AiDLocker Ransomware: Blurred Lines Between Cyber-Crime And Hacktivists Increasing.
TLDR:
· AiDLocker Ransomware is likely preparing to post victims who have not paid a ransom.
· AiDLocker Ransomware still has links to pro-Russian hacktivists and might be used by those hacktivists.
· AiDLocker Ransomware will likely post victims to Telegram; however, there is some evidence they may also run a leak site.
· AiDLocker Ransomware is likely from Russia, due to its relationship to other Russian groups.
· AiDLocker Ransomware was likely created by the DeaDXInject Team with support from Dead Remedy, Inc — or these could be the same group.
Introduction:
AiDLocker Ransomware has, as far as I have been able to track, been in development since the start of July 2022. It is being prepared and advertised on Telegram and likely has Russian origins.
AiDLocker's relationship to pro-Russian hacktivists:
For background on the possible connection between AiDLocker Ransomware and pro-Russian hacktivist groups, see my previous report: https://cyberknow.medium.com/pro-russian-hacktivists-possible-ransomware-ambitions-84e804c10a93
For context, that report received the following response from RHA (Red Hackers Alliance):
As you can see, my linkage between the groups was confirmed by RHA — but they argue it is minimal. This was also confirmed by Alpha, the leader of DeaDNet — who claims that they know the developer of AiDLocker Ransomware. https://cyberknow.medium.com/deadnet-diary-a-conversation-with-a-pro-russian-hacktivist-group-leader-ec09121e2796
AiDLocker Ransomware Timeline:
The following is the timeline of AiDLocker Ransomware as seen on Telegram.
PhantomDev, a botnet provider, posted to their Telegram channel on 2 July 2022:
This was the first time I had seen AiDLocker Ransomware posted and at the time it was being called AiD CryptoLocker. The first post in the AiDLocker Ransomware Telegram page was 1 July 2022:
This outlined the capabilities of the ransomware and had some worrying traits — in particular “self-propagation over the network” — which is not ideal for a ransomware variant.
On 2 July 2022 an announcement was made that the build was ready:
On 7 July 2022, the AiDLocker Ransomware page posted that the first build of the ransomware was ready. An update on 11 July 2022 showed a user panel created by ‘Dead Remedy, Inc’.
What is interesting to note here is that RHA said in their response to my report that DeadXInject Team created AiDLocker Ransomware — it is possible that Dead Remedy, Inc created the platform to host the ransomware. It is also possible that Dead Remedy and DeadXInject are closely connected.
Comment:
It is not uncommon for groups or collectives to use one word as a linkage. We know that DeaDNet knows the creator of AiDLocker Ransomware, that the creator is called DeadXInject, and that DeadXInject appears to have used Dead Remedy; the common use of ‘Dead’ could possibly be a linkage between the three.
On 13 July 2022 the AiDLocker Ransomware page announced that tests were successful:
They also announced updated functionality:
They announced today, 28 July 2022, that they had created a new channel on Telegram and that it would host the “leaks of companies that refused to pay the ransom”.
This suggests that DeadXInject Team possibly plans to use this as a RaaS, or at the very least as a single means of financial gain. This supports a post from 10 July 2022 in which they offer the service for $100 a month.
We might get an indication of the intention of AiDLocker Ransomware once we see victims posted to the Telegram page. It seems that ransomware gangs are avoiding Ukraine; this is possibly due to the poor feedback and impact on Conti when they made a political declaration.
If AiDLocker Ransomware did target Ukraine it might suggest that it is being leveraged by hacktivist groups.
As we have seen today with the announcement of the pro-Russian hacktivist group Zarya asking for a $1 million ransom:
The lines between nationalist hacktivism and financial gain are becoming increasingly blurred.