CyberWire Daily - Groove Gang making a name for themselves. [Research Saturday]
Episode Date: October 16, 2021. Guest Michael DeBolt, Chief Intelligence Officer from Intel471, joins Dave Bittner to discuss their work on "How Groove Gang is shaking up the Ransomware-as-a-Service market to empower affiliates." McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victims' networks, rather than the previous approach, which prioritized control of the ransomware itself. The research can be found here: How Groove Gang is shaking up the Ransomware-as-a-Service market to empower affiliates
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Affiliates are kind of wanting to get their name out there and say, hey, you know, we do great work on ourselves.
We don't need to be cast in the shadows of the ransomware operators.
We can kind of make a name for ourselves.
That's kind of what we're seeing right now.
That's Michael DeBolt.
He's chief intelligence officer at Intel 471.
The research we're discussing today is titled How Groove Gang is Shaking Up the Ransomware-as-a-Service Market
to Empower Affiliates.
Well, first of all, big shout out to the McAfee Advanced Threat Research team
who we collaborated with on this.
If you haven't already, check those folks out.
They do amazing stuff.
Yeah, as far as, you know, kind of understanding and wrapping our heads around
what we mean by a shakeup of the traditional model,
I think it's first really important to understand
really the nuts and bolts of what we mean by the traditional ransomware as a service model.
And when you think about it, for the most part, ransomware operations is split into two distinct roles.
You have affiliates and you have service operators.
Sometimes we call those developers as well.
Affiliates, those are the folks who nowadays, and it hasn't always been like this, but nowadays they're fairly skilled penetration testers. Their job is to basically go out and find and gain access to new target networks, move laterally, escalate privileges, ultimately find their way to an organization's domain controller, and then hand off the keys basically to service operators or the ransomware service operators we call developers as well.
They develop the actual ransomware malware. They run the infrastructure needed to successfully extort the victims. They have the decryption keys. They run
the name and shame blogs. They do all the payment processing and sometimes even the call centers.
So historically, you have these two distinct roles. It's been almost like a structured
hierarchical setup with the service operators being at the very, very top, kind of calling the shots, and the affiliates, as I would call the workhorses, at the very bottom.
Yeah, and so you have this situation where historically it's been a very hierarchical setup.
Now, as we're seeing with this Babuk fallout, we'll talk about that, I'm sure, the affiliates are kind of wanting to get their name out there and say, hey, you know, we do great work on ourselves.
We don't need to be cast in the shadows of the ransomware operators.
We can kind of make a name for ourselves.
So that's kind of what we're seeing right now is breaking up the hierarchical structure.
Now, is it fair to say that this hierarchical structure was functioning fairly smoothly for a while? At the outset, as it was established, it seemed like all parties were doing well and profiting from it?
Ransomware has been prolific over the last two years.
I mean, there's nothing to suggest that anything is necessarily wrong with the hierarchical model.
It's been quite successful.
People have made, you know, cyber criminals have made tons and tons of money, billions of dollars.
But what we've seen is a shift in, you know, back in the day when you had ransomware back in 2014 and even earlier,
you had affiliates kind of casting a wide net, if you will.
So they would be botnet operators looking for installs. It was more of a quantity game versus a quality game. Whereas now the skills that an affiliate needs to have is more about big game
hunting. So finding the juicy nuggets, finding the targets that are really going to pay off in the end, and that requires a little bit more of a skill set.
So you're starting to see this, I would say this imbalance emerge between the skills that are required for a ransomware operator and what's required of an affiliate.
And affiliates are starting to realize that they can make a name for themselves.
Well, take us through, I mean, when did we start to sense that there was some unhappiness between the developers and their affiliates?
Yes, it really started earlier this spring, back in April of 2021.
This saga, if you will, started back in April when we saw the DC Metropolitan Police were
actually breached and their data was leaked by a ransomware group we call Babuk.
This gained a lot of really unwanted public attention from the group and also from the underground community at large.
So what they did was they announced that they were shifting tactics.
