CloudSEK’s Threat Intelligence Research team analyzed the profile of a ransomware group dubbed Arvin Club.
This group maintains an Onion site and multiple channels to update their activities and status.
The group recently breached Kendriya Vidyalaya, a group of central government schools in India. Additionally, the group has shown support for REvil, which has since disbanded.
Further research was conducted to analyze the group’s operations and TTPs.
Preliminary Observations
Arvin Club is a popular ransomware group with a widespread Telegram presence, which includes personal group chats and official channels.
The group recently launched their official TOR/Onion website to update their status and release details of their latest attacks and data breaches.
Their latest target is Kendriya Vidyalaya, a chain of schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.
Information from the Group’s TOR Website
The group made their first post on their official TOR website on 5 May 2021. However, it appears that the group has been active prior to that as well.
The website lists the group’s victims and the date of the breach. However, most of the entities listed were not breached by Arvin Club.
The breached entities listed on the official Arvin Club TOR website:

Breach Date          Victim
24 October 2021      Kendriya Vidyalaya, India
20 September 2021    Bureau van Dijk
28 June 2021         Leiden University
28 June 2021         Russian Air Carrier UT Air
11 June 2021         Largest password compilation RockYou2021
24 May 2021          Beh Pardakht Mellat Cards
21 May 2021          Iranian educational messenger Etoudplus
15 May 2021          Bank Mellat from Iran
14 May 2021          Card Pay Portal
6 May 2021           USA 280 Million data leak
6 May 2021           Compilation of many breaches (COMB)
4 May 2021           Cybercrime forum Maza
4 May 2021           Underground carding shop titled Swarm Shop
4 May 2021           1.3 Million ClubHouse user records
Information from Telegram Channels
Arvin Club has 2 Telegram channels, one of which is their official channel and has 3000 subscribers.
The members of the Telegram channels include popular threat actors who have moderate to high reputations across cybercrime forums.
Persian is a major language of communication across the Telegram channels owned by the club.
Additionally, the group posts about different data breaches which are further published on their website and channels.
The Telegram group is swamped with discussions and opinions on different cyber incidents around the world.
Research and Analysis
CloudSEK’s Threat Intelligence Team’s observations suggest that Arvin Club is not a full-fledged ransomware group, given that neither ransomware samples nor dedicated tools to unlock the files are available.
Additionally, there are no mentions of tools that are specific to the group’s arsenal. This is similar to the modus operandi of the Bonaci group, which, rather than deploying ransomware to encrypt victims’ files and folders, exfiltrates and publishes data.
The group seems to incorporate sophisticated hacking methods. However, their recent breach was not impactful, and they made no attempt to extort the victim.
The group has merely tried to make data publicly available and has adopted a Persian motto, which translates to “Freedom to connect.”
All the above-mentioned features set Arvin Club apart from typical ransomware groups.
It should be noted that Arvin Club never claims responsibility for any hacking attempts made on the entities listed on their official website. For this reason, threat intelligence provider Hack Notice explicitly states that breaches were “as reported by Arvin Club,” rather than carried out by them (refer to the Appendix).
Association with the Iranian Government
Following some hacking incidents, it was reported in July 2021 that the group was allegedly linked to the Iranian government. However, the group has denied these allegations via a post published on their website.
Response to REvil Event
In response to the REvil ransomware group being rounded up by the FBI, Arvin Club published a tongue-in-cheek meme on their website.
Response to members of REvil group being arrested by the FBI