{
	"id": "b9e51ffe-fd8a-439f-8082-3c396a59c5e3",
	"created_at": "2026-04-06T00:11:40.80339Z",
	"updated_at": "2026-04-10T03:21:41.483662Z",
	"deleted_at": null,
	"sha1_hash": "760eebf6137d324c3114faf4d32541ae0ace2286",
	"title": "W4 July | EN | Story of the week: Ransomware on the Darkweb",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6143352,
	"plain_text": "W4 July | EN | Story of the week: Ransomware on the Darkweb\r\nBy S2W\r\nPublished: 2021-07-23 · Archived: 2026-04-05 21:15:47 UTC\r\n9 min read\r\nJul 22, 2021\r\nKind but Bad Guy\r\nWith contribution from\r\n, , , | S2W LAB Talon\r\nSoW (Story of the Week) publishes a report summarizing ransomware’s activity on the Darkweb. The report includes a summary of victimized firms, the Top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.\r\nExecutive Summary\r\nhttps://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a\r\nPage 1 of 23\r\n1. [Statistics] There were a total of 34 ransomware victims in one week; the US still accounts for the largest share at 23.5%, but the remaining distribution is even across Southeast Asia and South America\r\n2. [Darkweb] The operator of the Suncrypt ransomware guarantees a reliable transaction with the victim, and finally writes a security report on what to do to avoid such a breach\r\n3. [Cryptocurrency] Suncrypt uses ChipMixer to launder Bitcoin received from victims\r\n4. [Darkweb] LockBit2.0 Affiliate Program Promotion Activities Spotted on RAMP Forum\r\n5. [Termination] KelvinsecTeam banned from the deep web hacking forum after its long journey of posting thousands of hacking-related contents\r\n1. Weekly Status\r\nA. Status of the infected companies (07/12~07/18)\r\nFor a week, a total of 34 infected companies were mentioned\r\n11 threat groups’ activities were detected\r\nB. TOP 5 targeted countries\r\n1. United States — 23.5%\r\n2. United Kingdom — 11.8%\r\n3. Germany \u0026 Spain \u0026 France \u0026 Peru — 5.9%\r\n4. Others — 2.9%\r\nC. TOP 5 targeted industrial sectors\r\n1. Financial \u0026 Law — 11.8%\r\n2. Logistics \u0026 Transportation \u0026 Government — 8.8%\r\n3. Others — 2.9%\r\nD. Top 5 Ransomware\r\n1. Lockbit — 32.4%\r\n2. Avos — 17.6%\r\n3. Hive — 11.8%\r\n4. Prometheus — 8.8%\r\n5. Grief — 5.9%\r\nE. Current status of data leak sites operated by ransomware groups\r\nWe keep monitoring the status of data leak sites operated by ransomware groups; approximately 22 sites operate stably while 6 sites are unstable.\r\n“Latest Updated” is based on the date the victim company information was updated.\r\nMonitoring data leak site operated by ransomware\r\nCurrent status of monitoring data leak site operated by ransomware\r\nA. Suncrypt ransomware\r\nSuncrypt, which had not been updated with victim company information for half a year, was recently confirmed to have resumed activity after a victim’s negotiation page was discovered\r\nTOP 5 targeted industrial sectors \u0026 countries\r\nThe industries affected by Suncrypt were mainly Services, Technology, and Retail, and the affected companies were mainly headquartered in the United States, Belgium, and Germany.\r\nSuncrypt infected companies\r\nA-1. Suncrypt infected companies\r\nIn June 2021, Company C in the United States was infected with Suncrypt ransomware; internal files were leaked and encrypted, and the main website was subjected to DDoS attacks until BTC was paid to the attacker\r\nMalware SHA256 : 509e16db291fb5b1ecf79154590f038d76e6579425daaee035db6480b4f2c33c\r\nVia the ransom note, Suncrypt guides the victim to a 1:1 chat page and provides details for negotiation\r\n1:1 chat page with Suncrypt operator\r\nA-2. Negotiating the price with the victim company\r\nA negotiator is involved to mediate the price between Suncrypt and the victim company.\r\nThe negotiator conveys Suncrypt’s demand of 750,000 (USD), in return for which the following three items would be provided to the victim company if it pays\r\n1. Decryptor : decrypts files encrypted by the ransomware\r\n2. The erasure log : a deletion log to confirm that Suncrypt has deleted all the leaked files\r\n3. The security report : to avoid this kind of situation in the future\r\nHe also mentioned that paying the amount will stop the DDoS attacks on the company’s website, and that the price can be lowered through fast delivery and negotiation\r\nAfter several rounds of negotiations, the victim company finally offered $279,944, and Suncrypt accepted it.