Last updated on May 8th, 2024 at 11:26 pm
Two ransomware gangs had bad news in October, as their data leak sites were taken down. However, ransomware operators still caused havoc, with a new gang emerging and unlikely alliances forming between groups.
Data leak sites taken down
Ransomware gang Trigona was attacked by a group of hacktivists known as the Ukrainian Cyber Alliance (UCA). After exploiting a security vulnerability in software the gang was using, the hacktivists copied all of Trigona’s data and then deleted it from the gang’s servers.
According to Bleeping Computer, Trigona’s leak site now displays the following message: “Trigona is Gone! The servers of the Trigona ransomware gang has been exfiltrated and wiped out. Welcome to the world you created for others.”
Bleeping Computer also reports that UCA will release any decryption keys it finds in the ransomware gang’s data and will provide the data to law enforcement.
October was also a bad month for the cybercriminal group known as RagnarLocker. The ransomware gang’s data leak and negotiation sites were seized after an effort from a group of law enforcement agencies from 11 countries. Bleeping Computer confirms the sites now display a seizure notice.
The alleged developer of RagnarLocker ransomware was also arrested in Paris, France, and five other suspects from Spain and Latvia were interviewed.
Ransomware is still rampant and evolving
Despite Trigona and RagnarLocker being taken down, ransomware was still rampant in October. According to data from eCrime.ch, 348 organizations were listed on data leak sites last month. That’s a reduction of approximately 25% from September, but still means that, on average, 11 organizations were listed each day in October. Worse, the true number of ransomware attacks is even higher, as organizations that co-operate and pay the ransom are not listed on data leak sites.
Two of the victim organizations from last month were posted by a new group: Hunters International. This gang was initially thought to be a rebrand of Hive, a ransomware group that was taken down in January. However, The Register reports that the gang just purchased Hive’s code.
Hunters International has already revealed themselves to be morally repugnant, even for a ransomware gang. The Register reports that its first two victims were a primary school in the UK and a US plastic surgeon’s clinic. Worse, the gang posted pre-op photos of the plastic surgeon’s patients to force the clinic to pay the ransom.
This kind of tactic has also been applied by AlphVM, who listed 27 organizations on its leak site last month. For example, the group released sensitive medical photographs of breast cancer patients earlier this year to pressure Lehigh Valley Health Network into paying the ransom.
Unfortunately, AlphVM may be about to get even more dangerous. 404 Media reports this gang has been collaborating with a violent SIM-swapping group known as the Comm. While it may only seem natural for cybercriminals to team up, 404 Media notes that this is a highly unusual coalition. That’s because AlphVM is an Eastern-European gang and traditionally such groups have refused to work with native English speakers like the Comm.
The takeaway
While two data leak sites were taken offline last month, ransomware continues to plague almost every sector, including governments, hospitals and schools. And with ransomware operators adopting morally repugnant tactics and forming dangerous new alliances, our data is extremely vulnerable.