Groove Gang making a name for themselves.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Michael DeBolt: The affiliates are kind of wanting to get their name out there and say, hey, you know, we do great work ourselves – we don't need to be cast in the shadows of the ransomware operators. We can kind of make a name for ourselves. That's kind of what we're seeing right now.
Dave Bittner: That's Michael DeBolt. He's Chief Intelligence Officer at Intel 471. The research we're discussing today is titled, "How Groove Gang is shaking up the Ransomware-as-a-Service market to empower affiliates."
Michael DeBolt: Well, first of all, big shout out to the McAfee Advanced Threat Research Team, who we collaborated with on this. If you haven't already, check those folks out. They do amazing stuff. Yeah, as far as you know, kind of understanding and wrapping our heads around what we mean by a shake-up of the traditional model, I think it's first really important to understand the nuts and bolts of what we mean by the traditional ransomware-as-a-service model. And when you think about it, for the most part, ransomware operations are split into two distinct roles. You have affiliates and you have service operators. Sometimes we call those developers as well. Affiliates, those are the folks who, nowadays – it hasn't always been like this – but nowadays they're fairly skilled penetration testers. Their job is to basically go out and find and gain access to new target networks, move laterally, escalate privileges, ultimately find their way to an organization's domain controller, and then hand off the keys, basically, to service operators or the ransomware service operators – we call them developers as well. They develop the actual ransomware malware, they run the infrastructure needed to successfully extort the victims, they have the decryption keys, they run the name-and-shame blogs. They do all the payment processing and sometimes even the call centers.
Michael DeBolt: So, historically, you know, you have these two distinct roles. It's been almost like a structured hierarchical setup, with the service operators being at the very, very top, kind of calling the shots, and the affiliates as, I would call the "workhorses" at the very bottom. Yeah, and so you have this situation where historically it's been a very hierarchical setup. Now, as we're seeing with this Babuk fallout – we'll talk about that, I'm sure – the affiliates are kind of wanting to get their name out there and say, hey, you know, we do great work ourselves. We don't need to be cast in the shadows of the ransomware operators. We can kind of make a name for ourselves. So that's kind of what we're seeing right now, is breaking up the hierarchical structure.
Dave Bittner: Now, is it fair to say that this hierarchical structure was functioning fairly smoothly for a while, that at the outset, as it was established, it seemed like all parties were doing well and profiting from it?
Michael DeBolt: Yeah, absolutely. I mean, you just look at the news headlines, right? Ransomware has been prolific over the last two years. I mean, there's nothing to suggest that anything is necessarily wrong with the hierarchical model. It's been quite successful. People have made, you know, cybercriminals have made tons and tons of money, billions of dollars. But what we've seen is a shift in, you know, back in the day when you had ransomware, like in 2014 and even earlier, you had affiliates kind of casting a wide net, if you will. So they would be botnet operators looking for installs. It was more of a quantity game versus a quality game. Whereas now, the skills that an affiliate needs to have is more about big game hunting. So, finding the juicy nuggets, finding the targets that are really going to pay off in the end, and that requires a little bit more of a skill set. So you're starting to see this – I would say this imbalance emerge between the skills that are required for a ransomware operator and what's required of an affiliate, and affiliates are starting to realize that they can make a name for themselves.
Dave Bittner: Hmm. Well, take us through, I mean, when did we start to sense that there was some unhappiness between the developers and their affiliates?
Michael DeBolt: Yes, it really started earlier this spring, back in April of 2021. This saga, if you will, started back in April, when we saw the DC Metropolitan Police were actually breached and their data was leaked by a ransomware group called Babuk. This gained a lot of really unwanted public attention from the group and also from the underground community writ large. So what they did was they announced that they were shifting tactics. They were going to move away from traditional encryption-based extortion. They were only going to do data exfiltration and then naming and shaming. They released their ransomware source code to the public as sort of proof that they were going to do this, and they shut down their affiliate program. What they were trying to do is get back below the radar, operate in the shadows, basically telling the world that they were done with locking up victim computers. And this was really the beginning of Babuk's fallout and the eventual rise of what we now see as the new RAMP forum, which we detail in the blog, and also a corresponding group we know as Groove, which are likely ex-affiliates or perhaps even a subgroup of Babuk.
