An attack group known as ARES is now growing a reputation on the cybercrime landscape for selling and leaking stolen corporate and public authority databases.
The threat operator first emerged towards the end of 2021 on Telegram and since then has been associated with multiple malicious operators. These include the infamous RansomHouse ransomware gang, the network access group called Adrastea and the dedicated data leak platform known as KelvinSecurity.
The ARES Group currently manages its own site on the web, which features both database leaks and a hacker forum. Many experts believe that the gang’s website could now fill the gap left by the defunct cybercriminal forum known as Breached.
Reports issued by experts at Cyfirma state that the ARES Group is now displaying cartel-like behaviour and actively looking for new affiliations with other malicious operators.
Uncovering the ARES site
Dubbed “ARES Leaks”, the online platform is not based on the Dark Web, but instead hosted on the normal web. With extensive coverage, it offers access to leaks from approximately 65 countries, including France, Spain, and Italy in Europe, as well as those from the United States and Australia.
The website is known for hosting leaks involving a wide range of information, like email addresses, phone numbers, customer details, SSN, B2B, enterprise databases, passport information, forex data and even government leaks.
The threat group accepts payments in cryptocurrency from its members who seek to access the compromised data or purchase any of its available services. These span several areas, including vulnerability exploitation, malware development and pen-testing, along with distributed denial of service attacks.
Increased ARES hiring activity
According to reports from analysts at Cyfirma, activity on the ARES Leaks site has increased since the notorious Breached site shut down. At the end of last year, the ARES group was seeking to hire expert penetration testers and malicious software developers who were able to work in Syria, and was offering payment in cryptocurrency.
Additionally, ARES operates VIP and private channels, selling more valuable information from data leaks at high-profile organisations. Cyfirma also reported that ARES recently began making inroads into acquiring access to military databases. It actively promoted this interest via advertisements on other cybercrime platforms.
LeakBase is another project that is supported by the ARES Group. It launched early this year, and due to the closing of the Breached forum and aggressive promotion, it has accumulated many new sign-ups.
Hosted on the standard web, it offers free memberships and databases, as well as market space for users to sell leaks, services, leads and exploits. It also features an escrow payments system to help foster trust. The ARES-run forum also hosts areas for programming, tutorials, hacking tips, social engineering, cryptography, penetration, opsec and anonymity guides and group discussions.
While still nowhere near the stature of Breached at the present time, LeakBase is quickly growing a reputation for ARES and could soon rise to become a key hub for services, resources, and information for threat operators.
Experts believe ARES is a well-organised threat operator that keeps expanding its operations and services to encompass all major areas of cybercrime.