Hacking Humans 6.17.21
Ep 152 | 6.17.21

Answering a job ad from a ransomware gang.


Mantas Sasnauskas: There was an ad on this famous Russian hacking forum from REvil, a ransomware group. And they were basically looking for groups that would be willing to work with them and share their earnings.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Mantas Sasnauskas from CyberNews on how he and his colleagues applied for a job with a ransomware gang. 

Dave Bittner: All right, Joe, before we get to our stories this week, we've got some follow-up. We had a listener named Christopher (ph) write in. He wrote, (reading) Dave and Joe, just wanted to start by saying a quick thank-you for interviewing Colonel Hamilton and Mr. Kallberg. Dave, good interview. 

Dave Bittner: Thank you very much, Christopher. 

Joe Carrigan: Dave does a very good job with the interviews. 

Dave Bittner: (Laughter) I appreciate that. 

Dave Bittner: (Reading) I always enjoy getting a view from the top, so to speak. Joe, you actually called us war fighters. That's not a term we hear very much outside of the community, but indeed, that is what we are. Thank you for that. 

Dave Bittner: That's nice. 

Joe Carrigan: It's a lot easier than saying soldiers, Marines, airmen and sailors. Say war fighters. 

Dave Bittner: (Laughter) Right, right. 

Dave Bittner: (Reading) Question - I am just getting into the cybersecurity world, and I'm about to start my AAS in cybersecurity. From talking to people, they say degrees are relative, but certifications matter. Well, there's about 12.2 million different certifications, or at least it seems that way. 

Joe Carrigan: A little bit of a hyperbole, but yes. 

Dave Bittner: (Reading) What certs matter, and what is a good starting point for cybersecurity? Thank you. 

Dave Bittner: Well, Joe, this is a world that you are deeply involved in with your being at Hopkins (laughter). So... 

Joe Carrigan: Right, yes. Actually, at Hopkins, we don't put a lot of value on certs. 

Dave Bittner: Really? 

Joe Carrigan: Yeah. The professors there seem to think that they're more training focused. And it's true. They are more training focused. And our mission tends to be more education focused. And we do differentiate between those two. However, in - out in the real world, once you get beyond the ivory tower of the educated (laughter)... 

Dave Bittner: Right. 

Joe Carrigan: Right? - you do need these certifications. And the first certification I recommend for anybody in the United States, particularly if they want to do work with the United States government, is the TIA Security+. 

Dave Bittner: OK. 

Joe Carrigan: You should get that certification. It wouldn't hurt also to get a Network+. I don't think you need A+. That's the putting together PCs - or at least it used to be. I haven't looked at that in a couple years. But Network+ and Security+ would be great starting certifications. You don't have to have any time in the industry to get those certifications, just the training to understand things. 

Joe Carrigan: But Security+ is a minimum requirement for getting any job working with the federal government or as a contractor for the federal government. To do any of the networking stuff there, you have to have a Security+ certification at a minimum. 

Dave Bittner: OK. 

Joe Carrigan: So that's a good starting point. When you get into other certifications, it depends on where you want to go. If you want to go into penetration testing, the Certified Ethical Hacker's a good certification to get. There other certifications, like from (ISC)², like the CISSP. That is a great certification to have, but it requires five years of experience in the field. So it's not going to be your first certification. You can actually take the certification exam and then become, like, an associate member and have that as a certification. But it's not a full CISSP until you've been in the industry for five years. 

Joe Carrigan: So my recommendations - start with the Net+ and Security+. And then see where you're going to go in your career, and then get the certification that meets those requirements. The other thing is network. That helps a lot. Meet people. 

Dave Bittner: Oh, yeah, yeah, yeah. Mmm hmm. Right. 

Joe Carrigan: Look for mentors. The toughest job to get in cybersecurity is the first job. After that, they're all easy. 

