Research Saturday 10.23.21
Ep 206 | 10.23.21

When big ransomware goes away, where should affiliates go?


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Doel Santos: The initial thought of this was when big ransomwares such as REvil, DarkSide, and others go away, if I'm an affiliate, where should I go? And that evolution of trying to keep track of these ransomware families that are now trying to get a piece of that cake.

Dave Bittner: That's Doel Santos. He's a threat intelligence analyst at Palo Alto Networks' Unit 42. The research we're discussing today is titled, "Ransomware Groups to Watch: Emerging Threats."

Dave Bittner: Well, let's go through it together. I mean, there are four main groups that you highlight here. Can we start off just by listing who we covered in this report?

Doel Santos: Sure, yeah. In this particular report, I selected AvosLocker, Hive Leaks, LockBit 2.0, and HelloKitty for the initial part of the report.

Dave Bittner: Well, let's go through them together one at a time and point out some of the specifics about each group. Why don't we start with AvosLocker?

Doel Santos: Yeah. AvosLocker is quite interesting. The way that I stumbled across this ransomware was taking a look at a dark web discussion forum called "Dread." For those who don't know, Dread is like the Reddit of the dark web. So people post news, post information over there. And across all those posts and news, I saw a user announcing the launch of a new ransomware-as-a-service called AvosLocker. And they claimed, you know, to tell all of the features that the ransomware had and how to contact them to start doing all these operations. And I remember seeing people commenting, hey, I'm interested – hit me up. And that's when I started seeing, well, maybe this is a new ransomware and this could become a bad thing. So I started tracking that one specifically.

Dave Bittner: And what sort of specifics are there about AvosLocker that set it apart from some of the other ones out there?

Doel Santos: Sure. I mean, at the beginning, I wouldn't say too much, right? They were pretty basic because they were starting out. Some of the features just include, like, a simple sample, not as fast as the other ones. But what I can say is recently they updated their site, they redesigned their terms and conditions for affiliates. They are now offering different variants, right? Not only are they affecting Windows environments, they're now affecting Linux and VMware ESXi platforms, and offering DDoS attacks, harassment call service, access brokers, and all that good stuff that an affiliate could use to carry out a successful attack.

Dave Bittner: So, really, I don't know, expanded their range of offerings there.

Doel Santos: Exactly, yes. When I took a look at it before, when I released this report, they were pretty basic. It's like a small company trying to, you know, understand how to operate on the market. And now that they know what works, they just redefine it a little bit.

Dave Bittner: So what are you seeing from them in terms of their success? Are folks adopting their services, or are they finding customers out there?

Doel Santos: Yes, indeed. I'm sure that when I started writing about it in the Unit 42 report, they only had like eight victims, or eight to five victims listed. So that tells us that not too many people were using it or not many people were aware, but as of today, they have twenty-one victims. They're now selling the data as well. So they're not only exporting it for free – now, they're selling it to other third parties that are interested.

Dave Bittner: Interesting. And what are you seeing in terms of ransom demands from this group?

Doel Santos: The ransom demands are not as high as other groups such as REvil, but they're quite up there. They start with at least – the instances that I've observed were like fifty thousand dollars to seventy-five thousand dollars. And if the ransom is not paid in that particular period of time, it doubles. So we're talking about a hundred thousand or a hundred-twenty-five thousand dollars ransom.

Dave Bittner: Wow. Yeah. Any idea who might be behind this group or where they're coming from?

Doel Santos: I can't say, really. I don't have visibility into what's going on behind the operator, the operation of these ransomware groups. But what I can say is that this ransomware group specifically tries to carry out operations and promote themselves on the dark web forums, so it could be quite a number of people.

Dave Bittner: Yeah. Well, let's move on to the Hive ransomware group. What's going on with them?

Doel Santos: Hive Leaks is, in fact – going to be completely honest with you – one of the best, good-looking leak sites that I've seen from all the ransomware operators. And the interesting thing about them is that they refer to their affiliates as their sales department. Because they themselves think their ransomware is a business, right? They have their product, which is the decryptor, and they audit – you know, air quotes here – they audit the victim for their attacks, and they say, well, if you want your files back, you have to pay us. It's quite interesting how they got to this professional approach. Hive recently announced that they were going to leak the data of the Missouri Delta Medical Center, which tells me and tells the people that have been tracking this ransomware that this ransomware specifically doesn't have any code of ethics or any kind of conduct about what kind of organizations they can target.

Dave Bittner: Yeah. And I mean, that's really been a pattern here, hasn't it, that no matter what these organizations say, you know, they make claims that they're going to leave certain organizations alone – that really doesn't seem to pan out.

Doel Santos: Exactly. They really have little regard for whatever impact they may do to this kind of healthcare organization or critical organizations that we depend on.

Dave Bittner: And are they going about things in a similar way? I mean, are they using the double extortion technique here of both encrypting files and then threatening to make them available online?

Doel Santos: Yeah, pretty much what they do is steal all the data they can. They're very opportunistic. They host it on their leak site. What's interesting about what they post on the leak site is that they even include social media sharing, so more people could share, like, hey, we compromised this company. Trying to get the word out for example, right? And pretty much try to disclose everything they can if the negotiation doesn't go as planned.

Dave Bittner: That's fascinating that, I mean, it sounds like somebody in their organization really has a focus on marketing.

Doel Santos: Exactly. These groups, we need to think about it as businesses, right? They have their own assets, they have their marketing, they have brands, they have their R&D. They have everything they need for it to be successful, because they want to maximize profits.

Dave Bittner: Yeah. Well, let's talk about HelloKitty – I have to say my favorite of the names that we're listing here, if not the group itself...

Doel Santos: (Laughs)

Dave Bittner: ...So what's going on with them?

