The notorious ransomware syndicate, Ransomed.vc, has resurfaced with a high-stakes attack on Japan’s telecommunications giant, NTT Docomo. This cyber onslaught follows closely on the heels of a recent data breach at Sony, which investigators suspect may be linked to the activities of Ransomed.vc. The group has made a brazen demand for a staggering $1,015,000 in ransom from NTT Docomo, after Sony refused to meet their earlier demands, leading to the public release of stolen data, according to a report by Resecurity.
Is Japan in the Crosshairs of a New Cyber Threat Wave?
With this renewed attack, concerns are growing over whether Japan is becoming a prime target for cybercriminals. Ransomed.vc, originally just an underground forum in August 2023, has quickly transformed into a formidable ransomware syndicate, catching the attention of cybersecurity experts worldwide.
From Underground Forum to Cyber Threat Powerhouse
Initially, Ransomed.vc focused on activities such as data leaks, access brokerage, vulnerabilities, exploits, and other cybercriminal tradecraft. Its credit system, which rewarded members based on their contributions, encouraged the sharing of valuable information, particularly compromised data, combo lists with credentials, and personally identifiable information (PII).
Exploiting GDPR and Data Protection Regulations
As the group’s operations evolved, they adopted an unconventional approach to extortion, branding themselves as “a leading company in digital peace tax.” This method involved exploiting GDPR laws and data protection regulations to coerce European Union-based victims into paying ransoms. Failure to comply would lead to the public release of stolen information, resulting in GDPR fines. The group argued that paying the ransom was a lesser expense compared to potential fines and the subsequent financial and reputational damage from regulators.
Establishing an Affiliate Program
Ransomed.vc has also set up an affiliate program, inviting others to monetize compromised access to enterprise networks, albeit with some limitations. Notably, attacks on critical infrastructure are off-limits, though exceptions can be made with special confirmation from administrators. This move suggests a network of cybercriminals and compromised access suppliers forming around the syndicate.
Sony Data Breach Exposes Vulnerabilities
The recent Sony data breach has exposed the extent of Ransomed.vc’s activities. Stolen files, including source code, internal presentations, and confidential information, were exposed. The breach appears to involve an engineer’s workstation and references to SVN repositories. While the breach’s scope may not encompass all systems as initially claimed, the authenticity of the exposed artifacts is evident.
Amplifying the Leak
What adds intrigue to the situation is that the breach was amplified by an individual known as BorisTulev, who claimed to be a Ransomed.vc affiliate. On September 23, 2023, the group released a new archive containing 2.4 GB of data, revealing fresh sensitive details behind the incident, including compromised credentials and an SSH private key. Interestingly, the leaked data points to an IP address related to one of NTT DOCOMO’s data centers.
Premature Move or Intentional Strategy?
The announcement of the attack on NTT DOCOMO was dated September 26, but a day earlier, on September 25, BorisTulev had already published information about the victim on the Dark Web forum, leading to his immediate ban from the platform. This raises questions about whether this was an intentional strategy by Ransomed.vc or a premature move by BorisTulev. Notably, the actor’s profile indicates a South Slavic ethnic background, specifically Bulgaria, adding to the intrigue surrounding their origin.
Pressure Support: Motivation Over Profit
The Security HUNTER (HUMINT) team has reached out to Ransomed.vc via TOX (TOR IM) regarding the Sony breach and NTT DOCOMO. The group claims to possess 240 GB of stolen Sony data, which they are willing to sell for a relatively low price, starting at $10,000 in BTC. Their primary motivation appears to be public shaming rather than profit, a tactic known as “pressure support” to compel victims into arranging payments.
Interconnected Cybercriminal Activity
Ransomed.vc’s links to the Telegram account @EOMLOL, as identified in their source code, raise further concerns. This account’s reference to Blackforums[.]net, another underground forum focusing on data breaches, suggests a web of interconnected cybercriminal activity. Blackforums[.]net also features actors with ties to Ransomed.vc, pointing to a complex ecosystem of cyber threats.
The Emergence of a “Five Families” Alliance
Furthermore, a recent development involves the creation of a “Five Families” alliance, composed of groups previously involved in large-scale cyber incidents. This alliance, which includes STORMOUS, GhostSec, SiegedSec, ThreatSec, and others, indicates a shift from hacktivism to ransomware operations, with a focus on collaborating and recruiting new members to scale their operations.
Ongoing Threat and the Need for Vigilance
The Resecurity team continues to monitor Ransomed.vc’s actions closely; meanwhile, the group claims to possess unreleased data breaches affecting U.S.-based corporations, government entities, and European targets. This ongoing threat emphasizes the importance of proactive surveillance and threat intelligence gathering to protect against evolving cyber threats.
In the face of these escalating cyber threats, it is evident that vigilance and cooperation among cybersecurity experts and organizations are crucial to mitigate the potential damage caused by groups like Ransomed.vc. As the world becomes increasingly interconnected, the need for robust cybersecurity measures has never been more pressing.