Dave Bittner: (Laughter) Well, there's so much demand. But I think Christopher makes a good point here that despite there being demand - you and I have talked about this many times - the frustration we feel because they'll have these job listings for entry-level jobs. And they'll say, you know, entry-level job, minimum wage, 20 years' experience required. Here's a dozen certs that you need. 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: And, you know, it's like how - in what way, shape or form is that an entry-level job? But... 

Joe Carrigan: Yeah, exactly. I really want to just send the letter in or pick up the phone and call people and say, you're never going to fill this position. 

Dave Bittner: Right. 

Joe Carrigan: It's just not going to happen. 

Dave Bittner: Yeah. Well, maybe they have to learn that and then adjust what they're asking for. Who knows? I don't know. Not a world I'm involved with. 

Joe Carrigan: Right. 

Dave Bittner: But, Christopher, thank you for sending in your note. We do appreciate it. And, of course, we'd love to hear from all of you or - well, not all of you at the same time. But if you have a question, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's dive into some stories this week. I'm going to kick things off for us. My story comes from the Naked Security folks over at Sophos - Paul Ducklin, who's been a guest on our show before. And it's titled "How to Hack Into 5,500 Accounts... Just Using 'Credential Stuffing.'" 

Dave Bittner: And the article starts off with some common knowledge about passwords and password reuse and not using some of the more common passwords. Paul goes through some of the top passwords on the Have I Been Pwned database. 

Joe Carrigan: Right. 

Dave Bittner: 123456 is the most common password, with 24 million appearances on Have I Been Pwned. 

Joe Carrigan: Twenty-four million appearances for that password. 

Dave Bittner: Yup. There are some other things in here that they point out. You know, people - they often think they're being clever with their use of passwords and words. They'll say, like, oh, for my Facebook password, it's picklejarfb, and the FB is for Facebook, you know? 

Joe Carrigan: Right. 

Dave Bittner: But for Twitter, it's picklejartw. 

Joe Carrigan: (Laughter). 

Dave Bittner: For Instagram, it's picklejarig. Well, guess what. That... 

Joe Carrigan: Right. That's just password reuse. 

Dave Bittner: Right. How hard is it going to be for the bad guys who are going through these databases of passwords - if they - I guarantee you, if they see a suffix on a password that's -FB, the jig is up. 

Joe Carrigan: Right. 

Dave Bittner: They know... 

Joe Carrigan: Yup. 

Dave Bittner: They know what you're doing. 

Joe Carrigan: They've got you. 

Dave Bittner: In fact, they may - they probably have automated scripts to look for that sort of thing. I... 

Joe Carrigan: Absolutely. It's called a regular expression, and you can find it very easily. 

Dave Bittner: Yeah. So the story that Paul highlights in this article is about one gentleman who the Department of Justice actually charged. He was out of San Francisco. And this person made off with $800,000 in just a few months. What this person did was he would figure out what payroll service a particular company was using. 

Joe Carrigan: Right. 

Dave Bittner: Right? Because chances are if one employee is on a particular payroll service, everyone else is going to be, you know, on the same payroll service. That's generally how it works. 

Joe Carrigan: Right. 

Dave Bittner: Right? So one person's password, for example - or credentials, rather, would come up in a password breach for a particular payroll service. And let's say it was - you know, it was me@thecyberwire.com, right? 

Joe Carrigan: Right. 

Dave Bittner: And it was my login for a payroll service. Well, this person - this bad guy would then go to the list of employees at the CyberWire and look for the other folks who work here. They would follow the same pattern of their email addresses, right? That's easy to figure out... 

Joe Carrigan: Yup. 

Dave Bittner: ...Usually, right? 

Joe Carrigan: If it's not published on a website somewhere... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You might have to figure them out. 

Dave Bittner: Yeah. 

Joe Carrigan: But normally they're easier to get than that. 

Dave Bittner: It's usually a pattern. 

Joe Carrigan: Right. 

Dave Bittner: Most companies establish a pattern for their employee names and email addresses. So they would go through that. They would figure out that or assume that those people were using the same payroll service. Then they would go through and look for matching those emails with password databases online, some of the breached passwords that are out there. And they would just... 

