Research Saturday 10.11.25
Ep 397 | 10.11.25

No honor among thieves.

Transcript

[ Music ]

Dave Bittner: Hello everyone and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

John Fokker: There was just something strange going on. We kind of felt like the larger families were not as prevalent anymore. It was like it was getting scattered, and looking at it, we kind of pieced the little puzzle pieces together and we saw, hey, there's something happening in the underground.

Dave Bittner: That's John Fokker, Head of Threat Intelligence at Trellix. The research we're discussing today is titled "Gang Wars: Breaking Trust Among Cyber Criminals." [ Music ]

John Fokker: We strongly believe, and we can see it, and we've had a couple of cases, where cybercriminals are starting to distrust each other, which I say almost with a smirk, with a smile, because yeah, it's interesting to see, because for the longest time there were always strong alliances, and when cybercriminals, I say this quite often, when they trust each other, that's when innovation happens, that's when they build these strong empires, that's when they attack at large and they can scale up. And especially if you look at ransomware, to do that from A to Z, the whole kill chain, from not only building software, but distributing it, and then doing the engagement with the victim, negotiating, then getting the funds, laundering the funds, there are so many steps involved that it's almost impossible to do everything yourself. So, you're always confined to teaming up with people; you're always in a partnership. And these partnerships take trust. So, when the trust goes out the door, yeah, those partnerships are much harder to establish. So, that's something that we're seeing and we really wanted to highlight this, as very often you see blogs about the new ransomware on the block and all that stuff, and we, actually myself, wanted to zoom out and see, okay, but can we describe what we're seeing? Can we find reasons why it's happening? So, that was kind of what triggered us to write this blog.

Dave Bittner: Well, let's talk about ransomware as a service and how that model evolved into something that kind of resembles criminal empires. And it seems to me like what you're saying is maybe that setup could be unraveling. Can we talk about a little bit of the history?

John Fokker: Yeah, sure. So, years back, and we're not going too far back, ransomware was mostly targeted at consumers, and that was the time when you had CTB-Locker, CryptoLocker, CryptoWall, to name a few, and you would see threat actors mostly focused on spreading it at large, so getting as many installs, as they called it, as possible. So, you saw a lot of spam campaigns or exploit kits being used, and it was mostly targeted at consumers. Then there was a shift, because at that time I was actually working with the police and we were working very closely with all the banks, and the larger organizations would say, "Yeah, ransomware is not really a problem for us, because we can just load up a new image when it's one workstation and then we're good to go." So, that's kind of a spray-and-pray mentality that the threat actors were using. And what changed that was SamSam, and SamSam was one of those ransomware versions which eventually turned out to be Iranian operatives. But they were actually performing more pentesting-related tasks. So, they would go through the network, establish a foothold, go after the domain admin credentials, have control over the network, and then launch their ransomware, basically paralyzing the whole network, the whole organization, and that was a shift. And then we saw other groups doing the same thing, from GandCrab and Maze and all the other old names that we know. And they were doing the same thing that we call big game hunting. And then there was a phase that came with Ransomware-as-a-Service, which was, "Okay, yeah, we've got your system locked up, but maybe we put some public pressure on you." So, what they were doing was naming and shaming on the websites. And then they were thinking as well, "Oh! Yeah, we've attacked, if you look at the CIA pyramid," like confidentiality, availability, and integrity, "yeah, we're attacking the availability by encrypting your organization. But what if we steal some sensitive data beforehand and we threaten to publish this? Then we can also extort you on the confidentiality." Yeah, if you're a properly backed-up company and you deal with secrets, let's say you're a law firm, then the availability is probably less of a concern than the confidentiality. So, that's where we saw also the uptick of the introduction [inaudible 00:05:36], the uptick of data extortion. And these elements and that big game hunting, with the immense amounts of ransom that were demanded, that really, really grew almost out of proportion, kind of created these, like yeah, like we said, empires where you had people at the top directing teams, and it was almost like a corporate structure, as one might say; if we looked at the ContiLeaks chats, that was run like a business, and Black Basta, that we spoke about recently as well, same thing, and you would see groups that would have people on payrolls or they would pay out a commission or a percentage from a ransom, but it was really, it still is, a really lucrative threat for threat actors. However, as an empire and as a large organization, there are, like I said in the beginning, a lot of steps involved. There are a lot of things that need to go well or that you need to organize in order to be successful. And that's something that relies on trust, and trust can be that you're paying people what they're owed, or that people are keeping their promises and they're not running away with money, as we saw with BlackCat/ALPHV, so there is no exit scam and all these things.
So, the affiliates, the partners in this scheme that are actually doing the break-ins, they need to feel like they belong and they're getting an equal share, or a share that they think is fair. These are all elements that need to be in place in order for that empire to sustain and to grow, and yeah, when you start toning those down and the cracks start to appear, then you can see that people are turning their backs. I chose a picture for the research blog that we put online and it's just so telling, and actually I got this from a friend of mine, an ex-NCA officer. Because I spoke about the [inaudible 00:07:36], he's like, "John, this is just like the final scene of 'Reservoir Dogs' when they're pointing the guns at each other and everybody is just pointing at each other; what had first started off as friends, now they can't trust each other." And that whole crime group crumbled and cracked. I was like, "Yeah, that's very telling." And that's essentially what we're seeing now as well.

