Ransomed.vc Group Hits NTT Docomo After Sony Breach Claims

Written by

In a recent development following the recent data leak from Sony, the notorious ransomware syndicate Ransomed.vc has targeted Japan’s largest telecommunication giant, NTT Docomo.

According to an advisory published by Resecurity on Tuesday, Ransomed.vc is demanding a ransom of over $1m from NTT Docomo, in a move that comes after Sony refused to pay a similar ransom, allegedly leading to the leak of their exfiltrated data.

Resecurity’s HUNTER team contacted the operators behind Ransomed.vc via TOX (TOR IM) regarding the Sony breach and NTT Docomo. According to the actors, they claim to have 240 GB of data stolen from Sony, which they are willing to sell for a relatively low price, starting from $10,000 in BTC. 

Their primary motivation appears to be public shaming of the victim rather than profit. Such tactics, known as “pressure support,” are used to motivate the victim into arranging the payment.

Ransomed.vc, which emerged from an underground forum and was initially spotted by Malwarebytes in August 2023, has rapidly become active on the dark web. 

Initially an underground forum focused on data leaks, access brokerage and exploits, Ransomed.vc later transformed into a ransomware operation, focusing on monetizing stolen data. 

Since then, Resecurity said the group has employed unique tactics, leveraging GDPR laws and data protection regulations to extort companies in the European Union, using the threat of fines to pressure them into paying the ransom.

Read more on GDPR and data protection: Replacing GDPR in the UK: A Cost-Benefit Analysis

The group also runs an affiliate program to monetize compromised access to enterprise networks. Notably, they discourage attacks on Russian or Ukrainian infrastructure. 

“It’s expected the bad actors will target enterprises from different market verticals (fintech, telecommunications, oil & gas media) using stolen data with the goal of extortion leveraging similar tactics used by Ransomed.vc,” reads the advisory.

Resecurity said it would continue to track Ransomed.vc’s activities through proactive surveillance of the dark web, collecting actionable cyber threat intelligence.

Editorial image credit: Piotr Swat / Shutterstock.com

What’s hot on Infosecurity Magazine?