Ransomware Gangs on the Dark Web

Ransomware Gangs on the Dark Web

In this episode of The Dark Dive we look at how ransomware gangs use the dark web in their operations.

In this episode of The Dark Dive we look at how cyber defenders’ biggest nemeses – ransomware gangs – use the dark web.

Returning threat intelligence experts Jim Simpson and Louise Ferrett cover some of the biggest groups*, take a fascinating look at how they work with each other, and host Aidan Murphy learns the difference between “state-backed” and “nation-backed” threat actors.

*Note – this episode was recorded before the takedown of LockBit in the international law enforcement action, Operation Cronos.


Aidan Murphy - Searchlight Cyber

Aidan Murphy


Jim Simpson

Director of Threat Intelligence at Searchlight Cyber

Louise Ferrett

Senior Threat Intelligence Analyst at Searchlight Cyber

This episode of the dark dive covers:

The functions of a ransomware leak site

Hosted on the dark web, ransomware gangs use their leak sites to publicize their attacks, apply additional pressure on their victims, and monetize the data they have stolen.

How ransomware group members use dark web forums

Many ransomware groups are active on hacking forums, which they use to promote their activity, recruit affiliates, and buy exploits from Initial Access Brokers.

The benefits of monitoring ransomware activity

Cybercriminals can gather intelligence on ransomware groups from their activity on the dark web.


Aidan Murphy: Hello, and welcome to The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’ll be your host, as each episode we look at a different aspect of the dark web, the part of the internet that is intentionally obscured. In the podcast feed, you’ll find episodes on how the dark web works, the criminal activity that takes...

Aidan Murphy: Hello, and welcome to The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’ll be your host, as each episode we look at a different aspect of the dark web, the part of the internet that is intentionally obscured. In the podcast feed, you’ll find episodes on how the dark web works, the criminal activity that takes place on hacking forums and dark web marketplaces, and how security professionals and law enforcement can tackle it. In this episode, we’re going to focus specifically on ransomware, one of the most prevalent cybersecurity threats. We’ll be discussing how ransomware groups use the dark web, why they use it, and the opportunity this creates for security professionals that are looking to get the upper hand on cyber criminals. Joining me to discuss this topic are two colleagues of lethal cunning, Jim Simpson, Director of Threat Intelligence at Searchlight Cyber. Hello, Jim.

Jim Simpson: How are we doing? Does that mean that I’m, like, the master lethal cunning person?

Aidan Murphy: Well, no, we’re just going in a random order, Jim.

Jim Simpson: Oh, right, okay. Because I was going to say, that’s more Lou’s bag than mine.

Aidan Murphy: And Louise Ferrett, Senior Threat Intelligence Analyst at Searchlight Cyber. Hello, Louise.

Louise Ferrett: Hi, Aidan.

Aidan Murphy: How’s it going?

Louise Ferrett: Yes, not bad. You know, lethal cunning, all those kinds of things.

Aidan Murphy: Yes, day to day, great. So, before we jump into what is a pretty big topic, we’ve got a lot to talk about, can I just get each of you to do a really quick introduction to yourselves for our listeners? I’ll start with you, Jim.

Jim Simpson: So, I’m Jim Simpson, I’m Director of Threat Intelligence at Searchlight Cyber. I’m also a SANS certified instructor candidate teaching the Cyber Threat Intel course for SANS, that’s 578. I enjoy looking into the threats and the intelligence we can take from the dark web. Previous to this, I was Director of Cyber Threat Intelligence at Blackberry Cylance as well, so I have background from the malware side of things and from the dark web side of things. So, I can hopefully bring a bit of perspective on the whole ecosystem as it exists and what that means for security professionals.

Aidan Murphy: Brilliant. Louise?

Louise Ferrett: I am Louise Ferrett, I am Senior Threat Intelligence Analyst here at Searchlight. I tend to look mainly on our data collection, sort of, operations, as well as ensuring data consistency and integrity, and also a lot of stuff on ransomware, which helps with this episode. And yes, just, sort of, poking around on the dark web and seeing what’s interesting there.

Jim Simpson: Being all round cunning.

Aidan Murphy: Yes.

Louise Ferrett: Exactly.

Aidan Murphy: I think we’re speaking to the right person. Definitely, poking around the dark web is what we’re going to be talking about. Awesome, so, we obviously have a very intelligent and informed listenership. We don’t need to go into too much detail for them. But I do think, just to ensure we’re on the right page, as we start off, it is worth just defining what we mean by ransomware. Ransomware is a big topic, it’s talked about in the news a lot, but it has changed, and we just want to make sure that everybody is following. So, I don’t know, maybe I can call on you, Jim, just to give, like, a very, very quick Director of Threat Intelligence overview of what ransomware is?

