CyberWire Daily - No honor among thieves. [Research Saturday]
Episode Date: October 11, 2025. John Fokker, Head of Threat Intelligence at Trellix, is discussing "Gang Wars: Breaking Trust Among Cyber Criminals." Trellix researchers reveal how the once-organized ransomware underworld is collapsing under its own paranoia. Once united through Ransomware-as-a-Service programs, gangs are now turning on each other, staging hacks, public feuds, and exit scams as trust evaporates. With affiliates jumping ship and rival crews sabotaging each other, the RaaS model is fracturing fast, signaling the beginning of the end for ransomware’s criminal empires. The research can be found here: Gang Wars: Breaking Trust Among Cyber Criminals
Transcript
You're listening to the Cyberwire Network, powered by N2K.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants
for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts
and gain unparalleled educational research and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program,
which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at cs.jhu.edu slash MSSI.
Hello everyone and welcome to the Cyberwire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and
vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
There was just something strange going on.
We kind of felt like the larger families were not as prevalent anymore.
It was like it was getting scattered.
And looking at it, we kind of pieced the little puzzle pieces together, and we saw, like, hey, there's something happening in the underground.
That's John Fokker, head of threat intelligence at Trellix.
The research we're discussing today is titled Gang Wars, Breaking Trust Among Cybercriminals.
We strongly believe, and we can see it, and we have a couple of cases,
where cybercriminals are starting to distrust each other.
Which I say almost with a smirk, with a smile, because, yeah, it's interesting to see, because for the longest time there were always strong alliances. And when cybercriminals, I say this quite often, when they trust each other, that's when innovation happens. That's when they built these strong empires. That's when they attack at large and they can scale up. And especially if you look at ransomware, to do that from A to Z, like the whole
kill chain, from not only building software, but distributing it, and then, like, doing the
engagement with the victim, negotiating, then getting the funds, laundering the funds.
There's so many steps involved that you can, it's almost impossible to do everything yourself.
So you're always confined to team up with people.
You're always in a partnership.
And these partnerships take trust.
So now, when the trust goes out the door,
yeah, those partnerships are much harder to establish.
So that's something that we're seeing,
and we really wanted to highlight this, as
very often you see blogs about the new ransomware
on the block and all that stuff, and, actually, myself as well,
we wanted to zoom out and see, like, okay, but can we describe
what we're seeing? Can we find reasons why and why it's happening?
So that was kind of what triggered us to write this blog.
Well, let's talk about ransomware as a service
and how that model evolved into something
that kind of resembles criminal empires.
And it seems to me like what you're saying
is maybe that setup could be unraveling.
Can we talk about a little bit of the history?
Yeah, sure.
So years back, you had, like,
we're not going too far back,
but mostly the ransomware was targeted at consumers.
And that was the time when you had like CTB Locker, Crypto Locker, Crypto Wall, to name a few.
And you would see threat actors mostly focused on spreading it at large.
So getting as many installs, as they called it, as possible.
So you see a lot of spam campaigns or exploit kits being used.
And it was mostly targeted at end consumers.
And then there was a shift, because at that time I was actually working at the police,
and we worked very closely with all the banks
and the larger organizations, and they would say,
yeah, ransomware is not really a problem for us,
because we can just load up a new image
when it's one workstation,
and then we're good to go.
So it's kind of a spray-and-pray mentality
that the threat actors were using,
and that changed with SamSam,
and SamSam was one of those ransomware versions,
which eventually turned out to be Iranian operatives,
but they were actually performing more pen-testing-related
tasks. So they would go through the network, establish a foothold, established like going after
the domain admin credentials, having control over the network, and then launching their ransomware,
basically paralyzing the whole network, the whole organization. And that was a shift. And then we saw
other groups doing the same thing, from GandCrab and Maze and all the other old names that we know.
And they were doing the same thing that we call like big game hunting. And then there was a phase,
that came with ransom as a service was,
okay, yeah, we've got your system locked up,
but maybe we put some public pressure on you.
So what they were doing was naming and shaming on the websites.
And then there were thinking as well,
it's like, oh, yeah, we've attacked if you look at the CIA pyramid,
like confidentiality, availability, and integrity.
Yeah, we're attacking the availability by encrypting your organization.
