{
	"id": "1f7f180d-217a-47d3-ba21-2eaeae2af5a3",
	"created_at": "2026-04-06T00:13:19.688451Z",
	"updated_at": "2026-04-10T03:30:34.120657Z",
	"deleted_at": null,
	"sha1_hash": "cd17f9e6d05b0b24febda243cf7759d3ee6c25a3",
	"title": "Sep 2023 Cybercrime Update | New Ransomware Threats and the Rising Menace of Telegram",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4453347,
	"plain_text": "Sep 2023 Cybercrime Update | New Ransomware Threats and the\r\nRising Menace of Telegram\r\nBy Jim Walter\r\nPublished: 2023-09-13 · Archived: 2026-04-02 11:48:07 UTC\r\nIn this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month.\r\nFrom the burgeoning market of bypass services to the alarming criminal activities on Telegram, we provide an\r\nupdate on cybercriminal activity to help defenders, SOC Teams and security leaders stay abreast of the latest\r\ndevelopments and fortify their defenses in this ever-evolving battleground.\r\nThe AV/EDR/XDR Bypass Market\r\nThreat actors across the cybercrime landscape are interested in anything that will help them bypass security\r\nsolutions and evade detection, and this has resulted in a busy trade for tools and services which claim to answer\r\nthis need.\r\nThe bypass market is not new but has witnessed an alarming growth in both the sophistication of the tools being\r\noffered and the assertiveness of the actors involved. These actors are leveraging unprecedented access to\r\nenterprise-level tools, continually testing and refining their malware against these tools, and posing a sophisticated\r\nand potent threat in targeted environments.\r\nhttps://www.sentinelone.com/blog/sep-2023-cybercrime-update-new-ransomware-threats-and-the-rising-menace-of-telegram/\r\nPage 1 of 7\n\nAdvertisement for “EDR Killer”, a malware dropper and bypass service\r\nBypass tools and services, which are far from being budget-friendly, are becoming a staple in the arsenal of\r\nransomware operators. 
The bespoke nature of these services, exemplified by vendors such as “r1z,” indicates a burgeoning market where customizations can drive the price upwards from a base of around 3000 USD.\r\nDemo of “EDR Killer” bypassing an AV company\r\nHowever, modern EDR/XDR technologies are not helpless against these tools, provided they are kept current and appropriately configured. When such tools succeed, it is usually against outdated agent versions or ill-maintained and misconfigured deployments, which leave exactly the gaps the bypass tools exploit.\r\nRansomware | New Threat Actors Ramping Up Attacks\r\nThe ransomware threat may be less in the headlines than this time last year, but known and new threat actors continue their activities, exploiting novel techniques and finding overlooked weaknesses in organizations’ security posture, as the ransomware attack on MGM Resorts this week has shown.\r\nElsewhere, new threat actors continue to appear and are ramping up operations. The coming months are expected to be a busy time for new attacks.\r\nINC Ransom\r\nThe INC Ransom group emerged on the scene in early August 2023, establishing themselves with a semi-private, affiliate-based operation. A closer look at their operation reveals a penchant for exploiting weaknesses in exposed Remote Desktop Protocol (RDP) services and using purchased valid account credentials, typically acquired through Initial Access Brokers (IABs).\r\nTheir modus operandi includes leveraging living-off-the-land binaries (LOLBINs) such as WMIC.EXE and MSTSC.EXE, among others, aiming to blend in with legitimate administrative activity and so bypass the detection technologies deployed in targeted environments. 
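The RDP-then-LOLBIN pattern described above is something a SOC can correlate from ordinary Windows logon and process-creation events. The Python below is an added example written for this edit, not code from the SentinelOne post or from any vendor product. It runs over constructed key=value log records (the field names, hosts, accounts and addresses are all invented for the illustration and do not reflect a real product schema) and raises an alert when an account that just logged on over RDP (Windows logon type 10) launches one of the watched binaries within a short window, and separately when the RDP source address is not on an allowlist, which is the shape purchased-credential access usually takes.

```python
from datetime import datetime, timedelta

# LOLBINs named in the post (WMIC, MSTSC) plus the tools this record lists for
# INC Ransom. Matching is on the lower-cased file name only.
WATCHED_BINARIES = {
    'wmic.exe', 'mstsc.exe', 'psexec.exe', 'nltest.exe',
    'adfind.exe', 'rclone.exe', 'esentutl.exe',
}

# Constructed sample records (not real telemetry). event=4624 logon_type=10 is a
# Windows RDP logon; event=4688 is process creation. Hosts, users and addresses
# are invented for the illustration.
SAMPLE_LOGS = [
    'ts=2023-09-12T02:10:05 event=4624 logon_type=10 host=FS01 user=svc_backup src_ip=203.0.113.7',
    'ts=2023-09-12T02:11:40 event=4688 host=FS01 user=svc_backup image=C:/Windows/System32/wbem/WMIC.exe',
    'ts=2023-09-12T02:14:02 event=4688 host=FS01 user=svc_backup image=C:/Windows/System32/mstsc.exe',
    'ts=2023-09-12T02:15:30 event=4688 host=FS01 user=svc_backup image=C:/Windows/System32/notepad.exe',
    'ts=2023-09-12T09:00:00 event=4624 logon_type=10 host=WS22 user=jdoe src_ip=10.20.0.15',
    'ts=2023-09-12T09:02:10 event=4688 host=WS22 user=jdoe image=C:/Apps/app.exe',
    'ts=2023-09-12T09:40:00 event=4624 logon_type=2 host=WS22 user=jdoe src_ip=-',
    'ts=2023-09-12T12:00:00 event=4688 host=WS22 user=jdoe image=C:/Windows/System32/wbem/WMIC.exe',
]


def parse_line(line):
    '''Turn one key=value record into a dict; ts becomes a datetime.'''
    rec = dict(token.split('=', 1) for token in line.split())
    rec['ts'] = datetime.fromisoformat(rec['ts'])
    return rec


def basename(image):
    '''Lower-cased file name of an image path, accepting either separator
    (chr(92) is the backslash, so real Windows paths work unchanged).'''
    return image.replace(chr(92), '/').rsplit('/', 1)[-1].lower()


def detect(lines, window=timedelta(minutes=30), trusted_rdp_sources=()):
    '''Correlate RDP logons with follow-on watched-binary launches.

    Returns a list of alert dicts in time order:
      rdp_from_untrusted_source: RDP logon from an address outside the
        allowlist (only evaluated when an allowlist is supplied);
      lolbin_after_rdp: a watched binary started by the same user on the same
        host within the window after that user's most recent RDP logon there.
    '''
    records = sorted((parse_line(line) for line in lines), key=lambda r: r['ts'])
    last_rdp_logon = {}  # (host, user) -> most recent RDP logon record
    alerts = []
    for rec in records:
        key = (rec['host'], rec['user'])
        if rec['event'] == '4624' and rec.get('logon_type') == '10':
            last_rdp_logon[key] = rec
            if trusted_rdp_sources and rec['src_ip'] not in trusted_rdp_sources:
                alerts.append({'rule': 'rdp_from_untrusted_source', 'host': rec['host'],
                               'user': rec['user'], 'src_ip': rec['src_ip'], 'ts': rec['ts']})
        elif rec['event'] == '4688':
            logon = last_rdp_logon.get(key)
            name = basename(rec['image'])
            if logon is not None and name in WATCHED_BINARIES and rec['ts'] - logon['ts'] <= window:
                alerts.append({'rule': 'lolbin_after_rdp', 'host': rec['host'], 'user': rec['user'],
                               'process': name, 'src_ip': logon['src_ip'], 'ts': rec['ts'],
                               'seconds_after_logon': int((rec['ts'] - logon['ts']).total_seconds())})
    return alerts


if __name__ == '__main__':
    # Only the internal jump host 10.20.0.15 is an expected RDP source here.
    for alert in detect(SAMPLE_LOGS, trusted_rdp_sources={'10.20.0.15'}):
        print(alert)
```

On the sample data this yields three alerts: the FS01 logon from 203.0.113.7 is outside the allowlist, and WMIC.exe and mstsc.exe follow it within minutes; the WMIC launch on WS22 three hours after a logon from a trusted address is left alone. Tune the window and the allowlist to the environment, and treat a hit as a lead to pivot on (source address, account provenance, what WMIC was asked to do) rather than a verdict, since administrators also run WMIC and MSTSC after RDP logons.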
The victims, once infected, are ushered into a negotiation process via a Tor-based portal, with a stringent 72-hour window to comply with the payment demands before their data gets published.\r\nINC Ransomware victim sign-in portal\r\nINC Ransom ransom note\r\nRansomed.VC\r\nRansomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles. Their operations lean heavily on GDPR penalties as an extortion lever, threatening victims with regulatory fines and legal repercussions should the stolen data leak.\r\nRansomed.vc capture for August 2023 (Wayback Machine)\r\nTheir evolutionary journey can be traced back to the “RANSOMED” forums, with their website undergoing a significant transformation before a highly publicized launch in August 2023. The group has expanded its communication channels, utilizing both clearnet and dark web platforms to circulate news and updates regarding their activities.\r\nRansomed Telegram channel is banned\r\nDespite facing bans from various social media and communication platforms, they have adapted quickly, shifting their communication hub to other platforms including underground Russian cybercrime forums. 
Their approach indicates a brazen disregard for the potential humanitarian consequences of their actions, even allowing attacks on critical infrastructure sectors, provided they get approval from the “admin”.\r\nAdvert to join the Ransomed RaaS (Affiliate Program)\r\nTheir business model encompasses an affiliate program, providing a platform for like-minded criminals to collaborate and enhance their nefarious activities. The group has also demonstrated its ability to deface websites, including government domains, using them as a billboard to showcase ransom demands and details of the attacks.\r\nRansomware message on Hawaii[.]gov website\r\nLeveraging GDPR laws, they have positioned themselves as a pure extortion group, operating without deploying any ransomware. This complicates response: with no encryptor involved there is no encryption event to alert on and nothing to decrypt, so detection has to rest on spotting the data theft itself and the initial access that preceded it.\r\nTelegram | The “Wild Wild West” of Cybercrime\r\nSince its inception in 2013, Telegram has gradually but steadily morphed into a hub for criminal activities, such that it now resembles the unregulated and chaotic nature of IRC channels and the early days of the internet. 
From malware distribution to recruitment into criminal organizations, the platform is now a hotbed for various cybercrime ventures.\r\nOne of many Telegram channels offering EDR Bypass tools, tips and tricks\r\nTelegram’s encrypted environment (groups and channels are encrypted only between client and server; end-to-end encryption applies solely to one-to-one Secret Chats), coupled with the capability to host large groups and automate processes through “bots,” has facilitated a significant migration of cybercriminal activities from traditional dark web markets to a platform the criminals regard as more secure.\r\nAs of September 2023, the platform continues to teem with vendors offering custom malware tools and crypters, and it has now become the preferred platform for ransomware groups to disseminate stolen data and recruit affiliates, functioning as a versatile tool in their operations.\r\nTelegram has become a hive for cybercriminals to share stolen data\r\nConclusion\r\nAs we approach fall of 2023, with businesses returning to offices and schools and colleges opening for the new term, the cybercrime landscape continues to evolve at pace, with new entrants wielding sophisticated tools looking for any avenue of attack. Organizations must be vigilant and prepared, continuously adapting to the ever-changing threats emerging from the digital shadows.\r\nIn the face of these emerging trends, employing a comprehensive security solution like Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.\r\nThe cybercriminals are not resting, and neither should we. 
To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.sentinelone.com/blog/sep-2023-cybercrime-update-new-ransomware-threats-and-the-rising-menace-of-telegram/"
	],
	"report_names": [
		"sep-2023-cybercrime-update-new-ransomware-threats-and-the-rising-menace-of-telegram"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adf68b66-8287-44de-9cdc-3277508a8126",
			"created_at": "2023-11-05T02:00:08.082461Z",
			"updated_at": "2026-04-10T02:00:03.400457Z",
			"deleted_at": null,
			"main_name": "RansomVC",
			"aliases": [
				"Ransomed.vc"
			],
			"source_name": "MISPGALAXY:RansomVC",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775791834,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd17f9e6d05b0b24febda243cf7759d3ee6c25a3.pdf",
		"text": "https://archive.orkl.eu/cd17f9e6d05b0b24febda243cf7759d3ee6c25a3.txt",
		"img": "https://archive.orkl.eu/cd17f9e6d05b0b24febda243cf7759d3ee6c25a3.jpg"
	}
}