Ransomed.vc has shifted from an underground forum into a high‑velocity ransomware and extortion operation, naming Japan’s NTT Docomo as its next target after leaking Sony data. The group leans on supply‑chain narratives, GDPR‑pressure rhetoric, and a growing affiliate network to maximize impact. #Ransomedvc #NTTDocomo #Sony #BorisTulev #Tanaka #Lapsus$ #FiveFamilies #ThreatSec
Keypoints
- Ransomed.vc announced a new victim (NTT Docomo) and demanded $1,015,000, shortly after publishing Sony data on Breach Forums.
- The Sony breach is reported as a possible intrusion vector that gave the group broader access to the telecom operator’s data; if confirmed, that would make the Docomo incident a supply‑chain compromise rather than a direct intrusion.
- The group runs an affiliate program (reported ~77 affiliates) and coordinates over a mix of clearnet sites, a Tor‑hosted data leak site (DLS), and Telegram, with stated OPSEC practices, all aimed at monetizing stolen access.
- GDPR‑based extortion (a “digital peace tax”) is used to pressure EU victims, with the claim that paying the ransom is cheaper than regulatory fines and reputational damage.
- The Sony‑related dump is reported at 2.4 GB and includes compromised credentials and a leaked SSH private key; artifacts such as the string “PcFailed” and engineer workspace data (e.g., browser bookmarks) are cited as evidence of where the data came from.
- The case situates Ransomed.vc within a broader Gen Z‑driven phishing and ransom ecosystem, alongside groups such as Lapsus$, Scattered Spider, ThreatSec, Five Families, HydraC2, and hacktivist coalitions.
MITRE Techniques
- [T1195] Supply Chain Compromise – The Sony breach is analyzed as a potential intrusion vector that enabled broader access to Docomo’s data. ‘intrusion vector for broader supply-chain compromise that enabled the group to illegally access the telecom operator’s data.’
- [T1078] Valid Accounts – The Sony data dump includes compromised credentials and a leaked SSH private key, either of which gives an attacker legitimate access until rotated. ‘the new data set contained compromised credentials and leaked SSH private key’
- [T1567] Exfiltration Over Web Service – Stolen data was published on the group’s DLS and on forums. The page supports only the parent technique; the sub‑technique T1567.002 is Exfiltration to Cloud Storage, and the public leak is the post‑exfiltration disclosure step rather than the exfiltration channel itself. ‘leaked their stolen data online’
- [T1005] Data from Local System – The credentials and SSH private key are presumed to have been collected from an engineer’s workstation rather than from a server or central store. ‘notably, the new data set contained compromised credentials and leaked SSH private key, presumably stolen from an engineer’s workstation.’
Indicators of Compromise
- [Domain] ransomed.vc – primary domain used for the operation and its data leaks
- [Domain] sony-autotest.com – observed activity linked to the Sony breach context
- [Domain] blackforums.net – underground forum referenced in connection with the group’s profile
- [Domain] qu.ax – file host used for an archived text file (HErm.txt) in the data disclosures
- Caveat: these are actor and disclosure infrastructure, not artifacts of a compromised host. Traffic to ransomed.vc or blackforums.net from a corporate network is worth an alert and an analyst conversation; qu.ax is a general‑purpose file host, so a hit there needs the path (e.g. the HErm.txt file) or other context before it is treated as malicious.
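As an added example that is not part of the original page, the following Python script matches the four IOC domains above against DNS and proxy log lines. The log format (space‑separated `key=value` fields with `query=` or `url=`) and the sample lines are constructed for this example, not real telemetry. The point it makes that a plain substring search misses: matches must respect label boundaries, so `www.sony-autotest.com` matches but `aqu.ax` and `ransomed.vc.example.org` do not.

```python
import re
from typing import Dict, List, Optional

# Domains from the Indicators of Compromise section of this page, with the
# page's own context for each one.
IOC_DOMAINS: Dict[str, str] = {
    "ransomed.vc": "primary domain used for the operation and its data leaks",
    "sony-autotest.com": "observed activity linked to the Sony breach context",
    "blackforums.net": "underground forum referenced in the group's profile",
    "qu.ax": "file host used for an archived text file in the disclosures",
}

# Constructed sample log lines for this example (not real telemetry).
# The key=value layout is an assumption, not any vendor's schema.
SAMPLE_LOGS: List[str] = [
    "2023-09-25T10:14:02Z dns client=10.1.2.3 query=ransomed.vc type=A",
    "2023-09-25T10:15:11Z proxy client=10.1.2.4 url=https://www.sony-autotest.com/login status=200",
    "2023-09-25T10:16:40Z dns client=10.1.2.5 query=aqu.ax type=A",
    "2023-09-25T10:17:05Z proxy client=10.1.2.6 url=https://qu.ax/HErm.txt status=200",
    "2023-09-25T10:18:30Z dns client=10.1.2.7 query=ransomed.vc.example.org type=A",
    "2023-09-25T10:19:12Z dns client=10.1.2.8 query=www.example.com type=A",
]

# Captures the hostname after "query=" or after the scheme in "url=...".
_HOST_RE = re.compile(
    r"(?:\bquery=|\burl=[a-z][a-z0-9+.-]*://)([A-Za-z0-9.-]+)", re.IGNORECASE
)


def extract_host(line: str) -> Optional[str]:
    """Return the queried/requested hostname from a log line, normalised
    to lower case without a trailing dot, or None if the line has none."""
    m = _HOST_RE.search(line)
    if not m:
        return None
    return m.group(1).lower().rstrip(".")


def match_ioc(host: str) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None.

    The label boundary is enforced by requiring either an exact match or
    a suffix of "." + ioc, so 'aqu.ax' does not match 'qu.ax' and
    'ransomed.vc.example.org' does not match 'ransomed.vc'.
    """
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(lines: List[str]) -> List[dict]:
    """Scan log lines and return one hit record per line that touches an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        host = extract_host(line)
        if host is None:
            continue
        ioc = match_ioc(host)
        if ioc is not None:
            hits.append(
                {"line": n, "host": host, "ioc": ioc, "context": IOC_DOMAINS[ioc]}
            )
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ioc']} ({hit['context']})")
```

On the sample input the scanner reports lines 1, 2 and 4 and correctly ignores the `aqu.ax` and `ransomed.vc.example.org` look‑alikes. In production the hit for `qu.ax` should be enriched with the URL path before it is escalated, since that host is a general‑purpose file host and only the disclosure file itself is of interest here.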