They were going to move away from traditional encryption-based extortion.
They were only going to do data exfiltration and
then naming and shaming. They released their ransomware source code to the public as sort of
proof that they were going to do this. And they shut down their affiliate program. What they were
trying to do is get back below the radar, operate in the shadows, basically telling the world that
they were done with locking up victim computers. And this was really the beginning of Babuk's fallout and the eventual rise of what we now see as the new RAMP forum,
which we detail in the blog, and also a corresponding group we know as Groove,
which are likely ex-affiliates or perhaps even a subgroup of Babuk. And then in May,
we saw the Colonial Pipeline attack happen, and really the
forum administrators from across the popular forums, they got real nervous. They started reacting,
saying, oh no, what's going on? You know, we're kind of getting exposed out there in the public. This
media attention is a little bit too much that we want to deal with. So they started banning all this
ransomware activity on their platforms, which was quite a big deal. They wanted to, again, stay away from the heat caused by that
high-profile event. They mentioned the DC Metropolitan Police hack as another high-profile incident.
The underground community was becoming toxic and dangerous. Those are the kind of words that they
used. So they banned all these ransomware operators. So you kind of start seeing some,
you know, the fallout of Babuk in early April, then you see the ransomware operators getting banned. It's kind of setting the stage here for these affiliates who are, like I said,
kind of this underlying workhorse for these ransomware operators, saying, you know what,
maybe it's time for us to start making a name, making a name for ourselves. So then in July,
we saw this new forum emerge called RAMP and this group called Groove.
And interestingly, as we detail in the blog,
this new forum and the blog that was created was hosted on the same Tor-based
resource that was previously hosted by Babuk,
their name and shame blog.
So there's some connections there that were quite interesting
between this new group and Babuk.
Can you give us some details about this RAMP forum itself?
I mean, was it a brand new thing that spun up in order to host this sort of thing,
or was it pre-existing and they welcomed,
since there was a vacuum, a place for folks to advertise these sorts of wares?
Yeah. So this is not the first time we've seen, I guess, what we would call a network access
marketplace. There's a couple of other ones out there. What makes this one interesting is the
connection between a known ransomware group in Babuk, and actually
there's also connections to another ransomware group we call BlackMatter. But it was the
connection between RAMP's administrator, the actor known as Orange, and the previous group called Babuk
and the fallout. So really, RAMP is around offering a platform for affiliates or
anybody else that wants to make money off of stolen network access to go and sell those wares.
This actor who created RAMP claimed that the new forum was for ransomware-related actors
who were ousted from the main forums back in May. And he claimed that this Groove gang had
been in operation for two years doing cyber industrial
espionage, like I said, likely as affiliates or a subgroup of Babuk, and also at least another
ransomware group called BlackMatter. And they were basically looking to expand beyond the shadows of
ransomware, looking to become more self-sufficient in their aim to make more money on their own. In
fact, one of the things that they said was, we don't care who we work with and how. You've got the money,
we're in. So you mentioned the word Orange and that being a name that someone is using here.
Can you clarify that a little bit? Who is this entity using the name Orange?
Sure. And as with anything that you do in the cybercrime
underground, you really take a grain of salt with some of these handles and aliases that actors
use. But this is essentially the handle that was used by the administrator who created the forum.
All right, well, how about the Groove gang themselves? I mean, what are the details there? What have you learned about that organization?
by not only Babuk, but other ransomware groups as well,
which tells us, gives us a strong hint that the Groove Gang was one of these affiliates
that were really fueling the ransomware surge
that we've seen within the last year and a half or two years
by providing those network accesses.
So this is probably a group of Eastern European individuals,
small group, trusted group,
who are highly skilled in penetration testing.
They understand how to go about targeting big whale, big game hunting operations using
credentials, stolen credentials and vulnerabilities.
And they know how to monetize that through ransomware and other means.
