vx-underground – Telegram
vx-underground
45.8K subscribers
3.93K photos
419 videos
83 files
1.43K links
The largest collection of malware source, samples, and papers on the internet.

Password: infected

https://vx-underground.org/
Today the FBI, NCA UK, and EUROPOL, partnering with Chainalysis, revealed information on Lockbit ransomware group money flow.

The following data covers July 2022 - February 2024. Lockbit was first observed in late 2019. This analysis only covers 18 months of a 4-year crime spree.

They reviewed 30,000 Bitcoin addresses, of which over 500 were active. Those 500+ wallets have received over $120,000,000. The analysis also shows over $114,000,000 is still unspent (approx. 2,200 BTC unspent; numbers will vary based on the price of Bitcoin).

A large portion of this money was the 20% paid to Lockbit ransomware group administrative staff. This indicates the total money stolen could be in excess of $1,000,000,000 from July 2022 - February 2024. This means Lockbit ransomware group may have committed multiple billions of dollars' worth of theft internationally.
On Monday, when the Lockbit ransomware group website was seized by the FBI, NCA UK, and EUROPOL, they made a post titled "Who is Lockbitsupp?" - this post indicated that law enforcement could potentially unveil key leadership behind the organization.

During the week we spoke with Lockbit ransomware group administrative staff. They stated they did not believe law enforcement knew his/her/their identities. They even boastfully raised the bounty on their head to $20,000,000.

Today we finally get to see the "Who is Lockbitsupp?" post. The post is very short. It states Lockbit does not live in the United States or Netherlands. It also states he drives a Mercedes. They end the post with a picture of "Tox Cat" - an emoji frequently used by Lockbit ransomware group administrative staff and state Lockbit ransomware group administrative staff has 'engaged' with law enforcement.

tl;dr Lockbit ransomware group called their bluff and succeeded
We asked Lockbit ransomware group administration their thoughts on this past week.

Lockbit ransomware group said they will make formal reply to law enforcement once they're finished restoring their infrastructure

ALPHV said: "My Mercedes drives Lockbit"
This week has been fundamentally similar to HBO's Game of Thrones.

It started off strong, had a wonderful plot and development. It had twists, turns, cool cameo appearances. Then it suddenly ended and you say, "what the fuck is that"
Apparently on LinkedIn Lockbit, ALPHV, and HIVE are actually all the same group
lozaning is a nuisance to society. We gotta stop them. They've created the Toothbrush Botnet!
On January 24th, 2024 RisePro, an infostealer that competes with stealers such as RedLine, had its second iteration leaked online. The leak includes the builder, toolkit, documentation, and proxies.

We have archived it: "Win32.RisePro.b"

https://vx-underground.org/Archive/Builders
Breached, the infamous forum where individuals buy, sell, leak, and trade data, recently made some modifications to their rules.

Breached now forbids ransomware sales, recruitment, development, and ransomware-adjacent extortion.

See attached image for more information
It should be noted that the modification of the rules was not exclusive to ransomware. Breached also forbids:

- Drug sales
- Weapon sales
- Violence-as-a-Service (VaaS)
- Selling credit card or debit cards
- Selling Real IDs or documentation
- Drainers or recruitment of drainers
Hello hard drive purchasers,

All remaining international hard drives have been mailed, except 2 in Germany, because the "ß" letter angered the post office and we have to redo the label. Oopsies. We learned the "ß" has to be written as "ss". 😡

North American hard drives will be shipped in the coming week.

We've also dramatically improved our process for cloning, packaging, and shipping. In the future delivery will be much faster. We bought a bunch of stuff to make labels, package stuff, etc =D
We've updated the vx-underground Crime/Legal Ruling section. We've archived Department of Justice indictments for 2024 (so far), 2023, 2022, and 2021.

Cases are formatted as follows:

[date] - United States v [Person(s)] ( [Reason] )
Season 2 of FBI vs Lockbit ransomware group is scheduled to premiere in roughly 1 hour.

Lockbit has restored their servers (new Tor domains) and is planning on making a statement to the FBI regarding last week's takedown.

Stay tuned for the next episode of Dragon Ball Z
Will Lockbit admit defeat? Will the FBI summon the energy to complete the spirit bomb? Will Lockbit call in for backup? And who is this rumored legendary Super Saiyan?!
Lockbit ransomware group administrative staff have released a lengthy response to the FBI and bystanders.

In summary: they claim they failed to keep their systems up to date because they had become 'lazy' and complacent. They believe they were compromised by CVE-2023-3824, but are not totally sure. They also speculate it could have been a 0day exploit. They also speculate other RaaS groups (their competitors) may have been compromised.

They also speculate the reason why the FBI took such aggressive action was because a recent ransomware attack performed by one of their affiliates had sensitive information on former President Donald J. Trump. They state they believe their affiliates should target government entities more often to illustrate government vulnerabilities and flaws.

It is an incredibly long read with lots of speculation and attempts to discredit law enforcement agencies.

You can read the full post here: https://samples.vx-underground.org/tmp/Lockbit_Statement_2024-02-24.txt
The malware samples we archive are not toolkits. Please do not execute them on your machine.

Thanks,
We recently had a few people ask us if we dislike CTI (Cyber Threat Intelligence) because we occasionally meme them online.

No, in fact we very much like them. We enjoy reading the DFIR reports, notes and theories on how financially motivated and/or state-sponsored groups operate, and we enjoy reading the geopolitical backgrounds and/or influences on groups. This field of research is profoundly valuable to our line of work because these factors influence malware development in more ways than one. We are big fans of research performed by groups such as Mandiant, Cisco Talos, Recorded Future (and/or Insikt Group), Intel471, CrowdStrike, and Threat Intel adjacent groups like TheDFIRReport.

Our primary criticism of Threat Intel is not the large vendors, it is the trickle-down effect from Threat Intel. For example: Mandiant may publish a paper on APT28. Following the release of their research it is inevitable that a smaller or lesser-known Threat Intelligence company (or companies) will regurgitate Mandiant's findings, only to slightly distort them, thus making them inaccurate or altered in some form from the initial source. As this trickle-down effect continues the information becomes more and more distorted and inaccurate, leading to misinformation.

We also just meme and shitpost because our online account is run by 3 people with a combined IQ of spaghetti. Sometimes we put little to no thought into how people will respond to memes.
We've updated the vx-underground Crime/Legal rulings collection. We've completed years 2020 - 2024. Documented cases cover:

- Dark Overlord Group
- CardPlanet
- Equifax Hack
- Helix Mixer
- The Twitter Hack
- FastPOS
- Team Xecuter
- QQAAZZ Group
- FIN7
- Bitcoin Fog
- Trickbot
- Kelihos Botnet
- REvil ransomware
- Hydra Market
- Sandworm a/k/a Cyclops Blink
- Ryuk ransomware
- Netstalker ransomware
- Lockbit ransomware
- BreachedForums
- RaidForums
- Mt. Gox Hack
- Conti ransomware
- Callisto Group
- WarzoneRAT
- RaccoonStealer
- Lazarus Group
- APT41

... and a lot more

Check it out here: https://vx-underground.org/Crime/Legal%20Rulings
exciting news coming

(if you have friends and like cash prizes)

cya soon
We've updated the vx-underground malware sample collection.

- Virusshare.00485
- Virusshare.00486
- 92,000+ new samples

All samples have been synced to the VXDB 🫡
We will be hosting our first ever VXUG trivia night. On March 8th, teams of friends (or cats?) will answer malware and/or Threat Intel related questions for a chance to win money.

1st place: $500
2nd place: $250
3rd place: $100

Sponsored by Malcore 🙏

(More info soon)