We recently partnered with researchers at Check Point to investigate DiamondFox - an insidious modular malware platform wreaking havoc on victims across the world. Perhaps unsurprisingly, this malware-as-a-service is openly traded, reviewed, and detailed on the dark web.
To support Check Point’s technical analysis of the malware, Terbium Labs leveraged our Analyst team and massive dark web crawler to locate critical forum discussions and advertisements of DiamondFox across the dark web.
Although these discussions were spread across a number of forums, we discovered what is arguably DiamondFox's main sales and communication thread, which has been moderated for over a year by the malware's creator and official vendor - a threat actor known as edbitss.
The report includes a review of the malware's sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins. For the full DiamondFox report, click here.
We've previously written about the pernicious risk of these underground forums (see: Dark Web Forums: the Underbelly's Underbelly) and the unique threat they pose to individuals and businesses alike. In the case of DiamondFox, all the salient points are still at play.
Dark web forums contain actionable intelligence, but simultaneously present an incomplete picture of the threat. The actual vendor-customer transactions take place away from the already-hidden posts, adding another layer of difficulty for researchers trying to investigate purchasing and delivery mechanisms. Official sales are conducted separately and through encrypted communications only. As pictured in the official sales thread above, edbitss prefers Jabber, the XMPP chat protocol that is commonly run over TLS and paired with end-to-end encryption, and is favored by many on the dark web.
Once purchased, the evolving and modular malware offers a wide range of plugins (the malware's capabilities) that let its users engage in widespread fraud and vandalism with relative ease and little technical knowledge. The advertised password and file stealers, distributed denial of service (DDoS) attack dashboards, keyloggers, and RAM scrapers are highly sought after by would-be fraudsters and hackers.
Ultimately, DiamondFox is one of the many malicious tools fueling the cybercrime economy and contributing to the alarming rate of stolen and leaked personal information online.