Ransom House

Yet another data-extortion cybercrime operation has appeared on the darknet named ‘RansomHouse’ where threat actors publish evidence of stolen files and leak data of organizations that refuse to make a ransom payment.

The new operation claims not to use any ransomware and instead focuses on breaching networks through alleged vulnerabilities to steal a target’s data.

However, they do not take responsibility for their actions. Instead, they blame the companies for not properly securing their network and for “ridiculously small” bug bounty rewards offered for vulnerability disclosures.

“We believe that the culprits are not the ones who found the vulnerability or carried out the hack, but those who did not take proper care of security. The culprits are those who did not put a lock on the door leaving it wide open inviting everyone in,” the RansomHouse threat actors write on their ‘about us’ page.

“People are inherently curious and are eager to learn the object of their interest. Usually corporations respond to the message that their “doors are wide open” in negative context, direct threats or silence. In rare cases one could meet gratitude and ridiculously small payments that do not cover even 5% of an enthusiast’s efforts.”

Targeting your data

RansomHouse is believed to have launched in December 2021 with its first victim allegedly the Saskatchewan Liquor and Gaming Authority (SLGA), which is now listed on the extortion site.

Since launching the site this month, the threat actors have added three other victims, with the most recent being a German airline support service provider, attacked last week.

Listing of the most recent victim with the extortion still underway

Interestingly, RansomHouse lists URLs to media posts for victims who are still actively extorted, highlighting the publicity of their attacks and using it as an additional extortion method.

If victims don’t pay a ransom to the hackers, their data is sold to other threat actors. If nobody is interested in purchasing it, the stolen dataset is published on the Tor site.

Declaring stolen data as sold for victims that refused to negotiate

A bizarre origin story

RansomHouse has a somewhat bizarre origin story: the organization was first mentioned inside White Rabbit ransom notes, but the actors maintain that they only collaborated with that ransomware gang and do not use ransomware themselves.

In a report published today by Cyberint, analysts found Telegram posts promoting RansomHouse on the Lapsus$ gang's Telegram channel. This indicates that the threat actors are as interested in selling data to other threat actors as they are in extorting the victim.

RansomHouse posting on the Lapsus$ Telegram channel (Cyberint)

As such, while the origins of RansomHouse are unknown at this time, the group hasn’t emerged as a thoroughly independent entity but rather from within other threat groups.

Cyberint claims to have extensively examined the communications of RansomHouse’s core members with other threat actors on Telegram channels and reported seeing professional conduct.

“They speak politely on both their blog and various Telegram channels and do not get swept into irrelevant discussions. Furthermore, they claim to be very liberal and pro-freedom. They do not want to mix business and politics and announced that they would never work with radical hacktivists or espionage groups,” explains the report by Cyberint.

This makes Cyberint’s analysts believe that RansomHouse is a project launched by disgruntled red-team pen-testers who are fed up with low bounty payments and poor cybersecurity planning in general.

Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told Bleeping Computer the following regarding RansomHouse:

The RansomHouse platform is supposedly used by ‘club members’ who carry out attacks using their own tools – and, according to them, those tools include ransomware such as White Rabbit. I suspect, however, that their claims are untrue and that the same individuals who carry out the attacks are also behind RansomHouse.

As for the origin, a representative of RansomHouse who had phoned the press to publicize the attacks spoke English with what sounded like an Eastern European accent.

However, other cybercriminals have voiced concerns that the new data extortion project is suspicious and not to be trusted.

Users on a hacking forum discussing the new leak portal (KELA)

Encryption factor

Cyberint claims that RansomHouse only steals the data and handles negotiations or sales to other crooks. Additionally, the new operation says they do not perform encryption using a ransomware strain, so the extortion is based solely on the threat of exposing stolen files.

This would explain why the group previously claimed to be a platform for various ransomware gangs, including White Rabbit, that actually do perform the encryption.

Weirdly though, the word “encrypted” is present on the RansomHouse Onion site, denoting that the victimized organizations have had their data encrypted, so that part is debatable.

RansomHouse homepage

For now, this new operation is small and counts only four victims that Bleeping Computer is still in the process of verifying.

It is doubtful that RansomHouse will become a large-scale danger any time soon, but the launch of any extortion portal should be a concern for all network and security admins.

Source: www.bleepingcomputer.com