Cyber sleuths reveal how they infiltrate the biggest ransomware gangs
How do you break into the bad guys' ranks? Master the lingo and research, research, research
Feature When AlphV/BlackCat's website went dark this month, it was like Chrimbo came early for cybersecurity defenders, some of whom seemingly believed law enforcement had busted one of the most menacing cyber criminal crews.
The excitement lasted just five days, though, and its website is now back online, albeit in worse shape than before. New victims are already being posted to the site. Regardless, many are skeptical of the ransomware group's explanation that a "hardware fault" was to blame, and rumors that police infiltrated the ring are still wafting throughout the industry.
Though it happens rarely, it's always a good day when a ransomware group is taken down by law enforcement. Rarer still is a takedown where one gets a detailed look at the methods that were used in these infiltrations.
Singapore-based Group-IB celebrated its 20th anniversary in the cybersecurity industry this year, and during this time its researchers have broken into an array of ransomware groups and their affiliates. The full number remains a secret.
Before the authorities got their hands on Hive at the start of this year, Group-IB's researchers were inside as early as 2021, tricking their affiliates into accepting them, learning how they operated, and ultimately gathering the kind of information usually reserved for insiders only.
In 2023 alone, the serial intruders have infiltrated affiliates from Qilin and farnetwork, and over the past few years there have been many more to add to that list, though the details of which have scarcely been made public.
Group-IB's threat intelligence team spoke to The Register about how they're able to consistently break into cybercriminals' ranks and the vast work that goes into each operation.
The initial infiltration, Group-IB says, can be broken down into four key stages all connected by the common theme of gathering as much information about the ransomware-as-a-service (RaaS) group as possible.
"First, the team is gathering intel about a specific RaaS of interest. Certain RaaS programs, such as Qilin and Hive, are very private and close, hence it's important to learn about it as much as you can before you engage with the threat actor.
"Consequently, threat intelligence specialists start looking for RaaS programs' terms and conditions for affiliates, entry prerequisites, etc. Any valuable information we could use during the interview stage.
"Then the team starts obtaining contact information for the ransomware manager associated with the targeted RaaS program and attempts to establish communication with them. The most intricate phase is the interview typically facilitated through encrypted messengers."
All of this sets up the researchers for the later stages of the intrusion, and having a deep understanding of how the criminals operate proves especially useful during the interview if the target group has a particularly stringent vetting process, though this isn't always the case.
Some groups will spend time assessing each candidate for their RaaS program, including their technical expertise and grasp of specific terms, while others will simply grant access to an affiliate program seemingly with little to no thought.
It's generally understood, by the good guys and the bad, that the cybercrime underworld is teeming with researchers trying to unearth secrets from ransomware groups and as a result, it's becoming a vastly more difficult feat to infiltrate them.
Getting to the interview stage is the next step in the intrusion and where the quality of the research into the group will determine the success of the operation.
Questions will typically revolve around the candidate's prior experience with attacking organizations, which is where the preparation shines. RaaS managers will quiz potential affiliates on the ransomware landscape generally, and how other groups operate, discussing unconventional tactics, techniques, and procedures, the researchers say.
They'll also ask about the candidate's own experience in attacking organizations – light work for researchers whose job it is to analyze exactly how attacks unfold day in, day out. It's a case of taking an incident they examined recently and reciting it to pass themselves off as a genuine bad guy.
Just like any other employer, RaaS groups will also do their due diligence as regards a candidate's character, as well as their capability. Group-IB says it's important to apply for affiliate positions through conversations on cybercrime forums, using accounts that have been developed for years, given they operate in a landscape where infiltration attempts are rife.
Using mature accounts that appear to be genuine members of, and active participants in, the cybercrime community is vital in dampening suspicions of foul play. The team isn't willing to discuss with us the specifics of how to make an account seem genuine, through fear of jeopardizing future intrusion attempts. We're told they're being as genuine as can be, but will naturally be holding some details back.
It requires a great deal of leg work just to make sure the intruders appear genuine online, in the digital realm, but doing so in the actual interview, without giving oneself away, is another challenge entirely.
