DiamondFox: New Joint Research from Check Point & Terbium Labs

These are not the foxes you're looking for.
May 10, 2017

The Terbium Analyst Team is on the front-line of combatting dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.

We recently partnered with researchers at Check Point to investigate DiamondFox, a modular malware platform used against victims across the world. Perhaps unsurprisingly, this malware-as-a-service is openly traded, reviewed, and detailed on the dark web. (DiamondFox is frequently mislabeled as ransomware; its advertised plugins are stealers, keyloggers, DDoS tooling, and RAM scrapers rather than file encryptors.)

To support Check Point’s technical analysis of the malware, Terbium Labs leveraged our Analyst team and massive dark web crawler to locate critical forum discussions and advertisements of DiamondFox across the dark web.

Although these discussions were spread across several forums, we identified what is arguably DiamondFox's main sales and communication thread, which has been moderated for over a year by the malware's creator and official vendor, a threat actor known as edbitss.

The report includes a review of the malware's sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins. For the full DiamondFox report click here.

We've previously written about the pernicious risk of these underground forums (see: Dark Web Forums: the Underbelly's Underbelly) and the unique threat they pose to individuals and businesses alike. In the case of DiamondFox, all the salient points are still at play.

Dark web forums contain actionable intelligence, but they also present an incomplete picture of the threat. The actual vendor-customer transactions take place away from the already-hidden posts, which adds another layer of difficulty for researchers investigating purchasing and delivery mechanisms. Official sales are conducted separately and only over encrypted channels. As seen in the official sales thread, edbitss prefers Jabber, an XMPP-based messaging service favored by many on the dark web because it can be run over TLS and paired with end-to-end encryption such as OTR.

Once purchased, the evolving and modular malware offers a wide range of plugins (the malware's capabilities) that let its users engage in widespread fraud and vandalism with relative ease and little technical knowledge. The advertised password and file stealers, distributed denial of service (DDoS) attack dashboards, keyloggers, and RAM scrapers are highly sought after by would-be fraudsters and hackers.

Ultimately, DiamondFox is one of the many malicious tools fueling the cybercrime economy and contributing to the alarming rate of stolen and leaked personal information online.
