{
	"id": "1edd6639-f51f-4ada-b879-1c994d2b54ec",
	"created_at": "2026-04-06T00:17:55.264794Z",
	"updated_at": "2026-04-10T03:28:20.940997Z",
	"deleted_at": null,
	"sha1_hash": "8110bdf25195cb7f2e0f7f651ef0ea6444c24ef1",
	"title": "On the Horizon: Ransomed.vc Ransomware Group Spotted in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76469,
	"plain_text": "On the Horizon: Ransomed.vc Ransomware Group Spotted in the Wild\r\nPublished: 2023-08-21 · Archived: 2026-04-05 15:45:13 UTC\r\n[Update] November 9, 2023: See the subheading: “End of an Era, the Sinking of Ransomed.VC.”\r\n[Update] October 5, 2023: See the subheading: “RansomedVC De-anonymized Itself After Moving to WordPress.”\r\n[Update] October 2, 2023: See the subheadings: “RansomedVC Partners with STORMOUS Hackers” and “The Outcome of the Sony Leak.”\r\n[Update] September 15, 2023: See the subheading: “Ransomed.vc Interview.”\r\n[Update] September 4, 2023: The Ransomed team is collaborating with Everest Ransomware; read more under “Old Ties, New Threats: Everest Echoes.”\r\n[Update] August 24, 2023: Added subheadings: “Ransomed.vc Lists Three New Victims and Receives Payment for a Previous Attack” and “An Extortion Approach That Utilizes GDPR Fines.”\r\nWe have been monitoring Telegram for a long time, as many threat actors and dark web activities also run actively on Telegram. A Telegram group that we previously tracked as RansomForums recently announced a new project called Ransomed.vc.\r\nThe group’s owner renamed his private chat room to Ransomed.vc Chat:\r\nFigure 1. First message of the Ransomed.vc chat room\r\nFigure 2. Welcome post of Ransomed.vc (Source: FalconFeedsio)\r\nHowever, the site suffered a DDoS attack shortly after its launch and was dubbed BreachForums2 by the attackers:\r\nFigure 3. Ransomed.vc after the attack (Source: Karol Paciorek)\r\nAnother Twitter user also noticed that RansomForums’ favicon is identical to BreachForums’ favicon:\r\nFigure 4. Favicons of RansomForums and BreachForums (Source: Crocodyli)\r\nAccording to the group owner’s chat messages, the admin will not use the forum for a while, until BreachForums is closed and he has the source code of RaidForums:\r\nFigure 5. 
Telegram group owner’s statement\r\nAfter this, Ransomed.vc was turned into a leak site listing ransom victims:\r\nFigure 6. Main page of Ransomed.vc\r\nhttps://socradar.io/on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild/\r\nPage 1 of 6\n\nA directory brute-force of the site’s domain found no pages beyond those the group had already shared publicly (a wordlist-based scan proves only that no commonly named paths exist, not that the site has no other content):\r\nFigure 7. DirBuster output for the Ransomed.vc domain\r\nIn VirusTotal the domain itself appears clean, but the relation graph links it to an IP address tagged as malicious; a clean verdict on a domain says nothing about the infrastructure it resolves to, so pivoting to related IPs is what surfaces the link:\r\nFigure 8. VirusTotal output and relation graph of the Ransomed.vc domain (Source: VirusTotal)\r\nThe group also shares victim posts on its Telegram channel, which it actively uses:\r\nFigure 9. Telegram channel information\r\nFirst Victims of Ransomed.vc\r\nFigure 10. A1 Data Provider has been compromised by Ransomed.vc\r\nFigure 11. Screenshots of A1 Data Provider on Ransomed.vc\r\nI\u0026G Broker House:\r\nFigure 12. I\u0026G Broker House\r\nFigure 13. Screenshots of I\u0026G Broker House on Ransomed.vc\r\nWe also see that they are recruiting new operators on their Telegram channel, which suggests more victim announcements in the near future.\r\nFigure 14. Ransomed.vc Telegram posts announcing that they are looking for new operators\r\nRansomed.vc Lists Three New Victims and Receives Payment for a Previous Attack\r\nBased on the latest information, the Ransomed.vc group has listed three new victims. One of them is Optimity, a managed IT service provider. The threat actors claim to have exported Optimity’s entire Azure cloud environment and that this gave them access to over a thousand companies, presumably Optimity’s customers.\r\nFigure 15. Optimity\r\nAnother exported database belongs to Transunion. 
