14367
The largest collection of malware source, samples, and papers on the internet. Password: infected Website: https://www.vx-underground.org/ vx-underground Telegram chatroom link: https://t.me/+njfLzUrqos01ZWNh
We've updated the vx-underground Crime/Legal Ruling section. We've archived Department of Justice indictments for 2024 (so far), 2023, 2022, and 2021.
Cases are formatted as follows:
[date] - United States v [Person(s)] ( [Reason] )
It should be noted that modification of the rules was not exclusive to ransomware. Breached also forbids:
- Drug sales
- Weapon sales
- Violence-as-a-Service (VaaS)
- Selling credit card or debit cards
- Selling Real IDs or documentation
- Drainers or recruitment of drainers
January 24th, 2024 RisePro, an infostealer that competes with stealers such as RedLine, had it's second iteration leaked online. It is the builder, toolkit, documentation, and proxies.
We have archived it: "Win32.RisePro.b"
https://vx-underground.org/Archive/Builders
Apparently on LinkedIn Lockbit, ALPHV, and HIVE are actually all the same group
Читать полностью…
We asked Lockbit ransomware group administration their thoughts on this past week.
Lockbit ransomware group said they will make formal reply to law enforcement once they're finished restoring their infrastructure
ALPHV said: "My Mercedes drives Lockbit"
Today the FBI, NCA UK, and EUROPOL, partnering with Chainalysis, revealed information on Lockbit ransomware group money flow.
The following data was retrieved from July, 2022 - February 2024. Lockbit was first observed in late 2019. This analysis only covers 18 months of a 4 year crime spree.
They reviewed 30,000 Bitcoin addresses, with over 500 Bitcoin addresses active. Those 500+ wallets have received over $120,000,000+. The analysis also shows over $114,000,000 is still unspent (approx. 2,200 BTC unspent, numbers will vary based on price of Bitcoin).
A large portion of this money was the 20% paid to Lockbit ransomware group administrative staff. This indicates the total money stolen could be in excess of $1,000,000,000 from July, 2022 - February, 2024. This means Lockbit ransomware group may have done multi-billion dollars worth of theft internationally.
We stayed up to 2am for the FBI / NCA UK / EUROPOL "Who is LockbitSupp?" reveal.
They extended the deadline 😡😡😡
We had a real chance at love. A mystery woman offered us $600/week.
All we did is ask for the malware and she blocked us:(
Reports are surfacing that every large-scale cell phone provider in the United States is experiencing technical issues or outages this morning.
https://apnews.com/article/cellular-att-verizon-tmobile-outage-02d8dfd93019e79e5e2edbeed08ee450
We've updated the vx-underground Windows malware paper collection
- 2024-01-24 - How to perform a Complete Process Hollowing
- 2024-02-02 - Bypassing EDRs With EDR-Preloading
- 2024-02-16 - Beyond Process and Object Callbacks - An Unconventional Method
Today we spoke with Lockbit ransomware group administrative staff regarding the recent arrests of their affiliates. Lockbit administration told us several things.
1. They assert the individuals arrested are the wrong people and the multi-agencies involved arrested innocent people.
2. They assert the FBI / NCA UK / EUROPOL do not have know their information. They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty on their own head if anyone can dox them.
3. They state the FBI / NCA UK / EUROPOL are not skilled pentesters, and their success was only due to their administrations laziness.
Today the United States government, or UK government, or EUROPOL, ... whoever is administrating the Lockbit blog... announced there is now a reward up to $10,000,000 for the identification of leadership behind Lockbit ransomware
Affiliates are worth up to $5,000,000
Just now the US government, in conjunction with the UK and EUROPOL, released more information on Lockbit ransomware group.
The information released is minor, and some information is already available publicly. However, they did unveil Lockbit employs 193 affiliates.
