DarkVault is a self-proclaimed exclusive online community and ransomware operation that performs many illegal activities, including bomb threats, swatting, doxing, website defacing, malware creation, scams, spam, and various amounts of fraud. Basically, it's probably a few individuals engaged in a bunch of cybercrimes. There have been reports of DarkVault being LockBit, or affiliated with LockBit, because their data leak site (DLS) mimics LockBit 3.0's. However, just because the DLS is copied doesn't mean they are the same group. DarkVault is one of several groups that have copied LockBit 3.0's DLS (e.g. Dispossessor).
The individual(s) behind DarkVault have two pages; one for posting alleged victims of what we assume are ransomware attacks or data exfiltration from breaches, and another that explains their illegal activities. After reviewing their DLSs and Telegram, it's difficult to make any further determinations because, aside from the posted victims, everything else is relatively empty. Furthermore, we don't have a ransomware sample or any indication that this is truly a group performing ransomware attacks. Once we have any updates on DarkVault's behavior, we will post them. What you currently see is taken from their DLSs.
Known Victims(10)
| Industry Sector | Country | Extortion Date | Amount (USD) |
|---|---|---|---|
| Retail & Wholesale | United States | ||
| Professional Services | United States | ||
| Information Technology | United States | ||
| Insurance | United States | ||
| Information Technology | United States | ||
| Telecommunications | Sri Lanka | ||
| Fashion & Textiles | India | ||
| Information Technology | India | ||
| Healthcare & Medicine | United Kingdom | ||
| Hospitality | Saudi Arabia |