January 2025 Deep Web and Dark Web Trend Report
Note
This trend report on the deep web and dark web for January 2025 is divided into two sections: Ransomware, and Dark Web Forums & Markets. We would like to state beforehand that some of the content has yet to be confirmed as true.
Major Issues
1. Ransomware
1.1 CL0P
- Overview
The CL0P ransomware group carried out a large-scale attack exploiting a vulnerability in the Cleo managed file transfer (MFT) platform in mid-December 2024. As a result of this attack, approximately 59 companies across various industries such as chemical, food, and car rental were affected.

Figure 1. Victims of the Cleo MFT vulnerability exploitation listed on the CL0P DLS (dedicated leak site)
- Analysis
The vulnerability exploited in the attack was a zero-day flaw (CVE-2024-50623[1]) found in Cleo’s LexiCom, VLTrader, and Harmony products. This flaw allowed unlimited file uploads and downloads and enabled remote code execution. CL0P has a history of exploiting zero-day vulnerabilities in similar platforms, such as Accellion FTA, GoAnywhere MFT, and MOVEit Transfer, to attack corporate networks.
CL0P threatened to disclose the names of the affected companies if they did not negotiate within 48 hours. On January 18, they threatened to fully disclose the data of companies that did not negotiate, and on January 21, they announced they would release an additional list of companies. Currently, CL0P has created individual victim pages for each affected company.
With over 4,000 companies estimated to use Cleo software, the actual scale of the damage is expected to be larger than currently known.
- Implications
This attack by CL0P highlights the emergence of corporate file transfer platforms as a new attack vector. The group’s consecutive attacks on Accellion, GoAnywhere, MOVEit, and now Cleo MFT indicate the urgent need for companies using similar systems to strengthen their security.
Companies should prioritize applying security patches to file transfer systems, tighten access control for key systems reachable from outside, and establish multi-layered defenses against zero-day vulnerabilities. In addition, encryption and backup policies for critical data should be reviewed, since these platforms hold exactly the data that is exfiltrated and published in such attacks.
1.2 FunkSec
- Overview
FunkSec, a ransomware group that emerged in early December 2024, has rapidly risen to prominence by disclosing over 85 cases of damage in a short period. They claim to have breached more than 200 government and corporate websites, although some of the leaked data appears to be recycled from past hacktivist campaigns.

Figure 2. FunkSec ransomware group’s DLS
- Analysis
FunkSec began its activities in October 2024 and became more active in December. Within the first month of their activities, they demonstrated aggressive behavior by selling access to 15 government websites.
In an interview with the cyber threat community, the group claimed to consist of four members: “Scorpion”, “el farado”, “sentap”, and “MRZ”. However, analysis of their activities suggests that the key member, Scorpion, is likely from Algeria rather than Russia, and el farado has shown technical inexperience by posting basic hacking questions on forums. Additionally, one member is a former administrator of the hacker group GhostSec, and the group owner has a history of running the DarkZone forum with GhostSec. Based on this evidence, security experts believe that FunkSec operates at the intersection of hacktivism and cybercrime, with their primary goal being visibility and recognition rather than financial gain.
The FunkSec group uses the FunkLocker ransomware, developed in Rust, and claims to apply four encryption methods: RSA, AES, Orion, and ChaCha. The latest version, V1.5, of FunkLocker initially showed a low detection rate on VirusTotal; however, analysis by security experts confirmed that it is poorly developed code created with the help of AI.