Ransomware - NO-NAME

NO-NAME is an uneventful name for a ransomware group, and it coincides with another cybergroup known as NoName057(16). However, these appear to be two completely different groups and unrelated. NoName057(16) is a pro-Russian cybergroup that performs denial of service attacks and other hacktivist-related attacks. NO-NAME is a ransomware group and data broker that hosts several double extortion data leak sites (DLSs) on the dark web.

The most interesting thing about this ransomware group is the DLSs themselves. Their primary DLS looks eerily similar to LockBit 3.0. The only difference is the color and logo. It becomes apparent that this impersonation is not a happenstance when looking at another one of their DLS; it's precisely the same as LockBit 3.0's DLS. They are impersonating LockBit 3.0 and even share some of the same victims and unique victim IDs. As such, we've labeled this group as an impersonator.

Only a handful of the victims on the DLS have names associated with them. The other entries are labeled as "NEGOTIATED." We were able to collect seven victims from these two DLSs. However, a thorough analysis from Rakesh Krishnan shows that this group also has more DLSs on Clearnet, from which we gathered a few more victims. Furthermore, there is another TOR domain that hosts the data from all of their victims - an open directory (opendir). We were able to collect another 20-25 victims from this server.

Unfortunately, we weren't able to find any samples on the Internet or in our repositories. However, thanks to ZScalar, we were able to observe some ransom notes and gather information from them. That is the extent of the technical information until we can find a sample to analyze further.