Michael DeBolt: And then in May, we saw the Colonial Pipeline attack happen and really the forum administrators from across the popular forums, they got real nervous. They started reacting, saying, oh no, what's going on? You know, we're kind of getting exposed out there in the public. This media attention is a little bit too much than we want to deal with. So they sort of banned all this ransomware activity on their platforms, which was quite a big deal. They wanted to, again, stay away from the heat caused by that high-profile event. The mentioned DC Metropolitan Police hack was another high-profile incident, they were – the underground community was becoming toxic and dangerous. Those are the kind of words that they used. So they banned all these ransomware operators. So you kind of start seeing some of the fallout of Babuk in early April, then you see the ransomware operators getting banned. It's kind of setting the stage here for these affiliates who are, like I said, kind of this underlying workhorse for these ransomware operators saying, you know what, maybe it's time for us to start making a name for ourselves.
Michael DeBolt: So then, in July, we saw this new forum emerge called RAMP and this group called Groove. And interestingly, as we detail in the blog, this new forum and the blog that was created was hosted on the same Tor-based resource that was previously hosted by Babuk, their name-and-shame blog. So there's some connections there that were quite interesting between this new group and Babuk.
Dave Bittner: Can you give us some details about this RAMP forum itself? I mean, did it – was it a brand new thing that spun up in order to host this sort of thing? Or was it pre-existing, and they welcomed – since there was a vacuum for a place for folks to advertise these sorts of wares?
Michael DeBolt: Yeah, so this is not the first time we've seen, I guess, what we would call a network access marketplace. There's a couple of other ones out there. What makes this one interesting is the connection between a known ransomware group in Babuk and actually, there's also connections to another ransomware group called BlackMatter. But it was the connection between RAMP's administrator – the actor known as Orange – and the previous group called Babuk, and the fallout. So really, RAMP is around offering a platform for affiliates or anybody else that wants to make money off of stolen network access to go and sell those wares. This actor who created RAMP claimed that the new forum was for ransomware-related actors who were ousted from the main forums back in May, and he claimed that this Groove Gang had been in operation for two years doing cyber industrial espionage. Like I said, likely as affiliates or a subgroup of Babuk, and also at least another ransomware group called BlackMatter, and they were basically looking to expand beyond the shadows of ransomware, looking to become more self-sufficient in their aim to make more money on their own. In fact, one of the things that they said was, we don't care who we work with and how – you've got the money, we're in.
Dave Bittner: So, you mentioned the word "Orange" and that being a name that someone is using here. Can you clarify that a little bit? Who is this entity using the name Orange?
Michael DeBolt: Sure. And as with anything that you do in the cybercrime underground, you really take a grain of salt with some of these handles and aliases that actors use, but this is essentially the handle that was used by the administrator who created the forum.
Dave Bittner: All right. Well, how about the Groove Gang themselves? I mean, what are the details there? What have you learned about that organization?
Michael DeBolt: Yeah. So, Groove purports to be either a subgroup or affiliates of Babuk. We also see some connections between Groove and the infrastructure that was used by not only Babuk, but other ransomware groups as well, which tells us – gives us a strong hint that the Groove Gang was one of these affiliates that were really fueling the ransomware surge that we've seen within the last year and a half or two years, by providing those network accesses. So, this is probably a group of Eastern European individuals, small group, trusted group, who are highly skilled in penetration testing. They understand how to go about targeting big whale – you know, big game hunting operations, using credentials, stolen credentials, and vulnerabilities and they know how to monetize that through ransomware and other means.
Dave Bittner: So, in terms of the way that they're operating here, you know, this group who's sort of broken away and become, you know, independent of the previous developers – are they using the same tactics, techniques, and procedures as they were previously? Or have they evolved things to suit their own purposes?
