
RansomedVC: The rise and sale of a ransomware gang

The threat actor behind the Sony hack is selling up and getting out of the ransomware business.

user icon David Hollingworth
Tue, 31 Oct 2023

RansomedVC stormed into the headlines with its hack of one of Sony’s networks on 25 September, along with a string of other victims.

Now, only a little more than a month later – and after a rollercoaster of recruitment and spin-offs – the entire operation is up for sale.

The ransomware gang made the announcement on both its Telegram channel and its darknet leak site overnight. On Telegram, the group also deleted all previous posts, leaving only the for-sale announcement and a screenshot alleging to show traffic stats, presumably for the darknet leak site.


“I do not want to continue being monitored by federal agencies and I would wish to sell the project to someone who will want to continue it,” a RansomedVC spokesperson said on its leak site. “We are selling everything.”

From forum to ransomware gang

Sony was just one of the gang’s first victims. While claiming to have “successfully compromised all of Sony [sic] systems” in late September 2023, it also reported 22 other victims in the same period, including NTT Docomo, the Hawaii Health System, and Australian company Platinum Hail Management Solutions.

RansomedVC first started as a hacking forum itself in August 2023. But that forum was taken down by a distributed denial-of-service (DDoS) attack after it was accused of being a knock-off of another hacking forum. Ironically, RansomedVC would end up in a partnership with that same forum just months later.

Knock-off forum or not, RansomedVC came out of the gates swinging as a ransomware operator, with a unique twist on the usual extortion techniques. In its relatively early days – a whole two and a bit months ago – it threatened its victims with GDPR violations.

“I heard you do not wanna pay me?” the group asked one of its victims on its Telegram channel in August. “Well then lets [sic] start with leaking a few customers to the public. I wonder what the GDPR agency will think about our relationship?”

The group’s leak site also started to go through a series of evolutions, and along the way, the GDPR threats fell by the wayside, though the group continued to maintain that it was merely a very expensive pen-testing organisation.

“We offer a secure solution for addressing data security vulnerabilities within companies,” the group’s leak site still reads. “As penetration testers, we seek compensation for our professional services.”

The group also continued to refer to itself as the “leading agency in digital peace”.

As to how RansomedVC worked, it has always been hard to tell how much hacking the group did itself and how much was done by affiliates, with RansomedVC providing tools and infrastructure.

“It is unclear right now whether Ransomed uses a specific ransom variant, or extorts victims only through leaked information,” security company Flashpoint said in a blog post on 15 August. “Its channel initially claimed the group was looking for affiliates and has since closed recruiting efforts and declared that enough individuals have joined them – there is no further evidence of how the group conducts its attacks.”

Hiring and building

However, the group seems to have gone into another expansion phase while at the same time working with an unidentified third party to accuse Dragos’ chief executive, Rob Lee, of using leaked data to bring on more clients – an accusation that Lee vehemently denies.

“Rob Lee has close ties with numerous well-known IABs (initial access brokers) such as one of our former partners ‘fooble’, whom Rob cheated,” the unknown third party posted on RansomedVC’s leak site on 13 October. “And as a response to this unacceptable & dishonest conduct, we are leaking the files which Rob Lee bought from us and attempted to leverage against the Colonial Pipeline Company.”

Lee was having none of it.

“Pretty confident the gas company wasn’t ransomed, and 100 per cent positive I wasn’t involved in any capacity to include the incident response,” Lee said in a post on LinkedIn. “Criminals lie, even and especially ransomware groups. It’s an extortion tactic for reputation harm. Make sure you validate things before jumping to conclusions.”

While that apparent mini-feud was playing out, RansomedVC was once again touting itself as a pen-testing service for hire while also announcing it was taking the side of Israel in its fight against Hamas.

“RansomedVC now offers pen-testing services!” the group said on Telegram and its leak site on 16 October, asking for targets to be sent to its support channel. “Guaranteed results!” were promised. A few days earlier, it had said it was “buying access” to sites in Gaza and Iran.

Days later, the group advertised for more penetration testers of its own, likely just looking for more affiliates to sell its ransomware-as-a-service operations to.

On 20 October, the group said it was “in need of only advanced pen-testers, our jobs are one of the highest paid you can ever find.” RansomedVC was offering a five bitcoin payout for those who signed up, roughly the equivalent of just shy of $55,000.

Then, on 22 October, RansomedVC returned to its roots, opening its second darknet forum.

“Hello and welcome to our newly build [sic] forum called Ransomed,” the group said in its initial post on the forum. “Without wasting time I am here to present you the already existing and in development features our forum will have.”

The forum is a combination leak site and ransomware-as-a-service operation, with a cryptocurrency deposit and exchange system, escrow to protect purchasers, and a range of sub-forums for selling network access, leaks, and, of course, ransomware. Both English and Russian seem to be the languages of choice, and the site – which is still up and running as of the time of writing – has 224 members who have posted 214 messages so far.

It has been down now and then, which could just as easily be hosting problems as DDoS attacks from rivals.

The beginning of the end?

And then, on 30 October, the for-sale notice was posted. While the leak site post cited “being monitored by federal agencies” as the motivation for selling out, the Telegram post was slightly different.

“I do not want to continue running the project due to personal reasons, none will be disclosed to journalist, don’t even ask,” the post said before going on to list just exactly what is for sale, which – if it is true – is quite a revealing list.

The crown jewels appear to be the group’s own ransomware itself, which, according to RansomedVC, is capable of “bypassing all AVs and automatically infecting all LAN devices inside network”. It can also “automatically escalate privileges” and is alleged to be completely custom and unique code.

Also in the package are the group’s domains and onion sites, Telegram channels and groups, and access to its affiliates and social media accounts. Thirty-seven unshared databases are also for sale, along with hosting for the ransomware’s infrastructure.

The most alarming part of the sale is VPN access to 11 companies. They’re not identified but have a combined revenue of US$3 billion, RansomedVC said.

What next?

If the sale does go through, it will be interesting to see if the buyer continues under the RansomedVC moniker or simply lets that drop and focuses instead on exploiting the unpublished databases while conducting ransomware attacks on the 11 companies with exposed networks. The proposition could be of interest to established groups or just as easily be snapped up by an emerging operation.

As to the current operators of the group, fear of law enforcement and “personal reasons” could well be their only reasons for selling out. But it’s highly unlikely they’d be selling out without at least a few successful ransoms under their collective belts. There are a number of the group’s victims who have not had their data leaked, while others have had the whole leak published. This is hardly evidence that any of those companies paid the ransom demanded of them, but it’s certainly possible that is the case.

RansomedVC never published the amount of money it was demanding for its ransoms. However, with many other operations asking for millions of dollars from each of their victims, its operators could be walking away with a sizable stake – not to mention however much RansomedVC sells for.

But it’s also likely that those federal agencies will still be looking, too.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
