in the cyber threat landscape.

What Can We Do?

It is not enough to simply react to these threats. We must take proactive steps:
- Monitor and Assess: Keep an eye on suspicious activities and potential threats. Regular assessments can identify vulnerabilities before they become a problem.
- Upgrade Security Protocols: Implement advanced security protocols that can counter sophisticated encryption methods.
- Educate and Train: Make sure that everyone within the organization understands the risks and knows how to recognize potential threats.

Enhancing Vulnerability Management and Digital Asset Protection with SOCRadar

At SOCRadar, we have designed our Vulnerability Intelligence to give you full support in effectively managing vulnerability issues and prioritizing essential patches. Our platform lets you easily search for and access detailed information about vulnerabilities, helping you stay ahead of potential threats.

Image: SOCRadar Vulnerability Intelligence (https://image.socradar.com/screenshots/2023/08/18/6e5f3d76-1e11-4002-ae3c-aedef3adc186.png)

Furthermore, our External Attack Surface Management (EASM) is a key player in safeguarding your digital assets. Through this advanced system, we carefully discover and monitor your digital landscape. We will quickly let you know if any issues arise that might pose a security risk. With SOCRadar, you can trust that we are here to provide proactive protection for your online presence.

Image: SOCRadar Company Vulnerabilities (https://image.socradar.com/screenshots/2023/08/18/9e5735b8-66f6-43f8-884b-ac3fbccdd43d.png)


Medusa Team Claims to Have Breached Postel SpA Systems

In an alarming move, the notorious Medusa Team ransomware group has announced that it has successfully breached the systems of Postel SpA, a key player in Italy's document management services and data-driven marketing communications sector. This breach is a chilling reminder of the relentless advancement of cyber threats that continue to plague businesses worldwide.

Image: Medusa Team dark web platform (https://image.socradar.com/screenshots/2023/08/16/75238499-cae3-456d-ae42-85ec4cea88af.png)

The announcement of this cyberattack was made on Medusa Team's dark web platform, where they not only declared their infiltration of Postel SpA's systems but also showcased some of the data they claim to have stolen. This data includes sensitive identity documents such as passports, as well as e-mails and administrative documents. According to the threat actors, a ransom of $500,000 has been demanded for the deletion of this stolen data. The group has even set a timer for August 24, after which they claim they will publish all the stolen information if their demands are not met.

Who is the Medusa Team?

Medusa Team has become a name synonymous with cyber terror, engaging in ransomware activities and targeting various organizations across the globe. Their modus operandi usually involves breaching systems, stealing sensitive data, and then demanding a hefty ransom for the deletion of this data.

Mitigate Ransomware Threats with SOCRadar

SOCRadar Extended Threat Intelligence (XTI) provides its users with the most recent feed. The platform continuously tracks both existing and emerging threats and alerts your organization in the event of any impact. You can view information about threat actors, updates in their activity, and all malware threats on the Threat Actors tab on the SOCRadar platform.

Image: SOCRadar Threat Actors tab (https://image.socradar.com/screenshots/2023/08/16/5879c7eb-d522-492c-a418-7f99f8370345.png)


Cl0p Ransomware Gang Leaks Data Allegedly from 16 Organizations

The Cl0p ransomware gang, which is regularly monitored by the SOCRadar Dark Web team, continues to come up with a new series of threats and announcements. The latest announcement was made on the Cl0p ransomware gang's dark web platform. The gang announced that it had published sensitive data on its torrent site, which it claimed belonged to 16 organizations it had added to its victim list.

Image: Cl0p ransomware gang's ultimatum (https://image.socradar.com/screenshots/2023/08/16/3365f875-bf14-45fc-a272-072c630aa81c.png)

On August 10, the Cl0p ransomware outfit issued a grim ultimatum, ratcheting up the pressure on its victims. The gang explicitly warned that it would leak data from organizations that failed to engage with them.

First Revelations and Identified Victims Post-Ultimatum

Come August 15, the deadline day for the ultimatum, Cl0p commenced the disclosure of organizations that had not negotiated with its operators. Data alleged to belong to these organizations was posted on the torrent site.

