It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation.
Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.
Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members, such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.
I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story.
One of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom from Colonial Pipeline earlier this year, only to watch much of it get clawed back in an operation by the U.S. Department of Justice.
After acknowledging someone had also seized their Internet servers, DarkSide announced it was folding. But a little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks.
DarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack let REvil deploy ransomware to as many as 1,500 organizations that used Kaseya.
REvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just days later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.
Whether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from the dark web just four days later.
Mark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or whether it is simply the reincarnation of DarkSide.
But one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.”
Likely, indeed. REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” Gandcrab bragged.
And wouldn’t you know it: Researchers have found GandCrab shared key behaviors with Cerber, an early ransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab came on the scene.
GOOD GRIEF
The past few months have been a busy time for ransomware groups looking to rebrand. BleepingComputer recently reported that the new “Grief” ransomware startup was just the latest paintjob of DoppelPaymer, a ransomware strain that shared most of its code with an earlier iteration from 2016 called BitPaymer.
All three of these ransom operations stem from a prolific cybercrime group known variously as TA505, “Indrik Spider” and (perhaps most memorably) Evil Corp. According to security firm CrowdStrike, Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred to themselves as “The Business Club.”
The Business Club was a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide. In 2015, the FBI offered a standing $3 million bounty for information leading to the capture of the Business Club’s leader, Evgeniy Mikhailovich Bogachev. By the time the FBI put a price on his head, Bogachev’s Zeus trojan and later variants had been infecting computers for nearly a decade.
Bogachev was way ahead of his colleagues in pursuing ransomware. His Gameover Zeus Botnet was a peer-to-peer crime machine that infected between 500,000 and 1,000,000 Microsoft Windows computers. Throughout 2013 and 2014, PCs infected with Gameover were seeded with Cryptolocker, an early, much-copied ransomware strain allegedly authored by Bogachev himself.
CrowdStrike notes that shortly after the group’s inception, Indrik Spider developed their own custom malware known as Dridex, which has emerged as a major vector for deploying malware that lays the groundwork for ransomware attacks.
“Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated,” CrowdStrike researchers wrote. “In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the most prevalent eCrime malware families.”
That CrowdStrike report was from July 2019. In April 2021, security experts at Check Point Software found Dridex was still the most prevalent malware (for the second month running). Primarily distributed via well-crafted phishing emails, such as a recent campaign that spoofed QuickBooks, Dridex often serves as the attacker’s initial foothold in company-wide ransomware attacks, Check Point said.
REBRANDING TO AVOID SANCTIONS
Another ransomware family tied to Evil Corp. and the Dridex gang is WastedLocker, which is the latest name of a ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5 million bounty on the head of Evil Corp., and the Treasury Department’s Office of Foreign Asset Control (OFAC) said it was prepared to impose hefty fines on anyone who paid a ransom to the cybercrime group.
In early June 2021, researchers discovered the Dridex gang was once again trying to morph in an effort to evade U.S. sanctions. The drama began when the Babuk ransomware group announced in May that they were starting a new platform for data leak extortion, which was intended to appeal to ransomware groups that didn’t already have a blog where they can publicly shame victims into paying by gradually releasing stolen data.
On June 1, Babuk changed the name of its leaks site to payload[dot]bin, and began leaking victim data. Since then, several security experts have spotted what they believe is another version of WastedLocker dressed up as payload.bin-branded ransomware.
“Looks like EvilCorp is trying to pass off as Babuk this time,” wrote Fabian Wosar, chief technology officer at security firm Emsisoft. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.”
Experts are quick to point out that many cybercriminals involved in ransomware activity are affiliates of more than one distinct ransomware-as-a-service operation. In addition, it’s common for many affiliates to migrate to competing ransomware groups when their existing sponsor suddenly gets shut down.
All of the above would seem to suggest that the success of any strategy for countering the ransomware epidemic hinges heavily on the ability to disrupt or apprehend a relatively small number of cybercriminals who appear to wear many disguises.
Perhaps that’s why the Biden Administration said last month it was offering a $10 million reward for information that leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to trace and block cryptocurrency payments.