Joe Carrigan: Credential stuff. 

Dave Bittner: ...Count on people reusing passwords. 

Joe Carrigan: Right. 

Dave Bittner: And as you and I know and our listeners know, way too many people reuse their passwords. 

Joe Carrigan: A lot of people, yeah. 

Dave Bittner: So they could log in to these payroll companies, stuff the accounts with the credentials. And as we say, this person would change the person's account information so that their next payment would go to a debit card account that he controlled rather than their own bank account. 

Joe Carrigan: Right. 

Dave Bittner: And over the course of about a year or so, back from 2017 to 2018, this person skimmed off about $800,000. 

Joe Carrigan: Wow. 

Dave Bittner: That's real money. 

Joe Carrigan: Yeah. That's a good payday for some - or good - a good salary. 

Dave Bittner: Yeah. The good news is this person got caught, and the DOJ is bringing them to justice, so that's good. Paul Ducklin has a few recommendations here. Of course, don't reuse passwords. 

Joe Carrigan: Right, yeah. 

Dave Bittner: And your clever variations on your password are not nearly as clever as you think they are. 

Joe Carrigan: Nope, 100% agree. 

Dave Bittner: And they are pretty much ineffective. Of course, use a password manager. Joe, have we mentioned using a password manager (laughter)? 

Joe Carrigan: A couple times, yeah. I seem to vaguely remember saying use a password manager. 

Dave Bittner: Right. We could change the name of the show to Use A Password Manager... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...And it would probably be effective. Turn on two-factor authentication. It struck me when I was reading this article that if folks had two-factor enabled for their payroll accounts - in other words - you know, to either log in to the payroll accounts or if their payroll account allowed them to have some sort of notification if any of their critical information was changed... 

Joe Carrigan: Right. 

Dave Bittner: ...That would go a long way towards preventing this sort of thing. 

Joe Carrigan: Yes, that's a good point, that the company kind of bears some responsibility here. When somebody logs in and changes account information for where you're going to send their paycheck, their livelihood... 

Dave Bittner: Right. 

Joe Carrigan: ...You owe at least an email to that person. Well, maybe... 

Dave Bittner: Somebody should get notified, if not the folks at your company who are handling payroll. 

Joe Carrigan: Yeah, somebody should get notified. 

Dave Bittner: Yeah. And then they can decide what to do about it. 

Joe Carrigan: Right. 

Dave Bittner: So if your payroll system enables you to do that, then you should definitely do that. And if it doesn't, ask them why. 

Joe Carrigan: Right. 

Dave Bittner: (Laughter) Say, this is something we'd like to have. And then, of course, report payment anomalies. If you notice anything is wrong with your payments or your salary, whatever, and anything coming to you from your company, the sooner you report it, even if it's something that seems odd, like you see a charge for a dollar or a... 

Joe Carrigan: Right. 

Dave Bittner: Because a lot of times, these folks are testing to see if the system works, to see if they can indeed make money move around. 

Joe Carrigan: In fact, a lot of services use micropayments as a way to test that banking information is correct before they actually send real payments. 

Dave Bittner: Right, right. 

Joe Carrigan: So if you see that kind of activity and you didn't request it, you know something's up. 

Dave Bittner: Yeah, absolutely. All right, well, that is my story this week. Again, that's from Paul Ducklin over at Naked Security. We'll have a link to that in the show notes. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from Becky Bracken over at Threatpost. And she is talking about two recent reports. And the first one comes from the Threat Intelligence Team with GreatHorn. And we've talked about some of their research before. They've made a discovery about people sending lewd or adult-related phishing lures into people's email accounts. This is the interesting part. It's not simply just libido driving users to click these suggestive scams. These things are intended to shock the user. 

Dave Bittner: Oh. 

Joe Carrigan: Right? So think about it. You're at work. 

Dave Bittner: Yeah. 