Dave Bittner: Well, what are the signs or the behaviors that indicate that this ecosystem is cracking, that we're seeing loyalty giving way to suspicion or betrayal?

John Fokker: Yeah, there are some telltale signs. And it could be internal, so we can see signs from the threat actors, I mean, within the community, as well as external pressure. And with external pressure, one of the big factors is law enforcement, for instance. So, there are a lot of individuals that are residing in countries that the Western world does not really have a treaty with when it comes to, okay, we can send them a request and they will arrest the person. That's extremely difficult. So, if you cannot put the silver bracelets on those folks, and we've already tried taking down their infrastructure and they rebuilt it or whatever, what else can you do to really make an impact? And that's damaging their reputation, because they're businessmen, so if you damage that reputation, you break their trust, they seem not trustworthy; it will have a ripple effect and it will cascade further down and will have a larger effect for a longer time than just taking down infrastructure, because then their trust is not damaged, it's just their infrastructure. So, a perfect example of this was how the FBI and the NCA worked on LockBit, where they infiltrated the system and then they kind of used that leak site where they published the stolen data, and they trolled LockBit phenomenally. And this really had an impact on the reputation of LockBit. People scattered away, they went to different parts, and he was fighting really hard to build his reputation. And another example would be exit scams. So, there is pressure on a system, and with the system I mean a ransomware family or a group, and you would see that the leadership runs out with all the money.
You can do that, like if it happens once, but if that happens often, then affiliates, people who are basically doing a lot of the work for the group and expect a payout, if they know there is a higher chance that the leadership would walk out with all the money, yeah, they're not really inclined to do a lot of work. So, that's another one. Another thing that breaks trust is a faulty encryptor, and we saw this in the past already with Babuk actually, with, who was it, Mikhail Matveev, when they did the Metropolitan Police hack, where they encrypted the Washington Metropolitan Police and the encryptor worked, but the decryptor, the decryption portion of their attack, failed. So, essentially they corrupted all the data that they encrypted and the victim couldn't get their files back. So, that's tampering with the business model. You're not getting your files back at all, because that was always the success for ransomware, like "Okay, we encrypt, and you can get everything back." And that's another one that really, really damages the reputation, because then the affiliate is doing all the work and it's like, "Hey, listen, I gave my word or I promised something and then, yeah, it doesn't work." And you can do that once or twice and then the reputation of the whole group gets damaged. So, that's how we saw Babuk crumble as well. So, there are different ways, and then, yeah, the outcome is fascinating how we see it, like they're basically throwing each other under the bus; they're doxxing each other. Unfortunately, we also see examples where the data that was stolen from one victim ends up in multiple other families, and it's either, we can imagine, that the threat actor behind it actually moves to a different family and then posts the data again, but we have a case where we talked about a health care provider that got extorted, a very large one.
They paid the first time and then the extortion went on, because that group was BlackCat/ALPHV, they did an exit scam, and the individual, moniker "Notchy," who was responsible for that breach, he didn't get paid. So, he was pissed off. So, he moved to RansomHub and then they re-extorted that victim. So, what this tells me is, at the same time, I love that the cybercriminals are kind of fighting against each other and that they have less attention for others. There are situations where a victim can get extorted twice, so this is, for me, also a word of caution to anyone that's extorted with stolen data: do not pay. Because, yeah, you have no guarantee it's going to be erased and you can get extorted again. [ Music ]

Dave Bittner: We'll be right back. [ Music ] Let's dig into that, you know, the consequences for the defenders out there, because, you know, it strikes me that, I mean, it sounds funny to say "back in the day" when it comes to ransomware operators, but you know, reputation was a big part of what they did, that you knew that if you did business with them, chances are they were going to hold up their end of the deal. Where do we stand today?

