• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Endurance Ransomware Claims Breach of US Federal Government

November 17, 2022 By Ryan Estes

The WatchGuard Security Team spends a lot of time chasing ransomware extortion groups throughout the dark web. So, it only fits that one of the newer ransomware extortion groups is named Endurance Ransomware. It appears this “group” is one individual known as IntelBroker, who has allegedly breached several entities of the US government and two other separate businesses in one month of existence. This post will unearth IntelBroker’s Endurance Ransomware operation before it is brought to light by more destruction.

On November 15th, the WatchGuard Security Team discovered a post by IntelBroker on the infamous hacker forum, BreachForums, claiming “the Federal government of the United States fell victim to Endurance Ransomware” and that no ransom was offered because they knew the US government wouldn’t pay any demand. Schematics, blueprints, and other revealing documents were also included in the post, as is the norm by these extortion groups, to prove the authenticity of a breach. The full list of alleged affected entities and the types of documentation are shown in the picture below, taken from the extortion post on BreachForums.

The conversations within this post are still ongoing as this is written, and it appears that there is speculation about the authenticity of the alleged breach. A user named LyingLeakers claims that the documents posted as proof of the breach are publicly accessible, but IntelBroker further claims the breach is authentic. The back and forth is shown in the picture below.

If you look at the bottom of the first picture, you can also see that the extortion currency is XMR, or Monero, which is what is known as a privacy coin because it is much more difficult to trace than traditional cryptocurrency. Additionally, IntelBroker only communicates via Tox Messenger, which is an end-to-end encrypted peer-to-peer messaging service akin to Signal. IntelBroker focuses on privacy for payments and messaging, but that appears to be where the privacy ends, considering that their profile on BreachForums discloses what they do and their alleged country of origin, Endurance Ransomware Developer and Serbia, respectively.

Additionally, it appears that IntelBroker’s GitHub is public, and a repository with the name ‘Endurance-Wiper’ is available. The WatchGuard Security Team is currently assessing the capabilities of this wiper to determine its functionality. The wiper is written in C# using Visual Studio 22, but it’s too early to determine if this software, or malware, is attributed to the Endurance Ransomware.

Also, in addition to the US Federal Government, IntelBroker claims to have breached two other small businesses in the retail sector ‒ Dr. Martens and TheBodyShop Indonesia. Similar to the other breach, a post has been published for each to prove authenticity.

IntelBroker also includes some breaches on his Sellix marketplace. Sellix is eCommerce software that allows individuals to sell assets using cryptocurrency. In this case, the asset is the personal data of breached organizations. As of this writing, IntelBroker only has the two retail businesses on there for sale and is asking between $900 and $1,000 for all exfiltrated data. This suggests that IntelBroker is cognizant of the victim’s financial capabilities and tailors ransom demands to each victim.

Finally, IntelBroker claims that the Endurance Ransomware extortion page on the dark web is under construction ‒ providing more communication mediums to extort their victims.

The WatchGuard Security Team is monitoring this ransomware and IntelBroker for any further developments.

Share This:

Related

Filed Under: Research Tagged With: extortion, Malware, ransomware, research

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • 3CX Supply Chain Attack
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • 3CX Supply Chain Attack
  • The NSA’s Guidance on Securing Authentication
  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use