CyberWire Daily - Ransomware is coming. [Research Saturday]

Episode Date: February 10, 2024

Jon DiMaggio, Chief Security Strategist for Analyst1, is discussing his research on "Ransomware Diaries Volume 4: Ransomed and Exposed - The Story of RansomedVC." While there is evidence to support that RansomedVC runs cybercrime operations, Jon questions the claims it made regarding the authenticity of the data it stole and the methods it used to extort victims. The research states "I uncovered sensitive information about the group's leader, Ransomed Support (also known as Impotent), relating to secrets from his past." In this episode Jon shares his 6 key findings after spending months engaging with the lead criminal who runs RansomedVC. The research can be found here: Ransomware Diaries Volume 4: Ransomed and Exposed - The Story of RansomedVC

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
Starting point is 00:01:07 tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. When the Ransomware Diaries 3 had come out, I was looking on one of the Russian forums, and this person who had just created an account the day before started chiming in, and in their signature block, it said, owner and creator of RansomedVC. That's Jon DiMaggio, chief security strategist for Analyst1. The research we're
Starting point is 00:01:46 discussing today is titled Ransomware Diaries, Volume 4, Ransomed and Exposed, The Story of RansomedVC. Of course, at the time, I didn't know who that was because it was like a day after their operation had started. But I just started looking into it from there. And as the following month went on, I started to hear more and more about them. So I figured if they had an interest in my work, maybe I could leverage that to gain access to them and see what I could figure out. And that's basically where it started. Before we dig into the specifics here, can you paint a little picture for us of what it's like to be on these types of forums?
Starting point is 00:02:35 Well, you know, being on the forums themselves, you know, gaining access sometimes can be difficult. But once you're there, I would not say that in comparison to doing engagements directly with threat actors, that just being on the forums is a scary place. It's a great source for intelligence, especially for cybersecurity researchers. But if you're doing any sort of interaction where you're communicating with a threat actor, even with a fake persona, anytime you're directly reaching out, that's a little unnerving. And obviously, you know, doing that brings greater risk. But, you know, there are two methods to that. One is, you know, to have an account just to watch and observe. And then
Starting point is 00:03:18 there's, you know, another technique where you're actually building up a fake persona and getting people to believe that you are someone else and to gain credibility so that you can actually talk and communicate with your real target, that's much more difficult. And yes, that's very unnerving and takes a lot more risk when you do that. Yeah. Well, let's walk through this specific example here. I mean, how do you begin your interaction with this person who's saying that they're the proprietor of RansomedVC? Yeah, so this one was a little bit different because normally, you know, there are only a few ways to communicate with a threat actor.
Starting point is 00:03:56 And RansomedVC, one of the things that caught my attention was, you know, their footprint was so much broader. They had social media accounts on several platforms. They even had two accounts actually on TikTok. They were on Twitter. They were on several different types of social media. So that in itself made them much more accessible. When I did decide to reach out to them, I reached out to them both
Starting point is 00:04:26 publicly on Twitter and said, hey, I want to talk to you. And I also sent them a message on an application that many threat actors use to communicate that's called Tox, T-O-X. And it's just, it's an encrypted communication platform that you run on a local system. It's not social media. But I sent a message on both. They responded on Twitter, and then they asked me to transition and talk to them on Telegram. So we ended up doing most of our conversations there on Telegram over the course of about two and a half months. Second platform, Jon. Second platform. Never move to a second platform.
Starting point is 00:05:11 I think they were more comfortable with Telegram than Twitter, just from a monitoring perspective. Whether they're correct or not is another story. But because, you know, Telegram was supposedly designed for privacy and incorporates encryption, I think they feel safer using that to get away sort of from the monitoring of law enforcement or government eyes type of thing. So now that you've established contact here, what's your strategy? Yeah, so that's something that has become, that's something I've spent a lot of time doing. So if I can just take one step back, at Symantec, I spent seven years there, and my entire career prior to that was always in the government. And there you're dealing with zeros and ones. You're going through data to make these assessments. You're not actually doing direct engagements. don't have access to customer data here. So I had to get creative. And I literally just started to read everything I can on human behavior, profiling, reading things, academic papers, things. I read stuff from the FBI's behavioral analysis unit. I even reached out to them. I read about different
Starting point is 00:06:19 techniques. But at the end of the day, what it comes down to is just sort of trial and error, which can be scary. And using fake personas was a little bit easier because I wasn't myself. But with the popularity of the ransomware diaries, I've found that I get farther just communicating as myself. And so in doing that, you have to be very careful. And I've taken the approach of just being straightforward, right off the bat, telling them what my intent is, why I'm talking to them, if I plan to write research. I always ask them if they've read my previous research so they understand the type of thing that's going to come from an engagement with me. And if they're still willing to talk to me, then we move forward.
