RansomedVC, the ransomware-as-a-service (RaaS) group that cut a high-profile but short-lived swath through the cybercrime scene over the past three months, is shutting down operations and selling off its infrastructure.

The threat actor’s decision comes after the possible arrests of six of the group’s affiliates and growing fears about law enforcement, with the owner saying in since-deleted Telegram messages that the risk of arrest for affiliates wasn’t worth the profit derived from ransomware and extortion attacks.

They also pointed to the age of many affiliates, saying that “using newly born kiddies at the age of ~20 is just not right in my eyes.” In addition, they said they don’t regret the data breaches or ransoms demanded of the group’s ‘customers’ and ‘clients.’”

The owner said that RansomedVC had 98 affiliates and that they’ve all been “fired.”

As of November 10, “one Ransomed[.]vc leak site has been closed down, and the other hosts a closing note on the home page,” according to threat researchers with cybersecurity firm ZeroFox. “However, its ransomware forum (on which Ransomed[.]vc coordinates its ransomware-as-a-service projects) remains active, likely to assist in the sale of its infrastructure and assets.”

The fire sale represents a quick end to a ransomware group that listed more than 40 victims on its leak site, with most of those organizations in Europe. RansomedVC began life as an underground forum for cybercriminals, then graduated to running its own RaaS operations that included demanding ransoms of as much as $1 million, with the bulk of its activity in September.

A Controversial Group

However, the group wasn’t without its controversy. Among the organizations RansomedVC claimed to have attacked were Sony, the District of Columbia Board of Elections, the U.S. credit agency TransUnion, government agencies in Hawaii, and Colonial Pipeline, the victim of a previous high-profile ransomware attack in 2021.

However, Colonial officials denied that their systems had been attacked, adding that stolen files exposed by RansomedVC were from an unrelated data breach of a third party. Oddly, in a Telegram post in October, the group said it was unable to extort money from Colonial Pipeline and included a photo of incident response company Dragos CEO Rob Lee, who helped the giant gas company in responding to the 2021 attack.

In a posting on X (formerly Twitter), Lee wrote, “PSA: Criminal groups lie. Yes even, and especially, ransomware groups. Exhausting but pointless.”

The Fire Sale is On

Now everything RansomedVC is for sale. According to its original posting, that includes the various domains – Ransomed[.]vc, Ransomed[.]biz, and dark web forum – the custom source code, access to affiliate groups and social media account usernames, the related Telegram channel and group, VPN access to 11 companies with revenue adding up to $3 billion, 37 databases (all for $10 million), and a control panel for the locker.

The list also includes a ransomware builder that the group claims can bypass all antivirus protections and automatically infect all LAN devices within a network.

Another post on Telegram offers a 20% discount for “someone who can be verified or is already verified as a trusted person by the majority of forums.”

“These posts very likely represent a legitimate cessation of Ransomed[.]vc’s activity and a fire sale of the operation’s infrastructure,” the ZeroFox researchers wrote in a blog post. “Threat actors (not limited to extortion collectives) will likely be motivated to purchase the infrastructure to target victims, create spin-off extortion operations, or leverage for further malicious activity.”

Ransomware groups are known for using source code from other ransomware strains in their own payloads, they wrote, adding that affiliates that had been deploying Ransomed[.]vc will likely continue their nefarious ways by moving to other RaaS operations.

“The collective’s closure is unlikely to have any considerable impact on the broader R&DE [ransomware and data extortion] threat landscape, as affiliates are likely to pivot to other extortion operations at pace and continue their respective targeting with little cessation or downtime,” they wrote.