{
	"id": "5a42a186-8f95-4c5f-9220-20f7ba7b1eb7",
	"created_at": "2026-04-06T00:07:18.083225Z",
	"updated_at": "2026-04-10T13:12:59.99086Z",
	"deleted_at": null,
	"sha1_hash": "32f20b5032df378b26bd08c4bc6ee793731074d0",
	"title": "W4 Jan | EN | Story of the week: Ransomware on the Darkweb",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 751746,
	"plain_text": "W4 Jan | EN | Story of the week: Ransomware on the Darkweb\r\nBy Hyunmin Suh\r\nPublished: 2021-03-15 · Archived: 2026-04-05 14:25:38 UTC\r\nIt ain’t over yet till the DDoS Sings\r\nPress enter or click to view image in full size\r\nS2W LAB publishes weekly reports of the Ransomware activities that took place at Dark Web. Report\r\nincludes summary of victimized firms, Top 5 targeted countries and industrial sectors, status of dark\r\nweb forum posts by ransomware operator, etc.\r\nExecutive Summary\r\nThe number of victimized firms uploaded on the darkweb ransomware site decreased (-22) compared to the past\r\nweek, and the number of ransomware groups remained same. Industrials sector still positioned at the highest\r\nproportion of the industries, but Services sector seemed to increase rapidly which needs to receive careful\r\nattention.\r\nGet Hyunmin Suh’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nhttps://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1\r\nPage 1 of 7\n\nLooking back to our previous story, Avaddon mentioned ‘arsenal to “persuade”’ which turned out to be a DDoS\r\nattack against victimized firms. As Avaddon seems to be attempting a variety of arsenals to negotiate, victimized\r\nfirms need to be aware of the secondary attack.\r\n1. Weekly Status\r\nA. Status of the victimized firms (01/18 ~ 01/24)\r\nFor a week, a total of 29 companies were mentioned and a change in the state of the data leaked from the\r\nvictim company in the ransomware site was detected.\r\nActivity from 7 threat groups detected\r\nB. TOP 5 targeted countries\r\n1. United States — 58.6%\r\n2. United Kingdom — 10.3%\r\n3. Canada — 6.9%\r\n4. Sweden — 6.9%\r\n5. Germany — 3.4%\r\nC. TOP 5 targeted industrial sectors\r\nhttps://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1\r\nPage 2 of 7\n\n1. 
Industrials — 41.4%\r\n2. Services — 20.7%\r\n3. Financial — 6.9%\r\n4. Real Estate — 6.9%\r\n5. Technology — 6.9%\r\n2. Status of active Ransomware forum posts @ Dark Web\r\nA. Avaddon\r\nForums: Exploit[.]IN, XSS[.]IS\r\nUser ID: Avaddon\r\nInitial Date of Activity: 06/03/2020\r\nLeaked Site in Operation (Y/N): Y\r\nWeekly Summary of Activity\r\nPosted Date: 01/26/2021\r\nRolled out Windows OS support for XP and 2003\r\nUpdated the locker with new functions\r\nRan through the panel, adding a couple of new features\r\nTried new ways to pressure victims\r\nRelated article: https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/\r\nReferring to previous SoW…\r\nThe phrase ‘arsenal to “persuade”’ mentioned by Avaddon in the previous post turns out to be a DDoS\r\nattack against victimized firms.\r\nThe size of the DDoS is clearly mentioned but the harassment of the victims will intensify in order to apply\r\nhuge pressure.\r\nArticles \u0026 Analysis report on Avaddon\r\nAvaddon Ransomware Analysis Article\r\nTrend Micro (07/08/2020) ‘Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector\r\nTargeted’\r\nRelated article: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted\r\nB. 
Babuk\r\nForums: Raidforums\r\nUser ID: biba99\r\nInitial Date of Activity: 08/26/2020\r\nLeaked Site in Operation (Y/N): Y\r\nWeekly Summary of Activity\r\nPosted Date: 01/21/2021\r\nBabuk Locker version supports Linux-based (*nix) Virtual Servers (esxi) and NAS\r\nArticles \u0026 Analysis report on Babuk\r\nBabuk Locker Analysis Article\r\nBleeping Computer (01/05/2021) ‘Babuk Locker is the first new enterprise ransomware of 2021’\r\nRelated article: https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/\r\nC. Lockbit\r\nForums: Exploit[.]IN, XSS[.]IS\r\nUser ID: LockBit\r\nInitial Date of Activity: 01/17/2020\r\nLeaked Site in Operation (Y/N): Y\r\nWeekly Summary of Activity\r\nPosted Date: 01/21/2021\r\nReply post implying that a new Lockbit 2.0 is underway\r\nAs a reminder, Lockbit’s first post\r\nArticles \u0026 Analysis report on Avaddon\r\nLockBit Ransomware Analysis Article\r\nSophos News (04/24/2020) ‘LockBit ransomware borrows tricks to keep up with REvil and Maze’\r\nRelated article: https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/\r\nhttps://www.s2wlab.com\r\nFacebook https://www.facebook.com/S2WLAB/\r\nTwitter https://twitter.com/s2wlab\r\nSource: https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1"
	],
	"report_names": [
		"w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32f20b5032df378b26bd08c4bc6ee793731074d0.pdf",
		"text": "https://archive.orkl.eu/32f20b5032df378b26bd08c4bc6ee793731074d0.txt",
		"img": "https://archive.orkl.eu/32f20b5032df378b26bd08c4bc6ee793731074d0.jpg"
	}
}