What a takedown-era Russian cybercrime forum reveals about the ransomware supply chain (analysis)
▲ 21 r/hacking

What a takedown-era Russian cybercrime forum reveals about the ransomware supply chain (analysis)

After the 2025 law-enforcement action against XSS.[is] (the forum descended from DaMaGeLaB), our Ransomnews research team did a data-led breakdown of how that marketplace actually worked. Sharing the methodology and findings since they're useful for forum/OSINT work. No stolen data, credentials, usernames or IPs here - aggregates only.

Highlights:

  • Membership skews heavily Russian-speaking: ~62% of message text is Cyrillic; the dominant webmail providers are mail.[ru] and Yandex, not Gmail.
  • Posting activity follows a salaried workday curve: quiet overnight, peaks 09:00–13:00 UTC (Moscow midday), weekdays over weekends. A timezone fingerprint that's hard to fake.
  • The busiest trading categories line up exactly with ransomware feedstock: infostealer logs, crypting/FUD, network access, exploits, web shells, RDP.
  • Where this fits in the kill chain: Resource Development + Initial Access. Disrupting it is a left-of-boom move, and there's roughly a 19-day median between an access listing and the victim appearing on a leak site (per Intel 471).

https://preview.redd.it/3ef1tnpfrdah1.png?width=1225&format=png&auto=webp&s=e0689d6b2cea6bfa9602a105264ac092c55ea34e

reddit.com
u/lexcor — 6 days ago
▲ 35 r/hacking

Inside FortiBleed: a FortiGate SSL VPN credential-harvesting operation — 1.16B brute-force attempts vs 320,777 endpoints, NTLM/Kerberos cracked on a 45× RTX 4090 Hashtopolis cluster, SSL VPN cookie-replay into AD

Disclosure: Ransomnews Research Team, this is our write-up, built on infrastructure surfaced by Bob Diachenko. We mapped the full chain to MITRE: mass-scan FortiGate /remote/login + Sophos /userportalforticheck brute force (25k threads) → network sniffers for cleartext creds → hash cracking on a 45-GPU Hashtopolis cluster → OpenConnect cookie replay to hijack live SSL VPN sessions → AD dump/TGT extraction/GPO harvesting. Targets ranked by revenue via OSINT. We anonymised the operator infra rather than publish raw IOCs. We also cross-referenced the resulting FortiGate working set (73,932 devices / 21,613 orgs) against stealer-log and ransomware-leak data: 88% overlap with stealer/breach data, ~590 already on leak sites. Happy to answer questions on method.

ransomnews.com
u/lexcor — 17 days ago
▲ 39 r/NovoNordisk_Stock+2 crossposts

Another take on Novo Nordisk

Most of the initial access happens because of infostealers. Novo Nordisk case might not be different. We ran stealercheck to see how exposed they are.

Disclosure: I help run Ransomnews, this is our reporting.

ransomnews.com
u/lexcor — 19 days ago
▲ 108 r/CyberNews+1 crossposts

Analyzed 24 months of ransomware leak-site posts. 84% land on weekdays, not at 3am.

I spent the last few weeks pulling and cleaning ransomware leak-site posts over a 24-month window, May 2024 to May 2026. After deduping I ended up with 16,699 victim posts from 200 groups. A few things surprised me.

The biggest one is that these operators aren't nocturnal at all. 84% of leak posts go up Monday through Friday, and Sunday is the deadest day in the whole dataset. The busiest single hour is 16:00 UTC, which lines up with afternoon in the US and Europe and evening in Moscow. They're keeping office hours, just not the same ones defenders are watching for. Half of everything posted falls into an 8-hour window between 15:00 and 22:59 UTC.

October peaks every single year, and February 2025 was the record month with over a thousand posts, mostly because of one insane Monday on the 24th where 263 victims got dumped in a day.

The other thing is the ecosystem keeps splitting rather than consolidating. The number of active brands went from 38 to 67 over the period. The big takedowns of LockBit, AlphV and RansomHub didn't shrink the field, the affiliates just rebrand and keep going. Most groups don't last long either. Out of 178 with any real activity, 87 have gone quiet for 90+ days. Qilin is the current volume leader at around 1,690 victims.

Usual caveats: these are distinct posts, not guaranteed distinct victims, times are UTC at the moment I saw them, and a "dormant" group can always come back.

If you do IR, the practical version of this is to weight your coverage toward Monday and Tuesday US time instead of weekends, and staff up harder going into October.

ransomnews.com
u/lexcor — 1 month ago

Built a free tool that checks how many stealerlog records exist for any domain

Stealerlogs are credential dumps from infostealer-infected devices such as RedLine, Lumma, Vidar, Stealc. They contain saved passwords plus session cookies, which is why MFA doesn't help once data shows up in one. Most exposure-check tools focus on big breach corpuses and don't cover this stream well.

So I built Stealercheck. Type in a domain, see roughly how many credentials and session cookies tied to it exist across aggregated stealer-log feeds. Browser-based, no signup, no email required. Domain-level only deliberate, since personal-email lookup is too easy to abuse.

Disclosure: I built it, and the data layer comes from Alerts.bar.

If a domain you care about returns hits, the meaningful next steps are credential rotation and forced session revocation. Glad to answer any technical questions.

ransomnews.com
u/lexcor — 1 month ago