The threat actors claim to have infiltrated Transunion’s entire cloud, obtaining all materials used and downloaded by Transunion employees. They also claim to hold a similar dataset from a company named Jhooker.\r\nFigure 16. Transunion\r\nFigure 17. Jhooker\r\nFurthermore, the operation has apparently received a payment following its attack on A1 Data Provider, although only one of four installments has been paid so far. The group appears to accept ransom payments in installments, which departs from the norm among the ransomware groups we have encountered to date.\r\nFigure 18. One of four partial payments has been made by A1 Data Provider\r\nAn Extortion Approach That Utilizes GDPR Fines\r\nAn additional detail about the group was shared in a tweet by vx-underground. Ransomed.vc uses an extortion strategy that leverages GDPR (the EU’s General Data Protection Regulation): victims are told to pay the ransom or have their data exposed and face the regulatory fines that follow a disclosed breach. This diverges from typical extortion in that the threat actors turn a protective law into a pressure tactic. The leverage is largely psychological: the breach-notification duty under GDPR Article 33 arises from the breach itself, not from the leak, so paying does not remove the victim’s legal exposure.\r\nOld Ties, New Threats: Everest Echoes\r\nIn a recent post by the Ransomed team we noticed that they are collaborating with Everest Ransomware, as is evident from the details of the SKF.com victim announcement: Everest published the same claim on its own site. Everest is a threat actor active since 2020 that has been involved in ransomware attacks, initial access brokering, and data extortion, and has been active on platforms such as XSS Forum and Breached.\r\nFigure 19. 
Everest’s and Ransomed’s claim posts about SKF.com\r\nConsidering that Ransomed was one of the founders of BlackForums after Breached, and that Everest was active on Breached, we can infer that their relationship is not a one-off collaboration but has a history.\r\nRansomedVC Partners with STORMOUS Hackers\r\nRansomedVC recently announced on Telegram that it has forged an alliance with the Stormous ransomware group. The group’s most recent message on its channel stated that while they had partnered in the past, they are now officially confirming it:\r\nFigure 20. RansomedVC’s announcement about partnering with Stormous\r\nStormous referred to RansomedVC as a partner in one of its own recent Telegram posts, which confirms the partnership from both sides.\r\nFigure 21. Stormous’ message on Telegram\r\nIn that message, Stormous also commented on the Sony breach, suggesting that they might intervene and potentially release more data for free.\r\nThe two groups appear to be trying to exert pressure on Sony, possibly to extort their victim further or to damage its brand reputation. With the partnership now official, we may expect more updates regarding the Sony situation.\r\nThe Outcome of the Sony Leak\r\nIn a subsequent update, the RansomedVC threat actors leaked the data they claimed to possess from the Sony breach on their Telegram channel, stating that they had extracted only the important data from Sony. See the message below:\r\nFigure 22. 
RansomedVC leaks the data from the Sony breach\r\nTo learn more about the Sony breach, see our other blog post: What You Need to Know About the Alleged Sony Breach\r\nRansomedVC De-anonymized Itself After Moving to WordPress\r\nRansomedVC recently moved its website to WordPress, after setting up a new virtual private server (VPS) hosted by a bulletproof hosting provider known as PONYNET.\r\nUnfortunately for the RansomedVC threat actors, this migration inadvertently exposed their origin IP address and a number of associated DNS entries.\r\nExposed host information (Source: X)\r\nThe hasty setup also left the site apparently affected by CVE-2017-5487, an unauthenticated information disclosure in the WordPress REST API (WordPress 4.7 before 4.7.1) that lets anyone list user accounts through the wp-json/wp/v2/users endpoint. Here the user listing exposed RansomedVC’s origin IP once more, because it was present in the profile of the administrator user. Note that this endpoint still answers unauthenticated requests on patched versions for accounts that have published content, and it returns profile fields such as the display name, URL and description, so anything an operator puts into those fields is effectively public.\r\nRansomed.vc’s origin IP has been revealed (Source: X)\r\nThe intention behind this disclosure by @htmalgae is to show how hastily the threat actors de-anonymized their hidden service before its restoration was complete.\r\nRansomed.vc Interview\r\nDaily Dark Web published an interview with Ransomed.vc on September 14th. The interview shows how a ransomware operator thinks and sheds light on many claims and points about Ransomed[.]vc. Some highlights from the interview follow.\r\nCan you introduce your group and explain why you engage in ransomware attacks?\r\n– Of course I can, we are a big team I have to say of 77 affiliates and a few more groups in partnership. We are financially motivated so this answers the second part of the question.\r\nMore on the topic of their working scheme:\r\nWhat are the primary motivations behind your attacks? 