But what if we steal some sensitive data beforehand,
and we threaten to publish this? Then we can also extort you on the confidentiality.
And, yeah, if you're a paper backup company and you deal with secrets, let's say you're a law firm,
then the availability is probably lesser of a concern than the confidentiality.
So that's where we saw also the uptick of the introduction and later, the uptick of data extortion.
And these elements and that big game hunting with the immense amounts of ransoms that were demanded that really, really grew almost out of proportion, kind of create these like, yeah, like we said, empires where you had people at the top directing teams and it was almost like a corporate structure, as one might say.
If we looked, we looked at the Conti leak chats, and that was run like a business.
and Black Basta that we spoke about recently as well, same thing.
And you would see groups that would have people on payrolls
or they would pay out a commission or a percentage from a ransom.
But it still is a really lucrative threat for threat actors.
However, as an empire and as a large organization,
like I said in the beginning, there's a lot of steps involved.
There's a lot of things that need to go well or you need to organize,
in order to be successful.
And that's something that relies on trust.
And trust can be that you're paying people what they're owed
or that people are keeping their promises
or they're not running away with money,
as we saw with, like, BlackCat, ALPHV.
So there's no exit scam and all these things.
So the affiliates, the partners in this scheme
that are actually doing the break-ins,
they need to feel like they belong
and they're getting an equal share
or a share that's equal to them, that they think it's fair.
These are all elements that need to be in place in order for that empire to be, to sustain and to grow.
And yeah, when you start turning those down and the cracks to start appear,
then you can see that people are turning their backs.
And then I chose a picture for the research blog that we put online.
And it's just so telling.
And actually, I got this from a friend of mine from an ex-NCA officer.
and he's like, because I spoke about the concept,
and he's like, John, this is just like the final scene of the reservoir dogs
where they're all pulling the guns at each other
and everybody's just pointing at each other.
Where they first started off as friends, now they can't trust each other.
And it kind of, that whole crime group crumbled and cracked.
And it's like, yeah, that's very telling.
And that's essentially what we're seeing now as well.
What are the signs or the behaviors that indicate that this ecosystem is cracking?
We're seeing loyalty giving way to suspicion or betrayal.
Yeah, there's some telltale signs.
And it could be internally.
So we can see signs from the threat actor, I mean,
like within the community, as well as external pressure.
And with external pressure, one of the big factors is law enforcement, for instance.
So there's a lot of individuals that are residing in countries
the Western world does not really have a treaty with when it comes to like, okay, we can send
them a request and they will arrest a person. That's extremely difficult. So if you cannot put
the silver bracelets on those folks, and we've already tried taking down their infrastructure
and they rebuilt it or whatever, what else can you do to really damage their reputation or
to really make an impact? And that's damaging their reputation, because they're businessmen.
So if you damage that reputation, you break their trust, they seem not trustworthy, it will have a ripple effect and it will ripple or it will cascade longer down and it will have a larger effect for a longer time than just taking down infrastructure because then their trust is not damaged, it's just their infrastructure.
So a perfect example of this was how the FBI and the NCA worked on LockBit, where they infiltrated the system and then they kind of used that leak
site, where they published the stolen data, and they trolled LockBit phenomenally.
And this really had an impact on the reputation for LockBit.
People scattered away doing different parts, and he was fighting really hard to build his reputation.
And another example would be exit scams.
So there's pressure on a system.
And with a system, I mean a ransomware family or a group,
and you would see that the leadership runs out with all the money.
You can do that like that happens once,
but if that happens often,
then affiliates,
people are basically doing a lot of the work for the group
and they expect a payout.
If they know there's a higher chance
that the leadership would walk out with all the money,
they're not really inclined to do a lot of work.
So that's another one.
Another thing that breaks trust is a faulty decryptor or encryptor, and we saw this in the past already with Babuk, actually, with, what was it, Mikhail Matveev, when they did the Metropolitan Police hack, where they encrypted the Washington Metropolitan Police, and the encryptor worked, but the decryptor, so the decryption portion of their attack, failed. So essentially they corrupted all the data that they encrypted, and the victim couldn't get their files back. So that's tampering with the business model. You're not getting your files back at cost,
because that was always the success for ransomware. It's like, okay, we encrypt it, but you can get
everything back. And that's another one that really, really damages the reputation, because then
the affiliate is doing all the work. And it's like, hey, listen, like, I gave my word or I promised
something. And then, yeah, it doesn't work. And you can do that once or twice. And then the
reputation of the whole group gets damaged. So that's how we saw Babuk crumble as well.
