In the past two years, we have witnessed an escalation of new ransomware groups, many of which have either disappeared within a few months or changed their names. The list of names provided below is not exhaustive but is intended as an example.
- Atom Silo (December 2021 – January 2022)
- Black Shadow (December 2021 – August 2022)
- Bonaci Group (October 2021 – December 2021)
- Cross Lock (April 2023 – July 2023)
- Dark Power Ransomware (March 2023 – March 2023)
- DarkRace (June 2023 – June 2023)
- DataLeak (December 2022 – February 2023)
- Karma Leaks (October 2021 – November 2021)
- Midas (November 2021 – April 2022)
- Monte (September 2022 – September 2022)
- Night Sky (January 2022 – January 2022)
- Pandora (March 2022 – May 2022)
- RedAlert (August 2022 – December 2022)
- Rook (December 2021 – January 2022)
- Sparta (September 2022 – October 2022)
- Spook (October 2021 – October 2021)
- Unsafe (December 2022 – July 2023)
- Vsop (September 2022 – January 2023)
- XingLocker (April 2021 – January 2022)
Ransomed appears to be yet another ransomware group that has emerged and disappeared within a few months, and all the signs are there.
Ransomed originally started with the “subtitle” RansomForums, and the project was also promoted on a new Telegram channel. However, just a few days later, both the forum and the Telegram channel were blocked and closed.
The situation is no better for the BlackForums forum, another attempt by the same cybercriminal to launch a forum primarily gathering old databases leaked from other forums many months prior. The forum was first launched on April 9th of this year, but already two months later, the forum is no longer accessible.
The cybercriminal attempts to bring BlackForums.net back online through a new Registrar/Provider, Njalla*, located in Nevis, an island situated between the Atlantic Ocean and the Caribbean Sea. Once again, the forum never sees the light of day as the provider Njalla suspends its publication.
*Njalla is owned by Peter Sunde, founder of The Pirate Bay.
On September 2nd and 16th, there were two new attempts, the umpteenth ones, to bring BlackForums online, this time relying on the registrar Tucows Inc. The forum is currently online with a new redesign.
We were talking about the numerous attempts made by the cybercriminal of Serbian-Bulgarian origin, as he has claimed to us in recent weeks during a chat on his Tox channel, to ‘keep alive’ his projects. However, from what we have observed, his skills do not appear to be as advanced as he claims. In fact, once again, the Ransomed.vc website is unreachable today.
SuspectFile: How much truth is there to what you said about your Bulgarian nationality? I personally don’t think you’re Bulgarian, but not even Russian )
Ransomed: It's 100% truth. I am Bulgarian and Serbian. I am, and will be proud our motherland created similar mastermind. Maybe I am an extremist nationalist.
The impression we have formed of the person behind numerous aliases such as “Pulpo,” “Creeper,” “Impotent,” “Kmeta,” “KmetaNaEvropa,” and “Promise,” pseudonyms that the cybercriminal claims to have used in the past and which we find within the story/interview published by @Dissent of DataBreaches.net “He’s smart, he’s an accomplished liar, and now Impotent says he’s retired”, is certainly not the impression of a professionally prepared cybercriminal.
Thanks to the ‘chat’ we had with him on Tox and the story from Dissent, we have formed the opinion of an individual who walks with one foot in the real world and one in the realm of fantasy. An ambiguous character who sometimes tries to mask his insecurities and fears behind multiple identities, undoubtedly a person with a strong desire to be seen and constantly seeking not only financial but also mental well-being.
Frankly, believing everything he has said in the various interviews he has given over these months is a bit difficult for us. Instead, we believe that many of his statements have been ‘seasoned’ with a hefty dose of imagination, but perhaps what he has described is what he genuinely hopes will happen to him one day.
We also recommend reading another excellent article written by Христо, the founder of Questona.com.
The interview that SuspectFile.com conducted with Ransomed.vc
SuspectFile: The new project Ransomed.vc officially started on August 15th, the day the domain was registered on servers hosted by Njalla* in Nevis, an island located between the Atlantic Ocean and the Caribbean Sea – Registrant Contact Organization: 1337 Services LLC – Charlestown, KN – (this information will be revisited in another question). Are you the owner of Ransomed.vc? What nicknames have you used in the past, and on which forums have you been an owner, administrator, or moderator in the past?
