Ransomware Group Profile: Arvin Club

CloudSEK Threat Intelligence Research team's analysis of the ransomware group dubbed Arvin Club

Updated on

April 19, 2023

Published on

November 12, 2021

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Report Type	Threat Group Profiling
Research Subject	Arvin Club Ransomware Group
TLP	AMBER

Executive Summary

CloudSEK’s Threat Intelligence Research team analyzed the profile of a ransomware group dubbed Arvin Club.
This group maintains an Onion site and multiple channels to update their activities and status.
The group recently breached Kendriya Vidyalaya, a group of central government schools in India. Additionally, the group has shown support for REvil, which has since disbanded.
Further research was conducted to analyze the group’s operations and TTPs.

Preliminary Observations

Arvin Club is a popular Ransomware group with a widespread Telegram presence, which includes personal group chats, and official channels.
The group recently launched their official TOR/ Onion website to update their status and release details of their latest attacks and data breaches.
Their latest target is Kendriya Vidyala, a chain of Schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.

Information from the Group’s TOR Website

The group made their first post on their official TOR website on 5 May 2021. However, it appears that the group has been active prior to that as well.
The website lists the group’s victims and the date of the breach. However, most of the entities listed were not breached by Arvin Club.
The breached entities listed on the official Arvin Club TOR website:

Breach Date	Victim
24 October 2021	Kendriya Vidyala, India
20 September 2021	Bureau van Dijk
28 June 2021	Leiden University
28 June 2021	Russian Air Carrier UT Air
11 June 2021	Largest password compilation RockYou2021
24 May 2021	Beh Pardakht Mellat Cards
21 May 2021	Iranian educational messenger Etoudplus
15 May 2021	Bank Mellat from Iran
14 May 2021	Card Pay Portal
6 May 2021	USA 280 Million data leak
6 May 2021	Compilation of many breaches (COMB)
4 May 2021	Cybercrime forum Maza
4 May 2021	Underground carding shop titled Swarm Shop
4 May 2021	1.3 Million ClubHouse user records

Information from Telegram Channels

Arvin Club has 2 Telegram channels, one of which is their official channel and has 3000 subscribers.
The members of the Telegram channels include popular threat actors who have moderate to high reputations across cybercrime forums.
Persian is a major language of communication across the telegram channels owned by the club.
Additionally, the group posts about different data breaches which are further published on their website and channels.
The Telegram group is swamped with discussions, and opinions on different cyber incidents around the world.

Research and Analysis

CloudSEK’s Threat Intelligence Team’s observations suggest that Arvin Club is not a full-fledged ransomware, given the unavailability of samples or dedicated extensions to unlock the files.
Additionally, there are no mentions of different tools that are specific to the group’s arsenal. This is similar to the modus operandi of the Bonaci group, which does not deploy ransomware to encrypt victims’ files and folders but to exfiltrate and publish data.
The group seems to incorporate sophisticated hacking methods. However, their recent breach was not impactful and neither did they make any attempts to extort the victim.
The group has merely tried to make data available publicly and have adopted a Persian motto, which translates to “Freedom to connect.”
All the above-mentioned features set the Arvin Club apart from typical ransomware groups.

It should be noted that Arvin Club never claims responsibility for any hacking attempts made on the entities listed on their official website. Owing to which, Threat Intelligence provider Hack Notice explicitly states “as reported by Arvin Club,” and not hacked by them (Refer Appendix).

Association with the Iranian Government

As a consequence of some hacking incidents, in July 2021 it was reported that the group was allegedly linked to the Iranian government. However, the group has denied these allegations via a post published on their website.

Response to REvil Event

In response to the REvil ransomware group being rounded-up by the FBI, Arvin Club published a tongue-in-cheek meme on their website. [caption id="attachment_18177" align="aligncenter" width="381"]

Response to members of REvil group being arrested by the FBI[/caption]

Appendix

[caption id="attachment_18178" align="aligncenter" width="512"]

Arvin Club Ransomware group’s official website[/caption] [caption id="attachment_18179" align="aligncenter" width="512"]

Hack Notice’s post mentioning Arvin Club[/caption]

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

November 15, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations

Get started

Learn more