Starting point is 00:07:01 One of the things, though, that I have to do is even though it's myself, they'll say lots of things that I don't agree with or I don't like or I think that are outrageous. But I have to remember that even though I'm presenting myself as me, I need to get information. So I still have to say things and do things that I wouldn't do in real life. And there's more of a risk there because they could dump all of our chat logs and to the untrained eye, people might think that, okay, well, this guy's buddies with them or he's stroking their ego or he's telling them the things that because I'm able to get people comfortable enough to talk to me and share details about attacks and about things that they do in their attacks that are not public and no one else would know if it wasn't for that human engagement. So it takes a lot of work. Honestly, sometimes after like with this one, I spent months talking to these guys and it's not just one person. I've talked to about four different people that were involved with the gang. But by the time it's done, it takes a toll on you emotionally. It affects your personal life.
Starting point is 00:08:16 There's no vacation when you're doing this because if you're doing an engagement with a threat actor, it could be a Saturday. If they pop up and want to talk to you, then that's an opportunity to get information. It's kind of hard to say no. So you can get burnout easily. There's a lot of risk. You have to live a paranoid life, things of that nature. So it's not been easy, but I've had a lot of success for it. And I feel like the good that comes from the research is greater than the bad. The bad side being I'm shining a light on them. They want to talk to me because they want to be famous in the criminal world.
Starting point is 00:08:52 But I know my research is making a difference because usually after I write, I have both – I write previously. I've had law enforcement and government agencies from all over the world reach out to me and ask me questions about it. So that tells me that it's good information if those type of organizations are finding things that I'm publishing to have new and unknown information in it. So I keep the fight as long as I feel like I'm making a difference. But yeah, it's tough. Help me understand the kind of balance that I feel like you must take here between folks like this being flattered by your interest, but also I would imagine that they're kind of circumspect about sharing too much with you. Yes, yes. So that balance is why I have to do things like, for example, if they say something extremely racist or they make a terrible joke, not saying, why would you say that? That's awful.
Starting point is 00:09:51 I don't appreciate that. Don't say that sort of thing. While you don't encourage it, you have to kind of bite your tongue and just sort of move on with the conversation in a way that doesn't necessarily alienate them. But you don't, I also, you know, you can't encourage that either. So it is a tightrope walk, but here's the thing. It's not just one little thing like that. It's trust that's built up. I don't do just one engagement. This isn't like a 30-minute interview with them. I do this, you know, for four or five days at a time over a course of anywhere from one to three months,
Starting point is 00:10:28 usually, when I do this type of research. The goal is to build and establish a relationship with that threat actor. As an example, just today, I had a conversation with the LockBit threat actor. And I was talking to them because they had just popped a hospital that is in Chicago where they have a children's cancer ward. They specialize in helping homeless people and other people that can't afford treatment. And so I reached out to LockBit trying to, because I talked to this person's relationship being like, hey man, you've made all this money. Remember you're a human. Just give these people their decryption key and move on. I don't know whether he's told me he has to think about it. But my point is that it's months of
Starting point is 00:11:13 building these relationships and getting them to have some trust because they feel like they get to know who I am. And I don't lie to them. I tell them right off the bat what I'm doing. And there are certain things that they've shared with me where they say, I'll tell you this, but it has to be off the record. And while I put everything in my research that I find, if they do tell me something off the record, I have to abide by that because when you're talking to criminals, that's all you have is a reputation. And I think I've built a pretty good reputation of being straightforward with them. So it is difficult. They say horrible things. They say, like, for example, a lot of Russian bad guys like to use the N word a lot. And that's a word that I would never use in my vocabulary that they use. So it makes me uncomfortable, but I also can't
Starting point is 00:12:00 show them that I'm uncomfortable. So again, it all comes down to risk because like I said, all these things that wouldn't make me look great, but the fact that I'm not standing up and saying, hey, don't do that. But what everybody has to remember is it's the end game. I'm trying to get them to trust me. I'm building that trust. It's just weird now because I do it as myself.
