Ransomware - Mogilevich

Decryptor Available

The Mogilevich group appeared out of nowhere to immediately begin claiming large organizations. Reportedly, they breached Epic Games, DJI, Shein, Kick, and more, with around two weeks of existence. We, and other researchers alike, were skeptical of these claims because the group offered no proof of these breaches, and none of these organizations had claimed a cyber security incident. Furthermore, there was no proof of any ransom notes, samples, analyses, or public mention of any ransomware or breaches. In other words, there was no proof of anything.

On March 2, 2024, everyone's suspicions were confirmed when the group posted Epic Games again. This time, with an alleged data sample for proof of a breach. However, the "data sample" was a confession that the group were fraudsters and not a RaaS group (You can view their confession in the Ransom Notes below). The operator(s) behind this scheme - a user named Pongo - confessed that the group created fake breaches to gain visibility as quickly as possible to traffic victims to a scam. The scam involved:

  1. Sell fake RaaS private access panels to those who want to be affiliates for an initial deposit of $1,000.
    • They allegedly sold eight of these.
  2. Once the victims paid, they would be manipulated into doubling the deposit or getting the money back.
    • They allegedly earned $16,000 by doing this.
  3. They would then ask for a screenshot of the buyer's crypto wallet, use these as evidence of stolen crypto, and sell those accounts they couldn't access.
    • They allegedly earned $7,000 by doing this.
  4. The group pretended to be buyers from IABs to get pictures and videos of their access techniques and would use this photo and video evidence to build their credibility as a RaaS.
    • They allegedly earned $11,000 by doing this.
  5. On the day of their confession, or just about it, they made their biggest heist by posting a fake 1 TB database from the drone company DJI and demanding $100,000.
  6. Finally, they coerced an alleged buyer of the fake DJI data into thinking there were other interested buyers and that they would miss an opportunity.
    • They allegedly earned $85,000 after negotiating with the buyer.

The name Mogilevich could reference Russian-Ukrainian-Israeli transnational organized crime boss Semion Mogilevich.

Ransomware Type
Data Broker
First Seen
Last Seen
Threat Actors
Extortion Types
Ransom Note Image
Industry Sector Country Extortion Date Amount (USD)
Automotive United States
Information Technology United States
Government Ireland
Sports & Gaming United States
Government Bangladesh
Information Technology China
Information Technology United States
Fashion & Textiles Singapore