Joe Carrigan: Maybe you work in a cubicle farm, and someone sends you in something that's rather suggestive. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: Right? 

Dave Bittner: Suggestive or perhaps explicit? 

Joe Carrigan: Explicit... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...Suggestive of explicit material... 

Dave Bittner: Right. 

Joe Carrigan: ...That kind of thing. 

Dave Bittner: Right. OK. 

Joe Carrigan: And you're like, whoa, this can't happen at work. I can't have this kind of thing going on. Maybe you... 

Dave Bittner: Right. 

Joe Carrigan: You know. 

Dave Bittner: Because that's the moment when your boss - just passing by your cubicle and looks in. 

Joe Carrigan: Right. 

Dave Bittner: And that's up on your screen, and now you're in trouble. 

Joe Carrigan: Exactly. It opens the door for them to make the reckless click, right? And I like the term that they've come up with here. They call it dynamite phishing. Are you familiar with the idea of dynamite fishing? 

Dave Bittner: (Laughter) I am familiar with dynamite fishing, yes. 

Joe Carrigan: (Laughter) OK. For those of you who may not be familiar with it, you sit in a pond full of fish, and you light a stick of dynamite, throw it over the boat and wait for the dynamite to go off and then simply roll around and pick up the fish that you've stunned. 

Dave Bittner: Right, collect all the fish who've floated to the surface. Yeah. 

Joe Carrigan: It doesn't always involve explicit material, but the goal is to put the user off balance, to scare them or put them into an - into some kind of excited emotional state and decrease the brain's ability to make rational decisions. 

Joe Carrigan: So, Dave, I want to make a streaming recommendation to our friends. If anybody has Netflix, they have a documentary series on there called "Human: The World Within." And the first episode is called "React." It spends a good bit of time talking about how people react in these kind of situations. And they have one story about a woman who was in Puerto Rico when Hurricane Maria hit and how she actually shut down, right? 

Joe Carrigan: And it all starts - this is the same thing in social engineering. They're trying to fire off a part of your brain called the amygdala - right? - and trying to get you to just cognitively - your focus to narrow, that cognitive narrowing focus. We had a guest who talked about that a couple months ago. It's remarkably effective. And while it's great out in the woods when you're confronted with a bear... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...It's not good when you get one of these emails. 

Dave Bittner: Right. Right. 

Joe Carrigan: Right? These URLs that are in these emails essentially do one of three things - either download malware, they send users to a bogus site to trick them into giving up their payment information or they track users for a follow-up attempt. And they use a link trick called email pass through, which really just puts a unique number that they know who is clicking on the link. Once you click on the link, that actually opens you up to being blackmailed. Hey, why were you looking at this, right? 

Dave Bittner: Oh, I see. 

Joe Carrigan: Right? And GreatHorn thinks that this is part of their scam - is that they're going to further exploit these people and try to get them. So if you get one of these emails, just delete it. It's - try not to be shocked. That's also a good point. In the case of the woman from Puerto Rico, what she did to overcome that shock again was she enrolled herself to become an emergency response person. 

Dave Bittner: Oh, wow. 

Joe Carrigan: So that now she's comfortable with getting into these kind of positions and knows how to react. She's experienced them - right? - through training. And that's what we talk about frequently here. I thought it was a great show. And I thought, you know who'd really like this is the listeners to "Hacking Humans." 

Dave Bittner: (Laughter) There you go. 

Joe Carrigan: I make that recommendation. 

Joe Carrigan: The second report comes from Agari. Their Cyber Intelligence Division, they call it ACID. What they did was they put out 8,000 account credentials that they had control of onto a phishing site. And they wanted to see what happened. And a quarter of those account credentials were automatically tested as soon as they were posted. So these guys are out there watching these things, and they test them immediately as soon as you drop the information. 

Joe Carrigan: There are three families of attacks that were responsible for 85% of the activity, demonstrating that it was a small number of actors or, more likely this - in my opinion, versions of phishing code. So I think there are these kits out there that just let people try these things out. 

