KELA in Press


KELA Launches Intelligence Driven Third-Party Risk Scoring Solution

We are excited to announce the launch of our Third-Party Risk Management (TPRM) module, fully integrated into our threat intelligence platform. The module's scoring algorithm assesses traditional attack surface risk factors and also incorporates threat intelligence collected on KELA's platform, which is what sets it apart in the market.


Nesspro, A Leading Israeli Software Solutions Group, Partners With KELA To Enhance Cyber Protection

NESSPRO, the largest software solutions group in Israel and part of NESS, provides a range of advanced IT solutions and a selection of cyber and information security solutions. It has signed a business partnership with the Israeli KELA Group, which provides cyber intelligence for countering digital threats from multiple sources, including the darknet.


ALPHV steps up laundering of Change Healthcare ransom payments

As the ransomware group moves to hide its $22 million, its affiliate notchy is laying low after reportedly being stiffed on payment.

Relatively little is known about notchy, but the moniker may be operated by more than one person, as it uses plural pronouns when referring to itself. The username was first registered on the Russian-language RAMP forum in December 2021, but posted for the first time in August 2022 and only posted 11 times total, according to the cybersecurity firm KELA.


Okta data for sale on an underground forum, but it is not from the earlier attack

A data set allegedly containing Okta information obtained during the October 2023 cyberattack has been put up for sale on a well-known underground forum. The company has stated that the data does not belong to it.

KELA's specialists also examined the data and independently confirmed that it does not belong to Okta.


Chinese Cybercrime: Discretion Is the Better Part of Valor

Think “Chinese hackers” and most likely Beijing’s many state espionage threat actors come to mind. Partly, says cybersecurity firm Kela, that’s because Chinese criminals increasingly keep a low profile on public-facing forums and rely on Telegram and other encrypted foreign messaging apps to discreetly coordinate activities and sell wares.


Okta Says Data Leaked On Hacking Forum Not From Its Systems

Okta denies that its company data was leaked after a threat actor shared files allegedly stolen during an October 2023 cyberattack on a hacker forum.

Cyber-intelligence firm KELA also reviewed the shared data and independently corroborated that the data does not belong to Okta but is believed to be from a different company breached in July.


Down, Not Out: Russian Hacktivists Claiming DDoS Disruptions

Russia’s war of conquest against Ukraine grinds onward, but the number of self-proclaimed, pro-Kremlin hacktivists appears to be dwindling as the strategy of temporarily disrupting the availability of high-profile websites has failed to sustain enthusiasm.

Cybersecurity firm KELA said claims by five of the most active groups that emerged just before or in the early days of the conflict – KillNet, NoName057(16), Anonymous Russia, Phoenix and People’s Cyber Army – were “significantly lower” during the second half of 2023 and early part of 2024 compared to the first six months of 2023.


FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks

The U.S. government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month.

Another significant tactic adopted by some ransomware groups is the sale of direct network access as a new monetization method via their own blogs, on Telegram channels, or data leak websites, KELA said.


Ransomware fire sale! Knight sells everything to the highest bidder on the RAMP forum

The source code of the third version of the Knight ransomware has been put up for sale on a hacker forum by one of the group's representatives, KELA researchers report.

Knight ransomware appeared at the end of July 2023 and is a rebranding of Cyclops, targeting Windows, macOS and Linux/ESXi systems. The malware gained some popularity in hacker circles because the group's customers were also offered an infostealer and an enhanced version of the ransomware for entry-level partners attacking small organizations.


Knight ransomware source code for sale after leak site shuts down

The alleged source code for the third iteration of the Knight ransomware is being offered for sale to a single buyer on a hacker forum by a representative of the operation.

Threat analysts at cyber-intelligence firm KELA spotted the advertisement two days ago posted on RAMP forums by someone using the alias Cyclops, known as a representative of the Knight ransomware gang.


Zeppelin Ransomware Builder for Sale: Builder Source Code for 500 Dollars

An advertisement for the sale of the source code and a cracked version of the Zeppelin ransomware builder has appeared on one of the cybercrime forums. The cybercriminals are asking 500 dollars for the whole lot. KELA researchers drew attention to the sellers' post.



Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500.


Fire Sale: Zeppelin Ransomware Source Code Sells for $500 on Dark Web

A threat actor has sold for just $500 the source code and a cracked builder for Zeppelin, a Russian ransomware strain used in numerous attacks on US businesses and organizations in critical infrastructure sectors in the past.

Researchers at Israeli cybersecurity firm KELA in late December spotted a threat actor using the handle “RET” offering the source code and builder for Zeppelin2 for sale on RAMP, a Russian cybercrime forum that, among other things, once hosted Babuk ransomware’s leak site. A couple of days later, on Dec. 31, the threat actor claimed to have sold the malware to a RAMP forum member.


The Bad | Zeppelin Ransomware Source Code Found Listed On Cybercrime Forum For $500

Like the post-holiday sales that have trickled into the new year, dark markets and underground channels also continue to offer sales and promotions on malware kits, tools, and illicit services. Most recently, a threat actor known as ‘RET’ advertised the sale of Zeppelin ransomware builder’s source code and a cracked version for a mere $500 in a cybercrime forum.

Source: KELA Cyber Threat Intelligence


Zeppelin ransomware source code sold for $500 on hacking forum

A threat actor announced on a cybercrime forum that they sold the source code and a cracked version of the Zeppelin ransomware builder for just $500.

The post was spotted by threat intelligence company KELA and while the legitimacy of the offer has not been validated, the screenshots from the seller indicate that the package is real.


Sale of Zeppelin ransomware source code, cracked builder touted

Zeppelin ransomware had source code and cracked builder declared to be sold for only $500 by the threat actor using “RET” as their handle, BleepingComputer reports.

In a post on a hacking forum identified by threat intelligence firm KELA, RET emphasized that they were only able to crack a builder iteration of the ransomware. Such a package, which has been obtained without a license, was meant to be sold to a single buyer, with the sale being frozen until the transaction’s completion, according to RET.



Stolen Credentials Fuel Social Engineering Scams

In recent months, researchers report seeing a surge in social engineering attacks that target hotels, steal the hotels' access credentials for the site, and use those credentials to scam the hotels' customers. Many of the attacks appear to be either targeted or opportunistic and are fueled by information stolen via information-stealing malware, or info stealers.

“The most common infections used to steal accommodation accounts have been Raccoon, Redline, Lumma, Vidar and MetaStealer – all commodity info stealers available for purchase as malware-as-a-service,” says a new report from threat intelligence firm Kela.


German police takes down Kingdom Market cybercrime marketplace

The Federal Criminal Police Office in Germany (BKA) and the internet-crime combating unit of Frankfurt (ZIT) have announced the seizure of Kingdom Market, a dark web marketplace for drugs, cybercrime tools, and fake government IDs.

Using KELA’s threat intelligence tools, BleepingComputer has found two invitations from the Drughub and Cypher markets to “Kingdom refugees,” which are excellent examples of how competitors quickly take advantage of such incidents.


Internal documents leaked as Rhysida claims responsibility for British Library ransomware attack

The British Library, which was hit by a ransomware attack that has disabled its computer systems, website, phone network and public Wi-Fi for more than three weeks, confirmed yesterday that internal HR documents have been leaked following the attack. The Rhysida ransomware group has claimed responsibility for the attack.

Victoria Kivilevich, director of threat research at security company KELA Cyber Threat Intelligence, said the price demanded by Rhysida for the British Library data was relatively high, but not the highest, which was 50 bitcoins for data stolen from Prospect Medical Holdings in August 2023.


Lumma Stealer malware now uses trigonometry to evade detection

The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software – the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox.

The malware family became available for purchase on cybercrime forums for the first time in December 2022, and a few months later, KELA reported that it had already started to become popular in the underground hacking community.
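The mouse-movement check described above measures how sharply the cursor changes direction between consecutive samples: a hand on a mouse produces a smooth path, an unattended sandbox produces no movement, and a crude emulator that teleports the cursor produces sharp turns. The following is an added illustration of that heuristic written for this page, not Lumma's code and not KELA's analysis; the sample count, the 45-degree turn threshold, and the sample trajectories are all assumptions chosen for illustration. It is written from the sandbox operator's side: feed it the cursor path your emulator produces and see which verdict it would receive.

```python
"""Illustration of a trajectory-based 'real user or sandbox?' heuristic.

Added example, not the malware's own code. The constants below are
assumptions for illustration, not values recovered from any sample.
"""
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]

# Assumptions (not taken from the malware): how many cursor positions the
# check samples and the largest change of direction a "human" path may show.
SAMPLE_COUNT = 5
MAX_TURN_DEG = 45.0


def turn_angle_deg(v1: Point, v2: Point) -> float:
    """Angle in degrees between two consecutive displacement vectors.

    Both vectors must be non-zero; callers filter out idle samples first.
    """
    dot = v1[0] * v2[0] + v1[1] * v2[1]
    n1 = math.hypot(v1[0], v1[1])
    n2 = math.hypot(v2[0], v2[1])
    cos_theta = max(-1.0, min(1.0, dot / (n1 * n2)))  # clamp rounding noise
    return math.degrees(math.acos(cos_theta))


def classify_cursor_path(points: Sequence[Point],
                         max_turn_deg: float = MAX_TURN_DEG) -> str:
    """Classify a short run of sampled cursor positions.

    'idle'    - the cursor did not move between two samples (typical of an
                unattended sandbox)
    'erratic' - some consecutive move turns by >= max_turn_deg (random-jump
                cursor emulation)
    'smooth'  - every move exists and turns by less than max_turn_deg (what
                a hand on a mouse usually produces over a fraction of a second)
    """
    if len(points) < 3:
        raise ValueError("need at least three samples to measure a turn")
    vectors: List[Point] = []
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        v = (x1 - x0, y1 - y0)
        if v == (0, 0):
            return "idle"
        vectors.append(v)
    for v1, v2 in zip(vectors, vectors[1:]):
        if turn_angle_deg(v1, v2) >= max_turn_deg:
            return "erratic"
    return "smooth"


# Constructed sample trajectories (not captured data), SAMPLE_COUNT points each.
HUMAN_LIKE = [(100, 100), (112, 104), (125, 110), (139, 118), (154, 128)]  # gentle arc
RANDOM_JUMPS = [(100, 100), (300, 50), (120, 400), (500, 420), (90, 60)]   # teleporting cursor
STATIC = [(640, 360)] * SAMPLE_COUNT                                       # no input at all
LINEAR_SWEEP = [(0, 0), (10, 0), (20, 0), (30, 0), (40, 0)]               # naive emulator


if __name__ == "__main__":
    for name, path in [("human-like", HUMAN_LIKE), ("random jumps", RANDOM_JUMPS),
                       ("static", STATIC), ("linear sweep", LINEAR_SWEEP)]:
        print(f"{name:13s} -> {classify_cursor_path(path)}")
```

The last trajectory is the caveat worth noticing: a straight-line sweep never turns at all, so a sandbox that emulates "activity" by dragging the cursor across the screen passes this kind of check just as well as a human does. What trips it is a cursor that never moves or one that jumps to random coordinates between samples, so emulation that follows a smooth curve is enough to defeat the heuristic, and detection of the malware itself should not depend on it.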


KELA Revolutionizes Cyber Intelligence with Two Cutting-edge Modules, Threat Actors and Identity Guard, Elevating and Simplifying Proactive Threat Defense

KELA, the leading provider of real, actionable threat intelligence, is announcing the launch of two groundbreaking modules – Threat Actors and Identity Guard. These additions reflect the company’s ongoing dedication to refining its comprehensive cyber intelligence platform. The innovative modules not only strengthen KELA’s commitment to delivering timely and actionable threat intelligence but also empower organizations of all sizes, contributing to a more robust and adaptable security posture. The modules are designed to enhance the accessibility of threat intelligence, delivering timely and actionable insights to effectively counter cyber threats facing your organization.


KELA Revolutionizes Cyber Intelligence with Two Cutting-edge Modules, Threat Actors and Identity Guard, Elevating and Simplifying Proactive Threat Defense

KELA, the leading provider of real, actionable threat intelligence, is announcing the launch of two groundbreaking modules – Threat Actors and Identity Guard. These additions reflect the company’s ongoing dedication to refining its comprehensive cyber intelligence platform. The innovative modules not only strengthen KELA’s commitment to delivering timely and actionable threat intelligence but also empower organizations of all sizes, contributing to a more robust and adaptable security posture. The modules are designed to enhance the accessibility of threat intelligence, delivering timely and actionable insights to effectively counter cyber threats facing your organization


Info Stealers Thrive in Hot Market for Stolen Data

In the dubious race for popularity among cybercriminals, Redline Stealer appears to be far and away attackers’ top choice for malware built to steal lucrative and sensitive data, including cryptocurrency wallet and remote access credentials.

Each batch of information stolen from an infected system, known as a “bot,” can be offered for sale as a “log” on dedicated marketplaces such as RussianMarket and TwoEasy – aka – or via forums such as BHF and Dark2Web, and Telegram messaging app channels, according to threat intelligence firm KELA (see: Info-Stealing Malware Populates ‘Cloud of Logs’ Offerings).


Risky Biz News: Clop is coming after your SysAid servers

Qakbot takedown aftermath: A KELA report found that the law enforcement takedown of the Qakbot botnet has had a minimal impact on the cybercrime underground, with many former Qakbot members and customers continuing to collaborate on operations.


Cybercrime Enablers

Try thinking of Initial Access Brokers (IABs) as criminals who sell house keys to burglars. IABs, or breach brokers, sell unauthorized network access to cyber attackers, who use it to enter a target network and launch their attacks.

According to an unnamed source at the U.S. Federal Bureau of Investigation (FBI), attackers rely on IABs to facilitate illicit actions, including Business Email Compromise (BEC), elder fraud, ransomware, and romance and tech support scams.

In 2021, Kela Cyber Threat Intelligence found that almost 300 IABs had posted more than 1,300 unauthorized network access listings for sale on cybercrime forums, according to a Kela blog.


ASVEL basketball team confirms data breach after ransomware attack

French professional basketball team LDLC ASVEL (ASVEL) has confirmed that data was stolen after the NoEscape ransomware gang claimed to have attacked the club.

ASVEL says that it was alerted to a potential breach on October 12 via the press, following its addition to NoEscape ransomware's extortion portal on October 9, 2023.


A Strong Foundation: Safeguarding The Construction Industry In The Digital Age

According to Cybersecurity Ventures, in 2021 construction was the third most commonly hit industry for ransomware attacks, with 13.2% of firms reporting at least one attack that year.[2] The construction industry continues to be named as one of the most commonly targeted industries, with the manufacturing and industrial sectors experiencing the most ransomware and extortion incidents, according to the 2023 Q1 KELA Cyber Threat Intelligence report.


Qakbot Attackers Remain Alive and Quacking, Researchers Find

The Qakbot activity comes despite a massive international law enforcement operation, spearheaded by the FBI, that disrupted a substantial part of the botnet infrastructure in late August. Operation Duck Hunt – a play on the name of the botnet operation and its malware – resulted in the seizure of 52 servers and nearly $9 million worth of cryptocurrency, as well as the forced removal of Qakbot malware from 700,000 endpoints.

In May, the Cyclops ransomware-as-a-service operation launched Knight as version 2.0 of its Cyclops ransomware, saying they’d rewritten the crypto-locking malware from the ground up and were looking for collaborators to distribute it via spear-phishing campaigns, threat intelligence firm Kela reported.


Tattletale Ransomware Gangs Threaten to Reveal GDPR Breaches

Money is a great inducement to innovation. That includes – maybe especially so – ransomware groups whose attempts to squeeze dollars from data lead to no end of novel technical and business techniques.

Like most ransomware groups, Alphv appears to prioritize U.S.-based targets, although the group has been mentioning the EU privacy regulation when listing European victims on its data leak site, “in most of the cases highlighting GDPR-related files in the leaked data,” Kela reported.


A Huge Scam Targeting Kids With Roblox and Fortnite ‘Offers’ Has Been Hiding in Plain Sight

Thousands of websites belonging to US government agencies, leading universities, and professional organizations have been hijacked over the last half decade and used to push scammy offers and promotions. Many of these scams are aimed at children and attempt to trick them into downloading apps, malware, or submitting personal details in exchange for nonexistent rewards in Fortnite and Roblox.

Victoria Kivilevich, director of threat research at security firm KELA, says the company has seen CPABuild discussed on cybercrime and hacking forums.


Risky Biz News: Russian bill to hide the PII data of military, police, and intelligence agents

Hacktivism financing: KELA looked at the various tactics employed by hacktivist groups to finance their operations, such as renting their DDoS botnet, engaging in hacked data trading, extortion, and classic donations.


When hacktivism becomes a business: how groups find funds for their activities

KELA analysts state that politically or ideologically motivated hacktivists use a variety of funding methods to support their activities. Although hacktivism is mainly associated with DDoS attacks and data leaks, the attackers also engage in data theft and sale, extortion, renting out malware and botnets, and offering paid hacking services (and the targets of such attacks have nothing to do with politics).


Hacktivists Embrace Cybercrime Tactics for Funding

The difference between hacktivists and ordinary cybercriminals has become increasingly blurred.

According to a report by KELA, a cybersecurity intelligence firm, hacktivists have been exploring avenues beyond traditional donations to secure the resources they need. The report highlights instances where hacktivist groups engage in activities such as ransomware attacks, cryptocurrency theft, and credit card fraud. These illicit activities provide them with a substantial financial influx, enabling them to sustain and amplify their campaigns.


The Week in Ransomware – August 4th 2023 – Targeting VMware ESXi

Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.


Hacktivist or just hacker: Compromising morals for money

While financially motivated threat actors are clearly in the cybercrime business to make money, their supposedly ideologically driven hacktivist counterparts often find it harder to make ends meet.

A report (PDF, registration required) authored by researchers at KELA describes how five hacktivist groups are trading in stolen data and offering hack-for-hire and training services as a way to fund their cyberattacks.


Hacktivists fund their operations using common cybercrime tactics

Hacktivist groups that operate for political or ideological motives employ a broad range of funding methods to support their operations.

Israeli cyber-intelligence firm KELA notes that although hacktivism appears to be about causing service disruption through DDoS attacks or reputation damage via data leaks, the modus operandi of these threat groups encompasses a broader scope of activities, including common cybercrime tactics.


Risky Biz News: Cybercrime and threat intel

Akira gang still active: Threat intelligence company KELA says that even if security researchers released a free decrypter for the Akira ransomware, the gang has continued to operate undisturbed.

Qilin RaaS: The same KELA researchers have also noted a change in the way the Qilin RaaS works, which has switched to a model where ransom payments are first sent to affiliates instead of them taking their cut.


Abyss Locker Ransomware Looks to Drown VMware’s ESXi Servers

The 4-month-old ransomware gang is now actively targeting VMware’s virtual environments with a second variant of its custom malware.

The Abyss Locker ransomware gang is now a threat to industrial control systems (ICS), enterprises, and public-sector organizations alike thanks to a custom Linux encryptor aimed at deep-sixing VMware’s ESXi virtualized environments.

According to KELA researchers (PDF), Abyss Locker was launched in March as part of a double-extortion ransomware gambit, in which data is both encrypted and exfiltrated for possible leaking if the victim doesn’t pay up.


Hawai’i Community College pays ransomware gang to prevent data leak

The Hawaiʻi Community College has admitted that it paid a ransom to ransomware actors to prevent the leaking of stolen data of approximately 28,000 people.

Hawaiʻi Community College is an accredited public community college operating two campuses on the island of Hawaii and is part of the University of Hawai’i (UH), which has over 50,000 students.


KELA Partners with Vertosoft as Key Distributor for Delivering Actionable Cyber Threat Intelligence to the US Public Sector

KELA, the leading provider of actionable cyber threat intelligence, is pleased to announce its distribution agreement with Vertosoft, a high-value distributor specializing in innovative and emerging technology solutions. This strategic partnership aims to deliver 100% real, actionable, timely, and contextual intelligence about cyber threats to the US public sector. By joining forces, KELA will gain access to Vertosoft’s extensive network of contract vehicles at the Federal, State, and Local levels, as well as their trusted public sector partners.


The Stormous ransomware group is back, a ransomware gang adds a new backdoor, and more

This continues to be one of the worst years for ransomware. Here’s the latest news: The Stormous group which had been under the radar for a while, is back in business. According to researchers at Kela, the gang’s extortion site has been updated with listings of new alleged victims. It also has a section selling data allegedly stolen from organizations, a job application page and a contact page. A year ago the group significantly decreased additions to its online site. But now it claims to have recently hit more than 30 organizations. Also this month Stormous announced a partnership with the GhostSec hacktivist group to target organizations in Cuba.


New ransomware ‘Big Head’ uses fake Windows update alerts

A newly-discovered ransomware family named Big Head is tricking unsuspecting users by displaying fake Windows update alerts and Microsoft Word installers. Cybersecurity firms Fortinet and TrendMicro have identified several variants of this ransomware, all originating from a single operator.

Cyber-intelligence firm KELA separately told BleepingComputer that Big Head's main author is likely of Indonesian origin: it discovered a user on Telegram with the same names and avatars as those found in the ransomware's ransom notes. The ransomware itself doesn't appear to be widespread or highly sophisticated. It uses standard encryption methods and is fairly easy to detect, thanks to poor evasion techniques.


New ‘Big Head’ ransomware displays fake Windows update alert

Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.

Two samples of the malware have been analyzed before by cybersecurity company Fortinet, who looked at the infection vector and how the malware executes.

KELA’s analysts have discovered a user on Telegram using the same names and avatars as those found in Big Head’s ransom note, claiming to be a “ransomware expert” on posts published on “IndoGhostsec.”


APT activity on cybercrime forums

APT activity on cybercrime forums: And sticking with the theme, threat intel firm KELA published a report on the activity of various APT groups on cybercrime forums. The report covers activity from Emennet Pasargad (data leaker), Bronze Starlight (ransomware op), and Pioneer Kitten (initial access broker).


In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack

RAIDForums database leaked

Someone has leaked a database allegedly containing the information of roughly 479,000 users of the RaidForums cybercrime forum. Threat intelligence company KELA has an analysis of the leak, which includes email addresses, usernames, IPs, and credentials. Leaked hacker forum databases can be useful for identifying cybercriminals.


‘Infostealer’ malware evolves to become even more lethal

The class of malware called infostealers continues to evolve into a more lethal threat.

These threats are software that can steal sensitive data from a victim’s computer, typically login details, browser cookies, saved credit cards and other financial information. SiliconANGLE has covered their role in the past in various ransomware and other attacks, including Stealc and LockBit in February and EventBot, an Android-based infostealer, back in April 2020.

Unfortunately, criminals continue to enhance this malware genre, and two new reports released this week document their latest efforts.

One trend is the use of automation to spread their impact. “Cybercriminals work hard to develop new commodity stealers and release them into the automated botnet markets at affordable prices to appeal to a wider audience,” said Yael Kishon, who authored the report from the KELA Cybercrime Prevention research group. The group tracks various infostealer versions and their creators.


The new info-stealing malware operations to watch out for

The information-stealing malware market is constantly evolving, with multiple malware operations competing for cybercriminal customers by promoting better evasion and increased ability to steal data from victims.

Information stealers are specialized malware used to steal account passwords, cookies, credit card details, and crypto wallet data from infected systems, which are then collected into archives called ‘logs’ and uploaded back to the threat actors.

Cybersecurity intelligence firm KELA has compiled a report presenting the rise of variants and malware-as-a-service (MaaS) operations that have grown substantially in the first quarter of 2023, raising the associated risk for organizations and individuals.


An Executive’s Guide To The Cybercrime Underground

An article by David Carmiel, KELA’s CEO.

In recent years, the cybercrime underground has become increasingly sophisticated and profitable by preying on vulnerable organizations. As a result, security leaders must gain visibility into what happens in this underground network of illegal activity to protect their organizations from emerging threats and accurately assess their risks.

In this article, I will explore the current state of the cybercrime underground, including its definition, motivations, actors and methods. I will also provide recommendations for security leaders on defending their organizations against emerging threats.


Infostealer Malware: What is it and how to investigate

Infostealers are a type of malware specifically designed to locate and exfiltrate credentials. Their prevalence and impact were limited pre-COVID-19, as most of the headlines were grabbed by ransomware operations that crippled large organizations. Remote and hybrid working models then kept organizations productive, which put pressure on IT departments to accelerate their digital transformation strategies. At the same time, there was a significant uptick in the number of known Malware-as-a-Service (MaaS) operations, as well as growth in the number of malware variants seen in the wild.

This research from KELA also showed the relative split of infostealer families behind the credential material sold between January and July 2022 on Russian Market, TwoEasy and Genesis.


Ukraine reports drop in cyberattacks by pro-Russian groups

The State Service of Special Communications and Information Protection of Ukraine published Saturday its cyber incidents report for the first quarter of this year, showing a decrease in the number of attacks by pro-Russian groups targeting the commercial and financial sectors, the government and local authorities, and at the security and defense sectors. At the same time, the intensity of attacks on the energy sector and the mass media remains at the same level.

The report said that according to the Russian-Ukrainian war cyber tracker maintained by ‘@Cyberknow20,’ Telegram is used by hacktivists as a leading platform for organizing malicious activity. “The interest in the platform as a ‘cybercrime ecosystem’ is confirmed by the recent release of the article Telegram – How a messenger turned into a cybercrime ecosystem by 2023 by KELA, the cyber threat intelligence company,” it added.


Cybercrime: Ransomware Hits and Initial Access Listings Grow

The cybercrime economy is alive and well, if counts of known ransomware victims and initial access sales are good gauges of its health.

Compared to the first quarter of 2022, the first three months of this year featured a 30% increase in known ransomware victims, totaling 900 organizations, threat intelligence firm Kela reported.


US healthcare sector to continue facing ransomware attacks, data breaches

The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services (HHS) observed a continuation of many ongoing trends concerning cyber threats to the healthcare and public health (HPH) community.

Data released Monday by cybercrime threat intelligence firm KELA showed that Clop is the second most active group, targeting more than 100 victims in the first quarter of this year.


Kodi discloses data breach after forum database for sale online

The Kodi Foundation has disclosed a data breach after hackers stole the organization’s MyBB forum database containing user data and private messages and attempted to sell it online.

The Kodi Team says they disclosed the breach after learning that hackers were selling the stolen database online. BleepingComputer has since learned from cyberintelligence company KELA that the ‘Kodi Community Forum’ database was being sold in February on the now defunct Breached hacking forum.


KELA reports manufacturing, industrial sectors most targeted by ransomware, data leak actors during Q1 2023

Cybercrime threat intelligence firm KELA disclosed that the manufacturing and industrial sectors were most targeted by ransomware attackers and data leak actors during the first quarter of this year. LockBit, Royal, and Alphv were behind over 50 percent of the attacks in this sector, while the U.S. is still the most targeted country, recording 45 percent of ransomware and extortion attacks.


Reimagining Cyber- Inside cybercrime with Raveed Laeb

In this episode Raveed Laeb (VP, KELA) shares how threat actors are putting more effort into building lasting business-like enterprises — investing more in branding, customer support, cybercrime-as-a-service, specialization, and even intuitive user interfaces.


Four Top Misconceptions In Cybercrime Threat Intelligence And How CISOs Should Think Instead

An article by David Carmiel, KELA’s CEO.

Cybercrime is constantly evolving, with new threats emerging from the underground and attacks becoming more sophisticated. False positives and endless hours of manual effort are the pain point for all defenders. Security teams need automated intelligence that’s highly targeted and contextualized to prioritize threats and take the right actions to mitigate them. Unfortunately, misconceptions about the cybercrime underground and cybercrime threat intelligence prevent some defenders from leveraging tools that can help them build a threat-based security program.

It’s time to clear the air about some top misconceptions about the cybercrime underground and cybercrime threat intelligence. Contrary to popular belief, in addition to nation-states and APTs, many attacks are carried out by opportunistic criminals looking for an easy way to make money rather than having a clear agenda and objectives.


KELA partners with Snowflake to help joint customers remediate potential risks

KELA has partnered with Snowflake to launch its technical intelligence data on Snowflake Marketplace. KELA’s Technical Cybercrime Intelligence availability on Snowflake Marketplace will enable joint customers to get near-instant, seamless, and secure access to potentially compromised IPs and domains involved in cybercrime activity.


FBI Says It Arrested BreachForums Mastermind ‘Pompompurin’

Federal agents arrested the alleged administrator of criminal underground forum BreachedForums, tracing him to a small town in New York’s Hudson Valley.

Breached also appears to allow ransomware groups to advertise for affiliates, targets and initial access to victim networks, without restrictions. Kela reports that the Chaos ransomware builder has been advertised on the forum, as have new ransomware-as-a-service offerings SolidBit and Garyk.



KELA today announced that it has partnered with Snowflake, the Data Cloud company, to launch its technical intelligence data on Snowflake Marketplace. KELA’s Technical Cybercrime Intelligence availability on Snowflake Marketplace will enable joint customers to get near-instant, seamless, and secure access to potentially compromised IPs and domains involved in cybercrime activity.


Publicity Stunt: Criminals Dump 2 Million Free Payment Cards

Here’s further proof that cybercriminals are rampant self-promoters: Credit card market BidenCash, which sells compromised payment card data, last week released for free details of 2 million payment cards. The market for carders – aka credit and debit card thieves – trumpets that the release is intended to celebrate its one-year anniversary.

Telegram has become “a popular platform for banking fraud cybercriminals who created dedicated channels for advertising stolen credit card information and checks, fullz and financial accounts,” Kela reports. “Forged credit cards and banknotes are also a popular item for sale. For example, sellers claim that they provide a cloned ATM card with a PIN.”


Report: Telegram “Cybercrime Ecosystem” Rivals the Dark Web, but Much Easier to Access

A cybercrime ecosystem is firming up on Telegram, and the scope of services it offers is growing to rival dark web forums, according to a report from cybercrime intelligence firm KELA. But Telegram is easier for the average person to access, and its hundreds of millions of users may only be a simple search away from these offerings.


KELA launches new cyber intelligence platform

KELA, the leading provider of actionable cyber threat intelligence, has announced the launch of its revolutionary new and consolidated cyber intelligence platform.

It consists of a new intuitive, sleek, and easy-to-navigate user interface and four complementary modules: Threat Landscape, Monitor, Hunt, and Tactical Intelligence.


LockBit adds another Argentinian company among the victims of the ransomware: Grupo Albanesi

LockBit, one of the largest ransomware groups in the world, has listed Grupo Albanesi, the main natural gas distributor and electricity supplier in Argentina, among its victims.

The cybercriminal group that encrypted Albanesi is one of the most prolific in the world.

It first appeared in September 2019 and, according to Kela’s data, had a stranglehold on the cybercrime scene in 2022, accounting for 28.57% of ransomware attacks.


Is Telegram the New Dark Web? Report Documents “Cybercrime Ecosystem” on Messaging App

A new report from cybercrime intelligence firm KELA documents how Telegram, one of the leading privacy-first messaging apps, has become home to a “cybercrime ecosystem” comparable to dark web forums.


Major Canadian bookstore chain Indigo still hampered by cyberattack

A week has passed since Indigo Books and Music first reported that it had suffered a cyberattack, and yet the bookstore chain continues to have issues with its website and digital transaction capabilities.

Tech news portal BleepingComputer suspects that the cyber incident affecting Indigo may be ransomware related. It reached out to threat intelligence company Kela, which found that at least one cybercrime market was selling Indigo credentials in January and February. These credentials were stolen through malware such as Redline, Vidar, and Raccoon.


Spotlight: Making the Most of Cyber Threat Intelligence with Itsik Kesler of KELA

In this Spotlight episode of the Security Ledger podcast, I interview Itsik Kesler, the CTO of the threat intelligence firm Kela, about the evolution of threat intelligence and findings from the company’s latest State of Cybercrime Threat Intelligence report.


Largest Canadian bookstore Indigo shuts down site after cyberattack

Indigo Books & Music, the largest bookstore chain in Canada, was struck by a cyberattack yesterday, forcing the company to take its website offline and to accept only cash payments.

The exact nature of the incident remains unclear but Indigo is not ruling out that hackers may have stolen customer data.

BleepingComputer learned from threat intelligence company Kela that at least one cybercrime market was selling Indigo credentials in January and February, stolen by information-stealing malware such as Redline, Vidar, and Raccoon.


Exclu Shutdown Underscores Outsized Role Messaging Apps Play in Cybercrime

Over the last year, experts have increasingly found that cybercriminals are moving away from Dark Web forums in favor of messaging apps and encrypted communications channels. And more broadly, security analysts and researchers have released details showing how legitimate platforms like Telegram, WhatsApp, and Discord are becoming a hotbed of criminal activity — not only for cybercriminal communications but also for a wide range of scams and exploit campaigns.

More recently, KELA researchers reported that cybercriminals use Telegram in particular to sell and leak stolen data, as a channel for selling other illegal products, to publicize information about their attacks, and to build bots that bolster the infrastructure used to launch attacks and exfiltrate data.


How To Prepare Your Organization For The Future Of Cybercrime

An article by David Carmiel, KELA’s CEO.

To be prepared for the future of cybercrime, security teams must remain vigilant, as the threat of malicious actors continues to evolve. Businesses and institutions must understand the cybercrime underground and develop strategies to mitigate threats to stay ahead of criminals.

Organizations must research past security incidents and consider what victims could have done differently. They should then take this knowledge and assess their attack surface, identifying the areas where a malicious actor can exploit weak points or gain access.


Why cybercrooks love Telegram Messenger

The Telegram text and video messaging service has become a “thriving ecosystem” for cybercrime and will likely continue to be a major challenge for security researchers and law enforcement, says a new report.

It is largely used by individuals for legitimate messaging and purchases (including digital equipment, consumer loans, apparel and shoes) who appreciate that it’s free and supposedly encrypted.

But researchers at Israel-based Kela say in a report released Wednesday that Telegram Messenger is also a hub for cybercrime activities, including the sale and leakage of stolen personal and corporate data, the organization of cybercrime gangs, the distribution of hacking tutorials, hacktivism and the sale of illegal physical products such as counterfeits and drugs.


A look into corners of the cyber criminal underworld. Mobilization of criminals as cyber auxiliaries

Telegram used for sharing stolen data and selling malware.

KELA has published a report looking at cybercriminals’ use of Telegram to conduct their business. The researchers explain that Telegram’s Secret Chat feature provides end-to-end encryption and relative anonymity. While the vast majority of the app’s users are legitimate, and Telegram has cooperated with law enforcement in the past, criminals are still attracted to the platform.



KELA launches cyber intelligence platform to empower proactive digital crime prevention

KELA launched a new and consolidated cyber intelligence platform, consisting of a new intuitive user interface and four complementary modules: Threat Landscape, Monitor, Hunt, and Tactical Intelligence.

The platform provides real, actionable intelligence to support various security teams across an organization in their efforts to uncover threats and proactively prevent digital crimes.


KELA introduces a platform for cyber intelligence to enable proactive digital crime prevention

KELA has introduced a new and consolidated cyber intelligence platform, which includes a new intuitive user interface as well as four complementary modules: Threat Landscape, Monitor, Hunt, and Tactical Intelligence. The platform provides real-time, actionable intelligence to assist various security teams across an organization in uncovering threats and proactively preventing digital crimes.


KELA Unveils Revolutionary Cyber Intelligence Platform at CyberTech Tel Aviv, Empowering Proactive Digital Crime Prevention with Real, Actionable Intelligence

TEL AVIV, Israel, Jan. 30, 2023 /PRNewswire/ — KELA, the leading provider of actionable cyber threat intelligence, today announced the launch of its revolutionary new and consolidated cyber intelligence platform, consisting of a new intuitive, sleek, and easy-to-navigate user interface and four complementary modules: Threat Landscape, Monitor, Hunt, and Tactical Intelligence, providing real, actionable intelligence to support various security teams across an organization in their efforts to uncover threats and proactively prevent digital crimes. The platform’s innovative approach positions KELA as the go-to solution for organizations seeking to stay ahead of cyber threats.


CyberTech Tel Aviv: KELA unveils revolutionary cyber intelligence platform

Israeli KELA will unveil a revolutionary cyber intelligence platform today at the CyberTech Tel Aviv event, which will enable proactive prevention of digital crime through real and actionable intelligence.

It is composed of a new intuitive, elegant and easy-to-navigate user interface and four add-on modules: Threat Landscape, Monitor, Hunt and Tactical Intelligence, which provide real, actionable intelligence to support an organization’s various security teams in their efforts to uncover threats and proactively prevent digital crimes. The platform’s innovative approach positions KELA as the go-to solution for organizations looking to stay one step ahead of cyber threats.

Commenting on the launch of the new platform, Raveed Laeb, Vice President of Products at KELA, said, “Our four seamlessly integrated modules provide unparalleled intelligence to security professionals at all levels, empowering them to proactively protect their organizations and nations by connecting the dots and gaining a comprehensive understanding of targeted threats in real time.”




KELA Launches Cyber Threat Intelligence Platform

KELA’s new cyber threat intelligence platform can identify, address and analyze cyber risks while MSPs and MSSPs can join its partner program.

KELA has released a cyber threat intelligence platform designed to serve as “the go-to solution for organizations seeking to stay ahead of cyber threats,” according to the company.



Cybercrime and threat intel

Threat intelligence company KELA has published its yearly report on cybercrime for the past year. Some of the company’s main findings are below.

  • Almost 2,800 victims of ransomware and extortion attacks.
  • Victims were listed on 60 different leak sites.
  • 52% of these leak sites were new platforms that emerged in 2022.
  • Lockbit was 2022’s most active group.
  • Initial access brokers offered access to more than 2,200 networks, collectively valued at more than $4.5 million.

Building coping mechanisms to deal with ransomware attacks across critical infrastructure sectors

Critical infrastructure sites have in recent weeks and months emerged as hotbeds for ransomware attacks. Adversaries have targeted hospitals, a rail company, a shipping port, a mining site, a mail delivery service, and government agencies, making such devastating attacks the rule rather than the exception. To deal with this rising and dangerous trend, organizations across critical infrastructure sectors must increase coordination with allies and develop and share appropriate cybersecurity standards, in addition to identifying and addressing vulnerabilities at these sites and developing federal strategies for deterrence options against cyber threats.


Darknet Markets Using Custom Android Apps for Fulfillment

To better safeguard administrators and users from law enforcement, multiple drug-focused darknet markets last year began testing new strategies: Only displaying items for sale to pre-vetted members and providing them with Android apps built using the M-Club engine.

Discussion of M-Club started to appear in cybercrime forum chats by last April, according to underground chatter tracked by threat intelligence firm KELA. As of last week, an advertisement was running on Russian-language forum Legalize, devoted to so-called research chemicals, aka RC. It touts M-Club’s “24/7 user support,” its ability to calculate salaries for couriers – aka drug mules – as well as a “multifunctional Telegram bot” designed to improve the customer experience.


Canadian mining firm shuts down mill after ransomware attack

The Canadian Copper Mountain Mining Corporation (CMMC) in British Columbia has announced that it was the target of a ransomware attack that impacted its operations.


An interesting detail discovered by BleepingComputer with the help of cyber-intelligence firm KELA is that a cybercriminal offered to sell account credentials belonging to a CMMC employee on a hacker marketplace on December 13, 2022.


Forbes: 5 Trends Shaping The Future Of Cybercrime Threat Intelligence

An article by David Carmiel, KELA’s CEO.

Cyber threats are evolving faster than ever, and the cybercrime underground has become an organized cybercrime ecosystem. In 2021, ransomware activity increased significantly. The number of attacked companies found in our sources increased almost twofold—from 1,460 to 2,860 victims. To effectively combat these threats, it’s essential for cybersecurity professionals to stay up to date on the latest trends in cybercrime.

In this article, we’ll look at five trends shaping the future of cybercrime threat intelligence and how organizations can protect themselves. We’ll also discuss how these trends are impacting the way businesses need to protect themselves against attacks.


Corporate email accounts are sold in dark web markets

Cyber security researchers from the cyber-intelligence firm KELA have reported that at least 225,000 email accounts are for sale on the cybercrime underground markets.


KELA’s recent research showed that threat actors now have new marketplaces and shops that let them easily buy corporate email accounts, which they use to deceive users during their attacks.



Cyber security week in review: December 9, 2022

Webmail sale shops offer corporate emails for as little as $2

Israeli threat intelligence firm KELA released a detailed report on popular cybercrime marketplaces selling access to corporate webmail services, including xLeet, Odin, Lufix, and Xmina. Xleet and Lufix are said to be the largest shops offering webmail access, with average prices ranging from $2 to $25 for a single webmail. Many of these shops provide advanced functions, such as “proofs” that webmail access indeed works. These proofs include performing a live check on the email to verify the access or showing a screenshot of the compromised account inbox.


Cyber Security Headlines: APT37 exploits zero-day, Firewalls bypassed generically, Zombinder’s Android malware

Automated dark web markets sell corporate email accounts for $2

Cybercrime marketplaces are increasingly selling stolen corporate email addresses for as low as $2 to fill a growing demand by hackers who use them for business email compromise and phishing attacks or initial access to networks. Analysts at Israeli cyber-intelligence firm KELA have closely followed this trend, reporting at least 225,000 email accounts for sale on underground markets. The demand for corporate emails continues to grow, which has created the need for automated webmail shops such as Xleet and Lufix, claiming to offer access to over 100k breached corporate email accounts obtained through brute-forcing, credential stuffing and phishing, with prices ranging between $2 and $30, if not more, for highly desirable organizations.


Risky Biz News: Apple to encrypt iCloud backups, support third-party security keys

In other news: Iranian data wiper hits diamond industry; security firm blames hack on rival security firm; CISA Director faces ethics complaint.


Webmail shops: Threat intelligence firm KELA has a report [PDF] out on the IAB market selling access to corporate webmail services. The company specifically covers Xleet, the largest criminal shop selling access to webmail accounts, but also other smaller shops such as Odin, Lufix, and Xmina. The most popular listings are for Office 365 accounts, and most shops sell other types of accounts as well.


Automated dark web markets sell corporate email accounts for $2

Cybercrime marketplaces are increasingly selling stolen corporate email addresses for as low as $2 to fill a growing demand by hackers who use them for business email compromise and phishing attacks or initial access to networks.

Analysts at Israeli cyber-intelligence firm KELA have closely followed this trend, reporting at least 225,000 email accounts for sale on underground markets.


Cybercrime Threat Intelligence is More Critical Than Ever

As the old saying goes, knowledge is power. And in the world of cybersecurity, that could not be more true. Security teams need to have access to timely and relevant threat intelligence to stay ahead of the curve and protect their networks against ever-more sophisticated attacks. Unfortunately, many organizations still rely on outdated methods for gathering information about potential threats, leading to missed opportunities and reduced security posture. This article will explore why security teams must adopt a cybercrime threat intelligence platform in order to gain that knowledge so that they can have power over protecting their organization.


BlackProxies proxy service increasingly popular among hackers

A new residential proxy market is becoming popular among hackers, cybercriminals, phishers, scalpers, and scammers, selling access to a million claimed proxy IP addresses worldwide.

Using KELA’s DarkBeast threat intelligence platform, BleepingComputer has found numerous posts on hacking forums where the BlackProxies service is being promoted in topics about credential stuffing and account hijacking.


Aurora infostealer malware increasingly adopted by cybergangs

Cybercriminals are increasingly turning to a new Go-based information stealer named ‘Aurora’ to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads. The reason for this sudden rise in Aurora’s popularity is its low detection rates and generally unknown status, making its infections less likely to be detected. At the same time, Aurora offers advanced data-stealing features and, presumably, infrastructural and functional stability.

Aurora history

Aurora was first announced in April 2022 on Russian-speaking forums, advertised as a botnet project with state-of-the-art info-stealing and remote access features. As KELA reported earlier this year, Aurora’s author was looking to form a small team of testers to ensure the final product is good enough.


Forbes: Proact, Don’t React: How CISOs Should View Cybercrime Threat Intelligence

An article by David Carmiel, KELA’s CEO.

Anyone involved in cybersecurity knows that the threat landscape is constantly evolving. Attackers are always looking for new ways to exploit systems and data, while defenders are working hard to stay ahead of them. In this constant cat-and-mouse game, it’s essential for security professionals to have up-to-date information on the latest threats.

When defending your organization against cybercrime threats, it’s essential to have access to the latest threat intelligence. Security teams need actionable insights into the cybercrime underground ecosystem to better understand the threats their organizations face and take appropriate steps to defend themselves.

Threat intelligence can be extremely valuable in helping organizations stay ahead of attackers and mitigate risk. But it’s also a complex and rapidly changing field, so keeping up with the latest trends can be challenging. This article will look at how the cybercrime threat intelligence landscape has evolved over the last few years and what we can expect in the coming months and years. We’ll also discuss some critical challenges security professionals face when implementing or using cybercrime threat intelligence.


The dark side of the internet: Onion and the Dark Web

When George Lucas devised Star Wars, perhaps he did not imagine that the Dark Side of the Force would come to carry so much weight in the 21st century. We all have a dark side that we only show at certain times or to certain people. On the Internet, that infinite and ever-present window to content, we can find many links that lead us to discover information or events that the usual search tools do not offer us.

It is a Dark Side not led by Sith Lord Darth Sidious and his disciples, but by many people who, in a hidden way, pull the strings to “sell” sensitive content to the general audience. We all know browsers like Edge, Safari or Chrome and search engines like Google or Bing. But these only give us access to the superficial and transparent layer of the Internet.

Is the Dark Web synonymous with crime?

What needs to be hidden in order to be present on the network is not always appropriate or legal content. On the Dark Web, issues related to terrorism, drugs or weapons are the order of the day, and those who can access it, can consult it and even get hold of it with ease.

According to the 2022 Kela Threat Intelligence Report, 48% of companies do not have a data protection policy against data theft via the Dark Web, despite the latent threat it poses.


OPERA1ER group hits African banks for $30 million

Over the past decade, banks have not escaped the rising tide of increasingly sophisticated cyberattacks; many have been hacked and have lost billions of US dollars in serious intrusions. The most famous threat actors to pull off successful bank heists include the likes of Carbanak and North Korea’s Lazarus Group APT.

The common thread across all recent major bank cyber-heists was that they usually targeted organizations in North America and Europe before attackers switched their targeting to Asia and Latin America. But as banks elsewhere have seriously upgraded their network defenses, threat actors are now turning their eyes toward Africa, a region that has been left relatively unscathed in previous years.



New clipboard hijacker replaces crypto wallet addresses with lookalikes

A new clipboard stealer called Laplas Clipper spotted in the wild is using cryptocurrency wallet addresses that look like the address of the victim’s intended recipient.

Laplas is different from other malware of the same kind, which are typically just add-ons of info-stealing malware. The new clipper is a feature-rich tool that gives hackers more granular control and better insight into the efficiency of their operations.

The tool is provided under a subscription model, the most expensive tier being $549 for a year’s access to the web-based panel that allows operators to monitor and control their attacks.


Risky Biz News: Internal chats for Yanluowang ransomware gang leaked; reveal members are Russian, not Chinese

The internal chat logs of the Yanluowang ransomware gang were leaked online on Halloween, revealing the group’s core members, details about how they build their code, and how they deal with victims.

But more than anything, the leak reveals that despite their name and repeated claims that the gang consists of Chinese nationals, all internal chats are in “some of the most perfect Russian,” as one threat intel analyst described it to RiskyBizNews on Tuesday.

IAB quarterly report: In its quarterly report for Q3 2022 [PDF], threat intel firm KELA said it observed initial access brokers selling access to more than 570 corporate networks over the past quarter, with a cumulative requested price of around $4 million.


Hackers Selling Ransomware Victims and Network Access Data for $4 Million

Israeli cyber-intelligence firm KELA has recently published its Q3 2022 ransomware report, in which it reports that access to 576 corporate networks worldwide, valued at an estimated $4 million, is being sold by hackers, fueling cyberattacks on large corporate networks.

Initial access sales have seen steady activity in the sector over the past year, but the value of the offering has increased rapidly over the same period.

This quarter appeared to be nearly identical to the two previous quarters in terms of the number of network access sales. However, the escalating cumulative asking price has now reached a significant milestone of $4 million.


Over 600 companies fell victim to ransomware in the third quarter; what is behind it?

Not a day goes by without news of a new ransomware attack on companies around the world, including those in our country. We have learned the hard way how devastating extortion practices can be for victims and their customers, especially when those hit are critical infrastructure operators. To adopt the necessary countermeasures it is crucial to monitor the evolution of the criminal ecosystem, and in particular the activity of the main ransomware gangs.

A report recently published by threat intelligence firm KELA sheds light on the ransomware activity observed in the third quarter of 2022. KELA identified around 600 victims by analyzing multiple sources, including ransomware gangs’ blogs and negotiation portals, the sites used to publish stolen data (leak sites), and public reports. Compared with the second quarter of 2022, activity decreased by 8%, falling from July to August but rising from August to September. An average of 200 attacks per month were observed in the third quarter, compared with 216 victims per month in the second quarter.


Cyber Security Today: Disgruntled IT security executives, a not-to-be-listed list and more

Never had one of those days when you thought, ‘I’ve had it! To hell with this job’? If you’re a cybersecurity leader, you’ve got company. A third of the 400 infosec managers in the US and UK recently surveyed said they were considering quitting their jobs. Of these, a third would do so within the next six months. This is according to research done for a security company called BlackFog. What may be surprising is that the numbers aren’t bigger, given the pressures of cybersecurity jobs. Thirty percent of respondents said the part of the job they hated the most was the lack of work-life balance. An almost equal number, 27%, said they spent too much time fighting fires rather than focusing on strategic issues. On the other hand, 44% said that what they enjoy most about their job is being the protector of the company.

Something else to consider: 28% said they had resigned from a previous job after a damaging cyberattack in their organization. And 13% said they were fired because of a cyberattack.

Is your organization on the list? This is not a list of the best, the most profitable, or the prettiest companies. These are the companies allegedly penetrated by hackers who sell their access for further exploitation by other threat actors. Depending on the month, an average of 190 organizations are regularly referenced by around a hundred initial access brokers. That’s according to a recent report by Israeli cybersecurity firm Kela. Access would be through things like compromised remote desktop portals for employees. An average price would be around $2,800. Access to some victims is auctioned off. For example, in July, a broker set a starting price of $20,000 for access to an electricity utility in France.


576 corporate networks are exposed, thanks to initial access brokers

KELA analysts have shared a ransomware report for the third quarter, mainly focusing on the activities of access brokers.

Ransomware is still a nightmare for corporates and can cause millions of dollars of damages or, even worse, completely shut down companies. KELA, a cyber intelligence company from Israel, has published a report regarding the ransomware attacks of the third quarter of this year, and it contains some interesting findings.


$4 Million in Exchange for Access to 576 Corporate Networks

A New Cybersecurity Report for Q3 2022 Shows Increase in Value Offerings

According to a new report published by cybersecurity researchers, hackers are selling access to 576 corporate networks around the world for a total of $4,000,000, driving enterprise attacks.

The Q3 2022 ransomware report published by Israeli cyber-intelligence researchers from KELA showed stable activity in the initial access sales sector but a significant increase in the value of the offerings.

Despite the fact that the number of network access sales remained roughly the same as in the previous two quarters, the total requested price has already reached $4,000,000, explains Bleeping Computer.


‘Hackers sell access to nearly 600 corporate networks for €4 million’

The total price charged by initial access brokers (IABs) rose to €4 million in the last quarter. For that amount, buyers were able to purchase access to nearly 600 corporate networks.

Security firm KELA presented the stats in a recent research report. The researchers analyzed 110 initial access brokers (IABs) who illegally sold access to 576 compromised corporate networks over the last quarter. The networks netted a total of €4 million. In the second quarter, the combined price only amounted to €664,000.

Most of the access was sold by criminal groups like LockBit, Black Basta, Hive, Alphv (aka BlackCat) and BianLian. Access to the corporate networks of US organizations was particularly popular.


Ransomware activity and network access sales in Q3 2022

Ransomware activity report: Threat actors are selling access to hundreds of organizations, with a cumulative requested price of around $4M.

Research published by threat intelligence firm KELA related to ransomware activity in Q3 reveals a stable activity in the sector of initial access sales, but experts observed a rise in the value of the offerings.

“In Q3 actors offered more expensive listings since the total number of listings remained almost the same. On average, there were around 190 access listings in each month of Q3, slightly higher than in Q2.” reads the report published by the experts.

KELA identified around 600 victims by analyzing ransomware actors’ blogs and negotiation portals, data leak sites and public reports. Compared to the second quarter of 2022, the activity decreased by 8%, falling from July to August but increasing from August to September. On average, the experts observed 200 attacks each month of Q3 compared to 216 victims in Q2.

In Q3 2022, the most prolific ransomware and data leak actors were LockBit, Black Basta, Hive, Alphv (aka BlackCat) and the new entry, the BianLian group.


InfoSec News Nuggets: Hackers selling access to 576 corporate networks for $4 million

A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fueling attacks on the enterprise. The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings. Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000.


Yanluowang ransomware leaks suggest pseudo Chinese persona, REvil links

It’s the second major ransomware organisation to have been rocked this year after internal chat logs were leaked by anonymous hackers

Chat data from the Yanluowang ransomware organisation has been leaked online revealing a fake Chinese persona and potential links with other ransomware organisations. Yanluowang is named after the Chinese and Buddhist mythological figure Yanluo Wang but chat data revealed those involved in the organisation spoke in Russian.

REvil is still in operation but its dominance of the ransomware landscape ended in 2021 following a coordinated international law enforcement operation to arrest many of its core members.  It’s believed the remaining lower-level cyber criminals either stayed with the organisation or moved on to work for more lucrative rivals. The leaked messages did not explicitly tie Saint to the REvil gang nor does it reveal any more about the relationship between Saint and the arrested REvil members.

Many additional messages using the Russian language were leaked and more active aliases were also named, including ‘Killanas’ which was the second most-active user in the organisation behind Saint.

Killanas is believed to have had a role in handling code assignments, according to KELA’s analysis, which also identified ‘Felix’ as a tester and ‘Stealer’ as another organisation member.


Ransomware: ‘Amateur’ Tactics Lead Fewer Victims to Pay

Why are so many ransomware-wielding attackers collectively shooting themselves in the foot?

Ransomware Ecosystem: The Fracturing

Some ransomware groups run data-leak sites, where many but not all groups list victims who haven’t paid. These lists are notoriously incomplete: groups don’t list all victims, paying or otherwise, and sometimes they get it wrong or even lie (see: Tracking Ransomware: Here’s Everything We Still Don’t Know).

In another sign of how the ransomware ecosystem has been fracturing, in 2021, ransomware groups collectively ran 44 data-leak sites, while already this year there are 107 sites in total. “We expect we’ll be close to 125 if not 130 by the end of the year,” Liska says.

Of the groups that run data-leak sites, the most victims during the third quarter – ranging from 200 to 20 – were listed by LockBit, followed by Black Basta, Hive, BlackCat and BianLian, threat-intelligence firm Kela reports. The most victims were based in the United States (40%), followed by the United Kingdom, (6%), France (6%), Germany (5%) and Spain (4%).

Industry-wise, listed victims most often hailed from professional services (17%), followed by manufacturing & industrial products (16%), and healthcare and life sciences (8%), Kela reports.



Your guide to the dark web and how to safely access .onion websites

Here is our comprehensive guide to the dark web and what businesses need to know about this layer of the internet.

When the dark web is mentioned online, it is usually in tandem with criminal marketplaces and arrests made by law enforcement agencies.

Is the dark web just for criminals?

Drugs, weapons, and stolen IP and data are all hot businesses on the dark web, with hundreds of terabytes of information on offer. Traders cash in on stolen credit card data dumps, initial access points to vulnerable systems, credentials, and intellectual property belonging to companies compromised during cyberattacks.

According to Kela’s 2022 Threat Intelligence report (PDF), 48% of organizations have no documented dark web threat intelligence policy in place, despite the obvious danger.


KELA, The powerful Israeli National Police software to monitor the Cybercrime Underground

Places like the Cybercrime Underground, that part of the Internet that can only be accessed through programs like Tor, have been a problem for the security of countries for a long time. As well as for totally legal uses, they have become the preferred refuge for traffickers of all kinds of illegal substances, materials and information, where they carry out their business in the safest way possible.
In Spain, the National Police has just published a contract document to be able to buy KELA’s software, which is dedicated to monitoring the Cybercrime Underground.



After RaidForums’ Demise, Breached Forum Seizes Leaks Mantle

The FBI seizure of cybercrime forum RaidForums earlier this year hasn’t stopped black hats from finding a new place to connect online following emergence of a new alternative: Breached.

The rapid rise of Breached – also known as BreachForums – shows there remains a strong demand for sites that facilitate the buying and selling of stolen data. “Breached is not only the successor of RaidForums, but in a very short time frame has become a promising data leak marketplace,” says Yael Kishon, a threat intelligence analyst at Israeli threat intelligence firm Kela.


Does your cybercrime prevention program work?

KELA surveyed 400 security team members in the US who were responsible for gathering cybercrime threat intelligence daily to better understand if they’re proactively scanning the dark web and other cybercrime sources, what tools they’re using, the gaps they see in their cybercrime threat intelligence approach, and more.

“We found organizations may be less prepared for threats emerging from the cybercrime underground than they should be,” said David Carmiel, CEO of KELA. “At KELA, our extensive intelligence expertise has shown us just how complex the cybercrime underground really is. The threats are much more comprehensive, and what organizations know and refer to as the dark web is changing within the hour.”


The Spanish police will use Israeli technology to chase criminals on the “Cybercrime Underground”

The Spanish Police will equip itself with Israeli cyber intelligence to expand its operational capabilities in the so-called “Cybercrime Underground”.


Cyber Security Headlines: Chat app backdoor, PyPi cryptominer, corporate access prices drop

Access to corporate networks sees a value dip:
According to the security firm KELA, dark web markets selling initial access to corporate networks saw a dip in Q2. While the average number of listings per month remained flat compared to Q1, the average price for initial access fell 50% to $1,500, and the median dropped from $400 in Q1 to $300 in Q2. KELA suspects two factors are at play. One is the significant disruption in the workings of large-scale threat actors, with DarkSide, Conti, and Lapsus$ shutting down and LockBit and Hive reducing their overall volume of activity. This is paired with a new trend of threat groups increasingly targeting mid-sized companies, which offer a balance of lower risk while still offering significant financial reward.


Cisco Hacked: Ransomware Gang Claims It Has 2.8GB Of Data

Networking giant Cisco confirms hacking as ransomware group publishes a partial list of files it claims to have exfiltrated. On the same day that the Yanluowang ransomware group published a partial list of files it says were stolen from Cisco, the networking giant’s Talos Intelligence Group confirmed that Cisco had, indeed, been hacked.

The threat intelligence analyst’s perspective:
“It’s not uncommon for IABs to act as contractors for different threat actors, with many auctioning their access to corporate networks on popular dark web hacking forums,” Ferrett says. What’s more, she concludes, “this attack can certainly be viewed as part of a broader trend of ransomware threat actors diversifying away from pure encrypt-and-extort, with Yanluowang previously claiming to have breached Walmart despite the company stating there was no ransomware deployed on its systems.”

Threat intelligence specialist KELA has, just this week, confirmed that “in Q2 2022, several notorious ransomware and data leak actors were spotted being active again: REvil (Sodinokibi), Stormous, and Lapsus$”


Ransomware Groups Refine Shakedown and Monetization Models

Ransomware-wielding attackers continue to seek new ways to maximize profits with minimal effort. Some of their top tactics include tapping initial access brokers, working with botnet operators and testing new monetization models.
Here are some of the top trends being seen by experts as ransomware groups aim to increase profits:
-Continuing Use of Initial Access Brokers
From April to June, threat intelligence firm Kela reported seeing more than 550 network access listings, with an average asking price of $1,200 each. On a country-by-country basis, listings for U.S. organizations are most common – accounting for 20% of all listings this year – followed by Brazil, France, the U.K. and Italy.

-Seeking Fresh Monetization Models
A group called RansomHouse appears to have emerged last December and describes itself as a “professional mediators community” that will “facilitate negotiations” between ransomware groups and victims, “claiming to help both sides to set up a dialogue to make informed decisions,” Kela reports.

-Increased Hacking of Remote Services
In recent months, Kela reports, initial access brokers have been capitalizing on three vulnerabilities in particular, in Microsoft Exchange – CVE-2021-42321, Confluence Server and Data Center – CVE-2022-26134, and VMware Workspace One Access and Identity Manager – CVE-2022-22954.


Access to hacked corporate networks still strong but sales fall

Statistics collected by cyber-intelligence firm KELA during this year’s second quarter show that marketplaces selling initial access to corporate networks have taken a blow.

More specifically, although the number of the offerings remained similar to last quarter, averaging 184 access listings per month, the cumulative requested price was $660,000, which is 0% of Q1 ’22 figures. Additionally, the average price for network access in the recent quarter was only $1,500, whereas, in Q1 ’22, access to networks was sold at an average of $3,000, dropping the price by half. The median price also dropped from $400 to $300.


Ransomware attacks have dropped. And gangs are attacking each other’s victims

On Monday, cybersecurity firm KELA published its Ransomware victims and network access sales report (PDF), suggesting that the number of significant ransomware victims dropped by approximately 40%, recorded as 698 in Q1 compared to Q4 2021’s 982. On average, the company recorded 232 ransomware attacks per month during this time period. A notable shift is Conti’s place as one of the most prolific ransomware groups, alongside LockBit, Hive, Alphv/Blackcat, and Karakurt.


How the initial access broker market leads to ransomware attacks

KELA conducted an examination of past security incidents involving these ransomware groups. First up is LockBit, of which an attack began against Bangkok Airways due to AnyConnect VPN access offered by a threat actor called “babam.”

While it isn’t clear exactly who purchased Bangkok Airways access, on August 23, 2021 — not yet a month after access was offered in underground forums — the airline became infected by ransomware. Two days later, Bangkok Airways appeared on the LockBit leak site.

“Bangkok Airways did not disclose any investigation details, but based on the timeline, it is highly possible that the attack was performed using the bought access,” the researchers noted.


Buying Bot-Stolen Logs: Marketplaces Make It ‘2easy’

Multiple sellers on the 2easy market, for example, appear to have already “worked out” certain types of data, meaning it’s been excised from logs before they’re offered for sale, according to a report from Israeli cybersecurity firm Kela. In many cases, this technique appears to center on cryptocurrency wallets, which attackers can target to siphon away all the funds they store, the report says. But in other cases, it might be part of the terms and conditions being offered by an information-stealing malware service being used by the seller.


KELA’s Dark Web Threat Intelligence Products are now Available in AWS Marketplace

KELA announces its recent product induction in AWS Marketplace to provide the highest quality attack surface intelligence and protection for organizations, empowering them to neutralize their most relevant threats without compromising on technology needs


2easy now a significant dark web marketplace for stolen data

Based on an analysis by researchers at Israeli dark web intelligence firm KELA, the sudden growth is attributed to the market’s platform development and the consistent quality of the offerings that have resulted in favorable reviews in the cybercrime community.


Ransomware in 2022: We’re all screwed

According to Kela’s analysis of dark web forum activity, the “perfect” prospective ransomware victim in the US will have a minimum annual revenue of $100 million and preferred access purchases include domain admin rights, as well as entry into Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.


The five biggest ransomware attacks of the year so far

Although the initial attack vector has not been officially confirmed, it is thought to have used a malicious browser update delivered via a legitimate website, according to David Carmiel, CEO at KELA, a provider of cyber threat intelligence.

Although it is not known how elevated privileges on the system were obtained, Carmiel says that this “often happens through the use of known vulnerabilities and further social engineering”.

He advises CIOs to implement security policies to ensure that all staff and other key stakeholders do not download updates without verifying their authenticity.


A look at the ransomware industry.

Researchers at KELA have issued a report describing what ransomware operators are looking for in a potential victim:
“In July 2021, KELA found 48 active threads where actors claimed they are looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
“40% of the actors who were looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain – operators, or affiliates, or middlemen.


Bad News: Innovative REvil Ransomware Operation Is Back

Of course, REvil is just one of many players. Indeed, Israeli threat intelligence firm Kela says that numerous ransomware operators continue to list new victims on their data leak sites. In just the past week, Kela says, it’s seen new victims listed by these 11 groups: BlackMatter, Clop, Conti, Cuba, Grief, Groove, LockBit, Marketo, Ragnar Locker, REvil and Vice Society.


Researchers pinpoint ransomware gangs’ ideal enterprise victims

Researchers with threat intelligence company KELA have recently analyzed 48 active threads on underground (dark web) marketplaces made by threat actors looking to buy access to organizations’ systems, assets and networks, and have found that at least 40% of the postings were by active participants in the ransomware-as-a-service (RaaS) supply chain (operators, or affiliates, or middlemen). The analyzed threads have provided interesting insights into how these threat actors choose their next victims.


What Is The Ideal Ransomware Victim?

According to a new report, the ideal ransomware victim is in a lucrative commercial market in a wealthy country that uses remote desktop protocol or a VPN.
Cybersecurity firm KELA’s report cited activity from July 2021 that indicated ransomware attackers prefer organizations in specific geographies and markets, and prefer very specific products for initial network access.
Specifically, organizations in the U.S. with revenue of more than $100 million are the most sought-after targets, according to KELA’s report.


Large US businesses are hackers’ ideal ransomware targets

If you run a large, US-based non-health-care or -education company with revenue exceeding $100 million, then you will likely find yourself a victim of a ransomware attack. These organizations are the most likely ransomware victims, according to a new report by cyber security firm Kela.
Kela searched dark web forums for hackers wanting to buy access to organizations. It found 48 active threads where hackers claimed they wanted to buy different kinds of accesses. Of those hackers, 40% were involved in ransomware in some way or another.
Victoria Kivilevich, a threat intelligence analyst at Kela, said ransomware attackers appear to form “industry standards” defining an ideal victim based on its revenue and geography and excluding specific sectors and countries from the targets list.


Ransomware gangs target companies using these criteria

After examining ransomware gang’s “want ads,” cybersecurity intelligence company KELA has compiled a list of criteria that the larger enterprise-targeting operations look for in a company for their attacks.
KELA analyzed 48 forum posts created in July in which threat actors were looking to purchase access to a network. The researchers state that 40% of these ads were created by people working with ransomware gangs.
These want ads list the company requirements that ransomware actors are looking for, such as the country a company is located in, what industry it is in, and how much they are looking to spend.


This is the perfect ransomware victim, according to cybercriminals

On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million.


What Are Ransomware Operators Looking For?

Analyzing how ransomware operators choose their targets makes it possible to better understand the types of companies these threat actors have on their list. In this regard, Victoria Kivilevich, Threat Intelligence Analyst at KELA has released a profile of an ideal ransomware victim based on valuable criteria for cyber attackers buying access.


Criminals’ Wish List: Who’s Their Ideal Ransomware Victim?

The most sought-after type of victim for ransomware-wielding attackers is a large, U.S.-based business with at least $100 million in revenue, not operating in the healthcare or education sector, for which remote access is available via remote desktop protocol or VPN credentials.
So says Israeli threat intelligence firm Kela in a new report, rounding up dozens of active discussion threads it tracked on cybercrime forums during July that were devoted to buying initial access to networks. About half of the threads it found had been created the same month, suggesting that the market for supplying such access continues to thrive, it says.


9 Takeaways: LockBit 2.0 Ransomware Rep ‘Tells All’

Want to take information security defense advice from a ransomware-wielding attacker?
Here goes: “Employ a full-time red team, regularly update all software, perform preventive talks with a company’s employees to thwart social engineering and … use the best ransomware-fighting antivirus.”
So says “LockBitSupp,” a representative of the LockBit 2.0 ransomware group, in a Russian-language interview with the Russian OSINT YouTube channel posted Monday, and translated into English by Israeli threat intelligence firm Kela. The BlackBerry Research & Intelligence Team says that whoever is behind the LockBitSupp handle claims to be based in China and is active on the Russian-language XSS cybercrime forum.


5 Steps to Prepare an Effective Threat Intelligence Plan

Organizations have a constant need to defend against and defeat these bad actors, but are challenged by not knowing where to look, what they should be looking at or having enough staff resources with the skills to figure it out. Even if they had those capabilities, most organizations do and should have policies that prohibit employees from searching the dark web. In some sectors, it’s even legally prohibited. The result is a lack of insight into the true threats an organization may be facing. They don’t know what’s coming until it’s too late.


Is Your Password Worth $500,000 To Ransomware Gangs?

Research from another intelligence provider, KELA, found one example of ‘admin access’ to a $500 million revenue company network being offered for 12 BTC, or more than $500,000 at current rates.


10 Initial Access Broker Trends: Cybercrime Service Evolves

The rise of ransomware as a moneymaking powerhouse for online attackers parallels the services being offered by initial access brokers. Such brokers sell access as a service to others, saving them the time, effort and expense of gaining a toehold in an organization’s network.
Initial access brokers gain first access to victims’ networks in a variety of ways – often via weak remote desktop protocol or remote management software to which they’ve gained brute force access. Sometimes, attackers exploit an unpatched vulnerability in a system. Whatever the approach, once they have access, brokers can resell it to others, sometimes more than once.



In the last year, initial access brokers, who sell ways to gain remote access to compromised devices to cybercriminals, including ransomware gangs, have posted more than 1,000 access listings for sale averaging at $5,400 for each, according to research released today by security firm KELA. Researchers confirmed that at least 262 were sold, and 28 percent of the victim entities are based in the United States, the largest share of all affected countries.


Ransomware operators love them: Key trends in the Initial Access Broker space

In a threat actor’s mind, take out the legwork, reap the proceeds of blackmail.
Initial Access Brokers (IABs) are individuals or groups who have managed to quietly obtain access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or by exploiting vulnerabilities.
In recent years, ransomware-as-a-service (RaaS) groups have taken an interest in these brokers, as by employing them directly or paying them a fee in return for access to a target system, they are able to avoid the first step of intrusion: the time-consuming process required to find a vulnerable endpoint.


‘Initial access brokers’ lead ransomware efforts by selling access to compromised networks

A new report into so-called “initial access brokers” from threat intelligence firm Kela Research and Strategy Ltd. has detailed some disturbing trends in the criminal internet underworld and those involved in ransomware endeavors.
The Kela report was based on exploring over 1,000 access listings over the last year. IABs are threat actors who sell access to malicious services and play a crucial role in the ransomware-as-a-service economy. IABs facilitate network intrusions by selling remote access to a computer in a compromised organization and link opportunistic campaigns with targeted attacks, often ransomware operators. IABs don’t undertake ransomware attacks but sell access to a compromised network that is then used by ransomware gangs and others.


Initial Access Brokers Refine Their Ransomware-as-a-Service Model

It seems that during the pandemic IABs have been busy improving their business model. New research from threat intelligence company KELA shows that pricing is often determined by company size and the level of privilege on offer within the compromised network, with $5,400 as the average price for network access, and $1,000 as the median price.


Initial Access Brokers Sell a Way In, Widening the Ransomware Market

“One major aspect of this trend is the cooperation between actors facilitated by the rise of targeted ransomware. In order to support work in scale, ransomware operators turn to partners and affiliates to fulfill their remote access needs,” said Victoria Kivilevich, threat intel analyst at KELA.


KELA’s “All Access Pass: Five Trends with Initial Access Brokers” Report Reveals the Inner Workings of the Ransomware-as-a-Service Ecosystem

KELA, the global leader in actionable threat intelligence, today announced the launch of brand new research along with LUMINT, a new offering providing users with a glimpse into KELA’s latest intelligence insights from the dark web including newly listed ransomware attacks, compromised network accesses for sale in cybercrime forums, leaked databases and data dumps, and updates on trending cybercrime threats. KELA’s newly released research report, “All Access Pass: Five Trends with Initial Access Brokers,” includes an in-depth analysis of Initial Access Brokers (IAB) and their activity for a full year from July 1, 2020 to June 30, 2021.


How (and Why) Hacker Forums Self-Moderate

“Everything in moderation,” the saying goes. But it may come as a surprise that this expression even seems to apply to many of the hacker forums littered across the dark web. On the surface, these forums may appear to be a lawless landscape, but there are some activities even hacker forums ban because they tend to attract too much heat.


Cybercriminals Employing Specialists To Maximize Ill-Gotten Gains

Ransomware gangs are increasingly turning to specialists to complete their capers on corporations, according to a Dark Net intelligence provider. A report issued Friday by Tel Aviv-based Kela noted that the days when lone wolves conducted cyberattacks from start to finish have become nearly extinct. The one-man show has nearly completely dissolved, giving way to specialization, maintained the report written by Kela Threat Intelligence Analyst Victoria Kivilevich.


Ransomware gangs get more professional

Ransomware, and indeed malware generally, used to be something of a cottage industry, the preserve of individuals or small groups. But new research from threat intelligence company KELA shows that it’s becoming a highly professionalized industry.


The Business of Ransomware: Specialists Help Boost Profits

Known as “pentesters” on Russian-language cybercrime forums, RaaS operations regularly advertise for these types of individuals, seeking help with obtaining domain-level access on victims’ networks and often offering them 10% to 30% of every ransom paid by a victim, according to Kela’s report.


Ransomware as a service: Negotiators are now in high demand

On Thursday, KELA threat intelligence analyst Victoria Kivilevich published the results of a study in RaaS trends, saying that one-man-band operations have almost “completely dissolved” due to the lucrative nature of the criminal ransomware business.


Ransomware gangs seek people skills for negotiations

The increasing sophistication of the cyber criminal underground is now reflected in how ransomware operations put together their crews, seeking out specialist talent and skillsets. Indeed, some gangs are coming to resemble corporations, with diversified roles and outsourced negotiations with victims, according to new research published by Kela, a provider of threat intelligence services.


Recent Cybercrime Attack Trends

Check out KELA’s Raveed Laeb in an interview with Charlene O’Hanlon from as he sheds some light on the most recent trends in the cybercrime underground ecosystem. Raveed also dives into KELA’s industry leading technologies to explain how we can leverage these trends to track and defeat cybercriminals before they cause harm.


Russian Cybercrime: Is Extradition Ahead?

US President Joe Biden is expected to meet with Russian President Vladimir Putin today to discuss the cyber threats emerging from Russia that are targeting the whole world. In response to the expected talk today, Irina Nesterovsky, Chief Research Officer at KELA explains: “There is this common knowledge between Russian-speaking and Russia-based cybercriminals that as long as you refrain from attacking Russia or any other CIS [Commonwealth of Independent States] countries, you’re safe to a certain degree as local Russian authorities won’t hunt you.”


Exclusive: Tens of thousands of Scottish public sector leaked credentials discovered on the dark web

Kela’s RaDark tool was also deployed to simulate the reconnaissance path hackers use to scan networks for vulnerabilities, based on its ‘attack surface mapping’ capabilities. To find the best ‘vector’ for an attack, cybercriminals will often look for outdated technologies or open ports to find their way in. According to Kela’s analysis across the public sector domains, it found ‘multiple potential compromise points’, including exposed remote access services that could enable an attacker to access and further compromise a network, and outdated web technologies whose ‘inherent vulnerabilities could lead to an attack on the organisation’s website’.


How ransomware groups like DarkSide became professional operations

Once they have identified a potential target, the IAB will ‘groom’ them – they “perform some reconnaissance, escalate privileges or install further tooling,” explains Victoria Kivilevich, a threat intelligence analyst at Israeli cybersecurity company KELA – before sharing access in exchange for a cut of the ransom. “Once a target is ripe and ready, it can be offered on cybercrime markets where ransomware affiliates can acquire it and move forward with the final attack,” says Kivilevich. Last year, DarkSide posted a job advert on the dark web for an IAB with access to companies with a net worth of $400m or higher.



“I think one thing is clear, cybercriminals are not still, nor are they going to be quiet and they are going to look for new ways of doing things and for this they will use all present and future technologies that will provide them with the highest level of impunity possible. The important thing is to know what they are doing and where they are doing it and to follow them (and chase them) wherever they go to be able to anticipate and avoid and / or stop their attacks.
From another point of view, I am sure that the cyber intelligence market, or rather, the maturity in cyber intelligence of Spanish companies will be much higher than that existing today, and that in itself is a positive thing.”


Colonial Pipeline Hacker DarkSide Says It Will Shut Operations

Like many technology startups, DarkSide poured some of its revenue into
developing new features, according to its posts in forums. In March it introduced
DarkSide 2.0, an update to its service that came with a “call on us” feature that
let users make internet-based calls for free to victims, according to an analysis of
forum posts by threat intelligence firm Kela Research and Strategy Ltd.


DarkSide Added ‘Toshiba France’ to Its Victim List but It Could Be the Last One

While new victims continue to show up on Darkside’s shaming blog (as is the case with Toshiba France), we see that the aftermath of the Colonial attack has created waves in the cybercrime underground. More specifically, there are rumors stating that the DarkSide “program” is closing down, and one of the largest Russian-speaking cybercrime forums has just banned the promotion of ransomware on its platform.


The REvil Ransomware Gang Lists Three New Engineering Makers as Victims

Initial access brokers – the tier of cybercriminals who obtain network access, move laterally within the network, and eventually sell the compromised access to ransomware affiliates and gangs – generally do not sell their access to more than one buyer (out of courtesy to fellow cybercriminals). Though there are numerous initial access vectors, we presume that unpatched vulnerabilities are more common to be exploited by multiple groups for the same victim, making it a necessity for organizations to continually prioritize patching and monitor their network infrastructure.


KELA Names David Carmiel New CEO; Promotes Nir Barak to Chairman of KELA Board

We’re excited to officially announce that David Carmiel, former CTO and Chief Research Officer, has been appointed as Chief Executive Officer at KELA. Nir Barak, KELA’s former CEO and Founder has been promoted to Chairman of the Board. In his new role, David Carmiel will continue to guide KELA towards the company’s global mission of providing the world’s best intelligence solutions that empower organizations to neutralize their most relevant threats observed in the cybercrime underground.


Fourth time’s a charm – OGUsers hacking forum hacked again

OGUsers has been hacked for its fourth time in two years, with hackers now selling the site’s database containing user records and private messages. KELA shares that we will likely be seeing members shifting to other communities – and maybe even establishing new ones – given both the poor operational security and the damage to the OG brand among fraudsters and other criminal actors.


MangaDex discloses data breach after stolen database shared online

At this time, the MangaDex database is privately being circulated and has not been publicly released. However, using KELA’s cybersecurity intelligence engine DarkBeast, BleepingComputer has been able to find threat actors distributing what they claim is a MangaDex database from the March 2021 attack.


Avaddon Ransomware Group Hit the Small Italian Municipality of Villafranca d’Asti

In the last few months, KELA has observed Avaddon specifically attacking municipalities in Portugal, Italy, Brazil, France, and Czech Republic. Avaddon has released the municipalities’ sensitive data, indicating that the majority of them have not been paying the ransom demanded. Our researchers are continually monitoring Avaddon and other ransomware groups to identify if attacking municipalities could be a new trend, or if these are simply opportunistic attacks.


KELA Unveils Major Updates to Industry-Leading Technology, DARKBEAST

KELA, the global leader of actionable threat intelligence, announces today many of the recent major improvements applied to their cybercrime research and investigation technology, DARKBEAST, during Q1. KELA’s industry-leading technology helps expose underground digital dangers to its clients by collecting, analyzing, and storing data from numerous sources in the cybercrime underground and making it accessible for users to search through – saving them the time, risk, and complexity of needing to locate and access the sources themselves.


REvil Group’s Failed $4 Million Extortion on Tata Steel Leads to Technical Drawings Leak

With the aid of KELA, we were able to see technical drawings of production line machines that are marked as “Confidential,” so they’re clearly not intended for publication. This potentially means REvil doesn’t have much hope in seeing any positive development in their negotiation efforts, and they’re immediately letting valuable stuff out. We have blurred the following samples that REvil posted as proof of the compromise.


Ransomware group targets universities in Maryland, California in new data leaks

Screenshots published by the group, viewed by ZDNet via KELA’s threat intelligence suite Darkbeast, include lists of individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit adjustment requests.


The NWO Is Still Recovering From Last Month’s Ransomware Attack

According to what we were able to find with the help of KELA, the cyber-intelligence experts, the ransomware gang that hit NWO was DoppelPaymer, and the actors have already leaked a dozen files stolen from the servers of the Dutch research council.


REvil Struck Laptop-Maker Acer and Demands $50 Million in Ransom

With the help of KELA’s cyber-intelligence tools, we located the new leak site, and we got to access the documents that are used for the extortion. We have blurred the following for you to get an idea of what has been stolen from Acer’s computers.


Did ‘exposed’ data on dark web lead to ransomware attack on Scottish university?

KELA reveals that there are over 8,000 ‘leaked credentials’ – including email addresses and sometimes passwords – belonging to UHI staff and students that have been leaked or stolen and possibly traded on underground web forums. A further 100-plus ‘compromised accounts’ were also found on malicious dark web sites, including one that indicated access to Active Directory Federation Services – a software component developed by Microsoft – ‘probably related to internal systems’, according to KELA.


Exchange PoC Released and APTs Gather Around Vulnerable Servers Like Piranhas

KELA shares that numerous threat actors have shown high levels of interest in the newly released PoC exploit for Microsoft Exchange. We’ve observed that not only are APT groups showing interest driven from an espionage motivation, but cybercriminals are also showing interest as they see the potential monetary value that can be gained from exploiting this vulnerability.


Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds

Threat intelligence experts are warning of a new version of the Darkside ransomware variant which its creators claim will feature faster encryption speeds, VoIP calling and virtual machine targeting. KELA shared with Infosecurity information posted by the Russian-speaking group to dark web forums XSS and Exploit.


Identity Theft Attacks Channeled Millions in Jobless Claims to Inmates

The Covid-19 period has seen a large number of scammers engaging in identity theft and unemployment fraud, in an attempt to receive money that they aren’t eligible for. Fraudulent activities, such as identity theft, are commonly enabled through chatter and tools shared in underground forums. Today, 15 US states use to allow citizens to prove their identity online. KELA reveals that cybercriminals are actively sharing tutorials on how to create a seemingly valid profile that will ensure they get their claim approved in their state.


Darknet Markets Compete to Replace Joker’s Stash

“With the heavy marketing and advertising that Brian’s Club has been investing in, it seems that the longtime attempts of marketing to credit card traders may be finally paying off now that Joker’s Stash is out of the picture,” says Victoria Kivilevich, a threat intelligence analyst with Kela. “Brian’s Club has been immodestly trying to steal the thunder by publishing an advertisement on the main page of [Russian-language forum] XSS, soon after the announcement by Joker’s Stash.”


CD Projekt Red source code reportedly sells for millions in dark Web auction [Updated]

Cyber intelligence firm KELA confirmed the authenticity of that auction, telling The Verge that forum users needed to put up 0.1 BTC (roughly $4,700 as of this writing) to participate in the bidding as a sign that offers were legitimate. The sellers also reportedly provided file listings for Gwent and the Red Engine that underlies CDPR’s games as proof that the data was authentic.


Stolen CD Projekt Red Files Reportedly Now Sold After Dark Web Auction

KELA (which previously provided The Verge with what it believes to be legitimate file lists from CD Projekt’s Red Engine) reports that an auction set up to sell the files has now been closed after a “satisfying offer” was made from outside of the forum it was being held on. That offer reportedly stipulates that the code will not be distributed or sold further. Cybersecurity account vx-underground also reported that it had heard the sale was completed.


Hackers ask only $1,500 for access to breached company networks

The number of offers for network access and their median prices on the public posts on hacker forums dropped in the final quarter of last year but the statistics fail to reflect the real size of the initial access market. Data from threat intelligence firm Kela indicates that many of the deals actually closed behind closed doors, a trend shaped over the past months.


Cyberpunk and Witcher hackers claim they’ll auction off stolen source code for millions of dollars

Following the recent ransomware attack on video game developer CD Projekt Red, KELA reveals that hackers are now auctioning off the source code they acquired, with a starting price of $1 million. These include source code files for both the Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, Thronebreaker: The Witcher Tales spinoff, and the recently released Cyberpunk 2077.


Experts: Foxtons Breach Was Egregor Ransomware

Recent announcements revealed a data breach on UK-based estate agency, Foxtons. KELA threat intelligence analyst Victoria Kivilevich explains that Foxtons was actually a victim of a ransomware attack in October, and confirms that this breach does not seem to be a separate incident. Generally, ransomware gangs have taken on a trend of a double extortion tactic – where they demand two ransoms: one to avoid public exposure of their data and one for unlocking their systems. It’s likely that Foxtons has not yet negotiated or agreed to pay, and that is why part of the data has been leaked.


How Ransomware Is Accelerating in the COVID-19 Era

KELA’s Ayesha Prakash, VP of Global Channels and Alliances has released her EOY blog about ransomware during the COVID era. In her blog-post, Prakash explains why COVID-19 is a curse on the world, and a gift to cybercriminals. She later explains that what organizations need now is to make cybersecurity a forefront issue, to treat it as business-critical, and as a public health risk.


Ransomware Gangs are Abusing VMWare ESXi Exploits to Encrypt Virtual Hard Disks

Threat actors have also been observed selling access to ESXi instances on underground cybercrime forums last year, according to threat intelligence firm KELA. Since ransomware gangs often work with initial access brokers for their initial entry points inside organizations, this might also explain why ESXi was linked to some ransomware attacks last year.


Ransomware’s Helper: Initial Access Brokers Flourish

Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million. During that time frame, Kivilevich says, the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. But 24% of offers didn’t list a price.


Initial Access Remains a Booming Business on the Dark Web

The prospering of the initial access market on the dark web continues unabated, and according to a report published by KELA yesterday, it has surpassed the size of $1.2 million in Q4 2020. The cyber-intelligence firm that uses specialized tools to monitor listings across numerous dark web sites has traced 242 new listings during that period, having an average price of $6,684 and a maximum of 7 BTC.


‘’ Data Leak Exposes 2 Million Credit Score Reports

‘,’ an India-based online banking service that offers credit card, loan, and insurance management services for small businesses and merchants, has suffered a data breach. Due to KELA’s caching capabilities, we were able to find the first evidence of the particular dataset appearing on the dark web for sale on December 25, 2020.


The State of the Dark Web: Insights From the Underground

KELA’s researchers explain how the dark web represents a wide variety of goods and services which are traded across many different underground forums and markets. KELA explains that tapping into these forums and markets can help security teams keep up with where adversaries may be headed next.


Sensitive Data of Over 325,000 Indian Users Leaked in BuyUCoin Hack

Researchers at KELA discovered a leaked database belonging to BuyUCoin, an India-based global cryptocurrency exchange and wallet. On the same forum that the database was leaked KELA also identified leaked databases from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and, which looks like the handiwork of infamous hacking group ShinyHunters.


KELA Joins Cyber Security Forum Initiative (CSFI) as a Gold Sponsor in a Mission to Support National Cyber Security

KELA is thrilled to join the Cyber Security Forum Initiative (CSFI) as a gold sponsor in a mission to support national cyber security. We’re looking forward to working alongside CSFI to make the cyber environment a safer and more secure place by providing valuable darknet threat intelligence to government, military, private sector, and academia in the US.


Threat Actor Claims to Leak 500K+ Records of C-level People from Capital Economics

Irina Nesterovsky, KELA’s CRO said, “It was originally leaked in early January in an English-speaking forum exposing information of nearly 500K people. The second instance we saw it appearing was when an actor tried selling it in another forum claiming that he had a database “for Finance Company Including SQL” with 500K records. Later that day, the same actor leaked the database for free claiming it contained data of more than 500K C-Level executives. KELA confirmed that the same database was shared in all instances. It appears that the “500K C level” title was given to the post in order to boost the importance of the database – the entire size of the relevant user database is around 500K lines, not at all a majority of which are C-Level employees.”


ShinyHunters publishes 1.9M stolen user credentials from photo editing site Pixlr

ShinyHunters has recently been very active after going silent for some time. Over this past summer, ShinyHunters was seen publishing leaked data for free, exposing millions of personal records from all over the world; however, we have not observed ShinyHunters releasing data themselves since November. In the last few days the group has leaked databases for free – among them a Pixlr database, exposing 1.9 million user records.


The ‘DarkSide’ Operators Respond to the Release of a Decryptor

KELA reveals a Q&A published by DarkSide ransomware operators following the release of the ransomware decryption tool. Throughout the Q&A, Darkside operators stated the decryptor was used by 4 targets but 1 of them eventually paid. They also include details about how they will refund losses to affected affiliates and why it’s not happening again in the future. The free decryptor allows victims to recover their files without paying a ransom to DarkSide operators.


Ransomware Disrupts Scottish Environment Protection Agency

The Scottish Environment Protection Agency says a ransomware attack last month continues to cause serious outages and warns that ransom-demanding attackers also stole some data. KELA’s experts share that a portion of SEPA’s data (7% of what they claimed to obtain) has been released on a leak site dedicated to Conti’s ransomware victims, and therefore assess with medium confidence that this is indeed an attack by Conti.


Cyber criminals are taking aim at online gaming for their next big pay day

Cybersecurity company Kela examined underground forums and found an ecosystem based around buying and selling initial network access to gaming companies, as well as almost one million compromised accounts of gaming employees and clients up for sale – with half of those being listed in 2020 alone.


Leading Game Publishers Hit Hard by Leaked-Credential Epidemic

In a recent scan, they found 1 million compromised credentials associated with the larger gaming universe of “clients” and also employees – half of which were for sale online. More than 500,000 of the leaked credentials pertained to employees of leading game companies, according to the report published Monday.


Top gaming companies hit by major data breach, one million employees affected

Although Kela did not disclose the specific companies affected, it did reveal that it has been monitoring underground markets for more than two-and-a-half years now and that nearly every major gaming company was affected. The compromised credentials would give attackers access to a number of important internal resources, including admin panels and development-related projects.


Stolen employee credentials put leading gaming firms at risk

More than 500,000 login credentials linked to the employees of 25 leading game publishers have been found for sale on dark web bazaars, according to a report by threat intelligence company KELA. Threat actors have been increasingly targeting the gaming industry, including by harvesting and selling access credentials into the internal systems of top-tier game companies.


One Million Compromised Accounts Found at Top Gaming Firms

As Covid-19 has taken away 2020, people around the world have begun giving the online gaming industry a chance, hence growing revenues in this industry tremendously. After scouring dark web marketplaces, KELA discovered a thriving market in network access on both the supply and demand side. This included nearly one million compromised accounts related to employee- and customer-facing resources, half of which were listed for sale last year.


There’s Evidence That Ransomware Groups Are Forming Extortion Cartels

KELA reveals further proof of ransomware groups forming cartels to intimidate victims even further. KELA recently observed MountLocker touting 5% of the data dump originally stolen by “Ragnar Locker” during a cyberattack against ‘Dassault Falcon.’ The ransomware operators claim that the listing is from one of their partners, and provide a reference link to Ragnar Locker’s extortion site, which exposed partial data of this victim earlier this month.


Safe-Inet, Insorg VPN services shut down by law enforcement

Safe-Inet services have been running for 11 years, advertised to cybercriminals needing multiple layers of anonymity and stable connections. BleepingComputer has seen ads for Safe-Inet services on several forums for black hat activities. The one below, posted as recently as December 4 and supplied by cybersecurity intelligence firm KELA, is from a carder forum hidden in the Tor network.


FBI & Interpol disrupt Joker’s Stash, the internet’s largest carding marketplace

Following the recent seizure of Joker’s Stash (the largest marketplace for trading stolen cards) by law enforcement, KELA reveals that the disruption was only temporary and that the market’s admins claimed the actual Joker’s Stash portal continues to work as normal, with only proxy servers having been seized.


Digging the Recently Leaked Chinese Communist Party Database

KELA analyzed and obtained a database containing details of 1.9 million Chinese Communist Party members in Shanghai, which has recently resurfaced in the darknet communities, and found that companies in which CCP members were found include Pfizer, AstraZeneca, Airbus, Boeing, HSBC, Rolls-Royce, Jaguar and more.


Millions of ShopBack, RedDoorz user records put on sale in hacker forums; Peatix another victim of breach

KELA, a cybersecurity firm headquartered in Israel, told BT that 5.7 million plaintext passwords were also made available for download from a website called, though the leak does not contain emails. “It will require some work for (threat actors) to correlate emails and hashed passwords from the original leak with dehashed passwords,” the firm said.


Egregor’s Latest Press Release Is a Victim Intimidation Machine

The ‘Egregor’ team has published a press release meant to intimidate victims and practically convince them to pay the demanded ransom. Spotted on the dark web by researchers of the KELA threat intelligence firm, the press release includes several key points specifically addressed to those who have not “secured a contract” with the actors.


Networking equipment vendor Belden discloses data breach

American networking equipment vendor Belden said it was hacked in a press release published earlier this week. According to data provided by threat intelligence firm KELA, credentials for Belden accounts have been available on the cybercrime underground since April this year, although it’s unclear if they have been used to orchestrate this breach.


A hacker is selling access to the email accounts of hundreds of C-level executives

Attackers can use corporate credentials to monetize in many different ways – from manipulating employees to wire money through CEO scams, to exploiting them in order to move laterally in the organizations to conduct a network intrusion.
KELA’s technologies automatically monitor closed underground forums where threat actors are regularly trading corporate credentials and other sensitive data. Contact us to learn more about how KELA can help you detect if any of your sensitive data is circulating in the Dark Net.


Pakistan International Airlines data breach underscores sharp rise in illicit sales of access credentials

KELA’s researchers said that cybercriminals advertised domain admin access to PIA’s internal network for $4,000, while its customer database was listed for $500. Initial network access in such illicit deals refers to remote access to systems in a compromised organization, while those selling it are known as remote access brokers. Rather than hack their way into corporate networks, cybercriminals often purchase such initial network access to gain a foothold, allowing them to move laterally and expand their access rights.


Chinese APT10 hackers use Zerologon exploits against Japanese orgs

KELA reveals the latest threats targeting Japanese organizations, and concludes that threat actors, Advanced APT groups and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks.


Ransomware Operator Promotes Distributed Storage for Stolen Data

“Such servers in Iran and [other] countries will be harder to discover, block, and cease due to a lack of cooperation from local authorities,” says Victoria Kivilevich, threat intelligence analyst at Israel-based security firm KELA, which first discovered the scheme.


DarkSide Ransomware’s New Data Leak Service In Iran Will Spread and Store Victims’ Stolen Data

According to Bleeping Computer‘s latest report, on Nov. 12, the cybersecurity intelligence firm Kela revealed DarkSide operators’ new posted topic on a Russian-speaking hacker forum. Additionally, Bank Info Security reported that the cybersecurity firm Kela said that the hackers claim that their average ransom is between $1.6 million and $4 million.


Darkside Ransomware Gang Launches Affiliate Program

#DarkSide ransomware launches their affiliate program. For the first time ever, KELA notices the operators offering initial access brokers to directly trade with them rather than through affiliates or middlemen. It seems that DarkSide is strengthening their efforts, and we can expect to see a surge of attacks by this gang over the coming months.


Hacker Sells Access to Pakistani Airlines’ Network

KELA spotted a threat actor touting domain admin access to Pakistani International Airline for $4,000 on two Russian-speaking illegal online forums and one English-speaking forum that they had been monitoring. KELA’s team had been tracking ransomware trends, exploring how initial access brokers in the cybercrime community play a role in the supply chain of this popularly deployed malware.


Data-Exfiltrating Ransomware Gangs Pedal False Promises

In terms of unusual timing, another ransomware operation has also promised to turn out the lights. “We’ve seen Suncrypt affiliates stating on Exploit” – a cybercrime forum – “that the operators told them that the program is closing,” according to Israeli cyberthreat intelligence monitoring firm Kela. “It’s a bit interesting – and even suspicious – to see two major ransomware groups shutting down their operations around the same time.”


23,600 Hacked Databases have Leaked from a Defunct ‘Data Breach Index’ Site

More than 23,000 hacked databases have been leaked from the site archive of, a private service advertised on hacking forums to other cybercriminals. For the past several months, KELA’s technologies have been monitoring data from, prior to the site’s seizure in mid-September. As part of KELA’s leaked credential monitoring KELA’s clients have already had visibility into this site, and have already been alerted on any of their data that may have been leaked in these compromised database feeds.


As Dark Net Endangers Enterprises, MSSPs Need New Tools

One cybersecurity intelligence firm, Kela, intends to help MSSPs do just that with its new platform, IntelAct. The technology, Kela says, allows MSSPs to track and intercept any mentions of their clients’ network infrastructure, vulnerabilities or exposures in the dark net. This turns the attackers’ edge against them, remediating issues before they become breaches, the vendor says. IntelAct is fully automated, scalable, and requires no installation or network access.


KELA Launches New Technology for Attack Surface Intelligence

KELA announces today the release of their latest proprietary technology – IntelAct, allowing 100% automated monitoring of an organization’s attack surface. KELA’s Dark Net experts launch a new technology enabling organizations to receive real-time, automated alerts of their exposure in the Dark Net.


In September 2020, access to hacked networks was traded three times as often

KELA specialists write that they indexed 108 listings posted on popular hacker forums and calculated that the combined value of the accesses offered by the hackers amounts to USD 505,000. Moreover, about a quarter of the lots were ultimately sold to attackers wishing to target particular companies.


‘Network access’ sold on hacker forums estimated at $500,000 in September 2020

As ransomware attacks continue to rise, initial access brokers are repeatedly being seen as key players by selling network access to ransomware operators as an initial entry point into victims’ networks. In September alone, KELA detected over 108 accesses for sale at a total value of USD 500,000 – 3 times higher than the numbers gathered in the previous month.


Why Encrypted Chat Apps Aren’t Replacing Darknet Markets

Some markets have moved to drop illegal drugs and begun adopting an “automarket” approach that focuses on self-fulfilled sales of malware, stolen databases, login credentials and other hacking and cybercrime tools and services, the Kela researchers say. Criminals’ thinking, they note, appears to be that by not selling drugs, and with malicious “cyber” tools existing in a legal gray zone in many jurisdictions, such markets will be less likely to get disrupted.


Hackers Sell Access to Your Network Via Remote Management Apps

In a report shared with BleepingComputer, cyber intelligence company KELA was able to determine that the offer was for Zoho’s ManageEngine Desktop Central, a management platform that lets administrators deploy patches and software automatically on network machines, as well as troubleshoot them through remote desktop sharing.


CISA Warns of Notable Increase in LokiBot Malware

Credentials stolen via LokiBot usually end up on underground marketplaces like Genesis, where KELA suspects LokiBot is the second most popular type of malware that supplies the store.


Why Darknet Markets Persist

Kivilevich and Raveed Laeb, Kela’s product manager, tell ISMG that it’s important to distinguish between the two types of darknet markets: drug marketplaces and cyber-focused marketplaces selling such things as malware, stolen databases and login credentials. “We also see sales of illicit and counterfeit goods – money, watches and stuff like that – but most of the time, that’s not the actual focus,” they say.
More recently, the sale of cyber goods has been migrating to what the darknet community calls “autoshops,” meaning they sell goods and services in a highly automated manner. Kela refers to this as the “servitization” – meaning selling not just goods but also services and outcomes – of the underground ecosystem.


LockBit Ransomware Launches Data Leak Site to Double-Extort Victims

KELA has been closely tracking new monetization methods employed by ransomware operators. One common method is for ransomware gangs to steal data before encrypting it, use it as leverage in ransom negotiations, and frequently publish that data on dedicated leak sites. Riding on this trend, LockBit ransomware has just launched a new data leak site to be used as part of its double extortion strategy to pressure victims into paying the ransom.


Hacked: ‘Best Australian Financial Data’ for Sale on the Dark Web

Victoria Kivilevich, threat intelligence analyst at Israeli intelligence firm KELA – which discovered the breaches of Australian financial data – said there had been an increase in attacks in recent years, and also in RaaS, or ransomware-as-a-service; hackers were also often working together. “The most popular ransomware strains are operated by cybercriminals looking for financial gain,” Ms Kivilevich said. “Chasing profits, ransomware actors are always inventing new methods of intimidating victims.”


KELA Names Ayesha Prakash as Vice President of Global Channels and Alliances

We’re excited to officially welcome Ayesha Prakash to our team as our new Vice President of Global Channels and Alliances. Ayesha joins KELA to build and evolve the company’s strategic alliances and expand KELA’s global engagement with channel and technology partners. We’re excited to have her on board and are looking forward to seeing what we will accomplish together!


With Empire Gone, Patrons Eye Other Illegal Darkweb Markets

Israeli cyber threat intelligence monitoring firm KELA has provided BleepingComputer with information on the matter, along with screenshots.
The company analyzed forums that darknet users frequent and has offered insights on their movements.


More Ransomware Gangs Threaten Victims With Data Leaking

KELA’s latest research analyzes the recent rise of ransomware attacks and how that rise has introduced new monetization methods that allow ransomware gangs to extract more money from each victim. This research laid out the top 6 trends observed among ransomware groups in the underground ecosystem and shared how these new methods are likely to spread.


Avaddon Ransomware Joins Data-Leaking Club

Israeli cybersecurity intelligence firm Kela shared that the operators behind Avaddon announced their data-leaking site via a Russian-language cybercrime forum. So far, the ransomware gang has listed one victim – a construction firm – from which 3.5 MB of allegedly stolen documents have been leaked.
“The attackers published a sample of the obtained data, including information related to the company’s activity in the U.K., Mexico, Philippines, Malaysia and Thailand,” Kela tells Information Security Media Group.


Avaddon Ransomware Operators Have Launched Their Data Leak Site

Cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators had announced their new data leak site on a Russian-speaking hacker forum.


Avaddon Ransomware Launches Data Leak Site to Extort Victims

KELA shared with BleepingComputer that the Avaddon ransomware operators have announced on a Russian-speaking hacker forum this weekend that they have launched a new data leak site. KELA has shared that until now, only one victim has been listed – a US-based construction company.


Hacker Leaks Passwords for 900+ Enterprise VPN Servers

KELA’s #DARKBEAST has helped ZDNet obtain a copy of a recently leaked list of plaintext usernames and passwords for 900+ Pulse Secure VPN enterprise servers. If compromised, these Pulse Secure VPN servers can provide hackers easy access to a company’s entire internal network.


Email is Still a Hacker’s Wonderland, They Could Take or Leave Slack

Cybersecurity researchers from KELA found about 17,000 Slack credentials for sale across 12,000 Slack workspaces in cybercrime online markets. While “many access types — webshells on online stores, RDP servers or corporate email inbox access — are a highly sought-after resource driving thriving markets,” no one is really buying Slack credentials, according to KELA.


Slack Accounts Don’t Interest Cybercriminals

Using its threat intelligence platform, KELA searched for Slack credentials on cybercrime markets, in an attempt to see whether this threat vector was popular among cybercriminals. The company says it found more than 17,000 Slack credentials recently put up for sale online on hacking forums and on credential marketplaces such as Genesis.


The “Bitcoin Twitter Hack” May Have Started With a Slack Compromise

KELA has found that there were at least 17,000 Slack credentials sold in the ‘Genesis Store’ alone, priced between $0.5 and $300, depending on how valuable they were. While a connection with the recent Twitter hack isn’t based on concrete evidence, there are indications pointing to this scenario.


Slack Credentials Abundant on Cybercrime Markets, But Little Interest from Hackers

Following reports that last week’s Twitter hacks may have been due to credentials stolen from an internal Slack channel, KELA decided to dive deeper into this topic, and found that currently more than 17,000 Slack credentials for roughly 12,000 Slack workspaces are being sold on underground cybercrime markets.


MGM Hotel’s 2019 Data Leak Might Have Affected 142M People, Not 10.6M

Threat research firm KELA notified the publication about posts on Russian security forums that advertised an MGM data breach affecting more than 200 million customers.
In the past few years, hackers have attacked several hotels to steal customer data. In March, Marriott Hotels was breached impacting more than 5.2 million people.


Millions of Logins from UK Ticket Site for Sale on Dark Web

KELA discovered a database of 4.8 million records posted for sale, belonging to a leading provider of ticket services for live shows in the UK. KELA’s intelligence team told Infosecurity Magazine that they acquired a sample of 10,000 records in order to analyze this data. Following analysis, KELA deduced that the leak affects users in the UK, US, New Zealand, Australia, South Africa, Germany, France and a few other countries, and that some of the records belong to governmental domains.


British e-Ticketing Service Breach Resulted in 4.8 Million Records Now for Sale

Intelligence analysts at KELA discovered a database of 4.8 million records, containing emails and passwords, belonging to a leading provider of ticket services for live shows in the UK. The database was posted on July 8, 2020 on an underground forum by a newly registered threat actor, called “JamesCarter”, for $2500. KELA managed to acquire a sample of the database containing about 10,000 email addresses, and found that only about 300 email addresses were duplicates, deducing that the full leak likely consists mostly of unique combinations.


A Hacker is Selling Details of 142 Million MGM Hotel Guests on the Dark Web

In an exclusive today on ZDNet, KELA shares that the breached MGM database, originally reported to have 10.6 million records, actually contains nearly 200 million. The hotel’s database resurfaced on the dark web this past weekend. This wasn’t the only time it resurfaced, though. KELA’s intelligence team told ZDNet back in February that the MGM data had been circulating and was being sold in private hacking circles since at least July 2019.


Hacked: Thousands of MyGov Accounts for Sale on the Dark Web

The compromised accounts were detected by Israeli intelligence firm KELA, which specialises in dark web threat intelligence and offers its clients a real-time dark web search engine called Darkbeast.
KELA threat intelligence team leader Elad Ezrahi said the MyGov accounts were extracted from more than 2000 compromised computers, or “bots”. Botnets are networks of compromised machines controlled by a single actor.


The Details of 384,319 BMW Owners Are for Sale on the Dark Web

KELA researchers have shared one of their most interesting recent findings with TechNadu, and it looks like it concerns BMW and 384,319 of its customers in the UK. Apparently, the prolific hacking group known as “KelvinSecurityTeam” has posted a database they acquired when they hacked ‘’. This is the same group of actors that recently sold databases from 16 companies, including the business consulting firm “Frost & Sullivan.”


500,000 BMW, Mercedes and Hyundai Owners Hit by Massive Data Breach

The personal information of almost 400,000 UK-based BMW customers is being sold to the highest bidder on an online black market, according to Tel Aviv-based darknet intelligence experts KELA.
Hackers at a group called KelvinSecurity Team have gained access to a BMW customer database and listed it for sale on an underground forum used by cybercriminals.


BMW Customer Database for Sale on Dark Web

KELA found a database of UK car owners offered for sale on an underground forum, which was initially described as BMW customers’ database affecting 384,319 customers. The data was posted by the KelvinSecurityTeam. KELA obtained the database and found that it contains almost 500,000 customers’ records from 2016-2018. The exposed data includes initials and surnames, emails, addresses, vehicle numbers, dealer names, and more; it affects owners of different cars in the UK.


Roblox Accounts Hacked with Pro-Trump Messages

Hackers have breached more than 1,800 Roblox accounts and defaced user profiles with messages in support of Donald Trump’s reelection campaign. With the help of threat intelligence firm KELA, ZDNet was able to identify multiple web pages containing large lists of Roblox usernames and cleartext passwords.


KELA Launches Sensitive Hostname Detection

KELA is proud to announce the launch of Sensitive Hostname Detection. As part of this addition, KELA’s RADARK now automatically alerts users on sensitive webpages that may be exposed to the public internet.
Get in touch with us today to learn more about how KELA detects vulnerabilities in your organization’s Internet-facing infrastructure.


Oz Sites Being Sold On The Dark Web

Elad Ezrahi, Threat Intelligence Team Leader at the Israeli intelligence company KELA, told the Australian Financial Review: “If the web shell enables the actor to abuse the mail server of the compromised website, the actor could use it to send spam and phishing emails… if the compromised site is of a governmental entity, for example, the consequences can be notably severe.”


Hacked: Aussie Websites for Sale on Dark Web

Elad Ezrahi, Threat Intelligence Team Leader at Israeli Intelligence company KELA, said web shells could be used for nefarious purposes. Remote access markets served as a gateway for obtaining data, he said.


KELA Acknowledged in Gartner’s Market Guide for Security Threat Intelligence Products and Services 2020

Nir Barak, CEO and Founder of KELA shares, “Since KELA’s establishment we have been investing significant efforts to make sure that our technologies and services are perfectly applicable to what is required by security and intelligence teams. In our opinion, being acknowledged as a vendor of dark and deep web monitoring by our wide and global customer base, and now also by Gartner, definitely makes it seem like our team’s arduous work is making an impact, and gives us validation that we are growing on the right path.”


Ransomware Gangs Team Up to Form Extortion Cartel

KELA shares intelligence from their daily ransomware monitoring with specialists from Bleeping Computer. “BleepingComputer was told by cyber intelligence firm KELA that the Maze operators added the information and files for an international architectural firm to their data leak site.”


26 Million LiveJournal Credentials Leaked Online, Sold on the Dark Web

With the help of threat intelligence firm KELA, ZDNet has confirmed the existence of the LiveJournal stolen database and has tracked down copies and mentions of user data in multiple locations across the hacking underground.


KELA Extends Intelligence Monitoring Capabilities with Access to Instant Messaging Groups & Real-Time Image Searching

KELA announced today the capability of automatically searching through images and chatter in instant messaging groups, through DARKBEAST, their proprietary Dark Net threat hunting platform. The expansion of KELA’s data lake to include instant message groups, such as closed Telegram groups and Discord channels, is meant to provide partners and clients with added intelligence from different high-quality and curated sources.


Hacker Selling 40 Million User Records from Popular Wishbone App

Since Have I Been Pwned allows users to hide their email from public searches, we also verified these emails against a private platform managed by threat intelligence firm KELA, which has also been indexing and tracking data leaked in older breaches.


Cybercrime Marketplace MagBo Selling Access to 43,000 Hacked Websites

According to the latest report from threat intelligence firm KELA, MagBo is offering access to over 43,000 hacked servers and some of these belong to state and local governments, ministries, financial institutions, and health care facilities.


The “MagBo” Portal Offers Access to Thousands of Hacked Servers

KELA researchers report that the daily server additions to the market are between 200 and 400, and the number of daily transactions is approximately 200. There are 190 unique sellers who have something to offer on MagBo, while the cost to access each server depends on its type.


43,000 Hacked Servers up for Sale on Cybercrime Marketplace

More than 43,000 hacked servers are currently for sale on online cybercrime marketplace MagBo, according to new research from threat intelligence firm KELA and ZDNet.


Hackers Preparing to Launch Ransomware Attacks against Hospitals Arrested in Romania

According to threat intelligence provided by cyber-security firm KELA, the PentaGuard group has been around since 2000, when they were involved in mass-defacements of several government and military websites, including the website of Microsoft Romania.


Cybercrime Shop Is Selling Access to More than 43,000 Hacked Servers

A report from threat intelligence firm KELA shows the recent evolution of MagBo. The research was carried out jointly by KELA and the ZDNet site.


Access to Thousands of Hacked Servers Being Sold Online

The infamous MagBo platform is known to have offered almost 150,000 different compromised websites, with over 200 transactions a day and 200 to 400 new additions to the platform each day. According to data from KELA, “190 different threat actors currently have active listings on the market.”


Cybercriminals Are Selling Access to More than 43,000 Hacked Servers

Cybercriminals are selling access credentials for more than 43,000 hacked servers via an online marketplace called MagBo. This emerges from an analysis by the threat intelligence firm Kela. According to it, MagBo is considered one of the largest marketplaces for compromised servers.


KELA Sees MagBo Remote Access Market Booming During Pandemic

Threat intelligence company KELA has reported a boom in Remote Access Markets during the pandemic. Remote Access Markets sit on the Darknet and provide attackers with details on compromised websites and services. It means that attackers don’t have to waste time trying to steal credentials to gain access to those websites.


KELA Expands Their Intelligence Data Lake with Real-Time Monitoring of Remote Access Markets

As servitization of the underground world continues to thrive, KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of a new information source type to their technologies – Remote Access Markets.


A Cybercrime Store is Selling Access to More than 43,000 Hacked Servers

Over the years, the site has boomed, to put it lightly. Since it launched in 2018, KELA says the site has sold access to more than 150,000 sites, with 43,000 still being up for sale as of this week. KELA product manager Raveed Laeb says they’ve tracked 190 different threat actors selling hacked servers on the site.


KELA Announces the Addition of Featured Queries to Their DARKBEAST Platform

KELA Targeted Cyber Intelligence, a global Dark Net threat intelligence provider, announces today the addition of Featured Queries to DARKBEAST – their proprietary Dark Net search engine and investigation platform — helping their users stay informed on the most relevant underground threats.


Cyber Security Today – Canada hit by COVID cheque fraud; Webex, Teams under attack, more COVID email scams and three big data breaches

According to an Israeli security company called KELA, criminals soon began selling editable digital copies of cheques on the dark web. A criminal can either purchase a digital file and fill in their own name or have a criminal service do the editing for them.


Behind the Scenes of Dark Net Market Closures and Their Consequences

Like every free market, the Dark Net economy sees its many rises and falls. Sites come and go, just like brick and mortar stores open and close. Yet in recent months, we’ve seen a large number of sizeable illicit Dark Net sites closing, and smaller niche ones taking their place.


Threat Actor Selling Access to a Canadian University’s Domain

A Canadian university’s network may be at risk from a cyber attack, according to KELA, an Israeli threat intelligence firm.
Irina Nesterovsky said this threat actor seems to specialize in brute-forcing RDP (remote desktop) servers, running an affiliate program with other threat actors for this purpose.


Malware Unfazed by Google Chrome’s New Password, Cookie Encryption

Genesis, one underground shop for browser data kept using the original version of the malware and suffered grave losses when Chrome 80 came along, as uncovered by KELA researchers towards the end of February.


Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale

Raveed Laeb of cybersecurity intelligence firm KELA has told BleepingComputer that Koodo accounts are being sold on various dark web sites.
“A different market – one that specializes in automated selling of access to compromised accounts – currently offers over 21,000 Koodo accounts,” Laeb told BleepingComputer.


Chrome 80 Release Disrupted the Operation of AZORult Malware and the Genesis Marketplace

Specialists at KELA noticed that the Genesis marketplace, which trades not just in users’ personal data but in ready-made virtual identities, has run into serious problems.


A Small Change To Google Chrome Hits Cybercrime Marketplace Hard

Raveed Laeb is a product manager for KELA, a threat intelligence firm that uses sophisticated, automated tools to keep tabs on the countless gigabytes of stolen data being traded on Darknet forums and marketplaces. He’s been investigating Genesis for quite some time and recently released an in-depth report on his findings so far.


Chrome 80 Update Cripples Top Cybercrime Marketplace

According to new research shared with ZDNet this week by threat intelligence firm KELA, the Genesis Store is currently going through a rough patch, seeing a 35% drop in the number of hacked credentials sold on the site.
KELA says Genesis administrators are currently scrambling to fix their inventory deficit and feed the store with new credentials before customers notice a drop in new and fresh listings.


KELA Wins InfoSec Award at RSA Conference 2020

“We are very pleased to receive this prominent cybersecurity award, and it’s an honor to be selected from a wide selection of top-notch companies that were in the running for this prize. Our hard work has paid off in being recognized as global leaders in threat intelligence,” said KELA COO Eran Shtauber.


MGM Customer Data Has Been on Dark Web for Six Months

Irina Nesterovsky, head of research at cyber intelligence firm KELA, claimed that the most recent upload of breached data on nearly 10.7 million hotel customers was simply a repackaged bundle — as often happens on the dark web.


Exclusive: Details of 10.6 Million MGM Hotel Guests Posted on a Hacking Forum

According to Irina Nesterovsky, Head of Research at threat intel firm KELA, the data of MGM Resorts hotel guests had been shared in some closed-circle hacking forums since at least July, last year. The hacker who released this information is believed to have an association, or be a member of GnosticPlayers, a hacking group that has dumped more than one billion user records throughout 2019.


Tokyo 2020: The Dark Web is Hacker Gold

What treasures can hackers find on the dark web, how have these been used in the past, and what might threat actors be planning for Tokyo this summer? Here are the top four threats that KELA’s research team has been monitoring recently on the dark web.


Outing Cyber-Criminals Puts a Face on Cyber-Crime

Online threat actors are just plain criminals – like 36-year-old Aleksandr Alekseyevich Korostin from Sigayevo, Sarapul District, Udmurtiya Republic, Russia – hiding behind anonymity as SaNX. – OPINION by KELA Cyber Intelligence Center


Cyber Gangsters Publish Staff Passwords Following ‘Sodinokibi’ Attack on Car Parts Group Gedia

The threat marks a disturbing change in tactics by the crime groups behind the Sodinokibi ransomware, said Irina Nesterovsky, head of research for KELA, an Israeli security company specialising in darknet threat intelligence that monitors hacking groups.