Ransomware, Network Security

Cybergang RansomedVC shutters and sells stolen assets


After a whirlwind three months of headline-grabbing attacks against high profile targets Sony and NTT Docomo, the ransomware gang RansomedVC has pulled the plug, firing almost 100 affiliates and putting its infrastructure and stolen assets up for sale.

While the shuttering may be linked to some of the gang being arrested, researchers expect the remainder of RansomedVC’s operatives will move on to other roles in the ransomware and data extortion racket.

The gang, also known as ransomed[.]vc or Ransomed, first came to light in August. Its claims — grounded in varying degrees of truth — included hacking “all systems” at Sony, stealing 600,000 voter records from the District of Columbia Board of Elections, and breaching Colonial Pipeline.

The Colonial Pipeline claim, which the company dismissed, included a strange twist. RansomedVC made the bizarre and unsubstantiated allegation that Dragos CEO Rob Lee had bought the gang’s stolen files to undermine Colonial.

Lee, who was involved in the response efforts following the infamous 2021 Colonial Pipeline ransomware attack, refuted the claim, saying on LinkedIn the group was using his name “to try to get a reputation boost”.

“Criminals lie, even and especially ransomware groups. It’s an extortion tactic on reputation harm,” he said.

RansomedVC claimed on its leak site to have carried out 44 attacks in September, enough to qualify it as the month’s fourth most prolific ransomware group, according to data compiled by NCC Group.

Then on Oct. 30, a person purporting to head the group posted on Telegram they did “not want to continue running the project for personal reasons” so would be “selling everything.” The sale included an allegedly “fully undetectable” ransomware builder and source code, along with VPN access to 11 companies whose combined revenue was $3 billion, along with 37 databases claimed to be worth $10 million.

Within days the seller was back offering a better deal: a 20% discount to a “verified buyer.” According to a post by ZeroFox, that was followed on Oct. 8 by another message on Telegram.

“Within my investigation i have found that 6 people affiliated with me (may) have been arrested, in this way i am putting an end to this. the profit we made isnt worth the ruining of the lifes of any of our affiliates, all of our 98 affiliates are now officially fired,” the poster said.

They appeared to regret bringing young people into the gang, writing: “I earned good with them but using newly born kiddies at the age of ~20 is just not right in my eyes, they will end up in prison anyways but i do not wish to continue all of this that will support their stupidness.”

In their post, ZeroFox’s researchers said the shuttering of RansomedVC’s operation and the fire sale of its infrastructure appeared to be legitimate but was unlikely to have any significant impact on the broader threat posed by those carrying out ransomware and data extraction crimes.

Ransomware collectives were known to obtain and incorporate other groups’ source code into their payloads and RansomedVC’s affiliates were likely to pivot to other ransomware-as-a-service operations, the researchers said. “Threat actors (not limited to extortion collectives) will likely be motivated to purchase the infrastructure to target victims, create spin-off extortion operations, or leverage for further malicious activity.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.