Skip links

Strangely enough, no one wants to buy a ransomware group that has cops’ attention

Short-lived ransomware outfit Ransomed.vc claims to have shut down for good after a number of suspected arrests.

The announcement comes just weeks after the group announced it planned to sell the operation to “someone that can be verified or is already verified as a trusted person.”

Two days after the initial announcement, the group’s leader decided it would offer a 20 percent discount, seemingly in an attempt to down tools quickly after previously citing attention from authorities as a reason for the sale.

The latest and what appears to be the final update from Ransomed.vc came on Wednesday via its Telegram channel, saying that six people affiliated with the group’s leader may have been arrested.

“The profit we made isn’t worth the ruining of the lives of any of our affiliates, all of our 98 affiliates are now officially fired. We are sorry for the not so long operation of the group but it happened to be that some of the kids can’t have a normal opsec,” the message read.

It later went on to say that the group was too reliant on “newly born kiddies” around the age of 20, individuals who would likely end up in prison anyway, at least in the opinion of those controlling the channel.

“We do not regret any of our breaches nor ransoming any of our ‘customers’ and ‘clients’. We have done more than anyone else within such a small period of time but this is because we used to hire anyone at any age without any particular skills within opsec, it’s mostly their fault but I do not want them to use my project(s) as a podium to get caught.”

Since the announcement was made, the group’s leader has deleted their Telegram account used for personal contact, so additional insight will not be available.

Ransomed.vc was only established in August, making a name for itself after claiming to be behind one of the two attacks on Sony this year.

Sony would have been the group’s most high-profile scalp during its short tenure, but the spotlight was stolen from it soon after.

A separate party then claimed the attack as theirs, leaking the data Ransomed.vc said it stole before the group itself, casting doubt over the legitimacy of the claim.

Security researchers at Resecurity also said its claim for the attack on Japan’s largest telco, NTT Docomo, was dubious for the same reason. A cybercriminal again leaked data to BreachForums before Ransomed.vc – the same data the group claimed to have stolen.

In the weeks leading up to the planned sale of Ransomed.vc, the beginning of its end, the group began posting erratically, with one example an apparent smear campaign against a cybersecurity exec.

The posts, quite unbelievably, accused the exec of being an offensive cyber attacker, claims he vehemently denied, calling them an attack on his reputation and noting that “criminals lie, even and especially ransomware groups.”

There remains the possibility that the individual(s) behind Ransomed.vc will lay low for a little while before coming back, likely under a new moniker and branding. 

It’s a technique often repeated in the ransomware world, like when BlackMatter was believed to be DarkSide in disguise, when .sZ40 became Lorenz, or most recently when Hunter’s International was thought to be Hive reborn. ®

Source