So there's different ways.
And then, yeah, the outcome is fascinating how we see it.
Like they're basically throwing each other under the bus.
They're doxing each other.
Unfortunately, we also see examples where, like, the data that was stolen from one victim
ends up at multiple other families.
And it's either we can imagine that the threat actor behind it actually moves to the different
family and then post the data again.
But we have a case where we talked about a health care provider that got extorted, a very large one.
They paid the first time, and then the extortion went on, because that group was BlackCat, ALPHV.
They did an exit scam.
And the individual, by the moniker Notchy, who was responsible for that breach, he didn't get paid.
So he was pissed off.
So he moved to Ransom Hub, and then they re-extorted that victim.
So what this tells me is, like, it's at the same, I love that the cybercriminals are kind of fighting against each other and that they have less attention for others.
There are situations where a victim can get extorted twice.
So this is just, for me, it's also a word of caution to anyone that's extorted with stolen data.
Do not pay because it's, yeah, you have no guarantee it's going to be erased and you can get extorted again.
We'll be right back.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my
vendors secure? Or the one that really keeps you up at night: how do I get out from under
these old tools and manual processes? That's where Vanta comes in. Vanta automates the
manual work so you can stop sweating over spreadsheets, chasing audit evidence, and
filling out endless questionnaires.
Their trust management platform
continuously monitors your systems,
centralizes your data,
and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection,
flag risks, and keep your program audit ready,
all the time.
With Vanta, you get everything you need
to move faster, scale confidently,
and finally, get back to sleep.
Get started at Vanta.com
slash cyber. That's V-A-N-T-A.com slash cyber.
At Thales, they know cybersecurity can be tough and you can't protect everything,
but with Thales, you can secure what matters most. With Thales's industry-leading platforms,
you can protect critical applications, data, and identities, anywhere and at scale, with the
highest ROI. That's why the most trusted brands and largest banks, retailers, and health care
companies in the world rely on Thales to protect what matters most: applications, data, and
identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber.
Well, let's dig into that, the consequences for the defenders out there, because, you know, it strikes me that, I mean, it sounds funny to say back in the day when it comes to ransomware operators, but, you know, reputation was a big part of what they did, uh, that you knew that if you did business with them, chances are they were going to hold up their end of the deal. Where do we stand today?
That's harder and harder to maintain for a threat actor. There's a saying, like, a reputation of years can be damaged in seconds. But it was interesting to see, like, I did a long study on REvil, and they were referencing not only our blogs but other industry blogs as well, saying, like, oh yeah, the decryptor actually works. So they were saying, like, well, don't take our word for it, look at the industry, look at what they write, because the
crypto is solid. So it was like, involuntarily, we gave them actually some help, which we didn't
intend. But yeah, yeah, it's almost crazy, right? You would think that you cannot trust a criminal
now. Who would have thought? But that's the situation we're in, that there's a lot of these
splintered groups, and we've been tracking a lot of the groups with the public disclosures, and
it just skyrocketed. So every week there's a new family. Every week there's a new group
spurting out and making a claim to fame.
Yes, there's still some bigger groups, like Qilin and RansomHub and some others, and DragonForce,
but overall, they're so scattered.
And to be honest, like a lot of these smaller groups, they do not focus on the encryption part.
They mostly focus on the data extortion because that's the skill set that a smaller group
of people can do because penetrating a network.
So by infiltrating and exfiltrating data,
that is something that a pen test or a red team is quite confident in doing.
Building a solid encryption tool that can also decrypt in all circumstances,
even with VMware or ESXi servers and hypervisors and all that stuff,
that is a different ballgame.
Making that fully undetectable for any EDR or endpoint solutions, defense solutions,
that's all another ballgame.
And then let alone, like, building all the negotiations and everything else.
So we also see some dispersion there as well.
We wrote about it in one of our blogs that you're now seeing also these like dedicated
services that say like, hey, we do not want anything to do of ransomware.
We'll just offer you a place where you can host your stolen data so you can extort people.
