Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets in August 2024
Note
This trend report on the deep web and dark web of August 2024 is sectioned into Ransomware, Forums & Black Markets, and Threat Actor. We would like to state beforehand that some of the content has yet to be confirmed to be true.
Major Issues
1) Ransomware
(1) Dispossessor
The Dispossessor ransomware gang started its activities in August 2023 and made a full appearance in the ransomware ecosystem by February 2024. This gang is also known by the name Radar and was led by a leader with the nickname Brain. One of the key characteristics of Dispossessor is its similarity to the LockBit group. After LockBit’s main domains were seized in a large-scale crackdown by global law enforcement agencies, Dispossessor quickly rose to prominence, imitating LockBit’s DLS (Dedicated Leak Sites) structure and content.
In February 2024, Dispossessor appeared on the dark web, announcing that they could download and sell data that had previously been leaked by the LockBit or Snatch gangs. This gang appears to follow a Ransomware-as-a-Service (RaaS) model, but it seems they do not actually have ransomware features. Instead, they seem to function more as data brokers.
They primarily targeted small to mid-sized businesses and organizations across various countries, including the United States. Using a double extortion model, they encrypted victims’ data and then threatened to publicly release it, demanding ransom. They exploited vulnerable computer systems, weak passwords, and the absence of two-factor authentication to gain access to the victim companies’ systems. After obtaining administrator privileges, they encrypted the data.
On August 12, 2024, the FBI, through an international cooperative investigation, seized the servers and websites of the Dispossessor ransomware gang. This investigation was conducted in cooperation between the FBI’s Cleveland office, the UK’s National Crime Agency (NCA), the Bavarian State Criminal Police Office (BLKA), and the Bamberg Public Prosecutor’s Office in Germany. Servers and domains spread across the United States, the UK, and Germany were seized.
Figure 1. Before and after Dispossessor DLS was seized (left: before domain was seized; right: after domain was seized)
As a result of the investigation, it was reported that a total of 43 companies had been targeted by this gang. The affected companies were located in various countries, including Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, India, Peru, Poland, the United Arab Emirates, and the United Kingdom. The Dispossessor gang targeted companies across various industries, including education, healthcare, financial services, and transportation.
Through this investigation, three servers in the United States, three in the United Kingdom, and 18 in Germany were seized, along with eight U.S.-based domains and one German-based domain. This case underscores the importance of international cooperation in combating ransomware threats. However, considering the ongoing changes and adaptations within the ransomware ecosystem, continuous monitoring and response from law enforcement agencies will likely be necessary.
(2) El Dorado
El Dorado is a relatively new ransomware gang that is believed to have formed around March 2024. Their existence became publicly known in June 2024 when their DLS (Dedicated Leak Site) was discovered. Given that multiple victim company details were already made public at the time of the DLS discovery, it is likely that they had been operating secretly for several months prior.
El Dorado is known to use technologically advanced ransomware tools. They appear to possess unique encryption technology that allows them to encrypt both Linux and Windows systems. This could mean their attack target is broad and that they can target a variety of systems.
An analysis of the list of victim companies associated with this gang reveals that they primarily target businesses and local government agencies within the United States. However, their attack targets are not limited to specific industries and are quite diverse. Victims include public institutions, operations/consulting companies, veterinary education/research institutions, maritime transportation firms, golf courses, construction/architecture companies, and factory automation enterprises.
The developers of El Dorado are believed to be Russian-speaking, inferred from linguistic features within the ransomware code and their communication patterns. Additionally, it has been confirmed that they actively advertise their gang on RAMP, a cybercrime forum primarily used by Russian speakers.
El Dorado has adopted a Ransomware-as-a-Service (RaaS) model. This model allows cybercriminals to execute ransomware attacks through a partner program, and El Dorado has been particularly focused on recruiting penetration experts (hackers) to expand their gang. In March 2024, a new partner program advertisement was posted on the Russian-speaking RAMP forum, actively seeking to recruit penetration experts to join the gang.
Recently, the El Dorado ransomware gang compromised a DevOps consulting firm located in Korea and posted the victim company on their dedicated leak site (DLS).
Figure 2. Victim companies listed on El Dorado DLS 1
The victim company was an IT solutions firm that primarily provided consulting, guidance, training, and technical support services using products such as Atlassian, SonarQube, and Freshworks.
The gang leaked 23GB of data from the company and published the victim’s website address, phone number, and revenue on their DLS. They also included a chat link for negotiations. This breach has sent significant shockwaves through the domestic IT services industry, particularly in the DevOps and business collaboration solutions sectors, highlighting the urgent need for enhanced security measures among similar businesses.