Jim Simpson: Yes, for sure. I was all ready to go with, like, a whole long explanation and you told me to be quick, so this will be the cut down version, the abridged version. Ransomware, as we see it today, isn’t how it’s always been. The first real case we can point to with this was back in 1989, a guy called Dr Joseph Popp created what was known as the AIDS ransomware back in the ’80s. Late ’80s, the AIDS epidemic was spreading and there were a bunch of people doing research on it. Dr Joseph Popp created some software that he shipped around to all of these different research places on floppy disks. I know many of our newer listeners or younger listeners won’t remember what a floppy disk was, but it was, like, the three and a half inch floppy disks. It implemented a counter. Well, basically people would start using the software and think, ‘Oh, this is brilliant. It’s been shipped for free, a load of features inside of it.’ It would count the number of reboots on the system, and when the reboots hit 90, it would lock the system. It would then prompt you with a reminder that this was actually paid for software and you had not paid your license fee. You had to mail a check in the post to a PO Box, I think it was in Panama somewhere, in order to get your system unlocked.

So, ransomware’s been around for a long time. The idea of ransomware has been around for a long time. The reason why it’s so prevalent nowadays is maybe not as obvious. If you are a big ransomware group, you don’t want people mailing checks around the world. They can get stopped. The banking sector is very good at spotting these transactions and picking up on these transactions. And ultimately, putting names to faces for this kind of stuff. So, one of the biggest things that we need to look at in the mix of attributes that makes ransomware function today is the rise of cryptocurrency. So, back in the 2010s, crypto obviously started to emerge. And where we start to think of ransomware today, like, the early part of ransomware back then was the type of CryptoLocker thing, which usually went after people at home, encrypting photos. You wanted to get your photos back because it’s got a load of memories in there, and it would charge you a single bitcoin to recover that, which you might gasp in shock that you would have to pay for a bitcoin with it. Bitcoin back then was worth about $300, so it was nowhere near as big of a thing. Which points to another thing, the guys can make an awful lot of money off it, not just by extorting crypto, but the rise in crypto and the fluctuations in the crypto market means that if they manage to get hold of ten bitcoin ten years ago, then they’d be massively rich by now just holding onto that bitcoin.

There’s also been the rise in tooling that helps facilitate this. There are both offensive security tools, so tools that are created by legit companies to help pen testers do things, get out there and get leaked. One of the most well known ones is Cobalt Strike. You also have the proliferation of techniques from multiples leaks over the years, Vault 7 leaks, the Hacking Team leaks, a whole bunch of different cases where sophisticated methodologies have been leaked to the criminals so that they can use them, and you have the willingness of people to pay. So, you mix all of those three things together, the crypto, the tooling, and the willingness of people to pay, and you end up with a viable market to go after if you’re a ransomware operator. You can then move it onto the likes of the ransomware as a service model where you have affiliates. So, someone will create the ransomware, you can then loan that ransomware binary to go and do you ransomware things. You, as the affiliate, you as the person using it, you don’t have to develop your own capability, but you are implementing it, you will take a percentage of the cut, and the creator of the ransomware will take a smaller percentage. So, it’s a way that they can scale, as in the developers and managers of it, can scale their business by bringing in, sort of, subcontractors to do the hands-on work.

And then you’ve moved into, sort of like, that double extortion. The idea early on was we are going to hold your files to ransom and you have to pay us to get those decryption keys back. They’ve then moved onto double and triple extortion, double meaning we are going to ransom your files, but then we will also steal them and threaten to leak them. Triple extortion is they will do both of those things, and then, on top, they will go and talk to your customers and say, ‘This is how bad their security is.’ So, they’re trying to find ways to keep putting the pressure on people to keep paying. So, if there is no willingness to pay, they will find other ways to make you feel like you have to.

Aidan Murphy: There’s a lot to unpack there. But I guess just pulling on that last point, so, even though obviously the methods have moved on from floppy disks and checks, thanks for bringing those up, that’s definitely alienated Gen Z, even though the methods have moved on, like, the technology both on the finance and, I guess, the hacking side have moved on considerably, the same principle still applies. It’s encryption software that stops you getting what you want. Obviously the double extortion, triple extortion thing, we can get onto in a second. But still, the core of what ransomware is is, ‘I’m stopping you using your system how you would like to use it, and you have to pay me money in order to get it back.’ Is that fair enough to say?

Jim Simpson: Pretty much, yes. ‘I’m going to find a point of pain within your organization, and I’m going to leverage that point of pain for my financial gain.’ It keeps evolving as things change. It keeps changing, new methods and ways of doing it. And right now, we’re seeing double, triple extortion, but expect that to change. As people refuse to pay for those reasons, they will try and find another way to do it. There is a lot of money to be made.