Michael DeBolt: Yeah, they're going to do what has been successful in the past. Their tactics, techniques, and procedures they've used to gain initial access into large organizations is not going to change. And it really is around, unfortunately, it doesn't sound too exciting, but a lot of these groups, Groove and others that we've seen, are using stolen credentials as initial access techniques. They're perusing shops, automated shops that sell credentials in bulk. They're also, in some cases, running their own botnets, information-stealer botnets, where they're capturing malware logs and then parsing through those logs for juicy targets, mostly network access points like RDP, and VPN, and others, Citrix. And then basically going through that, prioritizing what they have and getting initial access at that point and leveraging that for further on exploitation. Getting to the domain controller is the main goal.
Dave Bittner: And then once they're in, what happens next? How do they go from there?
Michael DeBolt: Well, if they're working with a ransomware operator, i.e. they're working with Babuk or they're working with one of the other, you know, pick one ransomware group, they'll go ahead and sell that access to the group. The ransomware operator will deploy the ransomware from there, and then they'll take a cut based on whatever the payout scheme is and whether the victim decides to pay. The other option is they can go into the underground market. There's a whole marketplace for selling network accesses. And at that point, you're selling it wholesale and to the top bidder, and the top bidder gets to do whatever they want with those network access credentials at that point.
Dave Bittner: Is there any sense, you know, within the online forums, you know, the places where these folks trade their wares – are they receiving respect? Do people admire the work that they're doing? Is there resentment from some of the people who were here first, or any threats of retribution? Or do you track any of that sort of thing?
Michael DeBolt: Certainly. There's – I mean, we're talking about a community of criminals here. So we're not talking about the most upstanding individuals. So certainly you'll have situations where there's arguments and, you know, blocks being posed against other actors for, you know, a lack of service up-time or whatever it ends up being. But I guess for the most part, there's almost a – there's definitely a competition that these network access brokers have right now. But I don't see any major conflict between them. And maybe that's because we're seeing kind of the start of this conglomeration, if you will, of network access brokers kind of banding together, like we do see with Groove.
Michael DeBolt: Previously, we've seen these network access brokers come into the market almost as individual operators. We've seen some connections, and maybe there could be groupings of one or two individuals, but nothing like the hierarchical setup that we've seen with ransomware operations in the past. So it's still kind of a hodgepodge of network access brokers coming into the market, kind of doing their own thing. And really, the demand is there, and people want – these actors, they want network accesses so they can leak data, they can enter into a corporate network, try to escalate their privileges, and get to the domain controller and do whatever they want at that point. So they're just – these network access brokers and the Groove Gang, they're just going to meet that demand, meet that need.
Dave Bittner: Do you suspect that we're going to see this sort of thing continue? This kind of professionalization of these sorts of services?
Michael DeBolt: Absolutely. I think we're seeing it with Groove. I think we're seeing it with RAMP with the network access marketplaces. I think you'll have pentesting-as-a-service is something we're starting to see a little bit more professionalized, as people in the underground, they start to realize that they can also contract that out. That can also be a service that they don't necessarily have to upskill themselves on. They can go and rent that service, if you will.
Dave Bittner: For the network defenders out there, I mean, how does the information you're sharing here inform how they approach protecting themselves?
Michael DeBolt: Sure. Well, it's like I said before, it's – a lot of this has to do with initial access, right? I mean, this is what's fueling the ransomware surge that we have is individual and sometimes one or two individuals who have formed a group are going out there looking at any opportunity they can to access a big game target through network accesses, through stolen credentials, really. Some of them we're seeing, you know, using exploited vulnerabilities, but for the most part, they're looking for credentials. So it's low-hanging fruit. We say it over and over and over again, but multifactor authentication is going to, you know, it's going to help you quite a bit to remove yourself from being on the list of a low-hanging fruit target for some of these actors.
Dave Bittner: Our thanks to Michael DeBolt from Intel 471 for joining us. The research is titled, "How Groove Gang is shaking up the Ransomware-as-a-Service Market to empower affiliates." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.