Full Report
ASEC Blog publishes Ransom & Dark Web Issues Week 3, March 2025 New RaaS platform VanHelsing Locker being promoted on dark web forums Pro-Palestinian hacktivist group RipperSec claims to have hacked SCADA systems of Korea Electric Power Technology and Dairy Promotion Board, among others Hacktivist group Dienet claims […]
Analysis Summary
# Incident Report: Week 3, March 2025 Ransomware and Hacktivist Activity Summary
## Executive Summary
This report summarizes key threat intelligence gathered during the third week of March 2025, focusing on the emergence of a new Ransomware-as-a-Service (RaaS) platform and significant hacktivist operations targeting critical infrastructure and financial services. Attack vectors included the promotion of new RaaS schemes and direct cyberattacks launched by pro-Palestinian hacktivist groups, resulting in claims of SCADA system compromise and a reported attack against NASDAQ.
## Incident Details
- Discovery Date: March 20, 2025 (Publication Date of Summary)
- Incident Date: Ongoing activity during the third week of March 2025
- Affected Organization: Various organizations, including Korea Electric Power Technology, Dairy Promotion Board, and NASDAQ (claimed attacks)
- Sector: Critical Infrastructure (Energy/Utilities), Food Production, Financial Services
- Geography: Primarily South Korea (cited victims) and the United States (NASDAQ target)
## Timeline of Events
### Initial Access
- Date/Time: Third week of March 2025
- Vector: 1. RaaS promotion/recruitment on dark web forums; 2. Direct hacktivist cyber attacks (specific exploits/vulnerabilities are not identified in the summary)
- Details: Promotion of the 'VanHelsing Locker' RaaS platform on dark web forums commenced. Simultaneously, the group RipperSec claimed initial access to SCADA systems.
### Lateral Movement
- *Not explicitly detailed in the summary for the RipperSec/Dienet activities, but implied for successful SCADA compromise.*
### Data Exfiltration/Impact
- **RaaS:** The VanHelsing Locker platform implies intent for data encryption and likely data exfiltration (typical RaaS model).
- **Hacktivism:** RipperSec claimed disruption/compromise of SCADA systems. Dienet claimed a cyber attack against the NASDAQ stock exchange.
### Detection & Response
- Detection occurred upon threat intelligence reporting (ASEC Blog publication on March 20, 2025).
- Response guidance is provided externally through AhnLab TIP (subscription required).
## Attack Methodology
| Category | Method/Technique |
| :--- | :--- |
| **Initial Access** | RaaS Platform Promotion (Recruitment for future attacks); Direct cyber attack claims via hacktivist groups. |
| **Persistence** | Not detailed. |
| **Privilege Escalation** | Not detailed. |
| **Defense Evasion** | Not detailed. |
| **Credential Access** | Not detailed. |
| **Discovery** | Inferred discovery/reconnaissance required for claimed SCADA system breaches. |
| **Lateral Movement** | Implied requirement for successful SCADA compromise. |
| **Collection** | For RipperSec, collection/access to SCADA operational data is the implied target. |
| **Exfiltration** | Not detailed, though expected in the RaaS model. |
| **Impact** | Encryption (RaaS); Disruption/Compromise of critical industrial control systems (SCADA) and financial systems (NASDAQ). |
## Impact Assessment
- **Financial:** Claims against NASDAQ suggest potential significant financial market disruption, though actual financial impact is unknown.
- **Data Breach:** Compromise of SCADA systems implies access to sensitive operational technology data. Specifics on data volume are unavailable.
- **Operational:** Direct impact claimed on critical infrastructure (Korea Electric Power Technology) and industrial control systems (SCADA).
- **Reputational:** Negative impact on the claimed victims due to public association with major cyber incidents.
## Indicators of Compromise
- **Network Indicators:** Not explicitly listed (details require access to AhnLab TIP).
- **File Indicators:** Not explicitly listed (details require access to AhnLab TIP).
- **Behavioral Indicators:** Promotion and activity associated with the **VanHelsing Locker** RaaS, **RipperSec** pro-Palestinian hacktivism, and **Dienet** hacktivism targeting US exchanges.
## Response Actions
- **Containment:** Not detailed for specific victims; general threat intelligence dissemination occurred via ASEC publication.
- **Eradication:** Not detailed.
- **Recovery:** Not detailed.
## Lessons Learned
- The threat landscape remains volatile, featuring the continuous launch of new RaaS platforms (VanHelsing Locker) competing on the dark web.
- Critical infrastructure (SCADA systems) and primary financial exchanges remain high-value targets for politically motivated hacktivist groups (RipperSec, Dienet).
## Recommendations
- Organizations should prioritize monitoring dark web forums for new RaaS activity and indicators related to emerging threats like VanHelsing Locker.
- Critical infrastructure entities must rigorously assess and secure their OT/SCADA environments against targeted, politically motivated intrusion attempts.
- Financial Sector entities should enhance monitoring for novel attacks targeting high-profile exchanges like NASDAQ.