Image: Threat Actor's Announcement on August 15 (https://image.socradar.com/screenshots/2023/08/16/87ce8f2b-30ef-4ff6-98aa-c0d63cce2804.png)

SOCRadar dark web analysts identified the affected organizations, which included household names such as Norton LifeLock (141.57 GB), Stockman Bank (7.03 GB), Baesman (9.10 GB), Siemens-Energy (83.74 GB), The University of California, Los Angeles (53.94 GB), TrellisWare Technologies (334.1 MB), Encore Capital Group (179.6 MB), and Cadence Bank (161.92 GB).

Image: Threat Actor's Announcement on August 16 (https://image.socradar.com/screenshots/2023/08/16/0bf58507-cff5-4191-b925-24d3dee4e149.png)

The ominous revelations continued into August 16, with the threat actor allegedly leaking data from eight more victims. This new wave included organizations such as Cognizant (28.83 GB), Netscout (299.39 GB), Energy Transfer LP (2.79 GB), Level 8 Solutions Ltd (6.11 GB), AutoZone (1.10 GB), Crowe LLP (99.34 GB), Westat (33.48 GB), and visionware[.]ca (18.31 GB).

Image: Cl0p's Torrent site (https://image.socradar.com/screenshots/2023/08/16/354a6a89-79a6-48e1-a2b2-a26440536f02.jpg)

It is imperative to underline that the data was disseminated by a threat actor, and as of now, these are only allegations.

Who is CLOP Ransomware?

CLOP, aka CL0P, Ransomware, a member of the well-known Cryptomix ransomware family, is a dangerous file-encrypting malware that intentionally exploits vulnerable systems and encrypts saved files with the ".Clop" extension. The word clop comes from the Russian word "klop," which means "bed bug," a Cimex-like insect that feeds on human blood at night. A distinguishing feature of CLOP is the string "Don't Worry C|0P" found in the ransom notes.

Image: https://image.socradar.com/screenshots/2023/08/16/d6cb457f-f43d-4c78-862a-3549f39f5a19.png

For a deeper insight into the workings, tactics, and history of Cl0p ransomware, we invite you to explore our comprehensive blog, "Dark Web Threat Profile: CLOP Ransomware" (https://socradar.io/dark-web-threat-profile-clop-ransomware/). Delve into this detailed analysis for more information, and stay informed about this evolving threat landscape.


Beyond the Shadows: Cl0p's Ultimatum and LockBit's Indiscriminate Attacks

Ransomware attacks continue to alarm organizations around the world. The Cl0p ransomware gang posted a new announcement on its dark web platform to further escalate its threat and intensify the pressure on victims. In addition, 14 new victims have been added to the LockBit ransomware list, once again demonstrating the seriousness of the situation.

Cl0p Ransomware: A New Warning and an Ongoing Battle

The aftermath of the MOVEit vulnerability exploited by the Cl0p ransomware gang continues to unfold, with new developments emerging.

Announcement of Cl0p ransomware
https://image.socradar.com/screenshots/2023/08/10/d8278c38-7178-40fa-b5a8-c51e0331a18c.png

The announcement from the Cl0p ransomware group on its dark web portal indicates a strategic move to pressure the companies it has targeted. By posting the names of the companies along with the claim of possessing their sensitive data, the threat actors are attempting to publicize these companies and force them into taking action. The announcement suggests that some companies have not responded to or engaged with the ransomware operators, leading Cl0p to issue an ultimatum: companies that do not initiate contact by August 15th will have their data published on both clear web and dark web platforms.

The goal behind sharing this announcement could be multi-fold:

- Pressure and Leverage: By publicly naming companies and threatening to publish their data, Cl0p is leveraging the fear of reputational damage and potential legal consequences. This pressure could lead some companies to comply with its demands and engage in negotiations.
- Demonstration of Capability: Cl0p is showcasing its ability to breach organizations' security and access sensitive data. This serves as a warning to other potential targets and could create a sense of urgency for companies to enhance their cybersecurity measures.
- Creating Urgency: The specific date mentioned (August 15th) creates a sense of urgency, pressuring companies to make a quick decision rather than delay or seek alternative solutions.

