|Report Type||Threat Group Profiling|
|Research Subject||Arvin Club Ransomware Group|
- CloudSEK’s Threat Intelligence Research team analyzed the profile of a ransomware group dubbed Arvin Club.
- This group maintains an Onion site and multiple channels to update their activities and status.
- The group recently breached Kendriya Vidyalaya, a group of central government schools in India. Additionally, the group has shown support for REvil, which has since disbanded.
- Further research was conducted to analyze the group’s operations and TTPs.
- Arvin Club is a popular Ransomware group with a widespread Telegram presence, which includes personal group chats, and official channels.
- The group recently launched their official TOR/ Onion website to update their status and release details of their latest attacks and data breaches.
- Their latest target is Kendriya Vidyala, a chain of Schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.
Information from the Group’s TOR Website
- The group made their first post on their official TOR website on 5 May 2021. However, it appears that the group has been active prior to that as well.
- The website lists the group’s victims and the date of the breach. However, most of the entities listed were not breached by Arvin Club.
- The breached entities listed on the official Arvin Club TOR website:
|24 October 2021||Kendriya Vidyala, India|
|20 September 2021||Bureau van Dijk|
|28 June 2021||Leiden University|
|28 June 2021||Russian Air Carrier UT Air|
|11 June 2021||Largest password compilation RockYou2021|
|24 May 2021||Beh Pardakht Mellat Cards|
|21 May 2021||Iranian educational messenger Etoudplus|
|15 May 2021||Bank Mellat from Iran|
|14 May 2021||Card Pay Portal|
|6 May 2021||USA 280 Million data leak|
|6 May 2021||Compilation of many breaches (COMB)|
|4 May 2021||Cybercrime forum Maza|
|4 May 2021||Underground carding shop titled Swarm Shop|
|4 May 2021||1.3 Million ClubHouse user records|
Information from Telegram Channels
- Arvin Club has 2 Telegram channels, one of which is their official channel and has 3000 subscribers.
- The members of the Telegram channels include popular threat actors who have moderate to high reputations across cybercrime forums.
- Persian is a major language of communication across the telegram channels owned by the club.
- Additionally, the group posts about different data breaches which are further published on their website and channels.
- The Telegram group is swamped with discussions, and opinions on different cyber incidents around the world.
Research and Analysis
- CloudSEK’s Threat Intelligence Team’s observations suggest that Arvin Club is not a full-fledged ransomware, given the unavailability of samples or dedicated extensions to unlock the files.
- Additionally, there are no mentions of different tools that are specific to the group’s arsenal. This is similar to the modus operandi of the Bonaci group, which does not deploy ransomware to encrypt victims’ files and folders but to exfiltrate and publish data.
- The group seems to incorporate sophisticated hacking methods. However, their recent breach was not impactful and neither did they make any attempts to extort the victim.
- The group has merely tried to make data available publicly and have adopted a Persian motto, which translates to “Freedom to connect.”
- All the above-mentioned features set the Arvin Club apart from typical ransomware groups.