{
	"id": "3d262f54-5736-4d46-8008-1990732f6528",
	"created_at": "2026-04-06T00:14:10.372109Z",
	"updated_at": "2026-04-10T03:20:54.596468Z",
	"deleted_at": null,
	"sha1_hash": "0d6b16213c30172935885b213ba8b7ce73ab6efe",
	"title": "W1 Jun | EN | Story of the week: Ransomware on the Darkweb",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2385975,
	"plain_text": "W1 Jun | EN | Story of the week: Ransomware on the Darkweb\r\nBy Hyunmin Suh\r\nPublished: 2021-06-03 · Archived: 2026-04-05 15:50:00 UTC\r\nCorporate Data Matters\r\nCo-Author:\r\n, , YH Jeong @ Talon\r\nSoW (Story of the Week) publishes a report summarizing ransomware activity on the Darkweb. The\r\nreport includes a summary of victimized firms, the Top 5 targeted countries and industrial sectors, the status of\r\ndark web forum posts by ransomware operators, etc.\r\nExecutive Summary\r\nCompared to the SoW from 5 months ago (W1 Jan), the number of victimized firms increased by about 2.6 times,\r\nand the number of ransomware threat groups increased by 1.6 times, so ransomware attacks require attention.\r\nThe United States was mostly positioned at the top in terms of the share of victimized firms, but as the number\r\nof active ransomware threat groups increased, the percentages of victimized firms’ country locations also\r\nvaried.\r\nUsers who worked as affiliate partners of Darkside (as pentesters) complained to the admin of the XSS forum\r\nthat Darkside did not pay their portion properly; the admin accepted the claim and permanently suspended the Darkside\r\naccount.\r\nBabuk ransomware rebranded as Payload Bin, and its first victim was CD PROJEKT.\r\nThe CD PROJEKT source code leak is an incident found to be related to HelloKitty ransomware, as\r\nBabuk ransomware announced last week that it planned to build an integrated platform by gathering ransomware\r\npartners who did not operate their own data leak site.\r\n1. Weekly Status\r\nA. 
Status of the victimized firms (5/24 ~ 5/30)\r\nOver the week, a total of 80 victimized firms were mentioned, and changes in the state of the data leaked from\r\nthe victims on the ransomware sites were detected.\r\nActivity from 11 threat groups was detected.\r\nCompared to the statistics from 5 months ago, the number of victims increased by about 2.6 times, and the number of\r\nransomware threat groups increased by 1.6 times, which calls for greater awareness of ransomware attacks.\r\nLink to W1 Jan | EN | Story of the Week: Ransomware on the Darkweb\r\nB. TOP 5 targeted countries\r\nThe United States was mostly positioned at the top in terms of the share of victimized firms, but as the number of active\r\nransomware threat groups increased, the percentages of victimized firms’ country locations also varied.\r\n1. United States — 26.3%\r\n2. Germany — 11.3%\r\n3. France — 8.8%\r\n4. United Kingdom — 5.0%\r\n5. Norway — 3.8%\r\nC. TOP 5 targeted industrial sectors\r\n1. Manufacturer — 18.8%\r\n2. Industrial — 11.3%\r\n3. Education — 8.8%\r\n4. Financial \u0026 Consultancy \u0026 Service — 6.3%\r\n5. Health Care \u0026 Store \u0026 Real estate — 5.0%\r\n2. Posts related to Ransomware threat actors @Dark Web\r\nA. 
Darkside permanently banned from XSS forum\r\nOn May 14th, a user of the XSS Forum (qwety1) complained to the admin that they had not received any payment for\r\nworking as a pentester in the affiliate program of DarkSide Ransomware.\r\nThe administrator of the XSS Forum said they would begin the procedure for paying compensation under the XSS Forum\r\nrule below.\r\nreturn to the victims occurs from the balance, dividing proportionally between the victims in a% rati\r\nThe administrator started reviewing proof from 6 users who claimed to have participated in the Darkside ransomware affiliate\r\nprogram. After that, 3 users were confirmed and compensated for their losses by the admin.\r\nXSS.IS admin: Thanks to all. The question is closed.\r\ndarksupp(Darkside ransomware's Operator) - the status is set. But I want to emphasize that the status\r\nAppeared faded\u003e there was a \"cut\" of the deposit\u003e the status is set. This is the observance of the p\r\nSince I do not know anything, I am not ready to take responsibility for any loud statements and will\r\nMy job is just to follow the rules honestly, clearly and correctly.\r\nAs a consequence, the administrator banned Darkside as a scammer for violating the forum policy.\r\nB. 
Babuk ransomware rebranded as Payload[.]bin\r\nLink to W4 May | EN | Story of the Week: Ransomware on the Darkweb\r\nLast week, we covered a post in which Babuk ransomware announced an integrated platform that gathers partners who\r\ndon’t have a data leak site and operates one for them instead. On May 31, Babuk ransomware rebranded as Payload\r\nBin and reorganised its homepage.\r\nAll leaked data previously disclosed by Babuk ransomware disappeared with the renewal, except for CD Projekt’s source\r\ncode data. The CD PROJEKT source code leak is an incident found to be related to HelloKitty ransomware on\r\nFeb 9.\r\nRansomware damage announced by CD Projekt\r\nRansom note released by CD Projekt via Twitter\r\nhttps://twitter.com/CDPROJEKTRED/status/1359048125403590660/photo/1\r\nAfter the announcement, a user was looking for the leaked data from the CD Projekt incident.\r\nHowever, there was no free sharing page on DDW; instead, a seller appeared trying to sell the source code of\r\nCD Projekt on DDW by auction.\r\nAs Babuk announced, the data appears to be the CD Projekt data stolen by HelloKitty ransomware\r\nin the previous incident, and they seem to 
be partnered with Babuk ransomware, now rebranded as Payload\r\nBin.\r\nConclusion\r\nThe number of victims mentioned on data leak sites operated by ransomware groups is rapidly increasing compared\r\nto 5 months ago, so vigilance is needed.\r\nBabuk ransomware, rebranded as Payload Bin, appears to be strengthening its strategy of threatening victims by\r\nfocusing on exfiltrating data through partnerships with the previously active ransomware groups who did not\r\nhave their own data leak page.\r\nHomepage: https://www.s2wlab.com\r\nFacebook https://www.facebook.com/S2WLAB/\r\nTwitter https://twitter.com/s2wlab\r\nSource: https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b"
	],
	"report_names": [
		"w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434450,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d6b16213c30172935885b213ba8b7ce73ab6efe.pdf",
		"text": "https://archive.orkl.eu/0d6b16213c30172935885b213ba8b7ce73ab6efe.txt",
		"img": "https://archive.orkl.eu/0d6b16213c30172935885b213ba8b7ce73ab6efe.jpg"
	}
}