Doel Santos: HelloKitty is quite interesting, not only because of the name – it's really a catchy name – but just because of how they operate versus the other ones. HelloKitty itself doesn't have a leak site at all. They do all the negotiations and all the transactions between the customer and the affiliate through chats that they set up on the dark web. So when they're, you know, taking a look at their chats and their interaction between victims and the threat actors, they shared a wallet address, which has received around a million dollars as of today. So that tells me that they're really good at negotiating without having to provide any kind of visual proof of, like, we compromised your network, you know what I mean? And the thing is that the samples that we found were not only specific to Windows, but to VMware ESXi – you know, a whole different market.

Dave Bittner: Hmm. So, they're not hosting the files – let me back up for a second here. Are they exfiltrating files at all?

Doel Santos: They are. They are exfiltrating the files. But they are not posting it publicly for everyone to see, right? They are just extorting the victim through channels like, hey, this is proof, there's a picture of a file we got from your system, just to establish that, yeah, we compromised you, we were the ones who did it, and start from there, right? They don't share to another leak site or post it publicly, at least not that we could have identified.

Dave Bittner: And in terms of ransom demands, this group is sort of swinging for the fences.

Doel Santos: Yes, this group asks around four million dollars in ransom demands, in some cases. They were very strict about trying to have all the transactions happen through Monero, but they're after the money, so they're quite flexible. So, depending where you are and, you know, depending on the regulations that you have, you can buy Monero. So everything is accessible. It's more like Bitcoin. So it's interesting to see that they're like, we only accept Monero transactions. And they say, well, we can't do Monero, we can do Bitcoin, and they're like, OK, for trying, here's a wallet for Bitcoin.

Dave Bittner: Interesting. Well, let's move on to LockBit 2.0, the last of the group that we're talking about here today. What sets them apart?

Doel Santos: LockBit 2.0 is interesting because they shut down for a little bit after this big report on the procedures and tactics and everything about LockBit was released back in July. So they shut down for two weeks or so and they rebranded as LockBit 2.0, and that's like an improved version of it. They are pretty proud that their ransomware is the fastest in the market, at least from their terms and conditions list, and they even include a comparison table between all the ransomware families that are active right now versus them, obviously placing themselves at the top. Allow me to point out, I also was very fortunate that REvil and DarkSide kind of shut down operations in the same time frame that LockBit 2.0 kind of launched. So it's suspected that most of the affiliates that were conducting under REvil or DarkSide moved to LockBit 2.0.

Dave Bittner: Interesting. So they were kind of in the right place at the right time.

Doel Santos: Exactly. And that speaks for itself, because when this started, it had no victims whatsoever. It's just like, yo, we're going to launch in a week from now. And then suddenly you started seeing ten, fifteen, twenty victims being listed. So that means that there were a couple of affiliates working all day, all the time to get those listed over there.

Dave Bittner: So when we look at these four groups together, how much of the market do we think they represent? To what degree are these the major players today?

Doel Santos: I think LockBit is up there. LockBit is quite prevalent, and what they're doing with the way they're targeting victims, trying to be like high target victims, high profile victims, versus the other two. I think the other ones need a little bit of tweaking, you know, a little bit of growing to do for them to be out there, but a lot of it is definitely in the right place.

Dave Bittner: What about the marketplace in general? I mean, as organizations like these pop up, as, you know, these operators get the entrepreneurial bug and set out to do these things, does the community accept new players in the market, generally? How does that go for them?

Doel Santos: I wouldn't say they do, because they have to compete with each other, right? I think that if you have a ransomware-as-a-service, you want to be the best there is. Just like businesses – you want to be the best business. You don't want competition. But I guess that these groups usually have a lot of fallouts because of their internal struggles. Because we're talking about random people doing business with random people – like, they don't know each other at all. So there are no guarantees that they will get paid or they'll get a cut or whatsoever. So they're always – like, between the operators, no. They don't want more of those groups because they want a bigger piece of the market. But from an affiliate's perspective, they want a couple of options because, you as an affiliate, you don't want to be stuck to one, because if that shuts down, then you don't have anything else to do. You have to jump to another one.

Dave Bittner: Oh, that's interesting. Yeah. So the ecosystem itself benefits from having multiple players to survive if one is shut down.

Doel Santos: Exactly. If you imagine only REvil or DarkSide or BlackMatter were the ones that are running the ransomware game, right? If the three of them shut down, they pretty much need to open a new one, or see what you can do if you focus on other areas of cyber crime.

Dave Bittner: What are you expecting as we head towards the end of the year and into 2022? Are we expecting that we're going to see more of the same here? Or are there any changes or evolutions that you and your colleagues are tracking here?

Doel Santos: Here at Unit 42, we don't have any reason to believe that the ransomware crisis is going to slow down anytime soon. As long as ransomware is profitable, they're going to keep popping up. One way to think of it is that ransomware is like a hydra of sorts. You chop one head down, two more will pop up, right? They all want to claim that piece. So it's something that I will expect to be quite prevalent for the following years.

Dave Bittner: Yeah, I wonder if, as we see some of these groups attempting to professionalize this – as we said, you know, they're getting smarter with their marketing and improving the services – I wonder if we might see some consolidation as well.

Doel Santos: Yeah, I mean, there's a couple of groups that operate under a cartel of sorts. Like MountLocker, specifically, is one of those main groups that they operate, and under them, the group has like XingLocker, Astro Team, and others that were independent on their own, but they all partnered together to carry on the same attacks.

Dave Bittner: Our thanks to Doel Santos from Palo Alto Networks' Unit 42 for joining us. The research is titled, "Ransomware Groups to Watch: Emerging Threats." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.