Log in
Show password
Forgot password ?
Become a member for free
Sign up
Sign up
New member
Sign up for FREE
New customer
Discover our services
Dynamic quotes 
  1. Homepage
  2. Equities
  3. Japan
  4. Japan Exchange
  5. Trend Micro Incorporated
  6. News
  7. Summary
    4704   JP3637300009


SummaryMost relevantAll NewsOther languagesPress ReleasesOfficial PublicationsSector news

Trend Micro Incorporated : Ransomware Operators Found Using New "Franchise" Business Model

10/15/2021 | 09:32am EST

Shared infrastructure

To date, we have found fifteen onion addresses used by at least four different servers, and three others still unknown.

Onion Address Server
w6ilafwwrgtrmilorzqex6pgpvfsa667fydca2wpoluj6sajka225byd[.]onion A
accdknc4nmu4t5hclb6q6kjm2u7u5xdzjnewut2up2rlcfqe5lootlqd[.]onion A
c6zkofycoumltpmm6zpyfadkuddpmlqk6vyd3orrfjgtq3vrgyifl6yd[.]onion A
3klsbd4dwj3yqgo4xpogfgwqkljbnbdxjryeqks2cjion5jj33wvkqyd.onion B
yk7erwdvj4vxcgiq3gmcufkben4bk4ixddl5j2xvu7gurtdq754jmiad.onion B
z4cn6lpet4y4r6mdlbpklpcrjdruwb6kiuvxn6gsiuoub23z6prlx6ad.onion B
ibih5znjxf2cqgo737xmooyvmxhac45wd4rivh6n5hd7fysn42g3fayd.onion B
ikrah6fb4e6r2raxkyvyoxp22jam5z6ak5ajfnzxutmassoagvr2bhad.onion B
hceesrsg6f5p4gcph4j6jv6vl4mkmaik735oz4r45lgjfyedsxfoprad.onion B
qfgh2lpslhjb33z3wsenmqrxcdragelinvcpowlgkbjca6yig5zloeyd.onion B
x4mjvffmytkw3hyu.onion C
tpze4yo74m6qflef.onion D
evl425tkt4hkwryyplvqu6bn6slfow3fa4xwgvwe5t4zf6gizs3ewuyd.onion Unknown 1
xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion Unknown 2
zckdr5wmbzxphoem77diqb2ome2a54o23jl2msz3kmotjlpdnjhmn6yd.onion Unknown 3

Table 1. The onion addresses used by the different servers

And here is how they relate to the group:

Server XingLocker AstroLocker Team
A x
B x x
C x x
D x
Unknown 1 x
Unknown 2 x
Unknown 3 x

Table 2. The different servers in relation to XingLocker and AstroLocker Team

While this is not a sophisticated innovation, it is important to highlight that ransomware groups are looking for new ways to run their affiliate programs and RaaS businesses. This form of shared infrastructure and code can make things harder from an investigative point of view. It is not uncommon to find XingLocker samples detected as Mount Locker, or identify two different onion addresses pointing to the same onion service but used by different groups. Investigators should be aware of these factors when researching ransomware.

Why is this important? Most RaaS models operate by affiliates working with the ransomware group to install a specifically named ransomware on as many machines as possible, then splitting the profits. This is advantageous for the attackers because when victims look up the ransomware and see many reports about it, they are more likely to pay. As a disadvantage, affiliates are largely anonymous and can't use these attacks as the basis of THEIR own criminal business. They are just like managers in a burger chain.

It seems likely we have now observed a new "franchise" RaaS model involving XingLocker, AstroLocker and Mount Locker. In this model there seems to be a main RaaS (in this case Mount Locker), and then affiliates license the ransomware and release it under their own name and brand.

In this scenario, the affiliates are like managers of their own local burger joint, getting products from a generic food supplier. The products are provided by the parent company, but the individual operators conduct business under their own branding, with unique names and images. This method gives more flexibility and recognition for the affiliates, especially mid-tier aspiring criminal gang leaders. One disadvantage is that it means less brand recognition for specific ransomware, so victims may be less inclined to pay. Of course, from an investigation point of view, this method adds confusion in terms of naming and makes tracking harder.

