New ransom group RansomHouse says: victims are the culprits

Another data extortion operation has emerged on a dark web site called RansomHouse, which publishes evidence of stolen files and threatens to leak data from organizations that refuse to pay the ransom. Presumably, the group is made up of security testers who are unhappy with the low bounty payments for vulnerabilities.

This new group emerging in the cyber ransom field claims not to use any ransomware, but instead focuses on disrupting networks through alleged exploits in order to steal data from targets.

However, the group itself takes no responsibility for its actions and accuses affected companies of not providing adequate protection for their networks and of offering "ridiculously small" rewards through bug bounty programs.

"We believe that it is not those who found the vulnerabilities and carried out the hack that are to blame, but those who did not properly protect the security. The culprits are the people who didn't lock the door and put a lock on it, but left it open and invited everyone," the RansomHouse website reads on its "About Us" page.

The RansomHouse dark web site allegedly began its activities in December 2021 with an attack on Canada's Saskatchewan Liquor and Gaming Authority (SLGA), which is now listed as a victim on the group's website.

Since launching the site this month, the attackers have added three other victims in addition to the SLGA, with the most recent victim being a German airline support service provider that was attacked last week.

Interestingly, RansomHouse posted on its dark web site links to the social media posts of victims that are still being actively extorted, using the publicity of the attack as an additional method of extortion.

If victims do not pay the ransom to the hackers, their data will be sold to other threat actors. If no one is interested in buying it, the stolen dataset is posted on the group's dark web site.

The origin of RansomHouse, which was first mentioned in the White Rabbit ransom notes, is unknown, but the threat actors insist they only work with ransomware groups and do not use ransomware themselves.

In a Cyberint report, analysts found that the group had posted on the Lapsus$ gang's Telegram channel promoting RansomHouse. This suggests that the threat actors are as interested in selling data to other threat actors as to victims.

Thus, while the origins of RansomHouse are currently unclear, the organization did not emerge as a completely separate entity, but rather from other threat organizations.

Cyberint claims to have extensively examined communications between core members of RansomHouse and other threat actors on Telegram channels, and reports seeing professional behavior.

"They are polite and courteous on their blogs and various Telegram channels and do not get involved in unrelated discussions. In addition, they claim to be very liberal and pro-freedom. They do not want to mix business and politics and declare that they will never work with radical hacktivists or spy groups," Cyberint's report explains.

This led Cyberint analysts to believe that RansomHouse was a project started by disgruntled Red Team penetration testers who were tired of low bounties and poor cybersecurity planning.

The URL of RansomHouse's dark web site:


The official Telegram channel of RansomHouse:

The "About Us" page of RansomHouse's dark web site:

Our mission

©RansomHouse is a professional mediators community.

We have nothing to do with any breaches and don't produce or use any ransomware. Our primary goal is to minimize the damage that might be sustained by related parties. RansomHouse members prefer common sense, good conflict management and intelligent negotiations in an effort to achieve fulfillment of each party's obligations instead of having non-constructive arguments. These are necessary and sufficient principles that lead to amicable agreements and sometimes even to subsequent productive and friendly cooperation.

RansomHouse shares the opinion of both Red and Blue teams regarding the threats of data leaks. The very possibility of such incidents taking place is a strong incentive to make the private sector, corporations and the public aware of data security and privacy issues and should make those involved in 3rd parties' personal information collection and storage responsible and respectful of their responsibilities. Unfortunately, more often than not CEOs prefer to close their eyes on cybersecurity saving budget on their staff or spending huge amounts of money mindlessly, which inevitably leads to vulnerabilities.

We believe that the culprits are not the ones who found the vulnerability or carried out the hack, but those who did not take proper care of security. The culprits are those who did not put a lock on the door leaving it wide open inviting everyone in. People are inherently curious and are eager to learn the object of their interest. Usually corporations respond to the message that their "doors are wide open" in negative context, direct threats or silence. In rare cases one could meet gratitude and ridiculously small payments that do not cover even 5% of an enthusiast's efforts. Well, the negative reaction is understandable, because the company management will have a hard time explaining millions of dollars spent on security audits and cybersecurity staff high salaries to their shareholders with some freelancer around pointing out the global mistakes they've made, bringing their managerial skills and the results of spending money to the ground. A close example to you might be Lehman Brothers who were warned about severe vulnerabilities in their economic risk management model six months in advance before the collapse - warned by three enthusiastic economist-mathematicians who got nothing but mocks from the fund.

But evolution cannot be stopped, fitting structures emerge in every environment, and so groups of enthusiasts have emerged on the grounds of data negligence, eager to get paid honestly by streamlining this chaos through public punishment. These methods of making money and pointing out companies' mistakes may be controversial, and when you recall that we are talking about billion-dollar corporations on the opposing side, it becomes clear why the RansomHouse team is so important to engage in dialogue. That is what this project is all about - bringing conflicting parties together, helping them to set up a dialogue and make informed, balanced decisions. The team works hard to find a way out of even the most difficult situations and allow both parties to go forward without changing rules as they go along. Incompetence and fuss is unacceptable when dealing with such cases, which is exactly what happens most often. Here and now we are creating a new culture and streamlining this industry.

Unfortunately, companies that refuse negotiations and reject reasonable arguments, companies that are unwilling to pay for this kind of work - will face reputational and legal costs. In order to highlight these cases we will not only disclose information on our website and official Telegram channel but also attract the attention of journalists, public and third parties to the problem and do everything needed to make the incident as public as possible. Information accessibility is one of the foundations of a civilized society and a way for it to rise above itself and overcome social challenges.

We are strictly against the suffering of any individuals who became victims of other people's irresponsibility and leaks. To the best of our ability we help them by giving an opportunity to make a request through our Official Telegram Channel and have their data package removed from the shared set before it is published. The right to manage personal data is fulfilled here to the extent possible in current circumstances.

The current list of leaked companies and the dark web addresses to access some of the leaked documents (Evidence packs).

1. Saskatchewan Liquor and Gaming Authority
2. Jefferson Credit Union
3. Dellner Couplers AB
4. AHS Aviation Handling Services GmbH


From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.