Dave Bittner: Right, it's just all automated. 

Joe Carrigan: Right. I think it's more likely that there are three or four of these big products out there, not three or four groups. I think there's hundreds of groups using these same three or four products. Ninety-two percent of the compromised accounts were manually breached by an attacker. About 20% of those manually breached in the first hour. And 91% were accessed within the first week of compromise. 

Dave Bittner: Wow. 

Joe Carrigan: If your email credentials wind up in a phishing attack, you're 91% likely to have someone get into that account within a week, is what that's saying. The majority of these accounts were only accessed once, but some of them were accessed for long periods of time where these guys maintain access. And as these attackers gained access to an increasing number of accounts, they were used to launch additional attacks, which makes sense, right? 

Dave Bittner: Yeah. I wonder about the single access. Does that just mean they're collecting them to then sell to other people? 

Joe Carrigan: Probably. 

Dave Bittner: That's what it sounds like to me. 

Joe Carrigan: Yeah, probably. They saw these scammers create forwarding rules, pivot into other applications like Microsoft OneDrive and Microsoft Teams, attempt to send outgoing phishing emails, sometimes by the thousands, and use the accounts to set up infrastructure for business email compromise attacks. So two studies, really interesting studies - we'll put a link in the show notes, and you can take a look at the article. 

Dave Bittner: Yeah. And again, I mean, so much of this, if you had multi-factor authentication enabled... 

Joe Carrigan: Right. 

Dave Bittner: ...It would shut a lot of this down, right? 

Joe Carrigan: Shut a lot of it down, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Because a lot of this stuff is automated. And to get by multi-factor authentication, you kind of have to give each account personal attention. And these bad guys don't have the time to do that. 

Dave Bittner: Right. 

Joe Carrigan: Right? So they're going to script it. 

Dave Bittner: Right. 

Joe Carrigan: They're going to go for the low-hanging fruit. 

Dave Bittner: All right. Well, interesting stuff for sure. We will have links to both of those studies in our show notes. Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day is a short one today, and it comes from a listener named Stof (ph). Stof writes, received this call just now - never heard one this convincing. Nearly got me, too. 

Joe Carrigan: And he has a quote in there. It says, (reading) hi. This is amazon.com. This call is to authorize payment of 700 - something, something - dollars for your purchase of an iPhone 11. If you didn't make this purchase, please press 1 to speak to customer service. 

Joe Carrigan: Then he writes, because I have recently made some purchases from Amazon and this is the first time I've done it in a long time, I immediately feared my credit card had been leaked or my account credentials stolen and someone was making purchases, so it nearly got me to press 1. But I realized it was likely a scam and that I should contact the company directly myself to ask them if they attempted to call me about this. Love the show. Keep up the great advice. 

Joe Carrigan: They hit stop right at the right time, right? He doesn't normally shop at Amazon, and he had made some purchases recently, and then he gets this call. And that's how these things work, right? You send out hundreds of these calls, thousands of these calls, hoping to find the person in Stof's position, who responds and goes, uh-oh. Then you have a problem, right? 

Dave Bittner: Right. 

Joe Carrigan: You know, use - the victim are like, I better push 1 because I want to make sure that - did I order the right phone? I thought I ordered an Android phone. It's a random chance. But if you put enough calls out there, you're going to hit somebody like this. So good on Stof for not falling for this. 

Dave Bittner: A phone tree where you have to press 1 - that sounds like Amazon, right? 

Joe Carrigan: Right, right. 

Dave Bittner: That sounds like a big company. You know, it doesn't sound like just some scammer who's calling you directly. So it lends some credibility to it. 

Joe Carrigan: If you do get one of these calls, do not scam bait these guys because they're calling your phone number. They already have your number. 

Dave Bittner: Right, right. All right, well, thank you, Stof, for sending that in. Again, we would love to hear from you. You can send your Catch of the Days to hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Mantas Sasnauskas. He is from CyberNews. And he shares the story of how he and his colleagues applied for a job with a ransomware gang. Here's my conversation with Mantas Sasnauskas. 