\r\nThe victim responded that they could not pay with Monero from a legal point of view, only Bitcoin, according to the U.S. Department of Justice’s (DOJ) guideline on privacy coins.\r\nAccordingly, Suncrypt delivered a bitcoin address and the victim company transferred about 7.04 BTC to the address.\r\nPayment date : 2021–06–15 05:46\r\nBitcoin Address : bc1qqqj3tjv0yztrvda95paau4rwve2gkqpwqfld7v\r\nAfter confirming the amount paid, Suncrypt provided the three items (Decryptor, the erasure log, the security report) that it had said would be provided when the transaction was complete.\r\n1) Decryptor\r\nDecrypts files encrypted by the ransomware, with detailed instructions\r\n2) The erasure log\r\nAn erasure log to prove that Suncrypt has deleted all files stolen from the victim company\r\n3) The security report\r\nSuncrypt also provides complete after-sales service in the form of a detailed report on how to avoid this kind of situation in the future\r\nA-3. Security consulting offered by Suncrypt\r\n1. Defend your credentials from mimikatz\r\nLimit administrator privileges to the smallest group possible\r\nEven if you have thousands of user accounts, you should probably only have 2–5 administrator accounts\r\nStart with two accounts and force users to justify any additional accounts added to the administrator group\r\nUpgrade the schema and functional level of your forest and domain to at least 2012 R2\r\n**This domain functional level adds a fairly new group called “Protected Users”. Along with other protections, the members of the Protected Users group cannot authenticate by using NTLM, Digest Authentication, or CredSSP. These changes provide powerful protections that make Mimikatz almost worthless.\r\n2. Verify KB2871997 has been installed to apply additional required security.\r\nAfter you install this security update, the default setting for non-protected users on Windows 7 and Windows 8 is to not force clear leaked logon session credentials\r\nTo override this default you can add the following registry dword, TokenLeakDetectDelaySecs, and set it to a recommended value of 30 seconds\r\n**HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\TokenLeakDetectDelaySecs\r\nStop storing passwords in memory by changing the “UseLogonCredential” registry setting to ‘0’ instead of the default value of “1”, and passwords are no longer available to Mimikatz\r\n**HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\r\nUseLogonCredential 0 : do not store credentials in memory\r\nUseLogonCredential 1 : store credentials in memory\r\n3. Start monitoring your systems for unauthorized software and malware, which should help identify Mimikatz installation and activity\r\n4. In your specific case the critical vulnerability was in the Forti VPN; please update FortiVPN and monitor for updates and Windows updates\r\n5. Inform your IT staff to remove the possibility of storing user passwords within the network\r\n6. Also we recommend you to use SentinelAV and the Datto backup system. Also Veeam tapes are good, but the PC with Veeam should be in a WORKGROUP and the user should be different from the main domain\r\n7. Every PC should have AV. Don’t leave any PC without AV\r\n8. Also try to configure 2FA (on all network PCs) when you connect to remote desktop\r\n9. Use a password on AV\r\n10. Also a tip for you: if you want to change Fortigate VPN to another, we don’t recommend you use Sonic VPN or Pulse Secure, because they are under massive hack\r\nA-3. Transaction analysis\r\nBitcoin transaction analysis of the payment made by the victim\r\nPayment date : 2021–06–15 05:46\r\nAmount : 7.044 BTC\r\nBitcoin transaction analysis via Xarvis\r\n6.1951973 BTC, about 88% of the amount, finally flows to the following two addresses, where money laundering is performed through coin mixing\r\nChipMixer (coin mixing) 1\r\nAddress : 1CWnkH6kmZMUPsMCe8PN77Ndo2ASHhA8Sg\r\nAmount : 4.9340973 BTC\r\nTransaction time : 2021–06–16 07:40\r\nChipMixer (coin mixing) 2\r\nAddress : 1GykxLzh7Eftbyd7ABW1D74tGFUziLyqxK\r\nAmount : 1.2611 BTC\r\nTransaction time : 2021–06–25 09:41\r\nIf you look at the amounts produced by the coin mixing, they are split into exactly equal amounts. In particular, the pattern in which the same amount is divided into a combination of 0.001 BTC, 0.002 BTC, and 0.004 BTC is a typical feature of mixing performed by ChipMixer, and it is suspected that coin laundering was attempted using ChipMixer.