What it's like talking to Threat Actor's in Russia:
> Serious conversations
> Straight to the point
> Business only
What it's like talking to Threat Actor's in America, Canada, and Europe:
> Trust established by volume of kitty pictures sent
> Kitty picture spamming
We made a Get Well Soon card for Lockbit and affiliates
Читать полностью…
Hello harddrive purchasers,
All remaining international harddrives have been mailed, except 2 in Germany because the "ß" letter angered the post office and we have to redo the label. Oopsies. We learned the "ß" has to be written as "ss". 😡
North American harddrives will be shipped the coming week.
We've also dramatically improved our process for cloning, packaging, and shipping. In the future delivery will be much faster. We bought a bunch of stuff to make labels, package stuff, etc =D
Breached, the infamous forum where individuals buy, sell, leak, and trade data, recently made some modifications to their rules.
Breached now forbids ransomware sales, recruitment, development, and ransomware-adjacent extortion.
See attached image for more information
lozaning is a nuisance to society. We gotta stop them. They've created the Toothbrush Botnet!
Читать полностью…
This week has been fundamentally similar to HBO's Game of Thrones.
It started off strong, had a wonderful plot and development. It had twists, turns, cool cameo appearances. Then it suddenly ended and you say, "what the fuck is that"
On Monday when the Lockbit ransomware group website was seized by FBI, NCA UK, and EUROPOL, they made a post titled "Who is Lockbitsupp?" - this post indicated that law enforcement could potentially unveil key leadership behind the organization.
During the week we spoke with Lockbit ransomware group administrative staff. They stated they did not believe law enforcement know his/her/their identities. They even boastfully raised the bounty of their head to $20,000,000.
Today we finally get to see the "Who is Lockbitsupp?" post. The post is very short. It states Lockbit does not live in the United States or Netherlands. It also states he drives a Mercedes. They end the post with a picture of "Tox Cat" - an emoji frequently used by Lockbit ransomware group administrative staff and state Lockbit ransomware group administrative staff has 'engaged' with law enforcement.
tl;dr Lockbit ransomware group called their bluff and succeeded
Meanwhile there is a Lockbit impersonator on Telegram scamming people out of $150 😂😂😂
Читать полностью…
Today UnitedHealth Group, a large health insurance provider in the United States, submitted an SEC Form 8K - they've been compromised.
The report does not indicate who is responsible for the attack.
More information: https://www.sec.gov/Archives/edgar/data/731766/000073176624000045/unh-20240221.htm
We've updated the vx-underground malware families collection
- Kutaki
- RogueRobin
- zLoader
- Qealler
- QuasarRAT
- RhadamanthysLoader
- Ryuk
- Stealc
- Emotet
- IcedId
- VenomRAT
- Glupteba
- CactusRansomware
- AsyncRAT
- DarkBitRansomware
- Amadey
- Pikabot
🫡🫡🫡
Earlier we spoke with ALPHV ransomware group. We asked their opinion on the recent takedown of the Lockbit ransomware group website.
ALPHV, their long time competitor, offered words of encouragement for their competitor. They said and quote: "Lockbit is a pussy"
Today Poland's CBZC (Centralne Biuro Zwalczania Cyberprzestępczości, Central Bureau for Combating Cybercrime) released footage of a Lockbit affiliate arrest.
Читать полностью…
Today the Ukraine police announced they have arrested a Father-and-Son duo who were Lockbit affiliates.
More information: https://www.npu.gov.ua/news/slidchi-natspolitsii-prypynyly-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia-lockbit-v-ukraini
We've updated the vx-underground malware sample collection.
- File name corrections to Bazaar collection
- More samples added to VirusSign collection
- 18,000+ new samples syncing with VXDB
Check it out here: https://vx-underground.org/Samples/VirusSign%20Collection/2024.02
Today the Russian government announced the arrest of an individual from SugarLocker ransomware group a/k/a Encoded01
More information: https://www.facct.ru/media-center/press-releases/sugarlocker-ransomware/
Journalists asking Threat Intel vendors what they're going to monitor now since the Big 3 (Conti, ALPHV, Lockbit) have been taken down
Читать полностью…