How to Defend Against Ransomware

Ransomware is a continuously evolving threat, and organizations should be vigilant in maintaining the best and most effective security policies and practices. Protection frameworks set by the Center of Internet Security and the National Institute of Standards and Technology can help organizations prevent and mitigate the impact of ransomware attacks:

  • Audit and inventory: Take an inventory of all organizational assets and data, and identify authorized and unauthorized devices, software, and personnel accessing particular systems. Audit and monitor all logs of events and incidents to identify unusual patterns and behaviors.
  • Configure and monitor: Deliberately manage hardware and software configurations, and only grant administrative privileges and access to specific personnel when absolutely necessary. Monitor the use of network ports, protocols, and services. Implement security configurations on network infrastructure devices such as firewalls and routers, and have a software allow list to prevent malicious applications from being executed.
  • Patch and update: Perform periodic vulnerability assessments, and conduct regular patching or virtual patching for operating systems and applications. Ensure that all installed software and applications are updated to their latest versions.
  • Protect and recover: Enforce data protection, backup, and recovery measures. Implement multifactor authentication in all devices and platforms used whenever available.
  • Secure and defend: Perform sandbox analysis to examine and block malicious emails. Employ the latest version of security solutions to all layers of the system, including email, endpoint, web, and network. Spot early signs of an attack such as the presence of suspicious tools in the system, and enable advanced detection technologies such as those powered with AI and machine learning.
  • Train and test: Perform security skills assessment and training for all personnel regularly, and conduct red-team exercises and penetration tests.

Trend Micro Solutions

Organizations can benefit from security solutions that encompass a system's multiple layers (endpoint, email, web, and network) not only for detecting malicious components but also for close monitoring of suspicious behaviors in the network.

Trend Micro™ Vision One™ provides multilayered protection and behavior detection, spotting questionable behaviors that might otherwise seem benign when viewed from only a single layer. For an even closer inspection of endpoints, Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware. This allows detecting and blocking ransomware early on before it can do any real damage to the system.

With techniques such as virtual patching and machine learning, Trend Micro™ Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. It also takes advantage of the latest in global threat intelligence to provide up-to-date, real-time protection.

Ransomware often gets into the system through phishing emails. Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block ransomware before it gets into the system.

For the Indicators of Compromise, please see this document.


Trend Micro Inc. published this content on 15 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 15 October 2021 13:31:06 UTC.

ę Publicnow 2021
12/07PUSHING FORWARD : Key Takeaways From Trend Micro's Security Predictions for 2022
12/03TREND MICRO INCORPORATED : Vulnerabilities Exploited for Monero Mining Malware Delivered v..
12/03TREND MICRO INCORPORATED : This Week in Security News - December 3, 2021
12/01WHAT TO DO AT AWS RE : Invent 2021 - Day 3
12/01TREND MICRO INCORPORATED : Analyzing How TeamTNT Used Compromised Docker Hub Accounts
11/30TREND MICRO INCORPORATED : What You Can Do to Mitigate Cloud Misconfigurations
11/29TREND MICRO INCORPORATED : Campaign Abusing Legitimate Remote Administrator Tools Uses Fak..
11/29AWS RE : Invent 2021 Guide: Checklist & Key Sessions
11/29TREND MICRO INCORPORATED : Cloud One Network Security-as-a-Service
11/24TREND MICRO INCORPORATED : COP26 Backs Electric Vehicles to Reduce Climate Change
More news
Sales 2021 188 B 1 656 M 1 656 M
Net income 2021 34 873 M 307 M 307 M
Net cash 2021 182 B 1 604 M 1 604 M
P/E ratio 2021 27,0x
Yield 2021 2,83%
Capitalization 927 B 8 161 M 8 168 M
EV / Sales 2021 3,96x
EV / Sales 2022 3,68x
Nbr of Employees 6 975
Free-Float 95,4%
Duration : Period :
Trend Micro Incorporated Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends TREND MICRO INCORPORATED
Short TermMid-TermLong Term
Income Statement Evolution
Mean consensus HOLD
Number of Analysts 11
Last Close Price 6 640,00 JPY
Average target price 6 948,00 JPY
Spread / Average Target 4,64%
EPS Revisions
Managers and Directors
Yi Fen Chen President, Group CEO & Representative Director
Mahendra Negi Group CFO, Representative Director & VP
Ming Jang Chang Chairman
Max Cheng Chief Information Officer & Executive VP
Kevin Simzer Chief Operating Officer
Sector and Competitors
1st jan.Capi. (M$)
SEA LIMITED24.02%136 920