Aidan Murphy: I’m going to come back to double and triple extortion in just one second, but before we get there, in that timeline, I guess, between floppy disks and now, in my mind, and this probably just says more about when I started working in cybersecurity, 2017 was, kind of, a bit of an inflection point because of the WannaCry and NotPetya attacks. Is that fair enough to say? For me, that’s when ransomware went from, kind of like, a niche issue, or maybe not as mainstream as other cybersecurity issues at the time, and the dominant issue. Is that how you see things?

Jim Simpson: I think that, with those two cases, what you had was the scale of the issue right then was represented. They were single attacks that impacted a huge number of people. It, kind of, also overlaps with that offensive security tooling and the leaks we were talking about as well. I think WannaCry leveraged EternalBlue, which was an exploit developed by NSA, and it was leaked as part of the Vault 7 leaks. There was a patch available. It points to people need to patch, and if you don’t patch, you can get hit by these things. But because it was so vast and so impactful, like, it was hitting the NHS, the NotPetya stuff where it was impacting global companies who interacted with Ukraine and had to rely on using that Ukrainian tax software. It was the sheer number, the sheer volume of people, the sheer volume of victims that the imagination of people, and, like, this is serious. If it’s wormable, like WannaCry and NotPetya, then you don’t need human operators to go spreading it. It will spread itself. It’s written into the code to try and leverage those exploits elsewhere. And I think that all ties back together, to your point of this is when it really hit the media and the mainstream, because it was such a-, this point of imagination was, like, triggered as, ‘Oh no, the cyber threats are really here, and it’s going to affect people, not just us cybersecurity nerds sat in different organizations around the world crying about it and saying, ‘Look, this is a real problem.’ Everyone was impacted. And yes, it hits the mainstream news.

Aidan Murphy: The problem with that as well is that’s not just the victims or potential victims that hear about it, it’s also the criminals, and they get some ideas too. At which point, I might draw on Louise’s knowledge. Because I guess the other difference is WannaCry and NotPetya, I guess as you alluded to, Jim, they were nation backed, like, very, very clearly nation backed attacks. But, Louise, is it fair to say that the groups that we track at least, we’re talking about more, kind of like, financially motivated commercial operations than departments working with the Russian security services?

Louise Ferrett: Yes, broadly. When you said nation backed, although it is very similar, I know Jim was cringing internally because he recently made a big old point about how it should be state backed, not nation state. I digress.

Jim Simpson: No, it’s a fair point.

Aidan Murphy: Well, I mean, I guess for our listeners, what is the distinction, Jim?

Jim Simpson: So, state backed delineates a territory, so where you have borders involved, that’s a state. A nation is another way to look at a community of people. So, they revolve around a single ideology, or a single religion, or a single sense of community, right. So, if you have a nation state, it’s a single state, territory, that has the same ideology, or religious belief, or culture, or historic meaning behind it, which means everyone coalesces around that same thing. You can’t look at the UK and say we’re a nation state, because we aren’t. We’re, like, fractured all over the place and there’s loads of little communities within the UK, so we’re not a nation state. So, every time someone says nation, sort of like, a little twitch, little OCD thing goes on, but yes.

Aidan Murphy: No, I love it. We’ve all learned something today, that’s good.

Jim Simpson: State backed. State backed is always the way to go.

Louise Ferrett: Getting into anthropology as well. I bet you didn’t realize how versatile we were.

Aidan Murphy: We’re going to really have to think about how we categorize this podcast, but that’s cool. Okay, sorry, Louise. So, state backed. So, what I’m asking is the, kind of, profile we see of the groups now, financially motivated, is that fair enough?

Louise Ferrett: Yes, that’s definitely fair to say. With some of the record breaking ransoms that have been, sort of, demanded in recent years, I think Colonial Pipeline was a pretty astonishing one. Money is the name of the game for sure. I mean, the clue is in the title as well of ransomware. They’re after ransom payments. Broadly speaking, I think the, kind of, conventional wisdom is that, yes, these actors are not under the direct control of any one state. There is an argument, I suppose, especially with the, kind of, Russian cyber crime community that it’s tolerated rather than being instructed, that a blind eye is turned to it. Providing that you don’t hit any Russian companies or companies in Russia’s periphery. So, like, ex-Soviet states. I think the commonwealth of independent states. And you do see that quite often, when ransomware, kind of, as service operators are promoting their product, they do stipulate that it can’t be used to attack these specific countries. So, that, sort of, lends a bit of legitimacy to that argument. I suppose also the, sort of, secondary impact of ransomware is that it is very disruptive to the functioning of business and supply chains, which could be beneficial from a state point of view. But I think there are probably easier ways to do it than this, kind of like, stratified, all these different groups vying for the biggest catch. So, yes, I think characterizing it as primarily a financially motivated criminal, sort of, enterprise is accurate.

