CyberWire Daily - When big ransomware goes away, where should affiliates go? [Research Saturday]
Episode Date: October 23, 2021
Our guest Doel Santos, Threat Research Analyst at Palo Alto Networks, joins Dave Bittner to talk about Unit 42's work on "Ransomware Groups to Watch: Emerging Threats." As part of Unit 42's commitment to stop ransomware attacks, they monitor the activity of existing groups, search for dark web leak sites and fresh onion sites, identify up-and-coming players and study tactics, techniques and procedures. During their operations, Unit 42 observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future. Doel discusses these (AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0) with Dave. The research can be found here: Ransomware Groups to Watch: Emerging Threats
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
The initial thought of this was, when big ransomware such as REvil, DarkSide and others go away, if I'm an affiliate, where should I go, right?
And that evolution of trying to keep track of these ransomware families that are now trying to get a piece of that cake.
That's Doel Santos.
He's a threat intelligence analyst at Palo Alto Networks' Unit 42.
The research we're discussing today is titled
Ransomware Groups to Watch Emerging Threats.
Well, let's go through it together.
I mean, there are four main groups that you highlight here.
Can we start off just by listing who did we cover in this report?
Sure, yeah.
In this particular report, I selected AvosLocker, Hive Leaks, LockBit 2.0, and Hello Kitty.
That's the initial part of the report.
Well, let's go through them together one at a time and point out some of the specifics about each group.
Why don't we start with AvosLocker?
Yeah, AvosLocker is quite interesting. The way that I stumbled across this ransomware was taking a look at a dark web discussion forum called Dread. For those who don't know, Dread is similar to the Reddit of the dark web. So people post news, post information over there. And across all those posts and news,
I saw a user announcing the launch
of a new ransomware as a service called Avos Locker.
And they claimed, you know,
tell all of the features that the ransomware had
and how to contact them to start doing all these operations.
And I remember seeing people commenting,
like, hey, I'm interested, hit me up. And that's why I started seeing, well,
maybe this is like a new ransomware and this could become a bad thing.
So I started tracking that one specifically.
And what sort of specifics are there about Avos Locker that sets it apart from some of the other ones out there?
Sure. I mean, at the beginning, I wouldn't say too much, right? They were pretty basic because they were starting out. Some of the features just included like a simple sample, not as fast as the other ones. But what I can say is recently they updated their site. They redesigned their terms and conditions for affiliates. They are now offering different variants, right? Not only are they affecting Windows environments, they're now affecting Linux and VMware ESXi platforms and offering DDoS attacks, harassment call service, access brokers, and all the good stuff that an affiliate could use to carry out a successful attack.
So they've really, I don't know, expanded their range of offerings there?
Exactly, yes.
When I take a look at it before, when I started to release this report, they were pretty basic.
It's like a small company trying to understand how to operate on the market.
And now that they know what works, they just redefine it a little bit.
So what are you seeing from them in terms of their success?
Are folks adopting their services?
Are they finding customers out there?
Yes, indeed.
I'm sure that when I started writing about it in the Unit 42 report, they only had like eight or five victims listed.
So that tells us that not too many people were using it or not many people were aware.
But as of today, they have 21 victims.
And they're now selling the data as well.
So they're not only exporting it for free,
now they're selling it to other third parties that are interested.
Interesting.
And what are you seeing in terms of ransom demands from this group?
Their ransom demands are not as high as other groups, such as REvil, but they're quite up there.
They start with at least the instances that I've observed was like $50,000 to $75,000.
And if the ransom is not paid on that particular period of time, it doubles, right?
So we're talking about $100,000 or $125,000 ransom.
Wow. Yeah.
Any idea who might be behind this group or where they're coming from?
I can't say really.
I don't have visibility into what's going on behind the operation of these ransomware groups.
But what I can say is that this ransomware group specifically tries to carry out operations and promote themselves on the dark web forum.
So it could be quite a number of people.
Let's move on to the Hive ransomware group. What's going on with them?
Hive Leaks is, if I can be completely honest with you, one of the best-looking leak sites that I've seen from all the ransomware operators.
The interesting thing about them is that they refer to their affiliates
as their sales department.
Because they themselves think their ransomware is a business, right?
They have their product, which is a decryptor.
And they audit, you know, air quotes here,
they audit the victim for their attacks.
And they say, well, if you want your files back, you have to pay us.
It's quite interesting how they got to this professional approach. Hive recently announced that they were going to leak the data of the Missouri Delta Medical Center, which tells me, and tells the people that have been tracking this ransomware, that this ransomware group specifically doesn't have any code of ethics or any kind of conduct about what kind of organizations they can target.
Yeah, and I mean, that's really been a pattern here, hasn't it?
That no matter what these organizations say,
they make claims that they're going to leave certain organizations alone.
That really doesn't seem to pan out.
Exactly.
They really have little regard to whatever impact they may do to this kind of healthcare organization or critical organization that we depend on.
And are they going about things in a similar way?
I mean, are they using the double extortion technique here of both encrypting files and then threatening to make them available online?
Yeah, pretty much what they do is steal all the data they can.
They're very personistic.
They host it on their leak site.
What's interesting about what they're posting on the leak site is that they even include social media sharing.
So more people could share like, hey, we compromised this company.
Try to get their word out, for example.
And pretty much try to disclose everything they can if the negotiations don't go as planned.
It's fascinating that, I mean, it sounds like somebody in their organization really has a focus on marketing.
Exactly.
These groups, we need to think about it as businesses, right?
They have their own assets.
They have their marketing.
They have rebrands.
