Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets in July 2024


Note

This trend report on the deep web and dark web for July 2024 is divided into three sections: Ransomware, Forums & Black Markets, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed as true.

Major Issues

1) Ransomware

(1) Brain Cipher

Brain Cipher is a new ransomware gang that emerged in mid-June 2024. The gang runs its dedicated leak site (DLS) on the Tor network and is known to use a ransomware variant derived from the LockBit 3.0 builder.

The gang’s first attack targeted Indonesia’s national data center on June 20th, 2024, impacting over 200 government agencies. Although the gang encrypted a large amount of data, leaked it, and threatened the victims, it also provided a decryption tool free of charge, which was unexpected and unusual. The gang tried to justify the attack by calling it a “penetration test” and denied any political motives. At the same time, it emphasized the importance of financing the industry and recruiting specialists.

Brain Cipher also adopted an unusual communication strategy, publishing two statements on its DLS after the attack, one of them in FAQ format. In the statements, the gang tried to assert the legitimacy of the attack and cast the government and the media in a negative light by criticizing the government, attempting to steer public opinion, sowing distrust of the media, and so on. The statements revealed the gang’s intention to justify its actions and manipulate the responses of the public and the government.

The gang also showed that there was a business side to the attack, selling ad space on its DLS for large sums and requesting donations in cryptocurrency. It also stressed that the free decryption tool offered after the attack on the Indonesian National Data Center would be a one-time exception and that it would not be so generous in future cases. The group also announced that it would delete all of the leaked data once the government agencies completed decryption.


Figure 1. Indonesian National Data Center information uploaded on Brain Cipher’s DLS

Security specialists generally do not trust the promises made by ransomware operators, as there is no valid reason to trust a criminal group that has already committed illegal acts. It is also very likely that the threat actors have already copied the data, so “permanent deletion” may be an empty promise. Moreover, a system whose vulnerability remains exposed is likely to be attacked again in the future. Since the main purpose of a ransomware attack is financial gain, deleting the data goes against the threat actors’ interests, and the promise to give up the obtained data is therefore unlikely to be kept.

Brain Cipher’s emergence and activities represent a new cybersecurity threat. Accordingly, its complex motives and strategies, as well as its unpredictable behavior patterns, must be continuously monitored.

The gang’s promise to delete the data may also be a strategy to avoid liability. In conclusion, rather than relying on promises made by threat actors, security experts are advised to establish comprehensive security measures such as building a robust backup system, remediating security vulnerabilities, monitoring the dark web with threat intelligence, using security products, and holding security awareness training for employees.

(2) Hunters International

Hunters International was first observed in October 2023. Some members of the cybersecurity community believe that the ransomware code used by this gang shares a 60% similarity with the Hive ransomware, whose infrastructure was dismantled by law enforcement agencies in January 2023. In response, the gang claimed that it was not related to Hive, stating on its DLS that it had only purchased the source code from the Hive gang. Based on this claim, there is suspicion that Hunters International may be active in the regions where the Hive ransomware group previously operated. Hunters International develops its ransomware in Rust, which is portable across platforms. After exfiltrating and encrypting the victim’s data, the gang demands a ransom in a double extortion scheme. It mainly targets companies and organizations in the US, the UK, Germany, and Namibia, across various industries including healthcare (hospitals).

One of the main characteristics of Hunters International is that it sorts the stolen data into categories and releases them one at a time. The data is typically organized into 8 to 15 categories, each revealed at a set interval. When the negotiation with the victim does not go as the gang intends, it ultimately releases all of the data. Each data set is uploaded to the gang’s DLS in order, and the next set to be uploaded is shown with a countdown timer. The remaining sets are labeled “upcoming,” indicating that they will be released soon. Each data set is accompanied by a sample screenshot, and when the set is released, the original screenshot and all of its files become available. Another notable characteristic is that when negotiation with the victim succeeds after the first data set has been revealed, the gang does not release the remaining data and deletes what has already been published. This systematic, phased leak strategy appears intended to exert maximum pressure on victims so that they comply with the gang’s demands.

In April 2024, Hunters International breached a global optical and medical technology company in Japan. After leaving the company unlisted on its DLS for some time, the gang abruptly listed the victim on July 16th and, after a while, released all of the leaked data.

Figure 2. A company listed as a victim on Hunters International’s DLS