Three key ransomware actors changed jobs on October 18 – the same day REvil went dark
Underground industry grows in complexity and sophistication, says Santander Group researcher
October 18, 2021, was a tricky day for the ransomware industry. First, the gang that ran the REvil ransomware had its servers compromised, and then three individuals with key roles changed jobs.
That version of history was told today by Juan Antonio Velasco – a cybersecurity analyst at Spanish financial services giant Santander Group. Speaking at CyberCrimeCon 21, an event convened by threat-hunting and security software company Group-IB, Velasco tracked the recent career moves of four ransomware actors named Orange, MRT, Kajit and 999.
All have been active on various crime forums for some time. Orange served as the main administrator on a Russia-centric forum called Ramp. He or she reported details of the ransomware gang Babuk's activities after the group infamously infected The Metropolitan Police Department of Washington DC in April 2021.
999 was Ramp's forum moderator. Kajit also performed some moderation duties and was active on rival forums such as XSS.is and exploit.in.
They all changed jobs on October 18. Orange, MRT, and 999 decided to go private, while Kajit was named the admin of Ramp. Velasco's analysis of traffic on crime forums suggests Kajit now has the line of contact to the masters of the REvil ransomware that Orange once enjoyed. Kajit has also launched a redesign of Ramp.
Ramp has recently started to court Chinese actors, in addition to its usual Russian-and-English-speaking clientele. Velasco was unable to explain why that's happened, but thought the increasing interaction between Russian and Chinese actors was notable.
He also noted that October 18 is the day REvil's servers went offline – but didn't explicitly link the change of gigs to the (possible) demise of the (probably) Russian gang.
The researcher discussed the job moves in the context of his probes of how ransomware groups operate an increasingly sophisticated and diverse supply chain. Velasco said labor is now divided among groups that compromise networks and then sell access to brokers, who in turn resell to those who do the actual infiltration of networks, installation of ransomware and exfiltration of data.
Access brokers have even divided into retailers and wholesalers. The latter sell bundles of compromises for between $10,000 and $20,000. Retailers sell individual networks for between $300 and $1,000.
All players are actively recruiting affiliates – often in forums that are abuzz with news of new exploits to try, offers of work or commissions, or threat actors claiming that their tools were behind recent exploits and therefore worthy of attention.
Long-term relationships are emerging between access brokers and criminals, Velasco said. Ransomware groups are especially keen to work with brokers to find targets.
Velasco said forums are responding by creating secure transaction tools – so that crims can do business without having to leave for services like Telegram.
Crims, meanwhile, are gravitating to more exclusive or more focused forums in search of the information they think will turn into a score. Or sometimes – as was the case for Orange, MRT and 999 – graduating to something else entirely. ®
Updated at 23:30 UTC, December 2nd
The Register has been contacted by researchers and parties claiming they are familiar with RAMP and some of the actors mentioned in our story, and suggesting that Velasco's presentation may not reflect the actual state of affairs. We're told that some of the named actors may be the same person, and that changes that Velasco represented as innovative have been present on ransomware forums for some time. We're also advised that RAMP's interest in China is as a source of new exploits.