So you can see that it's, like, kind of a splinter movement, not only on the ransomware
actors, but all the adjacent surfaces as well.
It seems to me like, you know, instead of having these alpha predators, you know, a great white shark cruising around, it's more like having a river full of piranha, where everybody wants to take their little bite.
That's a great analogy. I'm going to use that. I'm going to use that one, with your permission.
Feel free.
I often said, like, yeah, it's like the school of bull sharks, and they kind of, like, or tiger sharks, they're not really always specifically targeting you, but if you are in the water and they can smell you, they will go after you. They'll take a bite. And that was REvil. But you're right. Yeah, it's more like piranhas now.
So what do you hope that people get from this research? What are the takeaways that you want
CISOs and security teams to come away with? Yeah, it's like we've been talking now for almost 20
minutes and it doesn't seem very positive what we're saying, right? But I can see this as this is
a transitional phase that we're in. I'm always very positive. Yes, crime is hard to beat and we're
not going to solve all crime, but there are things that we can do. And I'm a big advocate for
sowing distrust and breaking the trust among cyber criminals because that will only show,
A, show that they're human, and that's something that's a very important message to Trellix as well.
It's like, we don't like to mythologize threat actors.
We don't want to put them on a pedestal.
They're criminals.
And for organizations that need to defend themselves, they need to understand how they operate,
and they need to understand that they're humans.
Because, yeah, that just helps you.
As soon as you understand a threat, you're not fearing it.
You can act upon it.
And, yeah, we used to fight families and now we're fighting franchises and freelancers.
But I say it, like, when you break the trust, that empire will fall.
And we see the effects.
So, yeah, the data exfiltration, the extortion, that's something that we can work on.
And yes, there's still encryption going on, but also that.
But the bigger families are making it much, much harder to consist.
to exist, sorry.
And that's another thing
that we're doing is,
and that's maybe a bit off-topic today,
but we're doing a dark web roast.
So not only ransomware,
but every month we put out research
where we actually roast threat actors.
So anything we saw in the underground
and then making mistakes or whatever,
we'll just roast them.
And the second one is now out for July.
And we're doing this with the goal
to put a face on the adversary,
show them that they make mistakes.
And at the same time,
I really hope that if there's any threat actors listening,
they can send it to Trellix
and they can reference my name and say,
like, hey, I have info on Threat Actor X and whatever,
and I want you to throw him under the bus or whatever.
I'm all for it.
My goal is that our blogs are being read by the underground
and that they can say, like, oh, this is true.
And, oh, yeah, that guy actually,
did make a fool out of himself because when they do so, yeah, they don't see the other as a
professional. They see him as somebody that messes up. And then it becomes less likely that they
will trust in the new business. And that breaks the, now I'm explaining my ulterior motive here.
I shouldn't do that. But it helps break that trust cycle. And that will slow down to start with.
Do you think this is the shape of things to come? I mean, that, you know, with the step
up of law enforcement around the world, has it just made it harder for these operators to operate
at the high level they used to? So what we're looking at for the future is more of this kind of
fighting for scraps. Yeah, that could be the case. Another theory that we also have is like maybe
ransomware the way we knew it, as the empires, like those empires of partnerships and all that stuff,
wasn't supposed to happen in the first place.
And why I'm saying that is
if you look at other businesses in the cybercriminal
on the ground, they're very much freelancers,
they're very much having their own business
and the organizational structure is less like a hierarchy,
but it's more like a network-based model.
So one could argue that maybe through all this,
ransomware is evolving to a structure
that is more aligned with how the cybercriminal underground operates.
So everybody provides a certain part of a service, a certain part in the equation,
and that there's no overarching larger organization that controls all.
Our thanks to John Fokker from Trellix for joining
us. The research is titled Gang Wars, Breaking Trust Among Cybercriminals. We'll have a link in the show
notes. And that's Research Saturday, brought to you by N2K Cyberwire. We'd love to know what you
think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity. If you like our show, please share a rating
and review in your favorite podcast app. Please also fill out the survey in the show notes or
send an email to Cyberwire at N2K.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the eighth annual Data Tribe Challenge takes.
center stage as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors, and researchers around
breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the
startups building the future of cyber. Learn more at c.id.d. datatribe.com.