CyberWire Daily - Encore: When big ransomware goes away, where should affiliates go? [Research Saturday]
Episode Date: January 1, 2022
Our guest Doel Santos, Threat Research Analyst at Palo Alto Networks, joins Dave Bittner to talk about Unit 42's work on "Ransomware Groups to Watch: Emerging Threats." As part of Unit 42's commitment to stop ransomware attacks, they monitor the activity of existing groups, search for dark web leak sites and fresh onion sites, identify up-and-coming players and study tactics, techniques and procedures. During their operations, Unit 42 observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future. Doel discusses these (AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0) with Dave. The research can be found here: Ransomware Groups to Watch: Emerging Threats
Transcript
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities, solving some of the hard problems of protecting
ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
The initial thought of this was, when big ransomware, say
REvil, DarkSide, and others, go away,
if I'm an affiliate, where should I go?
And that evolution of trying to keep track
of these ransomware families
that are now trying to get a piece of that cake.
That's Doel Santos.
He's a threat intelligence analyst
at Palo Alto Network's Unit 42.
The research we're discussing today is titled
Ransomware Groups to Watch: Emerging Threats.
Well, let's go through it together. I mean, there are four main groups that you
highlight here. Can we start off just by listing who we covered in this report?
Sure, yeah. In this particular report, I selected Avos Locker, Hive Leaks, LockBit 2.0,
and Hello Kitty as part of the initial part of the report.
Well, let's go through them together one at a time and point out some of the specifics about each group. Why don't we start with Avos Locker?
Yeah, Avos Locker is quite interesting.
The way that I stumbled across this ransomware
was taking a look at a dark web discussion forum called Dread.
For those who don't know, Dread is similar to Reddit of the dark web.
So people post news, post information over there.
And across all those posts and news, I saw a user announcing the
launch of a new ransomware as a service called Avos Locker. And they claimed, you know, telling all
of the features that the ransomware had and how to contact them to start doing all these operations.
And I remember seeing people commenting, hey, I'm interested, hit me up. And that's why I started seeing, well, maybe this is like a new ransomware and this could become
a bad thing. So I started tracking that one specifically.
And what sort of specifics are there about Avos Locker that set
it apart from some of the other ones out there?
Sure. I mean, at the beginning, I wouldn't say too much, right? They were pretty basic
because they were starting out. Some of the features just included like a simple sample, not as fast as the other ones.
But what I can say is recently they updated their site. They redesigned their terms and conditions
for affiliates. They are now offering different variants, right? Not only are they affecting Windows environments, they're now affecting Linux and VMware ESXi platforms
and offering DDoS attacks, harassment call
services, access brokers, and all the good stuff that an affiliate could
use to carry out a successful attack.
So they've really, I don't know, expanded their range of offerings there?
Exactly, yes. When I took a look at it before, when I released this report, they were pretty basic.
It's like a small company trying to understand how to operate on the market.
And now that they know what works, they just redefine it a little bit.
So what are you seeing from them in terms of their success?
Are folks adopting their services?
Are they finding customers out there? Yes, indeed.
I'm sure that when I started writing about it
in the Unit 42 report, they only had like eight victims
or eight or five victims listed. So that tells us
that not too many people were using it or not many people were aware.
But as of today, they have 21 victims.
And they're now selling the data as well.
So they're not only exporting it for free,
now they're selling it to other third parties that are interested.
Interesting.
And what are you seeing in terms of ransom demands from this group?
Their ransom demands are not as high as other groups such as REvil.
But they're quite up there.
They started with, at least in the
instances that I've observed, something like $50,000 to $75,000. And if the ransom is not paid in that
particular period of time, it doubles, right? So we're talking about a $100,000 or $125,000 ransom.
Wow. Yeah. Any idea who might be behind this group or where they're coming from?
I can't say really.
I don't have visibility into what's going on behind the operation of these ransomware
groups.
But what I can say is that this ransomware group specifically tries to carry out operations
and promote themselves on the dark web forum.
So it could be quite a number of people.
Yeah.
Well, let's move on to the Hive ransomware group.
What's going on with them?
Hive Leaks is, if I can be completely honest with you,
one of the best-looking leak sites that I've seen
from all the ransomware operators.
And the interesting thing about them is that they refer to their affiliates
as their sales department.
Because they themselves think their ransomware is a business, right?
They have their product, which is a decryptor.
And they audit, you know, air quotes here.
They audit the victim for their attacks.
And they say, well, if you want your files back, you have to pay us.
It's quite interesting how they got to this professional approach.
Hive recently announced that they were going to leak the data
of the Missouri Delta Medical Center,
which tells me and tells the people that have been tracking this ransomware
that this ransomware specifically doesn't have any code of ethics
or any kind of conduct about what kind of organizations they can target.
Yeah, and I mean, that's really been a pattern here, hasn't it?
That no matter what these organizations say,
they make claims that they're going to leave certain organizations alone.
That really doesn't seem to pan out.
Exactly.
They really have little regard for whatever impact they may have
to this kind of healthcare organization or critical organization that we depend on.
And are they going about things in a similar way?
I mean, are they using the double extortion technique here of both encrypting files and
then threatening to make them available online?
Yeah, pretty much what they do is steal all the data they can.
They're very personistic.
They host it on their leak site.
What's interesting about what they're posting on the leak site is
that they even include social media sharing.
So more people could share like, hey, we compromised this company.
Try to get their word out, for example.
And pretty much try to disclose everything they can
if the negotiations don't go as planned.
It's fascinating.
It sounds like somebody in their organization really has a focus on marketing.
