When the victimizers become the victims…. RansomHub the victim of a takeover?

Posted on by Dissent

In February, RansomHub was described as the leading Ransomware-as-a-Service group and as a pervasive threat to critical sectors. Weeks later, Trend Micro analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware. RansomHub was clearly developing and making a significant impact in the ransomware ecosystem.

But in the blink of an eye, it seemed, RansomHub went offline on March 31.  Days later, DragonForce claimed responsibility for a takeover.

As of April 7, attempts to connect to RansomHub’s onion site will show you a page that says “RansomHub,” but it is not RansomHub in control of the site.

As DragonForce explains on their onion site:

Hi. Don’t worry RansomHub will be up soon, they just decided to move to our infrastructure! We are reliable partners.

A great example of how our new “projects” system works,

  • RansomHub / Blog: http://ijbw7ii[redacted]
  • RansomHub / Client: http://rnc6sc[redacted]onion

P.S. RansomHub hope you are doing well, consider our offer! We are waiting for everyone in our ranks. 

The RansomHub links redacted above do connect to RansomHub’s onion sites, but now display DragonForce’s layout and captcha.

An Involuntary Cartel Membership?

The explanation for DragonForce’s action appears to relate to what DragonForce calls their new direction:

The DragonForce Ransomware Cartel! – it’s time for a change.

Today I would like to introduce you to our new direction, we are starting to work in a new way, according to a new principle. You no longer have to work under our brand, now you can create your own brand under the auspices of a time-tested partner! We, The DragonForce Ransomware Cartel, present you “projects” now you create yourself.

We are in global update mode! Please be patient.

Does Their “Global Update Mode” Include Everest Team, Too?

Over the weekend, DataBreaches noticed that Everest Team’s onion site no longer appeared normal. It had been replaced by a one-line message: “Don’t do crime CRIME IS BAD xoxo from Prague.”

Today, it is totally offline.

DataBreaches reached out to DragonForce to ask whether they were responsible for the defacement or any takeover of Everest Team, but no reply has been received.  DataBreaches also emailed Everest Team to inquire, but no reply was immediately available. This post will be updated if they reply.

This post was edited post-publication to correct the spacing of DragonForce’s name.

Category: MalwareOf Note