Ransomed.vc gang claims to shut down after six affiliates allegedly arrested

A ransomware gang that has claimed attacks on Sony, a Hawaiʻi state government website and a supplier to Colonial Pipeline says it is shutting down after six of its affiliates were arrested.

The Ransomed.vc group emerged in August, initially threatening victims with the prospect of European data breach fines if ransoms for stolen data were not paid. Several companies added to the gang’s leak site said they were never hacked.

Over the last week, the hacker behind the gang said they were interested in selling the entire operation.

In now deleted messages on Telegram starting on October 30, the person claiming to be behind the operation said they were selling the RansomedVC's ransomware builder, domain names, VPN access to 11 breached companies, access to affiliate groups and social media channels under their control, as well as 37 databases the group claims are worth about $10 million.

The account then began posting increasingly desperate messages, offering 20% discounts before posting a final message on Wednesday.

“Within my investigation i have found that 6 people affiliated with me (may) have been arrested, in this way i am putting an end to this. the profit we made isnt worth the ruining of the lifes of any of our affiliates, all of our 98 affiliates are now officially fired, we are sorry for the not so long operation of the group but it happened to be that some of the kids cant have a normal opsec, i cannot do anything about it,” they wrote.

“I earned good with them but using newly born kiddies at the age of ~20 is just not right in my eyes, they will end up in prison anyways but i do not wish to continue all of this that will support their stupidness, we do not regret any of our breaches nor ransoming any of our ‘customers’ and ‘clients.’”

Recorded Future ransomware expert Allan Liska said this kind of ransomware gang shutdown was unusual but noted that Ransomed.vc “is really more about seeking attention than they are carrying out actual attacks.” The Record is an editorially independent unit of Recorded Future.

“Yes, they got lucky on some attacks, but mostly they want the attention and this is another way to do that. In a crowded ransomware field, marketing is increasingly important,” he said.

James Turgal, former executive assistant director for the FBI Information and Technology Branch (CIO) and vice president at Optiv, told Recorded Future News that the concept of selling ransomware services has become mainstream since ransomware-as-a-service (RaaS) operations emerged over the last few years.

Several gangs sell subscriptions to affiliates and proxies that either pay recurring fees or give cuts of ransoms to the developers, who maintain the ransomware tools and infrastructure. Some gangs, according to Turgal, sell ransomware code in exchange for a one-time fee.

In the case of RansomedVC, Turgal said, the situation may be a bit different.

“Are they selling the business because the FBI or international law enforcement is closing in on their operations? Very rarely do criminal organizations repent their illegal ways and grow a conscience. The sale could be a ruse to see if law enforcement will track their advertisement to see how close law enforcement is to their operations,” he said.

He went on to note that if the gang is successful in selling its operation, it may complicate future attribution and create another viable market for cybercriminals to reap rewards.

Callie Guenther, senior manager of threat research at cybersecurity firm Critical Start, said it was not common for ransomware gangs to publicly advertise a sale of their operation in this way.

Groups typically disband, rebrand or go underground when facing legal pressure, she noted.

“Their reason for selling — to avoid federal scrutiny — highlights the increasing pressure and successful measures taken by law enforcement agencies worldwide,” she said.

“This could be a sign that international efforts to combat cybercrime are having a significant impact.”