Ransomed[.]vc, a notorious ransomware and data extortion group, has recently announced the end of its operations and the auction of its entire cybercrime infrastructure.
On October 30, 2023, the Telegram channel of the organization was made public. One of the group’s leak sites has currently been shut down, while the other site has a goodbye message, and the ransomware forum is still available online.
This suggests a deliberate attempt to sell off the group’s assets. According to ZeroFox, Ransomed[.]vc has victimized over 40 organizations since August 2023, with most of them, nearly 60 percent, being based in Europe.
The shutdown seems to be a genuine cessation, with potential buyers interested in the group’s infrastructure for various malicious purposes.
![Ransomed[.]vc announces closure of operations](https://lh7-us.googleusercontent.com/CbD70SpGa6i4x-NEn95cEZLRVmVK6W6Kh5qhk8WwGoQ4eGly6B2y3jZKSmz3CinruPiPqAWdXAfgFVn5GkUCdcvAnKnqQzBpe-7urCId4zwpnak-_G7QUwu00YAoIJQX147NI1gYCFuLqeHrhjMDHM0 "Ransomedvc to Shutdown Operations, Selling out Infrastructure 2")
The sale package includes domains (Ransomed[.]vc, Ransomed[.]biz and its dark web forum), a stealthy ransomware builder, source code, access to affiliate groups, social media accounts, a Telegram channel, VPN access for 11 companies with combined revenue of USD 3 billion, 37 databases, and a control panel for the locker.
Possible Arrests and Affiliate Dismissals
A subsequent November 8, 2023 post indicated the possible arrest of six individuals linked to Ransomed[.]vc.
![Ransomed[.]vc announces possible arrest of operatives and firing of 98 affiliates](https://lh7-us.googleusercontent.com/KI2ggftMIS1J3sWfZu6hSM6AW0HtGmnsoDjjoUIUEd-evjwa3QWCr_vF8uK463x2Or2D_0DU4LsyJKEy5wGv2i3N3XlKXRadK_TlmhEXL0Txgppqsprta_Fa8796kuDeJxdWHtza8TgTRPXkW3jJkQ8 "Ransomedvc to Shutdown Operations, Selling out Infrastructure 3")
The post blamed the arrests on poor operational security and lack of experience. Additionally, the group claimed to have fired all 98 affiliates, although ZeroFox has not confirmed the validity of these claims.
Limited Impact on the Ransomware Landscape
The closure of Ransomed[.]vc is unlikely to have a significant impact on the wider ransomware and data extortion threat landscape.
Affiliates are expected to quickly switch to other extortion operations, continuing their targeting activities with minimal disruption.
As the dark web buzzes with the sale of Ransomed[.]vc’s cyber arsenal, concerns emerge over the potential exploitation of the acquired infrastructure for new attacks, the creation of spin-off extortion operations, or the involvement in other malicious activities.
The situation highlights the persistent and evolving nature of cyber threats.
Recommendations for Mitigating Risks
To reduce such risks, cybersecurity experts suggest adopting a Zero-Trust posture based on the principle of least privilege.
Key measures include implementing network segmentation, secure password policies, phishing-resistant multi-factor authentication, and leveraging cyber threat intelligence to detect and counter ransomware and data extortion threats.
Furthermore, organizations are advised to ensure regular backups of critical data, develop comprehensive incident response strategies, configure email servers to block malicious indicators, and deploy authentication protocols to prevent spoofed emails.
A proactive approach to monitoring compromised accounts in deep and dark web forums and continuous surveillance for compromised account credentials is also emphasized to strengthen cyber defenses in the face of evolving threats.
Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.