\r\nExcluding those, there are currently addresses that still hold a remaining amount, and it seems that transactions from these addresses need to be monitored.\r\nAddress : bc1qapaljnz2zxfmpfgz9kq2prswsuxhe54l2k9u7y\r\nAmount : 0.7048 BTC\r\nC. RAMP (Babuk/Payload.bin)\r\nIt has been changed to a membership forum, and the number of active community users and posts is gradually increasing\r\nUser status as of 2021.07.20\r\nAdmin Orange and Moderator 777 are the most active users\r\nC-1. The post selling FortiNet VPN\r\nREvil ransomware had posted a purchase request on an underground forum to buy VPN-related access information, and there is a possibility that ransomware groups may use VPN-related access information purchased through the DDW in a ransomware attack\r\nCurrently, the RAMP forum is operated for the purpose of promoting affiliate programs and sales services related to ransomware RaaS, so credential information posted on the forum is highly likely to be misused by ransomware groups\r\nAccording to a post published on July 15, 2021, a user announced that Fortinet VPN access information would be posted\r\nNo additional posts about VPN access information from the user who posted the first thread have been found yet\r\nThe forum admin posted credentials to access a vSphere data center\r\nC-2. Sharing hacking tools\r\nTools used for hacking are shared among forum members\r\nMimikatz : A tool that can steal Windows account passwords\r\nNetscan : port scanning tool\r\nDsquery : Active Directory query tool (collects user accounts, domain trusts, permission information)\r\nPsexec : Used to download or upload files via network share.\r\nBabuk Builder : A tool to create Babuk ransomware\r\nC-3. LockBit promoting the LockBit affiliate program\r\nOn July 15, 2021, it was confirmed that the operator of LockBit, which has been the most active for the past week, is actively promoting the LockBit affiliate program.\r\nCompared to other ransomware, the activity level was low, and information about 11 new victims was posted on the leak site this week.\r\nThe industries affected by LockBit were mainly Transportation, Retail and Financial, and the affected companies were mainly headquartered in the United States, United Kingdom and Australia.\r\nTOP 5 targeted industrial sectors \u0026 countries\r\nThe post of LockBit promoting the LockBit affiliate program\r\n3. Posts related to Underground Forum @Dark Web\r\nA. Banned @teamkelvinsecteam\r\nTeamkelvinsecteam was an active user on Raidforums, and posted more than 1,000 hacking-related posts during its active period\r\nIt is known as a famous hacking group within the forum and has a high reputation\r\nAll posts written in the past are now deleted\r\nConclusion\r\nAs the Suncrypt ransomware victim paid a high cost, it is worth reviewing the security consulting content obtained as an after-sales service and applying it to other companies.\r\nAs the number of active users in the RAMP forum increases, continuous monitoring of users and posts is necessary.\r\nHomepage: https://www.s2wlab.com\r\nFacebook: https://www.facebook.com/S2WLAB/\r\nTwitter: https://twitter.com/s2wlab\r\nSource: https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a"
	],
	"report_names": [
		"w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434300,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/760eebf6137d324c3114faf4d32541ae0ace2286.pdf",
		"text": "https://archive.orkl.eu/760eebf6137d324c3114faf4d32541ae0ace2286.txt",
		"img": "https://archive.orkl.eu/760eebf6137d324c3114faf4d32541ae0ace2286.jpg"
	}
}