RansomedVC, a ransomware and data extortion group that surfaced a few months ago, recently declared its intention to shut down operations and sell components of its infrastructure. Operating on the ransomware-as-a-service (RaaS) model, the group targeted over 40 organizations, demanding ransoms of up to $1 million, with a focus on European entities.
While the primary targets were in Europe, the group claimed responsibility for attacks on Sony and the District of Columbia Board of Elections. On October 30, the operators announced the cessation of operations, closing the project’s leak websites, but the gang’s dark web forum remains active to facilitate the sale of assets and infrastructure.
The group, known for engaging in extortion activities since August, published a post on its Telegram channel detailing the items for sale, including leak websites, a dark web forum, social media accounts, an allegedly undetectable ransomware builder, malware source code, access to affiliate groups, a Telegram channel, VPN access to 11 victims, 37 databases, and a control panel for the file-encrypting malware.
Although the initial announcement provided no explanation for the shutdown, a subsequent post on November 8 suggested that arrests of six individuals associated with RansomedVC might have prompted the decision, resulting in the immediate firing of all 98 affiliates. Despite RansomedVC’s closure, cybersecurity experts anticipate minimal impact on the ransomware landscape, as affiliates are likely to transition to other RaaS operations.
According to ZeroFox, the shutdown may not deter threat actors, who could be motivated to purchase RansomedVC’s infrastructure to target victims, establish spin-off extortion operations, or exploit it for further malicious activities.