Mantas Sasnauskas: I was quite interested and involved into tracking some smaller-time cybercriminals starting some time ago. Then I tracked this old-school IRC botnet, then another one. And then I thought, hey, why not try to infiltrate or whatever, talk with these guys that are doing some serious business and maybe get some insight how it all works from being inside or being one of them? 

Dave Bittner: Well, let's walk through it together. I mean, how do you get your start? Where do you find these folks, first of all? 

Mantas Sasnauskas: Phishing (ph) from my side was quite easy. There was an ad on this famous Russian hacking forum from REvil, a ransomware group, and they were basically looking for groups that would be willing to work with them and share their earnings. So they basically take, like, 30% of their share, and they give 70% to the affiliate group. 

Mantas Sasnauskas: Basically, affiliate groups - they do all the hard work like initial compromise, hacking the company, doing lateral movement and basically putting, with this specific one, Cobalt Strike Beacon. And then the main group - in this specific case, they were working with Ragnar Locker. They provide the locker and the service to extort the money from the company then. 

Dave Bittner: So you start a conversation with these folks. And how do they go about vetting you, making sure that you're someone they want to do business with? 

Mantas Sasnauskas: When they posted the ad, I got several requests. And some were not serious. But this specific request sounded quite serious, and it seemed that these people knew what they were talking about. And basically, they invited me to join in. 

Mantas Sasnauskas: Then I replied to the ad wanting to join this affiliate group since, I mean, I knew a little bit - probably more than a little bit - what they were looking specifically and what skills do these people should possess. So I basically, you know, social engineered my way into it so my application would be interesting for them or, like, what they were looking for. So, yeah, then we started talking. They were very adamant that they were looking for people who are native Russian speakers. 

Dave Bittner: I'm going to go out on a limb here and say that you are. 

Mantas Sasnauskas: To be honest, I am not a native Russian speaker. 

Dave Bittner: Oh. 

Mantas Sasnauskas: So I had to use my co-worker to help me out. 


Dave Bittner: Forgive my American ignorance. What is your native language? 

Mantas Sasnauskas: Lithuanian. 

Dave Bittner: Ah, OK. 

Mantas Sasnauskas: To be honest, a lot of people in Lithuania do speak Russian, and a lot of them speak it very well. But I'm from a newer generation that speaks in English better than Russian. 

Dave Bittner: I see. 

Mantas Sasnauskas: And besides, like, they are very adamant because they use, like, slang and spoken language. So if they sense that you might not be, and I was afraid of that, they might just stop the whole communication. 

Mantas Sasnauskas: Like, our communication happened through the qTox chat, and you basically do not have nicknames. So basically, I, like, social engineered a persona that lived in a certain country - not in Russia, but in another country, neighboring Russian country - the - like, a town and everything because they did ask me some things that, you know, you could not Google, probably, or you would have to Google very well to answer that, like a street name or whatever or, like, what's on that street. So, yeah, there was this one specific question from them once. 

Mantas Sasnauskas: But when - I think when they were quite comfortable with me, that I'm, like, a Russian speaker and I have very good cybercriminal skills or these skills to hack, penetrate the company, then they were quite willing to share some more information with me. 

Dave Bittner: And what information did they share? What did you learn from there? 

Mantas Sasnauskas: Yeah. So basically, they started asking me some things, and they started telling me how they worked. So, I mean, for probably most of the people that are involved in these, like, ransomware investigations or whatever, it might be just a known thing. But, yeah, so basically, they have targets. They do a very thorough OSINT and espionage on companies. 

Mantas Sasnauskas: And in this specific group, there were four people, which one identified as the No. 1 guy - he didn't have any nickname - and the other guy that I called No. 2 guy because I thought he was like kind of, like, No. 2 guy. So, yeah. So the No. 1 guy would do, like, a very thorough OSINT, espionage on companies. The selection process took maybe, like, two weeks or so. And then on Friday evening, they basically - the main guy, No. 1 guy, says, we have five targets - he gives out the targets - and do your work. 