In summary, sharing this announcement may allow Cl0p to put pressure on targeted companies, demonstrate its capabilities, and potentially increase its financial gains through negotiations or compliance. However, it is important for organizations to focus on sound cybersecurity practices and incident response planning to prevent and mitigate such threats. You can read the “Dark Web Threat Profile: CLOP Ransomware” here. (https://socradar.io/dark-web-threat-profile-clop-ransomware/)

LockBit Ransomware: A Global Alarm

The SOCRadar Dark Web team recently uncovered a concerning announcement on the LockBit ransomware's dark web portal. The notorious LockBit 3.0 ransomware group has declared the successful compromise of 14 new victims on its blog site. These victims represent a diverse range of companies from various countries, industries, and sizes.

LockBit ransomware dark web platform
https://image.socradar.com/screenshots/2023/08/10/8e1bd7a6-96a2-4e30-bfc1-1d11ade1e061.jpg

The scope of this revelation paints a stark picture of LockBit's widespread impact. The victims span multiple countries and sectors, showcasing the ransomware's indiscriminate targeting strategy. The list includes a blend of global economic powerhouses and burgeoning economies, highlighting the ransomware's global reach.

- United States (4)
- Germany (3)
- United Kingdom (2)
- Canada (1)
- South Africa (1)
- Thailand (1)
- Egypt (1)
- Turkey (1)

This announcement underscores the relentless evolution of ransomware tactics and the escalating need for robust cybersecurity measures. The LockBit 3.0 group's audacious attack on such a varied pool of victims is a clear indicator of the sophistication of modern cyber threats. It is imperative for organizations across the globe to bolster their security protocols and remain vigilant against the evolving landscape of cybercrime. You can read the “Dark Web Profile: LockBit 3.0 Ransomware” here. (https://socradar.io/dark-web-profile-lockbit-3-0-ransomware/)

Find Indicators of Compromise on SOCRadar

SOCRadar continuously monitors threat actors and malware, offering comprehensive insights encompassing their latest mentions, activities, and indicators of compromise (IOCs). Users can access this information through the Threat Actor Tracking feature of SOCRadar.

Threat Actors on SOCRadar platform
https://image.socradar.com/screenshots/2023/08/10/fe658a48-5962-43df-a409-2f31d9e594f7.jpg

By harnessing the power of SOCRadar, organizations can obtain actionable intelligence and define use cases more effectively to facilitate the detection and prevention of malicious activities, bolstering their cybersecurity defenses. Furthermore, SOCRadar’s External Attack Surface Management (EASM) functionality provides timely alerts regarding potential threats to digital assets, ensuring your organization is not exposed to attacks.

Company Vulnerabilities on SOCRadar platform
https://image.socradar.com/screenshots/2023/08/10/c097a0b4-8dd3-4dd6-972e-aca8249d86e4.png


Play Ransomware Gang Strikes Again: U.S. and Canadian Victims Added to List

The Play Ransomware gang has once again raised alarm bells, claiming new victims from the U.S. and Canada on its dark web platform, as reported by the SOCRadar Dark Web Team.

Recent victims of Play Ransomware
https://image.socradar.com/screenshots/2023/08/02/cc76318e-537d-4d85-b44e-df2891f15cc7.png

The group claims to have successfully breached the systems of five organizations, adding three U.S. and two Canadian companies to its list of victims. The victims come from a variety of industries: a hotel in Florida, an engineering firm in Texas, a law firm in Alaska, a construction company in Ontario, Canada, and a personal care products manufacturer also based in Ontario.

Breaches Across U.S. Entities: Varied Sensitive Data Compromised

Three organizations from the U.S. have fallen victim to this cyber threat group. These victims span a variety of sectors, including a hotel in Florida, a Texas-based engineering firm, and an Alaska-based law firm. The gang allegedly compromised a broad spectrum of sensitive data at the Florida hotel, including private and personal confidential data, client and employee documents, client databases, client scans, and financial records. Similar data breaches reportedly occurred at the Texas engineering firm and the Alaska law firm. Despite these claims, the cybercriminals did not disclose the size of the compromised data or provide examples.

Canadian Organizations Also Targeted

Shifting focus to Canada, the gang asserts that it infiltrated two Ontario-based companies: a construction company and a personal care products manufacturer. The compromised data allegedly includes private and personal confidential data, client and employee documents, as well as financial and tax-related information. Once again, the cybercriminals remained silent about the size of the data breach and did not share any examples of the compromised data.