Communication here is crucial. Unlike Brad Pitt's Basterds in Tarantino's masterpiece of a Nazi tavern scene, the researchers understand that native speakers can flush out a foreigner with ease. One slip of the tongue or misused turn of phrase can make the difference in the operation's success. A diverse team is a successful one.
"The most challenging part is to establish trust without arousing suspicion," the researchers say.
One of the less straightforward methods RaaS managers use is to evaluate the candidate's use of language. They'll specifically look at the nuances in their communication, such as idioms, that could suggest they're not native speakers from whichever country they claim to be.
- Microsoft seizes websites used to sell phony email accounts to Scattered Spider and other crims
- UK government woefully unprepared for 'catastrophic' ransomware attack
- 2.5M patients infected with data loss in Norton Healthcare ransomware outbreak
- Memory-safe languages so hot right now, agrees Lazarus Group as it slings DLang malware
Group-IB's threat intelligence unit is blessed with proficient speakers in Chinese, English, Arabic, Russian, Turkish, Hindi, Dutch, French, Spanish, Thai, and "many other languages" to help them bypass this filter.
Predictably, a candidate will also be expected to demonstrate their technical understanding of how to carry out an attack, including their knowledge of the different tools they use.
Access granted, and the timer begins
Passing the interview stage is the biggest hurdle to surmount and once that's done and a base level of trust is earned, the real intel-gathering can begin.
During previous infiltrations, the Group-IB team has published various revelations about the world's top ransomware gangs. With Hive, it was able to identify the exact number of attacks as well as make an educated assumption about the number of companies that paid their ransom demands to keep their data confidential.
The farnetwork case revealed the group's payment structure and policy around initial intrusions into victims' networks. The Qilin operation also revealed a lucrative payment structure, as well as an inside look at how affiliates build their custom ransomware payload using the group's builder.
However, there is a limit on what can be achieved before the lack of criminality will be spotted and the researchers are rumbled. If it ever got to the point where they had to "prove themselves" to keep a degree of trust, by carrying out an attack or any other illegal act, the researchers are staunch in their position that the operation would end there.
"It's important to emphasize that as a threat intelligence analyst, you should strictly refrain from any illegal methods," they say.
"Your primary objective is to obtain as much information about the victim to mitigate further damage. For example, during the interview with farnetwork, we were provided a set of compromised credentials. We established the victims, found the source of the breach, and sent the notification to the affected company.
"It is essential to operate within the confines of the law. If security researchers engage in unlawful activities to catch a 'big fish,' they become indistinguishable from cybercriminals themselves."
Value of the operation
When illegality is out of the question, these operations have an inherently limited shelf life. Researchers who can't ever fully earn the trust of criminals by becoming one of them will never secure the long-term access to a RaaS group that's required to understand how it operates on a deep level. Which raises the question: What use is such an endeavor? Is it worth the outlay of resources?
Group-IB says it absolutely is. As demonstrated during previous encounters, insiders can help victims manage their incidents by alerting them to what the attacker has stolen, even if the attack itself can't at that point be reversed. These infiltrations also provide defenders with information that can help inform a wide range of investigative activities down the line and support industry-wide mitigation efforts.
"Such information helps understand the specific capabilities of gangs' builders, how malicious actors make payments to group owners, what manuals RaaS owners provide to affiliates, and track malicious infrastructure," its threat intel team says.
"These insights not only aid cybercrime investigations but also enhance our incident response capabilities as we are able to analyze new malware samples, gather Indicators of Compromise, and valuable information for threat attribution. This ultimately helps us to better understand how to protect our customers against the threat of ransomware."
However, as the Group-IB mentioned earlier, none of this would be possible without a team – "you simply cannot do it alone," they say. Being able to rely on a bank of intelligence, years of combined experience, and, in the case of the interview, multi-lingual colleagues is crucial to target any RaaS affiliate.
And they really do go after anyone, they say – any group of interest to their customers and that the industry needs to understand more deeply is a target for the team's infiltrators.
Thanks to extensive preparation and an experienced team, in most cases, they're successful on the first attempt. Long may it continue. ®