Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets of March 2024


Notice

This trend report on the deep web and dark web of March 2024 is sectioned into Ransomware, Forums & Black Markets, and Threat Actors. We would like to state beforehand that some of the content has yet to be confirmed to be true.

Major Issues

1. Ransomware

1.1. ALPHV/BlackCat Is Gone

In late February, the ransomware gang ALPHV/BlackCat breached the data of Change Healthcare in the United States. Change Healthcare is a major healthcare technology company that provides prescription-related services to pharmacies across the US. The disruption from the February data breach lasted for about two weeks. The American Hospital Association (AHA) assessed this as “the most serious cyberattack in history on the nation’s healthcare system.” Following the attack, the victim paid the ransom, but the BlackCat operator did not distribute the affiliate’s share of the profit. Disputing this decision, the affiliate publicly accused the BlackCat operator on a cybercrime forum.

Even after the law enforcement operation last December, the ALPHV/BlackCat gang reappeared.[1] However, it was recently revealed that the ransom extorted through the breach of Change Healthcare in the US had not been paid out to the affiliate. The ransom paid by Change Healthcare was about $22 million.

The previous and current BlackCat DLS addresses both displayed a banner stating that the site had been seized by law enforcement authorities. Neither address is currently reachable. The banner was identical to the one law enforcement uploaded after the operation last December. However, law enforcement authorities such as Europol stated that they were not involved, revealing the banner to be fake. This leads to the assumption that the gang’s operators carried out an “exit scam.”

Figure 1. The fake law enforcement seizure banner on the BlackCat DLS

The gang’s operators also signaled an intention to sell their source code through their status message on the TOX messenger. The message in Russian reads “Все выключено, решаем,” which translates to “Everything is off, we decide” in English.

Figure 2. BlackCat administrator’s TOX messenger status (Source: Menlo Security)

An “exit scam” is a strategy in which a criminal operation shuts down while simultaneously stealing the funds of its partners, only to start anew. ALPHV/BlackCat’s recent actions appear to follow this pattern, which is well known among security specialists, and some argue that the rise in Bitcoin value makes this an opportune moment for such a move.

While the ALPHV/BlackCat gang may disappear completely as a result of this incident, it may also reemerge under a new name. The gang already has a history of rebranding from DarkSide to BlackMatter and then to ALPHV/BlackCat, and the recent incident may mark the beginning of another such transition. Cases like this help people better understand ransomware and cybercrime, and in turn help organizations establish stronger security strategies, prevent ransomware attacks, and minimize damage.

1.2. RansomEXX Claims Attack on Peruvian Ministry of Defense

The RansomEXX gang first appeared in late 2020. According to the security company SentinelOne, the gang has attacked many large organizations, including the Texas Department of Transportation and Group Atlantic.[2] RansomEXX is known for targeting large corporations and high-value targets. It mainly launches attacks against the government and healthcare sectors, as well as high-value manufacturing companies. The gang gains initial access through phishing and spear phishing emails and is also known to leverage exposed and vulnerable applications and services such as Remote Desktop Protocol (RDP).

The Peruvian Ministry of Defense was listed as a victim on the RansomEXX DLS on March 24th, 2024. The attack resulted in data from the ministry being exfiltrated and exposed. The ransomware gang uploaded 763.8 GB of data. Currently, there is limited information on the types of data that were leaked. The Peruvian Ministry of Defense is the government department responsible for protecting Peruvian national security on land, at sea, and in the air. It commands the Peruvian armed forces, consisting of the army, navy, and air force.

Figure 3. Peruvian Ministry of Defense uploaded as a victim on the RansomEXX DLS


[1] https://atip.ahnlab.com/intelligence/view?id=9ee3e628-732c-4f0a-95ea-b966b0450e34

[2] https://www.sentinelone.com/anthology/ransomexx/