Aidan Murphy: There was a case, wasn’t there, of a ransomware group that was targeting Ukrainian infrastructure and not offering a decrypter, which suggested that it was very much about disruption rather than finances. And off the top of my head, I can’t remember which group it was. The overall categorization of those can be referred to as wipers rather than ransomware.

Louise Ferrett: Yes, in those instances, it’s more like a wiper.

Aidan Murphy: This might be a good point to ask a question that I imagine a lot of the audience will have, which is what kind of geographical placement, I guess, are we talking about when we talk about ransomware groups? So, there is definitely a perception-, I mean, I think a lot of people would associate Russia with ransomware. Whether that’s correct or incorrect, I’m not sure, but I guess from our experience, is it fair to categorize it that way? Are there groups outside of Russia? Or is it just too hard to say or attribute it in that way?

Louise Ferrett: So, I’m going to hedge mt bets here and say we never really know for sure, you know, where these groups are originating from, especially with the anonymizing properties of things like Tor and using the dark web. That being said, most of these groups do tend to advertise, which we’ll get onto a bit later, but they do tend to advertise on Russian language cyber criminal forums. So, even though a lot of that outfit is in English on their, sort of, extortion sites, the victim shaming sites, yes, Russian language in the forums when they’re communicating is widely seen. Jim, if you want to get onto whether that even matters at all, feel free.

Jim Simpson: Well, it obviously does matter to some people, but I’d say for the majority of people working in enterprise, the value of attribution isn’t that high. You really want to know how someone is doing something, and whether they’re targeting you, or whether you are likely to be a victim. The how helps you defend against it, and are you likely to be a victim. I mean, when you’re talking financially motivated, everyone’s on the table for being a victim, right. But you want to know, how do I need to defend against things, and what alerts do I need to prioritize? Whether that’s Russian backed, whether that’s Chinese backed, whether that’s North Korea, whether that’s from your own government. Like, it’s how people do things and when that might happen and how you work around your defenses is more important than attributing this to people. Where it does obviously matter for attribution is where you start looking at government or law enforcement, people who might want to impose sanctions or all those other things. That’s where attribution really matters. But for everyone else, it’s cool to talk about, but I mean, it doesn’t really add much value from the defendant’s perspective. I mean, that’s my take on it.

Aidan Murphy: There are more important things at the end of the day. No, that makes sense. Louise, you beautifully brought us onto the topic of, I guess, some of the ways that ransomware groups use the dark web. So, you mentioned leak sites and hacking forums. Let’s start with leak sites, I guess. So, what are we talking about when we talk about a ransomware leak site? What to they look like? Are they all the same? Like, do all ransomware groups use them? That’s four questions for your to answer.

Louise Ferrett: I will do my best to unravel those in a semi-coherent manner. So, leak sites, also known as ransomware blogs, extortion sites, name and shame sites, there’s all manner of monikers for them, are a crucial part of that double extortion model that Jim was talking about. The way that I, sort of, see it told is initially obviously people would have all of their files encrypted, or businesses would have all of their files encrypted, and they would feel compelled to pay the ransom in order to get those files back. As this became more of a, sort of, known risk of operation and companies and individuals started keeping more up to date system backups, the, sort of, threat of encryption on its own became a bit less effective at inducing a ransom payment because you could just restore from your backups a minimal loss of data. So, the way that I like to, kind of, imagine is the cyber criminals were sitting there thinking, ‘Well, we’ve already got access to these guys’ networks, so we’re wasting it by just scrambling all the data and then expecting that to be enough. If we’ve already got this foothold then would we be able to steal some of that data as well?’ And then the benefit of that is, kind of, twofold. You get the greater incentive for the victim to pay lest all of their confidential, you know, client or customer data be leaked, which is more of a big deal nowadays as well I feel with the rise of GDPR and other data privacy regulations coming into force.

The second benefit of doing that as, kind of, a fail safe is that even if you double extort someone and they refuse to pay, you have a chance of additional income stream if you were able to sell that data, or auction it off, which a lot of these ransomware as a service gangs do.