Starting point is 00:12:20 When I was using fake personas, it was much easier. But it's all about the end game of getting that intel and being able to fill in gaps that will help defenders and law enforcement better protect and apprehend these type of criminals. We'll be right back. And now a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024, these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors
Starting point is 00:13:10 more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context,
Starting point is 00:13:35 simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. Are you typically communicating in English? It depends. So with RansomedVC, everything was in English because all of the people I spoke to could either write or speak coherently in English.
Starting point is 00:14:20 So I was able to do that and communicate much easier. With LockBit, they talk in broken English, so it's a little bit harder. But I do have colleagues at Analyst1 that are Russian and can speak the language. So I do have the ability to do both. But obviously, when I can communicate without speaking a language that I don't know myself, we get a lot farther and I don't have to wait on other people and things of that nature. Well, let's go into some of the details of what you learned about RansomedVC. I mean, what are some of the highlights of your research that you can share with us? Yeah, so I would say, you know, there's a number of things. I think the most significant aspect of my research was I talked to this hacker who goes by the handle USDOD.
Starting point is 00:15:13 He was a very interesting person because this past September, Brian Krebs had written a blog about him. Apparently, this individual had hacked this network called InfraGard, which contained a bunch of information on the FBI, people who work for the FBI, so employees of the FBI, and released that. And he also targeted NATO and these other organizations, and he released it all on September 11th and was sort of labeled as a terrorist. Well, he's not. I'm going to go on record and say he is not a terrorist. He's a person who made some poor decisions in what he did, but he does not have this strong anti-US sentiment about him. But he did some dumb things, made some poor choices, but he had also joined RansomedVC. So when I talked to him, he was giving me bits and pieces of information and he seemed
Starting point is 00:16:03 very straightforward with me, as opposed to when I talked to the person who runs the operation who goes by the name Ransomed Support, you know, he outright admitted that he lies a lot and admitted some of the things that he's publicly done that have been lies. And, you know, he told me a lot of things that I knew were untruthful. So I had one individual who, again, I'm going on my gut feeling here, which isn't always right, but it is pretty good. One individual who I believe is being truthful, or at least believes he's being truthful with me, and this other individual who half the things that he's telling me are lies. that one gives me to try and see if I can, I don't want to say catch the other off guard, but get them to give me a comment by the way I present it that would fill in the gap and find the truth of what really happened. So with that, Ransomed Support, the leader of RansomedVC,
Starting point is 00:16:56 had been saying some bad things about this guy. And this was like one of the top hackers in the world who worked for him, and he's trash-talking him. So when we were talking and I shared some of the things that was said about him and asked him if he still worked for them or if he had any concerns about them, he told me no, he had stopped working with them. And to speed up the story here, at the end of the day, by being able to show that that other person did not actually care about them and wasn't in their best interest to protect them, USDOD became comfortable and shared information with me that led me to identify that the person who created RansomedVC
Starting point is 00:17:37 was previously associated with the Ragnar Locker ransomware gang who had just been arrested in October, October 30th exactly. And that was very relevant because RansomedVC had started a new forum only seven days prior, and it was a ransomware-based forum. Now, starting a forum takes money and resources, and that shows they were expanding their operation, not ending it. So seven days later, I'm sorry, it was October 22nd when they started this forum, and October 23rd, there were some arrests for Ragnar Locker, and October 30th, RansomedVC announced they were selling the forum. So they showed they were expanding. They spent time and money. A day later, there's arrests for a completely unrelated
Starting point is 00:18:30 ransomware group. And seven days after that, RansomedVC makes an announcement that they're shutting down. But here's the key. They made the announcement that they were shutting down because he said six people that were associated with him, Ransomed Support, the leader of the group, had been arrested or he believed that they had been arrested. And at the time, everybody discounted this as another lie because there was no news of anyone from RansomedVC being arrested. Well, no one, including me, connected the dots. He was not talking about RansomedVC. He was talking about Ragnar Locker. Those men that had been arrested were part of Ragnar Locker, and he was associated with them, and he was concerned that they would give
Starting point is 00:19:10 information that could possibly lead to him. Then USDOD told me that Ransomed Support from RansomedVC and Ragnar Locker had had some sort of falling out and claimed that Ransomed Support actually leaked information to Europol that helped lead to their arrests out of spite. Now, that is sort of a sin, even amongst criminals. I don't know if that's true or if that's just a story based on the crazy things Ransomed Support may have said to USDOD. But again, I believe that what the guy told me, he actually believed was true.