Who is Play Ransomware?

On June 22, 2022, someone wrote in the BleepingComputer forum that their files had been encrypted with the extension “Play.” Afterward, Trend Micro published an analysis of the new ransomware variant, Play Ransomware. The main target of Play Ransomware is the Latin American region, with Brazil at the top of the list. Even though Play appears to be a new ransomware group, its identified TTPs resemble those of the Hive and Nokoyawa ransomware families. One of the behaviors they share is the use of AdFind, a command-line query tool capable of collecting information from Active Directory. For more information about the threat actor, see the "Dark Web Profile: Play Ransomware" blog. (https://socradar.io/dark-web-profile-play-ransomware/)

https://image.socradar.com/screenshots/2023/08/02/a0da3736-12c9-418a-9099-7e42ea88b656.jpg


Cl0p Ransomware Gang Adds 71 Victims in Single Day

The Cl0p ransomware gang added 71 victims to its rapidly growing list in a single day, according to the latest reports from the SOCRadar Dark Web Team.

A screenshot from Cl0p’s dark web platform
https://image.socradar.com/screenshots/2023/07/27/f907deef-082e-4922-a081-e12117004e52.png

The cybercriminal group, infamous for its strategy of exploiting system vulnerabilities and breaching major organizations, has taken full advantage of the MOVEit vulnerability, leaving a wake of destruction and anxiety in its path. Among the recent victims are some of the biggest names in various industries, including Deloitte, Flutter Plc., and Virgin Pulse. These attacks are part of a growing trend in which cybercriminals turn their attention towards larger and more lucrative targets, including major organizations.

The distribution, by country, of the organizations that the group alleges have had their systems breached
https://image.socradar.com/screenshots/2023/07/27/594ca66c-b9c1-4b8c-9832-2df159dea3ff.jpg

Geographically, the United States has borne the brunt of these cyber onslaughts with 38 victims, followed by the United Kingdom with 7, while Switzerland and the Netherlands each had 3 victims. The grim tally of victims breached due to the MOVEit vulnerability has crossed 500. This chilling statistic is a stark reminder of the importance of timely patching of known vulnerabilities and the implementation of strong cybersecurity measures.

In conclusion, the recent spike in cyberattacks, especially by the Clop ransomware gang, underscores the urgent need for proactive cybersecurity measures. Organizations must consistently patch system vulnerabilities and adopt proactive detection strategies to identify threats before they can be exploited.

How Can SOCRadar Help?

SOCRadar’s Threat Feed and IoC Management module helps organizations manage their threat intelligence feeds and Indicators of Compromise (IoCs).

SOCRadar Threat Feed / IoC tab
https://image.socradar.com/screenshots/2023/07/27/b5b3e393-eb1d-4f70-a4b9-7b4f4e4df929.png

Also, SOCRadar’s Threat Actor Tracking module provides organizations with a comprehensive view of known and emerging threat actors, including their TTPs, IoCs, and infrastructure. This information can be used to identify and respond to threats more quickly and effectively.

SOCRadar Threat Actors tab
https://image.socradar.com/screenshots/2023/07/27/5e04a567-aa22-4a88-9596-58601a795431.png


The Italian Asset Management Company, Azimut, Has Been Targeted in a Ransomware Attack

Italian asset management company Azimut, responsible for managing assets worth over $87 billion, fell victim to a ransomware attack. The hacker group BlackCat, aka ALPHV, has taken credit for the attack and asserted that it acquired approximately 500 GB of potentially sensitive data. The group has demanded an undisclosed sum of money, likely in cryptocurrency, from Azimut. However, the company has chosen not to acquiesce to the ransomware group's demands, as stated in a public announcement on July 24.

BlackCat’s Ransom Announcement
https://image.socradar.com/screenshots/2023/07/26/2b7415e5-2db7-48f4-8dc3-b42302a47d8a.png

BlackCat's ransom letter allegedly includes sensitive photos of customer data, and the group claims to possess comprehensive financial information about numerous clients, such as company reports, stock details, and antique purchases. The hacker group threatens to expose this information unless its demands are met, cautioning Azimut about the severe consequences of not taking it seriously.