Aidan Murphy: The double extortion point, I think, is really the main one. So, that idea of, like, yes, just not having backups is enough. I think it’s a great example of how cyber crime and cybersecurity are always in competition, I think. I wrote a lot of stuff about how basically the response to ransomware was to have great backups. All of that is now redundant, because as you say, they’ve found a way to extort even if you had backups. So, it is really interesting. So, on that-, and the additional revenue stream thing, it comes back to, I guess, the point we were making of money. Money is the game, and they’re going to find every way to make money they can. I know personally I’ve been quite shocked by some of the leak sites you’ve shown me, Louise, I’m thinking of LockBit’s in particular, because they have those, kind of, different payment options. If you’re the victim, you can pay to stop the ransomware group doing what they’re doing, I guess. But they also have buyer options. That’s not speaking out of turn, is it? That’s right? So, if the cyber criminals get there first and they’re willing to pay the higher price, then, you know, the victim is working against the clock on that one.

Louise Ferrett: Yes, LockBit has three, kind of, payment tiers, I think. It’s quite mature. I think there’s one that you can pay as the victim to, sort of, add another 24 hours to the clock if you need more time to negotiate or deliberate on what you’re going to do. There’s one to ‘destroy the data’, I’m doing air quotes right now, because obviously you never fully know for certain whether that data is really gone. And the third one, yes, would be for a buyer, an interested third party that wants to purchase that data. So, yes, some sites, to get onto your, sort of, question about do they all look the same, there is quite a lot of variation in leak sites. Some of them, like LockBit’s, are quite mature. They’ve got a really nice UI, lots of different payment options and a different, kind of, chain of how they work through this data. So, they will typically post the victim, and then there’s a certain amount of time before they decide that negotiations are no longer working, or never took place, and they’ll leak or sell the data. Some ransomware gangs will only post the victim on there once negotiations have failed, and they might just post the data up for free for anyone to get, almost, sort of, like giving back to the community action. It gets more attention and more, sort of, publicity in the mainstream news.

I mean, we should not there are also ransomware gangs that don’t really post on the dark web at all. Like, they might have a presence on the forums, but not a leak site. Or vice versa, they might have a very basic leak site but not really be active on the forums. So, there is a real, sort of, diversity in the public personas of these operations. I did make a note that the leak sites are where you get some of the best statements from these gangs, e.g. Conti Costa Rica incident. Because, yes, the Conti, for those that are unaware was, like, the biggest ransomware operation up until early 2022, I think. And they, kind of, went into a tailspin in their final few months of attacking the government of Costa Rica encrypted a load of the government systems and were just posting really crazy stuff, for lack of a better word on their leak site like, updating it multiple times per day, denying allegations that they were actually another group as well that had recently come about called Black Basta. I think they called them kids specifically. Yes, you can get a lot of drama on those.

Aidan Murphy: That’s quite interesting. Apart from the outside, it sounds one, that the leak site it’s actually fulfilled a few functions. So, it’s like you say, this shaving aspect, there’s almost an e-commerce aspect of selling data. Like you said, there’s that giving back to the community stuff of giving away data, a comms platform. I guess, the sense I get of it is being very organized. Do you think it’s fair to say that the groups that, like you say, not all groups have leak sites, the one’s that do, are these the more organized, sophisticated groups and maybe the smaller ones are using Telegram and other methods? I know it’s quite hard for us to say, but your sense of how sophisticated these groups are that, you know, the Black Bastas of the world, are they on the relatively high end of cyber criminality?

Louise Ferrett: I think again, there’s a range. Just because you’ve got a nice site or a good web design it doesn’t necessarily mean that you’re sophisticated. And also, a lot of these sites, I’m pretty sure they allow the affiliates to upload their victims directly, which can lead to a lack of consistency in the quality of their post, which is an interesting, kind of, side effect of that specialization and that division of labor in the ransomware world.

Jim Simpson: I was just going to say, maybe it doesn’t look at it from the sophistication of the attack. The attack stuff that we see is world changing depending on the affiliate and if they’re following the playbooks and all that, kind of, stuff. I think what it does show you is a sophistication in the business model that they have. If they are going down the route of, and a lot of these groups, I don’t know if we’re going to get to this later on, but a lot of the groups, they will have like, HR. They will have dedicated people who will put pressure on people to pay, not just through potentially leaking data, but doing phone calls and stuff, but if you look at those sites, they’re decent web developers employed as well and you have HR departments and you have managers and a whole bunch of different stuff and I think you can’t draw a conclusion that the sophistication of the business itself leads to a higher sophistication of the attack. Although, that often is the case but what we’re seeing and what we’re looking at on the dark web side of things is that sophistication of the business model and they need to be well rounded in all areas and they’re putting investment into doing it. They’ve obviously got the money to do it and they see that there’s decent investment in there because the whole reason double extortion works is if enough people can get to the site to have a look at the details around it and hopefully from their perspective, hopefully the media gets there. So, they want to have something that’s well represented and yes, get fans all around the world, tattooing LockBit on themselves and all that, kind of, stuff, but do you know, that’s the point I’m trying to make.