Starting point is 00:19:43 And that's pretty crazy. From a cybersecurity perspective, no one was aware that he did any sort of business with this other ransomware group. But the fact that he may have actually had something to do with taking them down is just, that's unheard of. But again, I want to be careful with that because I don't have evidence that he did that. I have two people's claims that differ, but I felt that that was a really significant finding in my report. I'm curious, you know, having the kind of access that you have and the experience that you have with these folks, how does that inform your attitude?
Starting point is 00:20:21 How has that changed your thoughts on approaching day-to-day cybersecurity? It's changed it a lot because I never saw the actual human side behind it. And when you spend all day defending against attacks or trying to chase live attackers out of your network, it's still all at a binary level, if you will. And you don't really see the side. You sort of forget that this is a human being just like me. So what's changed about it is I've really learned that there is a human side to this. And while some of these people might be completely crazy, well, others are not and just have had poor life circumstances and made some poor ethical decisions. But there is a difference.
Starting point is 00:21:16 There are people that are really bad and will always do bad things. And then there's others that I have found that have done bad things, that's like USDOD, who I think do have good in them. And I hope that the relationship that I end up having on them persuades them or helps persuade them to change their ways. I may never be successful in that, but it's something that I strive to do when I do find someone that I think has good in them. But to answer your question, it's made me take a step back. And whenever I hear about these, about attacks, well, most people are looking at it from the perspective of how I used to look at it,
Starting point is 00:21:55 which was only, how do we defend? How do we mitigate? And how do we protect ourselves moving forward? And I look at it differently, like how do we permanently stop this sort of attack? And getting to know these people and reaching out, getting this information, it only takes one slip up for somebody to give away too much information that might be the one key that could be used by law enforcement to find these people. And I think that when you add that, sort of the human intelligence part on top of the ones and zeros from a cyber perspective, it just really increases the value
Starting point is 00:22:34 of that intelligence product. Now, the stuff that I write is exactly what I just said. It's cybersecurity-related information coupled with the human aspect. But now I've gotten to a point because I love to write and I'm getting these people's stories, I like to really tell a story and try to make it entertaining in addition to simply being, you know, just an intelligence report that can be used, you know, for defensive purposes. I want people to enjoy reading it. I want to increase the knowledge base
Starting point is 00:23:05 on this. I want people who don't typically read this or understand this to read it and be interested in it. So I've sort of taken it to this other level. Not everybody loves that I do that, but I thoroughly enjoy making interesting stories and sharing the human side of this, whether it's good or bad, and providing context to the ones and zeros of cyber attacks. Yeah. To what degree do these folks tend to consider themselves invincible, or are they looking over their shoulders, or do they feel like any day that knock on the door could be law enforcement? Yeah. Well, it does differ, but let me give you a couple examples. With LockBit, for example, the leader of that group is extremely paranoid and careful. He's
Starting point is 00:23:52 probably one of the most careful people that I've ever dealt with when it comes to his operational security. According to him, he spends a lot of time, especially before he began this operation, really learning about OPSEC and making sure that everything he did provided minimal risk that would make it difficult to identify or catch him. And every decision he makes, you can see the things that he's doing to incorporate keeping him a few steps away from anyone finding him, or there's a reason that we haven't seen law enforcement take down their infrastructure. There's a reason we don't have names of the people directly in that management ring of that gang, because they're so careful. And then you have groups, I'll just use RansomedVC since we're talking about them as an example, where they definitely worry much more about their door being kicked in. You know, other researchers and criminals have doxed them and, you know, made claims about their identities. I don't know if they're right,
Starting point is 00:24:55 because I don't get into doxing. That's a headache I don't want to deal with. But the point is that, you know, they're very concerned that there's going to be a knock at the door. So I really think that it depends on not just the person and the group itself, but it also depends on how comfortable they are that they have done everything possible to make it difficult to find them. And they believe that they don't make mistakes because they're careful. And those people are also a lot more, they're more difficult to talk to. You know, it's like LockBit, that used to talk to me
Starting point is 00:25:32 and we would have water cooler talk. And now it's, I call him Mr. Grumpy Pants because whenever we talk to him now, it's all business. He doesn't want to share anything else. And I get it. I wrote a ton of research on them. I understand. But it's a very different relationship now. So each one is a little
Starting point is 00:25:50 bit different, but I feel like that's why it's important to sort of profile them so you know how to approach them and you don't scare them away. Our thanks to Jon DiMaggio from Analyst1 for joining us. The research is titled Ransomware Diaries Volume 4, Ransomed and Exposed, The Story of RansomedVC. We'll have a link in the show notes. Thank you. trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. networks. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
Starting point is 00:27:25 your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliot Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
