The first samples of the new(ish) White Lock ransomware began emerging towards the end of September. The earliest compilation time stamp of the four samples currently on MalwareBazaar, Triage, and VirusTotal is September 29, 2025. It has all the hallmarks of traditional crypto-ransomware: kills anti-virus processes, destroys shadow copies, encrypts files and appends a unique string (in this case, '.fbin'), and so on. However, the purpose of this post isn't to dissect the technical aspects of this new ransomware. However, that may come in a later post. The purpose of this post is to highlight the connection between the data extortion group dAn0n and the newly emerging White Lock ransomware operation. Spoiler alert, they're likely the same.

When White Lock executes, it changes the desktop wallpaper and drops a ransom note, named 'c0ntact.txt', which tells victims to navigate to a TOR domain to facilitate negotiations.

This is the TOR web chat provided to victims. If you enter the client ID token provided in the ransom note, it will provide access to the chat room. They likely either expire or are disabled manually after negotiations from the team, as is the case with the example Client ID.

There's not much to it, aside from two things. You can view the chat room page without a client ID token and there's an email provided.

If you navigate to /chat.html, it will let you, but it will throw an error. Still, the page is viewable. The ransom note earlier indicated a 4 BTC ransom, and it looks like 4 BTC is the standard ransom amount according to the chat room. Otherwise, it's a standard chat room.

The email, on the other hand, is the key to tying White Lock to dAn0n, and it's pretty simple. The www[.]whitelock[.]xyz subdomain is hosted on the same IP that www[.]dan0n[.]com was—specifically, the www subdomains.

The email servers are also hosted on the same subnet.

The dAn0n operation and the White Lock operation are fundamentally very different. First, the dAn0n operation is only believed to have stolen data; no ransomware encryptors involved. Second, the manner in which dAn0n extorted victims was "loud." They would dox employees, contact leadership teams, insurance companies, clients, partners, government agencies, and possibly more. They stole data and made sure everyone was aware of it. White Lock, conversely, has no double extortion page at all, at least not one we could find. All that exists is a chat room to negotiate. So, they went from only stealing data and extorting with a loudhorn to encrypting data and covertly negotiating.

The dan0n/White Lock group remains one of the more covert operations of the current active ransomware groups. They initially did double extortion without encrypting systems, but moved to a more direct extortion with encryption operation.

Ransomware Tracker Entries:

https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dan0n
https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/white-lock

IOCs:

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dan0n

The dAn0n Hacker Group, or dAn0n, was first observed in the Spring of 2024. They posted their first victim on their simultaneous dark web and clear net data leak site on March 26. The dAn0n group is often lumped in with other ransomware groups, but there's no evidence they ever deployed a ransomware encryptor (crypto-ransomware). The only evidence of their operations comes from their victims and any information they provide. Based on their own data and admissions, they only stole, extorted, and sold data, which we refer to as Data Brokers.

The most interesting aspect of the dAn0n operation was their quiet approach, but loud extortion techniques. There isn't too much research on their tactics and techniques, but the manner in which they extorted victims on their data leak sites was overtly verbose. For example, each victim publication included a "Status" GUI that tracked the extortion chain. The most observed Status process was six steps:

1. Setting a deadline of X hours (usually 180 or 240)
2. Informing leadership team
3. Informing insurance company
4. Refuse of the deal
5. Informing clients and partners
6. Informing regulatory authorities

Their M.O. was to inform just about everyone to coerce victims into payment. After publishing 19 victims, they suddenly ceased operations in late August of the same year. Although they didn't utilize an encryptor in this operation, this group reappeared in 2025 as White Lock, which did use a traditional crypto-ransomware.

The UK has taken one of the most decisive steps yet in the global fight against ransomware. Following a summer of attacks that disrupted healthcare, retail, and legal services, the government has confirmed that a targeted ban on ransom payments and a universal reporting requirement will become law.

What the Policy Includes

• Ban on ransom payments: Public sector organisations and operators of Critical National Infrastructure (CNI) will be prohibited from paying ransoms. The NHS alone has faced over 1,300 attempted ransomware intrusions in the past 12 months, according to government data.
   
• Mandatory reporting: All UK organisations will need to report ransomware incidents to a new central body. This addresses a long-standing visibility gap only around 20–25% of ransomware attacks are currently reported, according to Europol.

Why This Matters Now

The policy follows a summer in which:
- Marks & Spencer had online retail operations disrupted for months.
- NHS Scotland had patient appointment data temporarily inaccessible.
- The Legal Aid Agency confirmed the theft of over 250,000 case records.

These cases highlight the dual impact of ransomware: direct operational downtime and longer-term trust erosion.

Part of a Global Trend

The UK’s measures align with global efforts under the Counter Ransomware Initiative (CRI), a coalition of 48 countries. The CRI’s 2024 report estimated ransomware caused over $30 billion in global economic losses annually. Unlike the US, which currently discourages but does not ban ransom payments, the UK is moving toward outright prohibition for its most vital services.

What Organisations Must Do

With ransom payment off the table, resilience becomes the only option. The National Cyber Security Centre (NCSC) recommends:
- Multi-Factor Authentication (MFA), which blocks 99.9% of credential-based attacks.
- Offline, immutable backups, tested regularly.
- Security awareness training, especially against phishing (still the entry point in over 60% of ransomware incidents).
- Incident response exercises aligned with NCSC guidance.

The ransomware economy thrives on secrecy and silence. The UK’s new measures end both.