Insights For Success

Strategy, Innovation, Leadership and Security


More ransomware gang TOR darknet sites

General | Edward Kiledjian

I wrote a blog post about popular ransomware groups' TOR (darknet) showcase sites (here).

The purpose of this entry is to add additional sites to the list (so you should check that one out first).

Astro Tream

anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion

CUBA FREE

cuba4mp6ximo2zlo.onion

Babuk Ransomware

wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion

Ragnarok ransomware

wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion

Everest Ransomware

ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion

Ransomex ransomware

rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion

Popular Ransomware Darknet showcase websites

General | Edward Kiledjian

The recent explosion of breaches by the CL0P ransomware gang has renewed interest in the darkweb showcase sites these threat actors use to prove that they successfully broke into a company and to pressure victims into paying. Many have asked me to share some of these sites, and I was always hesitant. I recently learned that some “consultants” are charging customers to provide these publicly available links, which is wrong.

Most of these are on the TOR darkweb, so you will have to use the TOR browser or a VPN that bridges to TOR.


Mobikwik Indian data leak

mobikwikoonux37wauz6oqymshuvebj5u763rutlogc2fb2o3ugcazid.onion

Cl0p ransomware gang

http://ekbgzchl6x2ias37.onion/

DoppelPaymer

http://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion/

AKO group

http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion/

Ragnar Locker

p6o7m73ujalhgkiv.onion

Nefilim Group

hxt254aygrsziejn.onion

Avaddon Ransomware

http://avaddongun7rngel.onion/

Darkside Group

darksidedxcftmqa.onion or darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion

Suncrypt

nbzzb6sa6xuura2z.onion

REvil Ransomware

http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/

Mount Locker

http://mountnewsokhwilx.onion/

Pay2Key Leaks

pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion

Lockbit Ransomware

http://lockbitkodidilol.onion/

Ragnarok Leaks

wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion

The Cl0P Ransomware Darknet showcase

General | Edward Kiledjian

There are hundreds of write-ups about the CL0P ransomware and the gang behind it. They came back into the spotlight recently, claiming to have exploited the Accellion FTA (an old file transfer service) and, through it, compromised customers running unpatched versions of the Accellion product.

Over the last couple of weeks, more “leaks” have come out claiming that many more companies have been breached through this vulnerability and then infected with the Cl0p ransomware.

Many have asked if I knew where (on the darknet, aka the TOR network) the CL0P gang is publishing the list of infected companies. The answer is yes: http://ekbgzchl6x2ias37.onion/

Now a word of caution. We aren’t certain who created this site. We don’t know whether the data on the site comes from organizations actually infected by CL0P or simply from someone who found the leaks and is claiming they are infected.

My research leads me to believe that the CL0P group is behind this TOR site and that the data on it is indicative of infected organizations.

If you click on Canadian Bombardier, you get this page with some data provided as proof.

Here is a sample of the “proof” they provide for Bombardier.

The moral of the story is that there are bad people out there who want to profit from the misery of others. These threat actors are getting more creative and have improved their marketing skills, trying to “encourage” victims to pay up.

Hire a good CISO and invest in your security program.