Mantas Sasnauskas: So basically, this specific group would compromise the company or would have a company already that an RDP port that is vulnerable or a Zerologon bug. And then they would go on and compromise Microsoft HDA process, basically for scripting, and then work their magic with Cobalt Strike, which is probably, like, No. 1 tool that they use. And - yeah. And then after they do, like, all the lateral movement and have the whole company's network in their tentacles, then they put the beacons in there. 

Dave Bittner: I see. Now, at some point, you know, you decided that it was not acceptable for you to keep going with them. But had you played along longer, what would their expectations of you have been? What would they have called upon you to do specifically? 

Mantas Sasnauskas: And they did. So, yeah. So I ended up - kind of ended when they gave out the targets. So they expected me to work those targets as well with them together. And I had to somehow ditch that work. So I made, like, totally lame excuses to them. And I thought, OK, this is it. They will not going to respond to me anymore. They will stop all the communication with me and so on. 

Mantas Sasnauskas: But to my surprise, they did not. That No. 2 guy still kept talking with me. And I said, OK, maybe I'm not that skilled. You know, I couldn't do that. And maybe you can teach me somehow, you know? So he then promised me to add me to this other group that basically, like, that needs to learn more. But that never happened. I was expecting maybe, but that never happened. 

Dave Bittner: Yeah. Interesting that there are several levels here, you know, where they had a way to kind of train people up to have the skills that they needed once they vetted you. 

Mantas Sasnauskas: Yeah. But, I mean, from when we talked about everything - and it was - for me, the hard part was to understand all the slang in Russian, like PowerShell or Cobalt Strike or MS HDA. They had some grammar mistakes even in Russian. Or, like, you know, when they type it very quickly in the chat, and sometimes you have to act very fast to reply because they were - quite often they would say, hey, where are you, why are you not replying and so on, while in the meantime, I'm asking my friends who are working in infosecurity, older friends who know Russian well, and I'm like, hey, do you know what this could mean? 

Dave Bittner: (Laughter) Right, right. So you have several chat windows open simultaneously. 

Mantas Sasnauskas: Yeah. That was - I mean, it was fun and also quite exhausting at some times, yeah. 

Dave Bittner: Sure, sure. I mean, it's a high-stress situation to be in. 

Mantas Sasnauskas: Yeah. Also, I mean, from how they talked, they were very different from those people that I used to chat - yeah - probably, like, younger people who these IRC botnet creators or so on. Or, like, majority of people that are probably on right (ph) forums, they're kind of, like, trolls and not very serious. But these people, when you talk with them, it's like, you know, you would be going to work for Barclays (ph) or whatever. 

Dave Bittner: I see. There's a certain amount of professionalism there. 

Mantas Sasnauskas: Yeah, yeah, yeah. 

Dave Bittner: What did you come away with? I mean, what was your sense of these folks? You know, you had to break off contact at some point. But overall, what are the lessons that you learned here? 

Mantas Sasnauskas: So I think they're very serious. My hunch is probably they even have other daytime jobs, like working as system administrators or whatever, but maybe not if they're earning quite a lot of money. But, yeah, from what I understand, they're very, very serious people with also very good skills. 

Dave Bittner: Was it surprising to you that you were able to get in with this group relatively easily? Or, I mean, was it really the Russian language skills that was the highest bar of entry or... 

Mantas Sasnauskas: I think so. 

Dave Bittner: What was your take on that side of things? 

Mantas Sasnauskas: To me, it was quite surprising, actually. I mean, I thought it will be harder because I think - well, OK, since this article is now published, I don't know if they read it. I hope not. Or maybe. 

Dave Bittner: (Laughter) Right. 

Mantas Sasnauskas: Maybe they are going to be listening to this and they will identify that I am the one that was talking to them. 

Dave Bittner: Right, right. 

