Cybercrime experts reveal how to infiltrate ransomware gangs - The Register

Feature

When AlphV/BlackCat's website went dark this month, it was like Chrimbo came early for cybersecurity defenders, some of whom seemingly believed law enforcement had busted one of the most menacing cyber criminal crews.

The excitement lasted just five days, though, and its website is now back online, albeit in worse shape than before. New victims are already being posted to the site. Regardless, many are skeptical of the ransomware group's explanation that a hardware fault was to blame, and rumors that police infiltrated the ring are still wafting throughout the industry.

Though it happens rarely, it's always a good day when a ransomware group is taken down by law enforcement. Rarer still is a takedown where one gets a detailed look at the methods that were used in these infiltrations.

Singapore-based Group-IB celebrated its 20th anniversary in the cybersecurity industry this year, and during this time its researchers have broken into an array of ransomware groups and their affiliates. The full number remains a secret.

Before the authorities got their hands on Hive at the start of this year, Group-IB's researchers were inside as early as 2021, tricking their affiliates into accepting them, learning how they operated, and ultimately gathering the kind of information usually reserved for insiders only.

In 2023 alone, the serial intruders have infiltrated affiliates from Qilin and farnetwork, and over the past few years there have been many more to add to that list, though the details of which have scarcely been made public.

Group-IB's threat intelligence team spoke to The Register about how they're able to consistently break into cybercriminals' ranks and the vast work that goes into each operation.

The initial infiltration, Group-IB says, can be broken down into four key stages, all connected by the common theme of gathering as much information about the ransomware-as-a-service (RaaS) group as possible.

"First, the team is gathering intel about a specific RaaS of interest. Certain RaaS programs, such as Qilin and Hive, are very private and close, hence it's important to learn about it as much as you can before you engage with the threat actor.

"Consequently, threat intelligence specialists start looking for RaaS programs' terms and conditions for affiliates, entry prerequisites, etc. Any valuable information we could use during the interview stage."

Then, the team starts obtaining contact information for the ransomware manager associated with the targeted RaaS program and attempts to establish communication with them. The most intricate phase is the interview, typically facilitated through encrypted messengers.

All of this sets up the researchers for the later stages of the intrusion, and having a deep understanding of how the criminals operate proves especially useful during the interview if the target group has a particularly stringent vetting process, though this isn't always the case.

Some groups will spend time assessing each candidate for their RaaS program, including their technical expertise and grasp of specific terms, while others will simply grant access to an affiliate program, seemingly with little to no thought.

It's generally understood by the good guys and the bad that the cybercrime underworld is teeming with researchers trying to unearth secrets from ransomware groups, and as a result it's becoming a vastly more difficult feat to infiltrate them.

Getting to the interview stage is the next step in the intrusion, and where the quality of the research into the group will determine the success of the operation.

Questions will typically revolve around the candidate's prior experience with attacking organizations, which is where the preparation shines. RaaS managers will quiz potential affiliates on the ransomware landscape generally and how other groups operate, discussing unconventional tactics, techniques, and procedures, the researchers say.

They'll also ask about the candidate's own experience in attacking organizations, light work for researchers whose job it is to analyze exactly how attacks unfold day in, day out. It's a case of taking an incident they examined recently and reciting it to pass themselves off as a genuine bad guy.

Just like any other employer, RaaS groups will also do their due diligence as regards a candidate's character as well as their capability. Group-IB says it's important to apply for affiliate positions through conversations on cybercrime forums using accounts that have been developed for years, given they operate in a landscape where infiltration attempts are rife.

Using mature accounts that appear to be genuine members of, and active participants in, the cybercrime community is vital in dampening suspicions of foul play. The team isn't willing to discuss with us the specifics of how to make an account seem genuine, through fear of jeopardizing future intrusion attempts. We're told they're being as genuine as can be, but will naturally be holding some details back.

It requires a great deal of leg work just to make sure the intruders appear genuine online in the digital realm, but doing so in the actual interview without giving oneself away is another challenge entirely.

Communication here is crucial. Unlike Brad Pitt's Basterds in Tarantino's masterpiece of a Nazi tavern scene, the researchers understand that native speakers can flush out a foreigner with ease. One slip of the tongue or misused turn of phrase can make the difference in the operation's success. A diverse team is a successful one.

"The most challenging part is to establish trust without arousing suspicion," the researchers say.

One of the less straightforward methods RaaS managers use is to evaluate the candidate's use of language. They'll specifically look at the nuances in their communication, such as idioms that could suggest they're not native speakers from whichever country they claim to be.

Group-IB's threat intelligence unit is blessed with proficient speakers in Chinese, English, Arabic, Russian, Turkish, Hindi, Dutch, French, Spanish, Thai, and many other languages to help them bypass this filter.

Predictably, a candidate will also be expected to demonstrate their technical understanding of how to carry out an attack, including their knowledge of the different tools they use.

Passing the interview stage is the biggest hurdle to surmount, and once that's done and a base level of trust is earned, the real intel-gathering can begin.

During previous infiltrations, the Group-IB team has published various revelations about the world's top ransomware gangs. With Hive, it was able to identify the exact number of attacks as well as make an educated assumption about the number of companies that paid their ransom demands to keep their data confidential.

The farnetwork case revealed the group's payment structure and policy around initial intrusions into victims' networks. The Qilin operation also revealed a lucrative payment structure, as well as an inside look at how affiliates build their custom ransomware payload using the group's builder.

However, there is a limit on what can be achieved before the lack of criminality will be spotted and the researchers are rumbled. If it ever got to the point where they had to prove themselves to keep a degree of trust by carrying out an attack or any other illegal act, the researchers are staunch in their position that the operation would end there.

"It's important to emphasize that, as a threat intelligence analyst, you should strictly refrain from any illegal methods," they say.

"Your primary objective is to obtain as much information about the victim to mitigate further damage. For example, during the interview with farnetwork we were provided a set of compromised credentials. We established the victims, found the source of the breach, and sent the notification to the affected company.

"It is essential to operate within the confines of the law. If security researchers engage in unlawful activities to catch a big fish, they become indistinguishable from cybercriminals themselves."

When illegality is out of the question, these operations have an inherently limited shelf life. Researchers who can't ever fully earn the trust of criminals by becoming one of them will never secure the long-term access to a RaaS group that's required to understand how it operates on a deep level. Which raises the question: What use is such an endeavor? Is it worth the outlay of resources?

Group-IB says it absolutely is. As demonstrated during previous encounters, insiders can help victims manage their incidents by alerting them to what the attacker has stolen, even if the attack itself can't at that point be reversed. These infiltrations also provide defenders with information that can help inform a wide range of investigative activities down the line and support industry-wide mitigation efforts.

"Such information helps understand the specific capabilities of gangs' builders, how malicious actors make payments to group owners, what manuals RaaS owners provide to affiliates, and track malicious infrastructure," its threat intel team says.

"These insights not only aid cybercrime investigations but also enhance our incident response capabilities, as we are able to analyze new malware samples, gather Indicators of Compromise, and valuable information for threat attribution. This ultimately helps us to better understand how to protect our customers against the threat of ransomware."

However, as Group-IB mentioned earlier, none of this would be possible without a team. "You simply cannot do it alone," they say. Being able to rely on a bank of intelligence, years of combined experience, and, in the case of the interview, multilingual colleagues is crucial to target any RaaS affiliate.

And they really do go after anyone, they say. Any group of interest to their customers, and that the industry needs to understand more deeply, is a target for the team's infiltrators.

Thanks to extensive preparation and an experienced team, in most cases they're successful on the first attempt. Long may it continue.