# W4 Jan | EN | Story of the week: Ransomware on the Darkweb

**[medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1](https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1)**

Hyunmin Suh, March 15, 2021

[Hyunmin Suh](https://medium.com/@tedsuh?source=post_page-----7595544363b1--------------------------------), Jan 26, 2021

_It ain’t over yet till the DDoS Sings_

S2W LAB publishes weekly reports on the ransomware activities that took place on the Dark Web. The report includes a summary of victimized firms, the Top 5 targeted countries and industrial sectors, the status of dark web forum posts by ransomware operators, etc.

## Executive Summary

The number of victimized firms uploaded to darkweb ransomware sites decreased (-22) compared to the previous week, and the number of ransomware groups remained the same.

The Industrials sector still accounts for the highest proportion among the industries, but the Services sector appears to be increasing rapidly, which needs careful attention.

Looking back at our previous story, Avaddon mentioned an ‘arsenal to “persuade”’, which turned out to be a DDoS attack against victimized firms. As Avaddon seems to be trying a variety of arsenals in negotiation, victimized firms need to be aware of the secondary attack.

## 1. Weekly Status

### A. Status of the victimized firms (01/18 ~ 01/24)

For a week, were mentioned and a change in the state of the data leaked from the victim company in the ransomware site was detected.

Activity from detected

### B. TOP 5 targeted countries

1. United States — 58.6%
2. United Kingdom — 10.3%
3. Canada — 6.9%
4. Sweden — 6.9%
5. Germany — 3.4%

### C. TOP 5 targeted industrial sectors

1. Industrials — 41.4%
2. Services — 20.7%
3. Financial — 6.9%
4. Real Estate — 6.9%
5. Technology — 6.9%

## 2. Status of active Ransomware forum posts @ Dark Web

### A. Avaddon

Exploit[.]IN, XSS[.]IS / Avaddon / 06/03/2020

**Weekly Summary of Activity**

01/26/2021

- Rolled out Windows OS support for XP and 2003
- Updated the locker with new functions
- Ran through the panel, adding a couple of new features
- Tried new ways to pressure victims

**Referring to previous SoW…**

The phrase ‘arsenal to “persuade”’ mentioned by Avaddon in the previous post turns out to be a DDoS attack against victimized firms. The size of the DDoS is clearly mentioned, but the harassment of the victims will intensify in order to apply huge pressure.

**Articles & Analysis report on Avaddon**

- Avaddon Ransomware Analysis Article: Trend Micro (07/08/2020), ‘Ransomware Report: Avaddon and New Techniques Emerge, Industrial Sector Targeted’

### B. Babuk

Raidforums / biba99 / 08/26/2020

**Weekly Summary of Activity**

01/21/2021

- Babuk Locker version supports Linux-based (\*nix) virtual servers (ESXi) and NAS

**Articles & Analysis report on Babuk**

- Babuk Locker Analysis Article: Bleeping Computer (01/05/2021), ‘Babuk Locker is the first new enterprise ransomware of 2021’

### C. Lockbit

Exploit[.]IN, XSS[.]IS / LockBit / 01/17/2020

**Weekly Summary of Activity**

01/21/2021

- Reply post implying that new Lockbit 2.0 is undergoing

**For Reminder, Lockbit’s first post**

**Articles & Analysis report on Avaddon**

- LockBit Ransomware Analysis Article: Sophos News (04/24/2020), ‘LockBit ransomware borrows tricks to keep up with REvil and Maze’