Analytical Digest for March 15-April 15

Despite russia’s invasion of Ukraine and overt military action, GC3 continues working with companies, law enforcement and research organizations to neutralize cyber crime.



In a private industry notification (PIN) FBI warned local governments and government services that ransomware would likely “strain” their capabilities if not prevented.

The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. 


Guidepoint Security

According to the report of the Guidepoint Security, ransomware trends in 2022, like previous years, continues the trend of ransomware being one of the most impactful and prolific threats that public and private sectors face daily.

The trends indicate that western countries are affected more frequently than others. It is also very clear that countries with suspected ties to ransomware groups, including former Soviet Union countries, China, and North Korea, have far fewer victims than other countries.Some critical infrastructure verticals such as Finance, Information Technology, and Healthcare continue finding themselves in the top 10 industry verticals affected by ransomware.

Looking at the 2021 and 2022 data, 2022 start off at a faster rate than last year. 


Cyclops Blink malware

The U.S. Federal Bureau of Investigation has wrested control of thousands of routers and firewall appliances away from Russian military hackers by hijacking the same infrastructure Moscow’s spies were using to communicate with the devices.

The targeted botnet was controlled through malware called Cyclops Blink, which U.S. and UK cyberdefense agencies had publicly attributed in late February to “Sandworm,” allegedly one of the Russian military intelligence service’s hacking teams that has repeatedly been accused of carrying out cyberattacks.



Microsoft observed attacks targeting Ukrainian entities from Strontium, a russian GRU-connected actor they have tracked for years. 

Strontium was using this infrastructure to target Ukrainian institutions including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information.



U.S. Department of Justice (DOJ) and German federal police have successfully shut down the Russian dark web marketplace Hydra, which has contributed to nearly 80% of all dark web market-related cryptocurrency transactions last year.

Along with shutting down Hydra’s servers, the DOJ also issued criminal charges against russian resident Dmitry Pavlov for conspiracy to distribute narcotics and conspiracy to commit money laundering in connection with his operation and administration of the servers used to run Hydra. Pavlov is allegedly the administrator of Hydra’s servers.

Over 34 mln US Dollars in Bitcoins were seized. There were over 17 mln accounts of users and 19,000 accounts of sellers at the forum.   

German authorities claim that the shop had the biggest cash-flow. Only during 2020 it gained over 1,23 bln US Dollars.

The marketplace operated since 2015, it has received approximately $5.2 billion in cryptocurrency, the DOJ said.


New dump shops were appeared on the Darknet: 

  1. The Bankir Shop offers over 130.000 compromised payment cards. 
  2. The YESBRO Shop offers over 150.000 compromised payment cards. The shop is a successor of the Wizzard Dump shop.

Both shops are available via WEB or TOR versions.


GC3 monitors over 50 services specializing in the distribution of compromised payment card details.