Notwithstanding the threats, the asset management company stands its ground and announces its refusal to comply with the attacker's demands. Azimut reassures its customers that their data remains secure and unaffected by the breach. The firm confirms that BlackCat was unable to access any personal or financial information of clients, and that no unauthorized transactions were carried out. To learn more about BlackCat, visit our blog. (https://socradar.io/dark-web-profile-blackcat-alphv/?utm_campaign=SOCRadar%20Blog&utm_source=Platform&utm_medium=SOCRadarBlog&utm_term=DarkWebProfile%3ABlackCat%28ALPHV%29)

Strengthen Your Security with SOCRadar’s Attack Surface Management

As cyber threats continue to rise, it becomes crucial for organizations to identify their publicly accessible assets and be vigilant about potential vulnerabilities in their infrastructure. This awareness enables them to prioritize security measures, fortify exposed assets, and proactively address weaknesses before they become targets for exploitation. By actively managing their attack surface, organizations can bolster their security defenses and minimize the risk of falling victim to cyber-attacks.

SOCRadar Attack Surface Management Module
https://image.socradar.com/screenshots/2023/07/26/6698a8d9-bfad-4941-97ce-c0e8f387d5e8.png


Ransomware Evolution: Cl0p's New Extortion Tactics

The ransomware landscape continues to evolve in troubling ways as groups such as the notorious Cl0p ransomware group become more audacious in their tactics. PwC, one of the world's largest auditing and consulting firms, appears to be one of the recent victims of the group's extortion tactics.

From the Dark Web to the Surface Web

The Cl0p group has apparently adopted a strategy previously seen in the playbook of the ALPHV/BlackCat ransomware group: creating surface web URLs to host and publicize the stolen data. This is a worrying departure from the conventional modus operandi, in which stolen data was typically released on .onion websites on the dark web.

https://image.socradar.com/screenshots/2023/07/19/746d540d-b770-4575-becd-03b2cb4eb49e.png

In the case of PwC, the ransomware group is believed to have released the company's files unencrypted on the open web, making them available to anyone with the URL.

https://image.socradar.com/screenshots/2023/07/19/e2ff1f12-758a-49fe-bc52-5c83d3469962.png

This method of leveraging clear web URLs mirrors the tactics of the ALPHV/BlackCat group, further highlighting the increasingly symbiotic and evolving nature of the cyber threat landscape.

Growing List of Victims

In addition to PwC, the SOCRadar Dark Web Team reported that the Cl0p ransomware group has added 10 new victims to its dark web portal. Eight of these victims are based in the U.S., with high-profile entities such as American Airlines, Jonas Fitness Inc., SMC3, ITT Inc., Allegiant Air, Estée Lauder Inc., Bluefin Payment Systems, and Ventiv Technology on the list. The other two victims are ComReg from Ireland and Ofcom from the United Kingdom.

https://image.socradar.com/screenshots/2023/07/19/e4827d7e-efe2-46e2-856e-50ad916f260c.png

In another worrisome development, the MEDUSA ransomware group has reportedly added two new victims to its dark web portal: Health Springs Medical Center and Nini Collection Ltd., both based in the U.S.

The continuing advancement of ransomware groups and their increasingly daring strategies underscore the significant threat they pose to both businesses and consumers. As these groups continue to innovate, their targets must similarly evolve their defensive strategies. Cybersecurity is not a static field; it is a continual cat-and-mouse game. These incidents serve as a critical reminder for organizations to stay proactive in their defense, regularly updating and testing their cybersecurity infrastructure, and fostering a culture of security awareness among their employees.

Mitigate Ransomware Threats with SOCRadar

SOCRadar Extended Threat Intelligence (XTI) provides its users with the most recent feed. The platform continuously tracks both existing and emerging threats and alerts your organization in the event of any impact. You can view information about threat actors, updates in their activity, and all malware threats on the Threat Actor/Malware tab on the SOCRadar platform.

SOCRadar Threat Actors page
https://image.socradar.com/screenshots/2023/07/19/558d775b-ceca-4f85-8a8a-9c9b195f6ee1.png