Aidan Murphy: You have to explain the tattooing thing now.

Jim Simpson: I can’t remember what the offer was, but there was a spate of people posting pictures once they had the LockBit tattoo tattooed on themselves and I can’t remember what the-,

Louise Ferrett: I think he was offering the LockBit which is like the forum’s mouthpiece for the LockBit gang. He was offering people a grand, maybe if they got inked with the LockBit logo.

Aidan Murphy: Just another weird thing that happens on the dark web. I think we’ve talked around affiliates quite a lot. So, I think I just want to explicitly bring this into the conversation now. So, what we’re talking about here is ransomware as a service and Jim, you mentioned ransomware groups having affiliates and having playbooks. How does the affiliate model work and why has this become a new trend in ransomware?

Jim Simpson: Your ransomware groups are usually named around a variant of ransomware. So, like a computer virus that its purpose is to encrypt files to ship files elsewhere to handle all the key management. So, when you encrypt something, how do we get the keys off the system in a secure way that doesn’t leave those keys on the system so that people can de-crypt stuff themselves. That’s where we name the groups after it. You have to have a fair amount of resource going into developing something along those lines. I mean, you can develop a ransomware script, a lot of people could develop a ransomware script quite quickly, but to have something that is robust enough to evade anti-virus to do whatever it needs to do and to encrypt things quickly, takes some work. So, if your groups are developing the capability to do that, that doesn’t necessarily mean they’re specialized in being able to navigate through a network, identify where all the key files are, go after the systems that need encrypting. So, the idea of affiliates is that the ransomware group themselves will put the effort into developing that capability and then they will allow other people to come in and use that capability against victims and this is where the affiliates come in. They sometimes call them pen testers because they try to have the-, I don’t even know if it’s like necessarily intended, but they want to have this idea that they are legitimate. They are just doing pen tests and they might not have been asked to do that pen test, but they will prove that you have vulnerabilities and you paying the ransom is just a return for the services they’ve offered and that’s where these affiliates come in.

So, they recruit affiliates, they have affiliates on there. When the affiliates sign up for things, if they are maybe less mature affiliates who don’t exactly know what it is that they want to do when they land on a system, they have playbooks which instruct them on what commands to run to understand where in an environment you are, what level access you have, where you want to move to next and all those, kind of, things. So, they’ll walk through those playbooks in order to detonate the ransomware in the right place.

Aidan Murphy: It’s quite a major evolution of the way ransomware groups operate I guess, and I guess the problem for security professionals is whereas before you would just have maybe what I’m going to call the ransomware operator and they would go victim by victim, but maybe with limited scalability of that operation, there’s now a potential that they can target multiple organizations at once because they’re using these affiliates. Again, the commercial side of it for them is that they get a cut of the ransom that is potentially a much higher yield, is one way to put it of victims around the world.

Jim Simpson: Yes. From the ransomware operator or developing, I think to think of them as the developer and the gang coordinator or whatever we want to call it. They’ll look into scale. So, you’ll typically see that the affiliates are very single intrusion will pick up say 70% of whatever the ransom is that’s paid and the developers, they only get 30% and the idea is, there is, kind of, like a battle for the better affiliates between the ransomware groups offering different terms of how much they’ll get paid. So, they do fight for the affiliates, but it is that scale side of things. They can deal with a 30% cut of every single ransom if they’re looking at 100, 200 ransoms a year. They’re going to get more money out of it doing that way than going after what they could handle themselves, maybe ten a year. So, the whole tech world ransomware groups are also competing for tech talent.

Aidan Murphy: Yes.

Jim Simpson: It’s a never-ending problem, dude.

Aidan Murphy: I think this is a very important point because a lot of the discussions I’ve had with you, Louise when we’re talking about-, so, you mentioned, Jim, that most ransomware groups are known by the encrypter they use, but the affiliates can jump between groups. So, we often have circumstances where it might be the same actor, you know, who one day works for one group and the next day works for the other. It’s slightly more complicated than I think often the media gives it credit for. It’s not quite like there’s one ransomware gang over here and they only attack these, kinds of, organizations and there’s another gang over there. Often, there’s a lot of cross over or at least that’s how it feels to me. I don’t know if you’d add anything to that, Louise.

Louise Ferrett: Yes, that’s definitely true. Like Jim said, most of the developers are operational core of these ransomware as a service offering are fighting to get the best talent and yes, there’s definitely cases of well-known forum personas that have hopped between multiple different groups. They infamous actor Wazawaka. I think he’s currently on the FBI most wanted list, but he’s actually done interviews with places like The Record, Recorded Future’s, kind of, press outlet and has stated which groups he has worked for as a pen tester or an initial access, kind of, employee and that included like Hive, I think LockBit, it’s also suspected to have run the book ransomware, kind of, syndicate. It makes sense from like, it’s just a job, kind of, perspective. Job hoppers tend to make more money. So, why wouldn’t you bounce around to wherever has got the best deals and the best split of the ransomware payment?

