A new threat actor is offering files purportedly stolen from Sony on the Dark Web, but debate is ongoing as to how the group obtained the entertainment giant’s data and how valuable it actually is.
An operation called “Ransomed” or “RansomedVC” — little more than a month old at this point — posted a notice to its Dark Web leak site on Monday, claiming to have “compromissed [sic] all of sony [sic] systems.” After Sony refused to pay up, the group says, it’s now selling the data to the community.
But in a post on X (formerly Twitter) for “nerds” that went up Sept. 25, vx-underground clarified that the group “did not deploy ransomware, no corporate data was stolen, services not impacted.” What it did do, it seems, was collect data from various developer tools used by the company, including Jenkins, SVN, SonarQube, and Creator Cloud Development, as well as some other likely noncritical credentials and files.
As of publication, Sony had not responded to Dark Reading’s request for comment. A Sony representative told SecurityWeek that it’s investigating the situation.
What Actually Happened
To prove its accomplishment, Ransomed apparently attached a file tree for the entire leak in its Dark Web listing. However, it contains fewer than 6,000 files in all, hardly “all of Sony.”
On online message boards, hackers and interested parties alike poked fun at the discrepancy. And in one cybercrime forum post, a user by the name “Major Nelson” went a step further, publishing all of the data they claim Ransomed stole. (It’s unclear how any of these parties obtained this data.) It included those infrastructure files, as well as a device emulator for generating licenses, incident response policies, “a lot of credentials for internal systems,” and more.
Major Nelson seemed to downplay the severity of it all. “You journalists believe the ransomware crew for lies. Far too gullible, you should be ashamed. RansomedVCs are scammers who are just trying to scam you and chase influence. Enjoy the leak,” they wrote.
Since its initial posting, the group itself appears to be changing its messaging. In a more recent forum post captured by SOCRadar, one Ransomed affiliate claimed that it’s selling “access to Sony infrastructure.”
This isn’t the first time that the young threat actor has exaggerated its accomplishments.
Who Are Ransomed?
Ransomed.vc was launched on Aug. 15 as a new hacker forum. But the very next day, it was the victim of a DDoS attack. After that, its admins rebranded it as a leak site for a ransomware operation.
Ferhat Dikbiyik, head of research at Black Kite, has been tracking the group through its online channels. “The thing about this group is that we’ve recorded how many … 41 victims so far? And maybe half of them are from Bulgaria. So they really focus on small businesses in small countries,” he says.
Contrast that with its grand claims about Sony and Transunion, for which it claimed to have stolen “everything their employes [sic] ever downloaded or used on their systems.”
It’s an amateur outfit, Dikbiyik explains. “I think it was two weeks ago they hacked a company, and changed their website. Website defacement is a very old-school script — the more quote-unquote ‘professional’ ransomware groups do not do that — because they do not want to expose the victim and lose leverage.”
Dikbiyik concludes: “They just want to get a reputation.”