Is it for financial gain, ideological reasons, or something else?\r\n– Financial gain and sometimes political reasons.\r\nHow do you choose your targets? Are you targeting large corporations, small businesses, or individual users?\r\n– I require at least 5M in revenue so it is even worth working on.\r\nTheir answers to some of the claims we included in this article were as follows:\r\nIn a recent post by the Ransomed team, they are collaborating with Everest Ransomware. Could you specify the nature of your connection with the Everest Group?\r\n– Old friends don’t forget their friends.\r\nAlleged ties between Exposed Forum and Ransomed: Could you specify the nature of your connection with the Exposed Forum?\r\n– I have seen the news yeah, idk what I can say about it, never been in their forum neither will I ever be.\r\nDon’t forget to check out Daily Dark Web’s post for the full interview.\r\nEnd of an Era, the Sinking of Ransomed.VC\r\nRansomed.vc’s last post on Telegram about the end of the operation\r\nRansomed.vc shared a Telegram post announcing the shutdown of its operations due to the arrest of six individuals associated with the group. The announcement acknowledged that the financial gains did not outweigh the harm caused to their affiliates’ lives, and blamed the mistake of hiring young and inexperienced people, whose security lapses likely contributed to the arrests. The post contained no apology for the ransomware attacks they were involved in. 
Concluding the post, Ransomed.vc distanced itself from the actions of its former associates and from ongoing illegal activity, signing off with a casual farewell.\r\nSome questions remain:\r\nWhat will happen to the Ransomed forum?\r\nWhat will happen to the victims?\r\nWe’ll see in the future…\r\nBonus:\r\nTwitter is buzzing with claims that the Ransomed admins are impotent and self-report their affiliates to the feds. We don’t know if these rumors are true, but we discuss such rumors in another blog series, not here.\r\nFollow Dark Peep if you want to know about rumors and interesting incidents happening on the dark web!\r\nDiscovering the Dark Web Landscape: SOCRadar XTI Monitoring and Threat Insights\r\nUsing advanced monitoring techniques and AI-driven intelligence, SOCRadar XTI continuously surveils the clear, deep, and dark web, along with hacker channels on platforms like Telegram. With these monitoring capabilities, SOCRadar alerts organizations before compromise.\r\nFor a deeper understanding of the hidden facets of the internet, the threat actors operating from the dark web, and their toolsets, explore our platform.\r\nSOCRadar Dark Web Monitoring\r\nYou can also request a free dark web report here to learn the scope of your exposure to such threats and bolster your overall security posture.\r\nSource: https://socradar.io/on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://socradar.io/on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild/"
	],
	"report_names": [
		"on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "adf68b66-8287-44de-9cdc-3277508a8126",
			"created_at": "2023-11-05T02:00:08.082461Z",
			"updated_at": "2026-04-10T02:00:03.400457Z",
			"deleted_at": null,
			"main_name": "RansomVC",
			"aliases": [
				"Ransomed.vc"
			],
			"source_name": "MISPGALAXY:RansomVC",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8110bdf25195cb7f2e0f7f651ef0ea6444c24ef1.pdf",
		"text": "https://archive.orkl.eu/8110bdf25195cb7f2e0f7f651ef0ea6444c24ef1.txt",
		"img": "https://archive.orkl.eu/8110bdf25195cb7f2e0f7f651ef0ea6444c24ef1.jpg"
	}
}