Mantas Sasnauskas: Yeah, I don't know. Like, also, one of the things that I learned from this is how they cash out the money, which was probably the most interesting part for me. Even if you receive your, you know, ransom, the bitcoins, and you're on the radar from - I don't know - probably, like, Europol, Interpol, FBI, whatever, then you should be very careful with your bitcoins and how you cash out. And I didn't even ask them. They asked me if I have means to cash out my cryptocurrency that I'm going to be receiving so I won't be tracked. 

Dave Bittner: So were they looking to you to help them launder that money at all, or was it just for your own profits? 

Mantas Sasnauskas: No, just for my own profits because that's when they told me that they have means to, yeah, like, launder the money, to get cash from those bitcoins that would be untraceable. And - yeah. And basically, they introduced me to another person, who basically runs the crypto exchange. And the - they use those un-legitimate (ph), kind of legitimate crypto exchanges that doesn't have KYC - Know Your Customer. And those crypto exchanges, they help them cash out the money for a fee. When I say cash out, like literally bring the money in cash. 

Dave Bittner: (Laughter) Right, right, right, Did you get any sense for these folks as individuals, you know, the types of people that you're - we're dealing with here? I mean, it sounds like they're very professional. Was there a matter-of-factness to the way that they interacted with you? 

Mantas Sasnauskas: There wasn't a sense of danger at all. Like, I mean, it was just like talking to the - your co-workers, kind of friends, especially since we were talking for quite some time chatting together. I mean, I don't think that they considered me as their friend because they were always saying, like, when you get the targets, then you will show what you're worth. 

Dave Bittner: They maintained a certain skepticism toward you, hoping that you were going to, you know, show your worth with the things that you were able to do. And, of course, never got to that point. 

Mantas Sasnauskas: Never got to that point - exactly, yeah. I mean, there were some other interesting parts that this particular group, these two people - like, four people in total, but I think these two people together, they were working since, like, 2009 and doing some other stuff, like selling access to the companies, compromising them and then going on to ransomware. I think this particular group is kind of like a veteran group already. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: What a great idea, trying to infiltrate a ransomware gang. This is so interesting to me. I'm fascinated by money laundering and how they go about this. I understand the structure that a lot of these ransomware gangs use. And what he applied to was a - an affiliate group 'cause these ransomware gangs have affiliate programs. They're almost franchising ransomware. 

Dave Bittner: Right. 

Joe Carrigan: You go out, you get the business, and then we'll take care of everything else and take a 30% cut, which is a pretty lucrative cut for the people that actually do the penetration. It's 70%. 

Dave Bittner: Yeah. 

Joe Carrigan: These people post ads, so it's pretty easy to get in. It's interesting how they were looking for people who spoke Russian natively, and they were going to filter that out by using things like slang and knowledge of specific areas. But Madras (ph) was successful in socially engineering his way into one of these gangs... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which is - I think is fascinating. Once he gets into the gang, you find further businesslike structure in there. You've got a leader. You've got a guy who's responsible for OSINT, which is open-source intelligence gathering. You've got a guy who's responsible for breaking into things, which is what Madras (ph) was one of. And these guys take their job seriously, and they're very skilled. 

Joe Carrigan: And then they even go so far as to say, we'll help you get the money out by using one of these semi-legitimate crypto exchanges that literally bring money to the customers... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Which is... 

Dave Bittner: In cash. 

Joe Carrigan: Yeah, in cash. So you send them your crypto coin, your bitcoin or whatever, and they buy it and then bring you cash, of course, minus some fee. 

Dave Bittner: Yeah. 

Joe Carrigan: But you still make out fairly well. This was an interesting interview. I really enjoyed it. 

Dave Bittner: Yeah, yeah. Well, we appreciate him taking the time for us. Interesting insights into how some of this happens. And it's good to see the folks infiltrating these types of groups that, you know, they're not as bulletproof as they seem to be or hope to be. 

Dave Bittner: Well, that is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.