So in terms of the way that they're operating here, this group who's sort of broken
away and become independent of the previous developers, are they using the same tactics,
techniques, and procedures as they were previously, or have they evolved things to suit their own
purposes? Yeah, they're going to do what has been successful in the past. Their tactics, techniques, and procedures they've
used to gain initial access into large organizations is not going to change. And it really
is around, unfortunately, it doesn't sound too exciting, but a lot of these groups,
Groove and others that we've seen are using stolen credentials as initial access
techniques. They're perusing shops, automated shops that sell credentials in bulk. They're also
in some cases running their own botnets, information stealer botnets, where they're
capturing malware logs and then parsing through those logs for juicy targets,
mostly network access points like RDP and VPN and others, Citrix, and then
basically going through that, prioritizing what they have and gaining initial access
at that point and leveraging that for further on exploitation.
Getting to the domain controller is the main goal.
And then once they're in, what happens next?
How do they go from there?
Well, if they're working with a ransomware operator, i.e. they're working with Babuk or they're working with one of the other, pick one, ransomware groups,
they'll go ahead and sell that access to the group.
The ransomware operator will deploy the ransomware from there, and then they'll take a cut based on whatever the payout scheme is and whether the victim decides to pay.
The other option is they can go into the underground market.
There's a whole marketplace for selling network accesses.
And at that point, you're selling it wholesale and to the top bidder.
And the top bidder gets to do whatever they want with those network access credentials at that point.
Is there any sense within the online forums, the places where these folks trade their wares, are they receiving respect?
Do people admire the work that they're doing?
Is there resentment from some of the people who were here first or any threats of retribution?
Or do you track any of that sort of thing?
Certainly there's, I mean, we're talking about a community of criminals here. So we're not talking about the most upstanding individuals.
So certainly you'll have situations where there's arguments and, you know, blacklists being posted against other actors for, you know, a lack of service uptime or whatever it
ends up being.
But I guess for the most part, there's almost a, there's definitely a competition that these
network access brokers have right now.
But I don't, I don't see any, you know, major conflict between, between them.
And maybe that's because we're seeing kind of the start of this conglomeration,
if you will, of network access brokers kind of banding together, like we do see with Groove.
Previously, we've seen these network access brokers come into the market almost as individual
operators. We've seen some connections and maybe there could be groupings of one or two individuals,
but nothing like the hierarchical setup that we've seen with ransomware
operations in the past. So it's still kind of a hodgepodge of network access brokers coming into
the market, kind of doing their own thing. And really, the demand is there. And people want,
you know, these actors, they want network accesses so they can leak data, they can enter into a corporate network, try to escalate their privileges and get to the domain controller and do whatever they want at that point.
So they're just, these network access brokers and the Groove gang, you know, they're just going to meet that demand and meet that need.
Do you suspect that we're going to see this sort of thing continue, this kind of professionalization of these sorts
of services? Absolutely. I think we're seeing it with Groove. I think we're seeing it with RAMP,
with the network access marketplaces. I think you'll have pen testing as a service is something
we're starting to see a little bit more professionalized as people in the underground,
they start to realize that they can also contract that
out. That can also be a service that they don't necessarily have to upskill themselves on. They
can go and rent that service, if you will. For the network defenders out there, how does
the information you're sharing here inform how they approach protecting themselves?
Sure. Well, like I said before, a lot of this has to do with initial access, right? I mean, what's fueling the ransomware surge that we have is individuals, and sometimes one or two
individuals who have formed a group, who are going out there looking at any opportunity they can
to access a big game target through network accesses,
through stolen credentials, really. Some of them we're seeing using exploited vulnerabilities,
but for the most part, they're looking for credentials. So it's a low-hanging fruit.
We say it over and over and over again, but multi-factor authentication is going to help you
quite a bit to remove yourself
from being on the list of a low-hanging fruit target from some of these actors.
Our thanks to Michael DeBolt from Intel 471 for joining us. The research is titled How Groove Gang is Shaking Up the Ransomware as a Service Market to Empower Affiliates.
We'll have a link in the show notes.
The CyberWire Research Saturday
is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Trey Hester, Brandon Karp, Puru Prakash,
Justin Sabey, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.