The Bully Gang is a newly-founded ransomware group that has been active since October 2022. This group has already committed attacks against several companies around the world, including a major attack against the Insurance Regulatory and Development Authority of India (IRDAI), in which a large amount of personal and sensitive information was leaked.
According to our research on the group’s Telegram channel, it is highly probable that the Bully Gang is based in the United States. This conclusion is based on several factors, including the operators’ high level of English and use of United States slang and phrases, the group’s name (which references an actual gang in New York City), and the presence of United States themes and references in photos and pictures uploaded to the channel.
If the Bully Gang is indeed based in the United States, this is a unique and interesting case.
Most known cybercrime organizations are based in Eastern Europe, or at least present themselves as such. This is likely due to the more enabling policies of law enforcement in these regions. While there have been some western cybercrime groups in the past, they have typically been quickly arrested, disrupted, and shut down compared to their Eastern European counterparts. An openly active United States based ransomware group is therefore a rare phenomenon.
The existence and activity of the Bully Gang raises questions about the authorities’ perception of the group and the steps that will be taken against it. Will the Bully Gang succeed in remaining active, or will it be shut down? If it succeeds, will other United States ransomware groups follow in its footsteps? It will also be interesting to see if there are differences in victim selection or attack patterns between the Bully Gang and more traditional cybercrime groups.
