The WatchGuard Security Team spends a lot of time chasing ransomware extortion groups throughout the dark web. So, it only fits that one of the newer ransomware extortion groups is named Endurance Ransomware. It appears this “group” is one individual known as IntelBroker, who has allegedly breached several entities of the US government and two other separate businesses in one month of existence. This post will unearth IntelBroker’s Endurance Ransomware operation before it is brought to light by more destruction.
On November 15th, the WatchGuard Security Team discovered a post by IntelBroker on the infamous hacker forum, BreachForums, claiming “the Federal government of the United States fell victim to Endurance Ransomware” and that no ransom was offered because they knew the US government wouldn’t pay any demand. Schematics, blueprints, and other revealing documents were also included in the post, as is the norm by these extortion groups, to prove the authenticity of a breach. The full list of alleged affected entities and the types of documentation are shown in the picture below, taken from the extortion post on BreachForums.
The conversations within this post are still ongoing as this is written, and it appears that there is speculation about the authenticity of the alleged breach. A user named LyingLeakers claims that the documents posted as proof of the breach are publicly accessible, but IntelBroker further claims the breach is authentic. The back and forth is shown in the picture below.
If you look at the bottom of the first picture, you can also see that the extortion currency is XMR, or Monero, which is what is known as a privacy coin because it is much more difficult to trace than traditional cryptocurrency. Additionally, IntelBroker only communicates via Tox Messenger, which is an end-to-end encrypted peer-to-peer messaging service akin to Signal. IntelBroker focuses on privacy for payments and messaging, but that appears to be where the privacy ends, considering that their profile on BreachForums discloses what they do and their alleged country of origin, Endurance Ransomware Developer and Serbia, respectively.
Additionally, it appears that IntelBroker’s GitHub is public, and a repository with the name ‘Endurance-Wiper’ is available. The WatchGuard Security Team is currently assessing the capabilities of this wiper to determine its functionality. The wiper is written in C# using Visual Studio 22, but it’s too early to determine if this software, or malware, is attributed to the Endurance Ransomware.
Also, in addition to the US Federal Government, IntelBroker claims to have breached two other small businesses in the retail sector ‒ Dr. Martens and TheBodyShop Indonesia. Similar to the other breach, a post has been published for each to prove authenticity.
IntelBroker also includes some breaches on his Sellix marketplace. Sellix is eCommerce software that allows individuals to sell assets using cryptocurrency. In this case, the asset is the personal data of breached organizations. As of this writing, IntelBroker only has the two retail businesses on there for sale and is asking between $900 and $1,000 for all exfiltrated data. This suggests that IntelBroker is cognizant of the victim’s financial capabilities and tailors ransom demands to each victim.
Finally, IntelBroker claims that the Endurance Ransomware extortion page on the dark web is under construction ‒ providing more communication mediums to extort their victims.
The WatchGuard Security Team is monitoring this ransomware and IntelBroker for any further developments.