
DarkVault: A Rising Menace in the Ransomware Underworld

David Gilmore • July 18, 2024

David Gilmore


Cyber Security Analyst at Threat Intelligence and artificial intelligence researcher.

DarkVault is a newly identified ransomware group that has quickly gained attention in the cybersecurity community. Known for its aggressive and diverse cybercriminal activities, DarkVault claims to be an exclusive online community involved in various illegal operations. Despite its recent emergence, it has already managed to create significant disruptions across multiple sectors. This post provides an in-depth analysis of DarkVault, its activities, and the potential implications for cybersecurity.

Background and Description

DarkVault emerged in November 2023, positioning itself as a sophisticated ransomware operation. The group’s activities are not limited to ransomware; they include bomb threats, swatting, doxing, website defacing, malware creation, scams, spam, and various forms of fraud.

The individuals behind DarkVault maintain an .onion site, detailing alleged victims of their ransomware attacks or data breaches, and advertising their illegal activities.

Screenshot of DarkVault's darknet homepage, detailing services.

DarkVault has not been definitively linked to the notorious LockBit group; however, there are similarities that suggest it may in fact be a rebranded LockBit operation. Its data leak site (DLS) mimics LockBit 3.0's design, but many groups have copied this layout, including Dispossessor. The lack of a ransomware sample and of detailed technical information makes it difficult to confirm how the group operates. DarkVault uses the double extortion method: encrypting systems and threatening to release stolen data if the ransom is not paid.

Threat Actors and Communication Channels

DarkVault operates with a level of anonymity, common among cybercriminal groups. Key actors associated with DarkVault include "criminaldo" and "Neroces." They utilise multiple communication channels to coordinate their activities and negotiate with victims, including:



DarkVault also uses several Tor links for extortion, making it difficult to trace their activities:

Recent Activities and Notable Incidents

DarkVault's most recent activity includes the publication of 19 victims' data on its leak site in April 2024. This rapid publication rate suggests either prior undisclosed activities or a well-coordinated team capable of executing multiple attacks swiftly. Notably, their targets span diverse industries, including surveillance systems, fitness, fashion, and healthcare insurance, located in countries such as the US, India, Sri Lanka, and the UK.

Notable victims include the UK-based charity Tommy Club, which raises funds for the various divisions of the Royal British Legion, and Sandip University in Nashik, India, which suffered a data breach. Despite its brief history, DarkVault's ability to compromise significant targets has raised concerns within the cybersecurity community.

Analysis and Theories

As previously mentioned, DarkVault's activities and site design have led to speculation about a connection to LockBit. However, no concrete evidence supports this theory beyond superficial similarities. It is equally plausible that DarkVault is an entirely new entity, or a rebranding effort by experienced cybercriminals seeking to capitalise on LockBit's notoriety.

Screenshot of DarkVault's darknet leaked-data page, taken June 18, 2024.

Is DarkVault Just a Rebranded LockBit?

On April 11th, 2024, Cybernews.com published an article suggesting a possible rebranding of the ransomware group LockBit. This speculation arose from a mistake on LockBit's now-defunct darknet website, which provided a clue about a potential rebranding. Security researcher Dominic Alvieri observed that DarkVault's newly created blog featured several elements from LockBit's design. Alvieri's post on X highlighted another error, showing LockBit's logo alongside the words "DarkVault Blog." The resemblance was striking, down to the font, the use of red and white colours, and the format of the gang’s infamous ransom demand countdown clock.

Dominic Alvieri's X post showing the DarkVault blog page.

Following these social media revelations, DarkVault's blog page was swiftly altered. The Cybernews article also pointed out an interesting detail in the gang's new logo—a cat sitting on a vault. This logo choice could be significant, considering LockBit's very public conflict with the ALPHV/BlackCat ransomware group, which faked its own takedown in February 2024 after a massive $22 million ransomware attack on healthcare provider UnitedHealth.



Additionally, the wording on DarkVault's homepage and about page appears to be AI-generated, with the group claiming to be from Germany. This claim is likely a red herring, intended to mislead and obscure their true origins.

DarkVault's homepage and new logo.

How to Deal with DarkVault

Given the uncertainty surrounding DarkVault, the best defence is a strong cybersecurity posture. However, if you find yourself the victim of DarkVault's ransomware, you should immediately engage a professional cyber security company who can advise you accordingly. Always remember that if you decide to pay the ransom, you may never get your data back anyway! After all, you are dealing with criminals.

Conclusion

DarkVault represents a significant and evolving threat in the cyber landscape. While its full capabilities and origins remain unclear, its aggressive tactics and diverse illegal activities warrant close monitoring. Organisations must remain vigilant, continually enhance their cybersecurity measures, and be prepared to respond to potential ransomware attacks effectively.

