Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets in June 2024


Note

 

This trend report on the deep web and dark web for June 2024 is divided into three sections: Ransomware, Forums & Black Markets, and Threat Actor. Please note that some of the content has not yet been confirmed to be true.

 

Major Issues

 

1.    Ransomware

 

(1) DarkVault

 

The DarkVault ransomware gang was first discovered in April 2024. It copied the website design of the LockBit ransomware gang’s Dedicated Leak Site (DLS), giving the impression that the two gangs were related. However, DarkVault is not the first cybercrime group to copy LockBit. Some cybercrime groups actually use the LockBit name, branding, and leaked ransomware builder in their attacks.

The LockBit 3.0 ransomware builder (also known as LockBit Black), which was leaked by one of the LockBit developers in 2022, is being used by many threat actors in their attacks. It has not been confirmed whether DarkVault is also using this builder, but some groups use it with minimal modifications (e.g., just adding a personal message) or as the basis for a new ransomware variant. Currently, DarkVault is considered simply a copycat of LockBit.
 


Figure 1. Smart farm startup listed as a victim on the DarkVault DLS

On June 10th, 2024, a Korean smart farm startup (a developer of IoT devices and solutions for the fields of livestock, agriculture, and environment) was listed as a victim on the DarkVault DLS. The gang proposed a negotiation period of about a week and is likely to release the exfiltrated data if the victim does not agree to negotiate within this period or if the two sides fail to come to an agreement. This double extortion tactic, in which data is exfiltrated before it is encrypted with ransomware, is frequently employed by ransomware gangs.

 

(2) Qilin

 

Synnovis[1] is a medical diagnostic service provider based in London, the United Kingdom. It operates as a partnership with SYNLAB UK & Ireland, Guy’s and St Thomas’ NHS Foundation Trust, and King’s College Hospital NHS Foundation Trust. It provides over 32 million cases of expert pathology services and diagnostic testing for more than 1.7 million residents of southeast London. These services provide important diagnostic support for hospitals, general practitioners, and other NHS medical service providers.

On June 3rd, 2024, the entire Synnovis IT system failed. The incident affected all Synnovis services and halted services at some medical institutions, including hospitals that have partnerships with the company. The next day, Synnovis’s CEO Mark Dollar officially announced that the incident was due to a ransomware attack. He also explained that patients were affected by the attack and that, because emergency recovery tasks were being given priority, some appointments had to be canceled or transferred to another provider. In particular, the blood transfusion system suffered issues, so operations and procedures that needed blood transfusions at Guy’s and St Thomas’ Hospital and King’s College Hospital had to be canceled.

On June 6th, Synnovis said that medical checkups for regional care service users in the Bromley, Southwark & Lambeth, Bexley, and Greenwich and Lewisham areas of South East London were being run manually. It also announced that only a very limited number of tests were being run and that, aside from emergency cases, all bloodwork processes were suspended.

 


Figure 2. An official statement published after the cyberattack against Synnovis

 

Ciaran Liam Martin, the first CEO of the UK’s National Cyber Security Centre (NCSC), announced that the recent cyberattack seems to have been launched by the ransomware gang “Qilin.”[2] Martin implied that, because the gang launched the attack with financial motives, paying the ransom could resolve the problem. However, the UK maintains a policy of not paying ransoms, so the issue is likely to persist.

 


[1] https://www.synnovis.co.uk/

[2] https://www.bbc.co.uk/sounds/play/m001zv04