Ransomware Group Profile: Arvin Club

Summary

CloudSEK Threat Intelligence Research team's analysis of the ransomware group dubbed Arvin Club.

Report Type: Threat Group Profiling
Research Subject: Arvin Club Ransomware Group
TLP: AMBER

Executive Summary

  • CloudSEK’s Threat Intelligence Research team analyzed the profile of a ransomware group dubbed Arvin Club.
  • The group maintains an Onion site and multiple Telegram channels on which it posts updates about its activities and status.
  • The group recently breached Kendriya Vidyalaya, a group of central government schools in India. Additionally, the group has shown support for REvil, which has since disbanded.
  • Further research was conducted to analyze the group’s operations and TTPs.
 

Preliminary Observations

  • Arvin Club is a popular ransomware group with a widespread Telegram presence, which includes personal group chats and official channels.
  • The group recently launched their official TOR/Onion website to update their status and release details of their latest attacks and data breaches.
  • Their latest target is Kendriya Vidyalaya, a chain of schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.
 
Information from the Group’s TOR Website
  • The group made their first post on their official TOR website on 5 May 2021. However, it appears that the group has been active prior to that as well.
  • The website lists the group’s victims and the date of the breach. However, most of the entities listed were not breached by Arvin Club.
  • The breached entities listed on the official Arvin Club TOR website:
 
Breach Date       Victim
24 October 2021   Kendriya Vidyalaya, India
20 September 2021 Bureau van Dijk
28 June 2021      Leiden University
28 June 2021      Russian Air Carrier UT Air
11 June 2021      Largest password compilation RockYou2021
24 May 2021       Beh Pardakht Mellat Cards
21 May 2021       Iranian educational messenger Etoudplus
15 May 2021       Bank Mellat from Iran
14 May 2021       Card Pay Portal
6 May 2021        USA 280 Million data leak
6 May 2021        Compilation of many breaches (COMB)
4 May 2021        Cybercrime forum Maza
4 May 2021        Underground carding shop titled Swarm Shop
4 May 2021        1.3 Million ClubHouse user records
 
Information from Telegram Channels
  • Arvin Club has 2 Telegram channels, one of which is their official channel and has 3000 subscribers.
  • The members of the Telegram channels include popular threat actors who have moderate to high reputations across cybercrime forums.
  • Persian is the main language of communication across the Telegram channels owned by the club.
  • Additionally, the group posts about various data breaches, which are also published on their website and channels.
  • The Telegram group is swamped with discussions and opinions on different cyber incidents around the world.
 

Research and Analysis

  • CloudSEK’s Threat Intelligence Team’s observations suggest that Arvin Club is not a full-fledged ransomware operation, given that no ransomware samples or dedicated file extensions associated with the group have surfaced.
  • Additionally, there are no mentions of tools specific to the group’s arsenal. This is similar to the modus operandi of the Bonaci group, which does not deploy ransomware to encrypt victims’ files and folders but instead exfiltrates and publishes data.
  • The group seems to incorporate sophisticated hacking methods. However, their recent breach was not impactful, nor did they make any attempt to extort the victim.
  • The group has merely tried to make data available publicly and has adopted a Persian motto, which translates to “Freedom to connect.”
  • All the above-mentioned features set Arvin Club apart from typical ransomware groups.

It should be noted that Arvin Club never claims responsibility for any hacking attempts made on the entities listed on their official website. For this reason, threat intelligence provider Hack Notice explicitly states “as reported by Arvin Club,” rather than “hacked by Arvin Club” (refer to the Appendix).
Association with the Iranian Government
Following several hacking incidents, it was reported in July 2021 that the group was allegedly linked to the Iranian government. However, the group has denied these allegations in a post published on their website.
Response to REvil Event
In response to members of the REvil ransomware group being rounded up by the FBI, Arvin Club published a tongue-in-cheek meme on their website.
Response to members of REvil group being arrested by the FBI
 

Appendix

 
Arvin Club Ransomware group’s official website
 
Hack Notice’s post mentioning Arvin Club