Aidan Murphy: Yes. I mean, there’s a lot I think we could jump into. I think we could do a whole separate podcast on how ransomware groups talk to the media, because I just find that very fascinating but I’m going to jump slightly or sidestep slightly to I guess, kind of, the second where you said that ransomware groups use the dark web, which is attacking forums. So, do they find these affiliates in the hacking forums? Is that part of it? Or are they using the hacking forums for other things?

Louise Ferrett: Yes. So, the forums are used by these, sort of, developers as a recruitment pool. It’s not always the case. Some operators do like to go a bit more of a closed group model where they might reach out to known entities directly and recruit them. Obviously, we can’t really see that, but it is probably the case. A lot of people don’t like to do their business too out in the open. That being said, if you’re maybe a new group, you’re not as well known, you don’t have as much reputation or a social circle on the forums, then it would be more advantageous to put a public post out there and shield new recruits, usually yes, for the pen testing role. Sometimes they’ll recruit for developers also to maintain and write the new versions of the encrypters which is another thing. It’s rarely the case now that a ransomware payload is released and then it just stays the same. Obviously, there’s numerous companies and law enforcement agencies working on de-crypters and to find a way to get people their files back without having to pay criminals and this partially has motivated gangs to keep releasing new versions of their encrypters LockBit again is a good example. Also, groups like  AlphV, AKA Black Cat, they’ve had a couple of versions out.

So, that was very long-winded way of saying they’ll also recruit developers to keep their ransomware fresh and up to date. Quite often looking for people with skills in Golang or Rust, both pretty popular for ransomware code, but yes, the other use of the forums is honestly, a lot of arguments, a lot of beefing between different ransomware gangs. A lot of grievance airing as well maybe from affiliates that are dissatisfied and then maybe the ransomware PR spokes person will come back and list off all of their inadequacies as an employee and why they were booted out of the gang and why no one should ever work with them again. Yes, where a lot of the work that people do on the dark web is inherently illegal. There’s not a lot of official structural recourse you can go through. So, it is all based on honor and reputation and what your peers think of you. So, that can be really damaging if the PA spokes person of a big ransomware crew says, ‘Hey, don’t work with this guy, he can’t be trusted.’ So, yes, you can gain a lot of interesting intelligence from those, kind of, conversations.

Aidan Murphy: I find this fascinating and it’s just that thing of-, so, you described them as their PR spokes person. So, you mentioned LockBit earlier, that’s the PR persona, I guess of the LockBit group.

Jim Simpson: I think it might be shocking to some people listening that they operate in this way literally with a comms person.

Louise Ferrett: I should caveat that, that that’s how we characterize it but again, no one really knows for sure. LockBit could just be one go, but PR account could also be the person that’s writing the malware. I keep saying guy as well, it could be one girl.

Aidan Murphy: Yes, it’s a great point. I guess, what I’m driving at is that they are operating in someways, and this comes to the nature of the dark web I guess, in some ways quite publicly. I think people would be shocked at that. They’re not necessarily hiding what they’re doing on these hacking groups. I mean, how do they stay anonymous? How do they not get this used against them by security teams, law enforcement? How are they able to operate in the wild?

Louise Ferrett: Good question. I think this relates to ransomware as a whole and how it’s different in nature to other types of malware. Obviously, other types of malware do still get advertised on the dark web, but if we get down to what the purpose is of other types of malwares versus ransomware are you might have an info steal that wants to steal passwords, turning a victim’s machine into a proxy or making it part of the bot net, installing a crypto miner on there. All of these types of malware typically don’t want to be noticed because if they get noticed, that means that you’re going to find a way to get find of them. Ransomware on the flip side, the whole purpose is to extort the victim. Obviously, it doesn’t want to be noticed before it’s been executed, but once it has been executed, the whole point is that it wants to be seen and heard and taken notice of. Again, whereas other types of malware, such as a crypto jacker or turning a victim’s machine into a bot net wants to use the machines resources in order to make money. Ransomware uses the emobilization of that machine as a bargaining chip to then directly extort funds out of the victim.