John Fokker: That's harder and harder to maintain for a threat actor. There is a saying, a reputation of years can be damaged in seconds, but it was interesting to see, like I did a long study on REvil, and they were referencing not only our blogs, but other industry blogs as well, saying, "Oh, yeah, the decryptor actually works." So, they were saying, well, don't take our word for it, look at the industry. Look at what they write, because the decryptor is solid. So, it was like involuntarily we gave them actually some help, which we didn't mean to, but yeah, it's almost crazy, right? You would think that you cannot trust a criminal now. Who would have thought?! But that's the situation we're in, that there are a lot of these splintered groups and we've been tracking a lot of other groups with the public disclosures and it just skyrocketed. So, every week there is a new family; every week there is a new group spurting out and making a claim to fame. Yes, there are still some bigger groups, like Qilin and RansomHub and some others, and DragonForce, but overall they are so scattered, and to be honest, a lot of these smaller groups, they do not focus on the encryption part. They mostly focus on the data extortion, because that's a skillset that a smaller group of people can do, because penetrating a network, so infiltrating and exfiltrating data, that is something that a pentester or a red team is quite confident in doing. Building a solid encryption tool that can also decrypt in all circumstances, even with VMware or ESXi servers and hypervisors and all that stuff, that is a different ballgame; making that fully undetectable for any EDR or endpoint solutions, defense solutions, that's a whole other ballgame. And then, let alone building all the negotiations and everything else. So, we also see some discretion there as well.
We wrote about it in one of our blogs, that you're now seeing also these dedicated services that say, "Hey, we do not want anything to do with ransomware. We just offer you a place where you can host your stolen data so you can extort people." So, you can see that it is kind of a splinter movement, not only on the ransomware actors, but all the adjacent services as well.

Dave Bittner: It seems to me like, you know, instead of having these alpha predators, you know, a great white shark cruising around, it's more like having a river full of piranha where everybody wants to take their little bite.

John Fokker: That's a great analogy. I'm going to use that. I'm going to use that one with your permission.

Dave Bittner: Great. Feel free.

John Fokker: I've often said, yeah, it's like this school of bull sharks, or tiger sharks; they're not really always specifically targeting you, but if you are in the water and they can smell you, they will go after you. They'll take a bite. And that was with ransomware, but you're right. Yeah, it's more like piranhas now.

Dave Bittner: So, what do you hope that people get from this research? What are the takeaways that you want CISOs and security teams to come away with?

John Fokker: Yeah. It's like we've been talking for almost 20 minutes and it doesn't seem very, very positive what we're saying, right? But I see this as a transitional phase that we're in. I'm always very positive, like yes, crime is hard to beat and we're not going to solve all crime, but there are things that we can do, and I'm a big advocate for sowing distrust and breaking the trust among cybercriminals, because that will, A) show that they're human, and that's a very important message to Trellix as well, that we don't like to mythologize threat actors. We don't want to put them on a pedestal. They're criminals. And organizations that need to defend themselves, they need to understand how they operate and they need to understand that they're humans, because, yeah, that just helps you; as soon as you understand a threat, you're not fearing it. You can act upon it. And, yeah, we used to fight families and now we're fighting franchises and freelancers. But I say it like, when you break the trust, that empire will fall. We see the effects. So, yeah, the data infiltration, the extortion, that's something we can work on, and yes, there is still encryption going on, but also that, but the bigger families are having a much, much harder time to exist, and that's another thing that we're doing, and this may be a bit off topic, Dave, but we're doing a dark web roast, so not only ransomware, but every month we put out research where we actually roast threat actors. So, anything that we saw in the underground, them making mistakes or whatever, we'll just roast them, and the second one is now out for July.
And we're doing this with the goal to put a face on the adversary, show them that they make mistakes, because I think, and at the same time, I really hope that if there are any threat actors listening, they can send it to Trellix and they can reference my name and say, "Hey, I have info on threat actor X and whatever and I want you to throw them under the bus," or whatever. I'm all for it. My goal is that our blogs are being read by the underground and that they can say, "Oh, this is true?" And, "Oh, yeah, that guy actually did make a fool out of himself." Because when they do so, yeah, they don't see the other as a professional. They see him as somebody that messes up and then it becomes less likely that they will trust and do business, and that breaks them. Now, I'm explaining my ulterior motive here. I shouldn't do that, but it helps break that trust cycle and that [inaudible 00:19:42].

Dave Bittner: Do you think this is the shape of things to come? I mean, with this step-up of law enforcement around the world, has it just made it harder for these operators to operate at the high level they used to, so what we're looking at for the future is more of this kind of fighting for scraps?

John Fokker: Yeah. That could be the case. Another theory that we also have is, maybe ransomware the way we knew it, as those empires of partnerships and all that stuff, wasn't supposed to happen in the first place. And why I'm saying that is, if you look at other businesses in the cybercriminal underground, they're very much freelancers, they're very much having their own business, and the organizational structure is less like a hierarchy, but more like a network-based model. So, one could argue that maybe through all this, ransomware has evolved into a structure that is more aligned with how the cybercriminal underground operates. So, everybody provides a certain part of a service, a certain part of the equation, and there is no overarching larger organization that controls all. [ Music ]

Dave Bittner: Our thanks to John Fokker from Trellix for joining us. The research is titled, "Gang Wars: Breaking Trust Among Cyber Criminals." We'll have a link in the show notes. And that's "Research Saturday" brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We will see you back here next time. [ Music ]