The short-lived RansomedVC ransomware operation is being shopped around by its owner, who is claiming to offer a 20 percent discount just a day after first listing it for sale.
Citing “personal reasons” alongside the desire to avoid “being monitored by federal agencies,” the owner of RansomedVC is looking for someone who wants to carry on the project.
The announcement was made over Telegram on October 30, and the decision to sell at a 20 percent discount to “someone that can be verified or is already verified as a trusted person” followed today.
Included in the undisclosed price is RansomedVC’s ransomware builder, which it perhaps over-confidently claims can bypass all antivirus products and infect every LAN device inside a target network.
The buyer will also supposedly receive access to affiliate groups and social media channels, as well as 37 databases RansomedVC claims are worth more than $10 million collectively.
The Register has tried to contact RansomedVC – which started in August as an underground forum – about the sale but the owner did not respond. Previous Telegram posts have indicated the owner will not speak to journalists.
Some in infosec have speculated that the unusual move to sell a ransomware organization is an exit scam in disguise after the owner allegedly claimed to have made “60k” in previous swindles.
When ransomware organizations shut down, it’s usually done forcibly, or carried out by the owners to evade law enforcement, as was the case with DarkSide following the attack on Colonial Pipeline. It is highly unusual for a ransomware operation to be sold.
The group’s activity has raised eyebrows from the infosec community in recent weeks, from its public conduct to the legitimacy of the attacks for which it claimed responsibility.
For starters, RansomedVC has been posting “nonsense,” as one industry expert put it, in the past few weeks, including an apparent smear campaign against Dragos founder and CEO Rob Lee.
In posts made to the group’s website, Lee was accused of being an offensive threat actor who bought data taken from previous data breaches and used it to secure deals with high-profile clients.
He was also alleged to have tried to use the stolen data he bought to “leverage against the Colonial Pipeline Company” in another difficult-to-believe post.
Lee denied the claims via a LinkedIn post, saying it was just an attack on his reputation and that “criminals lie, even and especially ransomware groups.”
“A criminal is posting that a gas company has been ransomed and included my name in it all to try to get a reputation boost,” he said.
“Pretty confident the gas company wasn’t ransomed and 100 percent positive I wasn’t involved in any capacity to include the incident response. Criminals lie, even and especially ransomware groups. It’s an extortion tactic on reputation harm. Make sure you validate things before jumping to conclusions.”
Some of the major attacks the RansomedVC group has claimed, and built its name on, have also been called into question, including arguably its biggest scalp, Sony.
As we previously reported, Sony did indeed confirm that it had been breached twice this year, but the claim that RansomedVC was responsible for one of them was contested.
Security shop Resecurity also highlighted a similar case following RansomedVC’s claim of the attack on Japan’s largest telco NTT Docomo.
In the cases of both Sony and NTT Docomo, members of BreachForums appeared to leak the data before the ransomware group, raising questions over RansomedVC’s actual role in these attacks.
One possibility is that RansomedVC may have taken other attackers’ stolen data and passed it off as their own. There could also be collusion between the two attackers at play, with the other beating RansomedVC to the first disclosure, or the initial BreachForums leaks coming from RansomedVC under a different alias. ®