Exactly. These groups, we need to think about it as businesses.
They have their own assets. They have their marketing.
They have rebrands. They have their R&D. They have everything
they need for it to be successful
because they want to maximize profits.
Yeah.
Well, let's talk about Hello Kitty.
I have to say my favorite of the names that we're listing here,
if not the group itself.
So what's going on with them?
Hello Kitty is quite interesting, not only because of the name, right?
It's really a catchy name, but just because how they operate versus the other ones.
Hello Kitty itself doesn't have a leak site at all.
They do all the negotiations and all the transactions between the customer and the affiliate through chats that they set up on the dark web.
So when you're taking a look at their chats and their interaction between victims and the threat actors, they share the wallet address, which has received around a million
dollars as of today. So that tells me that they are really good at negotiating without having to
provide any kind of visual proof of like, we compromised your network. You know what I mean?
And the thing is that the samples that we found
were not only specific to Windows,
but to VMware ESXi, you know, a whole different market.
Hmm.
So they're not hosting the files.
Let me back up for a second here.
Are they exfiltrating files at all?
They are.
They are exfiltrating the files,
but they are not
posting it publicly for everyone to see, right? They are just extorting the victim through chats
like, hey, this is a proof, this is a picture of a file we got from your system just to establish
that, yeah, we compromised you, we were the ones who did it, and start from there, right? They
don't share it to another leak site or post it publicly, at least not that we
could have identified.
And in terms of ransom demands,
this group is sort of swinging for the fences.
Yes, this group asked around $4 million in ransom demands.
In some cases, they were very strict about trying to have
all the transactions happen through Monero.
But they're after the money, so they're quite flexible.
So depending where you are and, you know, depending on the regulations that you have,
you can buy Monero.
So everything's accessible.
It's more like Bitcoin.
So it's interesting to see that they sell it like, we only accept Monero transactions,
and they say, well, we can't do Monero, we can do Bitcoin.
And they're like, okay, fine.
Here's a wallet address for the Bitcoin.
Interesting.
Well, let's move on to LockBit 2.0, the last of the group that we're talking about here today.
What sets them apart?
LockBit 2.0, it's interesting because they shut down for a little bit after this big report on the procedures and tactics and everything LockBit was released back in July.
So they shut down for two weeks or so, and they rebranded as LockBit 2.0.
That's like an improved version of it.
They are pretty proud that their ransomware is the fastest in the market, at least from their terms and conditions list.
And they even include a comparison table between all the ransomware families that are active right now versus them obviously placing them on the top.
LockBit 2.0 also was very fortunate that REvil and DarkSide kind of shut down operations in the same time frame
that LockBit 2.0 kind of launched. So it's suspected that most of the affiliates that
were conducting under REvil or DarkSide moved to LockBit 2.0.
Interesting. So they were kind of in the right place at the right time.
Exactly. And that speaks for itself because when this started, it had no victims whatsoever. It's just like, yo, we're going to launch a week from now. And then suddenly you start seeing 10, 15, 20 victims being listed. So that means that there were a couple of affiliates working all day, all the time to get those listed over there.
So when we look at these four groups together, how much of the market do we think they represent?
To what degree are these the major players today?
I think LockBit is up there.
LockBit is quite prevalent in what they're doing with their way they're targeting victims,
trying to be like high target victims, high profile victims versus the other two.
I think the other ones need a little bit of tweaking, need a little bit of growing to do for them to be up there.
But LockBit is definitely in the right place.
What about the marketplace in general?
I mean, as organizations like these pop up, as, you know, these operators get the entrepreneurial bug and set out to do these things.
Does the community accept new players in the market generally?
How does that go for them?
I wouldn't say they do because they have to compete with each other. I think that if you have a ransomware as a service, you want to be the best there is.
Just like businesses, you want to be the best business.
You don't want competition.
You want to be the best there is.
But I guess that these groups usually have a lot of fallouts because of their internal struggles.
Because we're talking about random people doing business with random people.
They don't know each other at all. So there are no guarantees that they will get paid or they'll get a cut or whatsoever.
So they're always like between the operators.
No, they don't want more of those groups.
They want a bigger piece of the market.
But as for affiliates perspective, they want a couple of options
because you as an affiliate, you don't want to be stuck to one.
Because if that shuts down, then you don't have anything else to do.
You have to jump to another one.
Oh, that's interesting.
Yeah.
So the ecosystem itself benefits from having multiple players to survive if one is shut down.
Exactly.
If you imagine that only REvil or DarkSide or BlackMatter were the ones that are running the ransomware game, right?
If the three of them shut down, then they'd need to come up with a new one
or see what they can do to focus on other areas of cybercrime.
What are you expecting as we head towards the end of the year
and into 2022?
Are we expecting that we're going to see more of the same here
or are there any changes or evolutions
that you and your colleagues are tracking?
Here in Unit 42, we don't have any reason to believe that the ransomware crisis is going to slow down anytime soon.
As long as ransomware is profitable, they're going to keep popping up.
One way to think of it is that ransomware is like a hydra.
You chop one head down, two more will pop up, right?
They all want to claim that piece.
So it's something that I will expect to be quite relevant for the following years.
Yeah, I wonder if, as we see some of these groups attempting to professionalize this,
as we said, they're getting smarter with their marketing and improving the services.
I wonder if we might see some consolidation as well.
There's a couple of groups that operate under
cartels, of sorts. Mount Locker, specifically, is one of
those main groups that operate that way. Under them,
the group has XingLocker, Astro Team, and others that were independent on their own,
but they all partnered together to carry on the same attacks.
Thank you.
in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.