*The same provider previously used by Conor Brian Fitzpatrick (Pompompurin).
Ransomed.vc: Yes, I remember he used it actively.
SuspectFile: What connections (if any) did you have or do you have with individuals who were part of the BreachForums team?
Ransomed.vc: I don't talk with dogs. But there are a few nice people such as armadyl and dedale that are not stupid, others just time wasters.
SuspectFile: Ransomed.vc is hosted on the Tor platform. Should we consider this a permanent solution, or do you plan to return to your old origins to manage a new forum in the near future?
Ransomed.vc: I consider it my only way not to talk with njal.la. They suspended our domain recently.
SuspectFile: On your blog, you list several victims, and among them, we want to focus on the American SFK, whom you mention as being shared with the Everest ransomware group. Is active collaboration with other groups a practice you intend to adopt again?
Ransomed.vc: We will always look for a partnership with anything
SuspectFile: A few months ago, in a conversation with Everest, we talked about a new project very similar to what you have created in recent weeks. Everest has always been considered a group, but in reality, “the group” was formed by a single person. Everest mentioned an affiliate program and the possibility of collaboration with other groups. Can we say that you have taken ownership of Everest’s original project?
Ransomed.vc: No. My own idea.
SuspectFile: In a recent interview with the Daily Dark Web (https://linktr.ee/dailydarkweb), you stated that your group currently consists of about 80 affiliates, and from your responses, it appears that you are not the one conducting attacks on victims. Is it correct to say that your only roles within Ransomed.vc relate to coordination and administration?
Ransomed.vc: Yes, I did some attacks on a few sites but I am too busy to even look at them currently.
SuspectFile: In point 2 of the FAQ on your blog, you establish the methods by which your affiliates should communicate with you, mandating, in addition to English, the use of Russian as a language. At point 9, you prohibit your affiliates from launching attacks against Russian and Ukrainian entities. It is natural to deduce that your origins are neither German nor Italian. But what was the motivation, if any, when you listed the Soviet Union (USSR) as your location on your X (Twitter) channel?
Ransomed.vc: Most of the people I work with or who work for me are from there. No need for local feds to look at us there.
SuspectFile: These days, we discover that the BlackForums.net forum also seems to be connected to you. The domain was registered on September 4th, and we find that the Registrant Contact is once again based in Charlestown, KN, a city on the island of Nevis, just like Ransomed.vc. At the moment, the forum’s URL is not accessible (502 Bad Gateway, another DDoS?), but we could see that the forum’s structure is very similar to what RansomForums had before being hit by DDoS attacks and subsequently closed. Is it correct to say that you are using leaked forum databases such as BreachForums, Exposed, and RaidForums?
Ransomed.vc: It's not a DDoS, it's just a suspended domain.
SuspectFile: Do you agree with us when we say that in recent times, your latest projects have garnered significant attention from law enforcement agencies, especially the FBI and Europol, as evidenced by the providers you have used closing your accounts in just a few days? Do you fear that you may soon meet the same fate as hackers like Pompompurin?
Ransomed.vc: Well, it's their job I guess, I don't hate them for it. I just don't think they deserve to live.
About me landing in FBI’s hands, I can always find a way to kill myself. No matter of when and where. So they may get my body, but not my
SuspectFile: A final question, on a personal note, to which you are, of course, free not to respond: we have had the opportunity to interact with you for several days. We were struck by your accommodating and often playful attitude. However, we have also read passages on your blog where there is a slight but noticeable arrogance towards those who will read what you have written. Do all these facets of your character represent your true self, or do they serve to conceal the fear and suspicion that someone in your line of work should always have if they want to “come home in one piece” at the end of the day?
Ransomed.vc: My True Self is not somewhere near the face I show on here. I am not as aggressive in real life, nor do I do any of the stuff I do online. I am living good and high quality life.
SuspectFile: Who runs ransomed.vc with you? It wouldn’t surprise us if you answered that you don’t have collaborators because you prefer to manage everything yourself, instead of relying on someone you can’t directly control.
Ransomed.vc: I am the one who runs ransomed.vc; no one else manages it.
SuspectFile: Last August, @Dissent of DataBreaches.net published an article with an interview with you. In one of your replies, we read that you would leave this “job” of yours and enjoy life. Have you had any second thoughts?
Ransomed.vc: I am pretty close to quit. A few more years.