They have their R&D. They have everything they need for it to be successful because they want to maximize profits.
Yeah. Well, let's talk about Hello Kitty. I have to say, my favorite of the names that we're
listing here, if not the group itself. So what's going on with them?
Hello Kitty is quite interesting, not only because of the name, right? It's really a catchy name, but just because how they operate versus the other ones.
Hello Kitty itself doesn't have a leak site at all. They do all the negotiations and all the transactions between the customer and the affiliate through chats that they set up on the dark web. So when we're taking a look at their chats and their interaction between victims and the threat actors, they share the wallet address, which has received around a million dollars as of today.
So that tells me that they are really good at negotiating without having to provide any
kind of visual proof of like, we compromised your network.
You know what I mean?
And the thing is that the samples that we found
were not only specific to Windows,
but to VMware ESXi, you know, a whole different market.
So they're not hosting the files.
Let me back up for a second here.
Are they exfiltrating files at all?
They are.
They are exfiltrating the site, the files, but they are not posting it publicly for everyone to see, right?
They are just extorting the victim through chats.
Like, hey, this is a proof.
This is a picture of a file we got from your system just to establish that, yeah, we compromised you.
We were the ones who did it.
And start from there, right?
They don't share it to another leak site or post it publicly, at least not that we could have identified.
And in terms of ransom demands,
this group is sort of swinging for the fences.
Yes, this group asked around $4 million in ransom demands in some cases. They were very strict about trying to have all the transactions happen through Monero.
But they're after the money, so they're quite flexible.
So depending where you are and depending on the regulations that you have, you can buy Monero.
So everything that's accessible is more like Bitcoin.
So it's interesting to see that they established like we only accept Monero transactions.
And they say, well, we can do Monero.
We can do Bitcoin.
And they're like, OK, for a time.
Here's a wallet address for the Bitcoin.
Interesting.
Well, let's move on to LockBit 2.0, the last of the group that we're talking about here today.
What sets them apart?
LockBit 2.0, it's interesting because they shut down for a little bit after this big report on the tactics and procedures and everything about LockBit was released back in July.
So they shut down for two weeks or so,
and they rebranded as LockBit 2.0.
That's like an improved version of it.
They are pretty proud that their ransomware is the fastest in the market, at least from their terms and conditions list.
And they even include a comparison table between all the ransomware families that are active right now versus them obviously placing them on the top.
It was also very fortunate that REvil and DarkSide kind of shut down operations in the same timeframe that LockBit 2.0 kind of launched.
So it's suspected that most of the affiliates that were conducting operations under REvil or DarkSide moved to LockBit 2.0.
Interesting. So they were kind of in the right place at the right time.
Exactly. And that speaks for itself because when this started, it had no victim whatsoever.
It's just like, yo, we're going to launch in a week from now. And then suddenly you start seeing 10, 15, 20 victims being listed.
So that means that there were a couple of affiliates working all day, all the time to get those listed over there.
So when we look at these four groups together,
how much of the market do we think they represent?
To what degree are these the major players today?
I think LockBit is up there.
LockBit is quite prevalent in what they're doing with their way of targeting victims, trying to get high-profile victims versus the other two.
I think the other ones need a little bit of tweaking,
need a little bit of growing to do
for them to be out there.
But LockBit is definitely in the right place.
What about the marketplace in general?
I mean, as organizations like these pop up,
as these operators get the entrepreneurial bug
and set out to do these things.
Does the community accept new players in the market generally?
How does that go for them?
I wouldn't say they do because they have to compete with each other.
I think that if you have a ransomware as a service, you want to be the best there is, just like businesses. You want to be the best business.
You don't want competition.
But I guess that these groups usually have a lot of fallouts because of their internal struggles.
Because we're talking about random people doing business with random people.
They don't know each other at all.
So there are no guarantees that they will get paid or they'll get a cut or whatsoever. So they're always like, between the operators, no, they don't want more of them, more groups. They want a bigger piece of the market. But from the affiliates' perspective, they want a couple of options, because you as an affiliate, you don't want to be stuck to one, because if that shuts down, then you don't have anything else to do. You have to jump to another one.
Oh, that's interesting. Yeah.
So the ecosystem itself
benefits from having multiple
players to survive
if one is shut down.
Exactly. If you imagine that only REvil or DarkSide or BlackMatter were the ones that are running the ransomware game, if the three of them shut down, then you'd need to come up with a new one or see what you can do to focus on other areas of cybercrime.
What are you expecting as we head towards the end of the year
and into 2022?
Are we expecting that we're going to see more of the same here
or are there any changes or evolutions
that you and your colleagues are tracking?
Here in Unit 42,
we don't have any reason to believe
that the ransomware crisis
is going to slow down anytime soon.
As long as ransomware is profitable,
they're going to keep popping up.
One way to think of it
is that ransomware is like a Hydra of sorts. You chop one head down,
two more will pop up, right? They all want to claim that piece. So it's something that I will
expect to be quite relevant for the following years. Yeah. I wonder if, as we see some of these
groups attempting to professionalize this, as we said, they're getting smarter with their marketing
and improving the services. I wonder if we might see some consolidation
as well.
Yeah, I mean, there's a couple of groups that operate under a cartel of sorts. Like Mount Locker specifically is one of those main groups that they operate. And under them, the group has XingLocker, Astro Team, and others that were independent on their own, but they all partnered together to carry on the same attacks.
Our thanks to Doel Santos from Palo Alto Networks' Unit 42 for joining us.
The research is titled Ransomware Groups to Watch Emerging Threats.
We'll have a link in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf, Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe. Thanks for listening. We'll see you back here next week.