December 2024 Deep Web and Dark Web Trend Report

Note

This December 2024 trend report on the deep web and dark web is divided into three sections: Ransomware, Forums & Black Markets, and Threat Actors. We would like to state beforehand that some of the content has yet to be confirmed as accurate.


Major Issues

1.  Ransomware


1.1. RansomHub

RansomHub is a ransomware group whose activities have been detected since February 2024. As the end of 2024 approached, the group increased the frequency of its attacks, making its presence felt. In December, it repeatedly attacked major Korean manufacturing companies, demonstrating advanced attack capabilities. The group has evolved from simple system encryption to targeted attacks focused on data theft, with companies that possess industrial technology and confidential information as its main targets.


  • Analysis of Damage Cases
 

The RansomHub gang claimed to have stolen 58 GB of data from the internal network of a global metal manufacturing company in Korea. The reportedly leaked data includes financial records, human resources-related information, tax documents, operational data and other key company information. In particular, the leaked data includes information on the company’s partners, such as purchase orders, raising concerns about potential secondary damage throughout the supply chain.


Figure 1. Victim company posted on RansomHub DLS


It is worth noting that after the victim was posted on RansomHub’s dedicated leak site (DLS) in early December, the threat actor “zaime” also exposed the company’s data on BreachForums. The sample screenshots posted on BreachForums were confirmed to be the same as those posted by RansomHub, but whether the full leaked data sets are identical still needs to be confirmed. This situation indicates the risk that stolen data may be distributed more widely across the dark web than the original leak site alone.



Figure 2. Company affected by the breach posted on BreachForums


  • Breach Incident on Company A


Hanwha Cimarron, a U.S. high-pressure tank company acquired by Hanwha Solutions (a subsidiary of Hanwha Group) in December 2020, became a target of RansomHub’s attack. This incident is a recent case in a series of ransomware attacks on the overseas affiliates of Hanwha Group. In September 2023, Hanwha Q CELLS’s Chinese subsidiary had approximately 800 GB of data leaked due to LockBit ransomware. In April 2024, Hanwha Azdel, the U.S. subsidiary of Hanwha Advanced Materials, had approximately 1 TB of data leaked due to Black Basta ransomware.


Figure 3. Victim company posted on RansomHub’s DLS


This pattern of consecutive attacks suggests that factors beyond simple security vulnerabilities may have been at play. While LockBit, Black Basta, and RansomHub are different gangs on the surface, it is possible that their affiliates have moved between groups on the dark web, or that corporate initial access has been traded through initial access brokers. In particular, it is presumed that information stolen in the previous attacks, such as network structures, VPN access details, and business relationships between affiliates, was used as the initial access point for subsequent attacks.

Of particular concern is the structural weakness of overseas subsidiaries. Because of their business connections with headquarters, subsidiaries often share network access rights with the parent company and with each other. As a result, a security breach in one subsidiary may lead to a chain of breaches in other subsidiaries. This structure likely motivated ransomware gangs to repeatedly target subsidiaries of a specific business group.


  • Threat Analysis and Key Points


The gang targeted companies in the global supply chain, in particular manufacturers that hold key technologies or companies with overseas branches. Analysis indicates that the threat actors targeted information vital to the affected companies’ global competitiveness.

The ransomware gang employed a double extortion strategy, exfiltrating data before encrypting systems so that the threat of publication remains even if the victim can restore from backups. In particular, they demonstrated advanced attack capabilities by precisely identifying and selectively stealing key company data rather than copying data indiscriminately.