Chrimbo seemed to come early for cybersecurity advocates this month when the AlphV/BlackCat website went dark. Some of them apparently believed that law enforcement had taken down one of the most threatening cybercriminal groups.
But the excitement lasted only five days: the website is now back online, though in worse shape than before, and new victims have already been posted on it. In any case, many are skeptical of the ransomware group's explanation that a "hardware failure" was the culprit, and rumors of police infiltration of the ring are still floating around the industry.
Although it rarely happens, it's always a good day when a ransomware group is taken down by law enforcement. Even more unusual are the takedowns that allow us to examine in detail the methods used in these infiltrations.
Singapore-based Group-IB celebrates its 20th anniversary in the cybersecurity industry this year. During this time, the researchers infiltrated a series of ransomware groups and their affiliates. The full number remains confidential.
Before authorities seized Hive earlier this year, Group-IB researchers had been inside it since 2021: they talked their way into the affiliate program, learned how it operated, and collected the kind of information that is only available to insiders.
In 2023 alone, the serial infiltrators got inside the Qilin and farnetwork affiliate programs, and over the past few years more groups have been added to that list, though few details have been made public.
Group-IB's Threat Intelligence Team told The Register how it is able to continuously infiltrate cybercriminal groups, and how much work goes into each operation.
The four-step basics
According to Group-IB, the initial intrusion is divided into four main stages, all tied together by a common theme: collecting as much information as possible about the ransomware-as-a-service (RaaS) group.
"First, the team collects information about the specific RaaS of interest. Certain RaaS programs, such as Qilin and Hive, are very private and closed, so it's important to learn as much as possible about them before engaging with threat actors.
“As a result, threat intelligence professionals start looking for valuable information that they can use during the interview stage, such as affiliate terms and conditions for RaaS programs and prerequisites for participation.
"The team then begins to obtain contact information for the ransomware managers associated with the targeted RaaS program and attempts to establish communication with them. The most complex stage, the interview, is typically conducted over an encrypted messenger."
All of this prepares the researchers for the later stages of an infiltration. A deep understanding of how the criminals operate is especially helpful during interviews, since target groups can have particularly rigorous vetting processes, most of all when a specific person is conducting the vetting (which is not always the case).
Some groups take time to evaluate each candidate for their RaaS program, including their technical expertise and their grasp of specific terminology, while others simply grant access to their affiliate program with seemingly little thought.
It is generally understood that the cybercrime underworld is full of researchers trying to uncover the secrets of ransomware groups, which makes it extremely difficult for both good and bad actors to get in.
The interview
Moving to the interview phase is the next step in the infiltration, and how the candidate holds up under the group's interrogation determines the success of the operation.
Questions typically revolve around the candidate's previous experience attacking organizations, and this is where the preparation comes into play. Researchers say RaaS managers ask potential affiliates about the ransomware landscape in general, how other groups operate, and any unconventional tactics, techniques, and procedures they use, so candidates must be ready to discuss all of it.
Candidates are also asked about their own experience attacking organizations. That is an easy task for researchers whose daily job is to analyze exactly how attacks unfold: it's a matter of taking a recent case they've investigated and reciting it as if they were the real bad guys.
Like any other employer, RaaS groups perform due diligence on candidates, weighing not only their abilities but also their personality. Group-IB says that, because it operates in an environment where infiltration attempts are common, it is important to apply for affiliate positions through conversations on cybercrime forums using accounts developed over many years.
Using mature accounts that appear to be genuine members and active participants in the cybercriminal community is essential to allay suspicions. The team was not willing to discuss with us the details of how to make an account appear authentic, for fear of jeopardizing future infiltration attempts. They say they are being as open as possible, but will understandably withhold some details.
Establishing an infiltrator's authenticity online takes a lot of effort, but holding up in an actual interview without exposing yourself is a whole other challenge.
Communication is very important here. Unlike Brad Pitt's crew in Tarantino's "Inglourious Basterds," whose cover is blown by native speakers in the Nazi tavern scene, the researchers understand that native speakers can easily weed out foreigners. A single gaffe or misused word could make or break the operation. Diverse teams lead to success.
“The most difficult thing is to establish trust without arousing suspicion,” the researchers say.
One of the more subtle methods used by RaaS managers is to assess a candidate's language use. They pay special attention to nuances in communication, such as idioms that may suggest the candidate is not a native speaker of whatever country they claim to be from.
Group-IB's Threat Intelligence division has fluent speakers of Chinese, English, Arabic, Russian, Turkish, Hindi, Dutch, French, Spanish, Thai, and "many other languages," which helps the team get past this filter.
As expected, candidates will also be required to demonstrate a technical understanding of how attacks are carried out, including knowledge of the various tools used.
Access is granted and the clock starts
Passing the interview stage is the biggest hurdle, and once that is completed and basic trust is gained, the real information gathering begins.
In previous infiltrations, the Group-IB team published various revelations about the world's top ransomware gangs. Inside Hive, it was able not only to determine the exact number of attacks, but also to make an educated guess at how many companies paid ransom demands to keep their data private.
The farnetwork operation exposed the group's payment structure and its policies on the initial infiltration of victims' networks. The Qilin operation also revealed lucrative payment structures and the inside scoop on how affiliates used the group's builder to construct custom ransomware payloads.
But there are limits to what can be accomplished before the researchers' lack of actual criminality is discovered and they are exposed. The researchers remain adamant that if an infiltrator finds himself in a situation where he must "prove himself" by carrying out an attack or other illegal act in order to maintain trust, the operation ends there.
“As threat intelligence analysts, it is important to emphasize that illegal methods should be strictly avoided,” they say.
"The main objective is to obtain as much information as possible about the victim in order to mitigate further harm. For example, during an interview with farnetwork, a set of compromised credentials was provided to us, allowing us to identify the victim, determine the cause of the breach, and notify affected businesses.
“It is essential to operate within the law. When security researchers engage in illegal activities to catch the ‘big fish’, they become indistinguishable from cybercriminals themselves.”
The value of the operation
If illegality is out of the question, these operations inherently have a limited shelf life. Researchers who cannot fully gain the criminals' trust by becoming one of them cannot secure the long-term access to RaaS groups that would be needed to understand at a deep level how they work. The question then arises: what is the use of such efforts, and are they worth the resources?
Group-IB insists that they definitely are. As demonstrated in previous encounters, insiders can help victims recover by alerting them to what the attacker has stolen, even if the attack itself cannot be undone, and can help them manage the fallout. These infiltrations also give defenders information that can inform broader investigative efforts in the future and support industry-wide mitigation.
"Such information could reveal the specific capabilities of the gang's builders, how malicious actors pay group owners, and the content of manuals provided by RaaS owners to affiliates, helping us understand and track malicious infrastructure," the Threat Intelligence team said.
"These insights not only assist in cybercrime investigations, but also enhance our incident response capabilities by allowing us to analyze new malware samples and gather valuable information for identifying indicators of compromise and threats. This will ultimately help us better understand how to protect our customers from cybercriminal ransomware threats."
But as Group-IB said earlier, none of this is possible without a team, and they say, “You can never do it alone.” When targeting RaaS affiliates, it’s important to be able to rely on a bank of intelligence, years of collective experience, and, in the case of interviews, multilingual colleagues.
And they say they're really after everyone – any group that is of interest to customers and that the industry needs to understand better is a target for the team's infiltrators.
Thanks to careful preparation and an experienced team, they say they almost always succeed on the first try. Long may it continue. ®