So, that, kind of, difference in purpose, I guess also feeds into the way that ransomware operators and their PR personas, I guess operate online. It’s all the adage of any publicity is good. Publicity, I think that’s why they don’t mind arguing with each other in forum threads either because it’s getting that name out there. In terms of staying anonymous, operational security is the name of the games and the forefront of their minds, also known as OPSEC for short. So, that’s just pretty basic stuff. Using Tor, using secure communications, not posting your full name and address online. Pretty simple stuff. I mean, people do slip up on it occasionally or get their previous activity or forums correlated with their new activity and dox and things like that. There is also a few that want to veer into that, kind of, attribution territory that can get a bit dicey. Let’s say, at least some ransomware gangs or ransomware operators, affiliates are operating within the Russian federation. It goes back to that turning a blind eye. There’s only so much that foreign law enforcement agencies can do.

Aidan Murphy: Yes. I’m just going to jump in and explain. So, doxing is unmasking somebody’s actual identification. So, if someone’s operating under an alias, that is, kind of, exposing who they actually really are to other people on the dark web and potentially yes, law enforcement. But as well as what you said, Louise about OPSEC and things, using the dark web itself offers some degree of protection to the operators or the affiliates and the people interacting with them. There’s a reason they’re not operating on the clear web and in other podcast episodes, you can find out all about how the dark web works and the protection that offers. So, I won’t go into too much detail here, but I guess as we move towards wrapping up, I do often think of this of a bit of a paradox with ransomware operators in particular because like you say, Louise, they don’t want to be identified in a lot of ways because it would be bad from a law perspective but in other ways, the nature of what they do means they have to be quite public and as I said, on the outset of this podcast episode, that it offers an opportunity to cyber security professionals and law enforcement. Jim, maybe you could elaborate a little bit on that. What can we learn about ransomware operators or ransomware groups by monitoring the dark web?

Jim Simpson: Yes. I mean, if you can understand how people are getting access then you can start to monitor from where that access might be sold. So, if you take that initial access broker, sort of, supply chain few of things, initial access broker might not want to be part of ransomware at all. All they’re trying to do is get initial access, that foot hold into a company that they’re trying to sell. So, they’re doing this over and over and over again. If you can understand from previous reporting or whatever other sources you have that these ransomware groups or this ransomware group focuses on using initial access brokers to start with, then you can start monitoring for initial access broker posts and say, ‘Are we being targeted? Or does this post look like it could be us?’ You can start doing hunts and whatever off the back of that to look for signs of someone being inside of your environment based off of the information that’s from those initial access broker posts. You want to be able to take as much data as you can to inform your defenses. Like I said right up at the top, attribution isn’t where most of us are at. Law enforcement and government, absolutely, that should be an attribution thing, but from people who are trying to defend themselves against this stuff, attribution doesn’t help us in that, when we are trained to look for true attribution.

So, true attribution being the person behind it. We can attribute activities to specific group and that will help us, right? Because each of these different ransomware groups and ransomware operators and different playbooks that they have will go about doing things in different ways and we can learn from that to make sure our defenses are intact, make sure our detections are up to speed with this kind of stuff, so that if we do pick up a detection, we know that a certain TTP followed by another TTP is indicative of it being this group. Then we can make some educated guesses as to where they’re going next to try and get ahead of them before they manage to encrypt all your files or erostrate all your data and dark web is another one of those sources that you can use for it. You can see if there are any tensions, especially when you start looking at leaks and the conte leaks spring to mind. You can look for indicators of how people go about it based off their conversations and start to role play what that might look like inside of your environment and start to table start exercise. Those, kind of, things. It’s another data collection that’s going to help you with your intel requirements to go and do some really cool stuff and help your other defenders.

Aidan Murphy: Brilliant. We’ve spoken a little bit about law enforcement, but I guess there are also examples of where law enforcement has attributed per tax to particularly individuals and there are numerous examples of take downs or crack downs on people and people have been arrested.

Jim Simpson: Absolutely, and like Lou said from the attribution side of things, it’s going to be multiple data sources use dark web being one of them. If people are giving away any indicators of where they are if they’re talking about trying to buy something in a certain area, the dark web isn’t just used for threat actors to help further their bad activities but if they have needs when they are in a town that they don’t know about, they might turn to that town or turn to the dark web to ask for advice. Think of it like Tripadvisor in some instances as well. There are clues for who is asking for what and where they might be located, which then helps law enforcement go, ‘Okay, well, now I need collection in that area.’ And then they can follow those things on. Crypto is becoming a big one as well, tracking crypto things and you might not know who has what wallet until you go onto the dark web and then you can put a persona to a wallet, use that wallet to get into crypto, use that crypto, follow the change through and get to it and exchange and then you can go subpoena records for the exchange to find out the who behind it all. So, it used both from a law enforcement and a non-law enforcement perspective. One, to inform defenses or two, to look for those clues that are going to help you with attribution if you need to do attribution.

Aidan Murphy: Yes, I guess these days it’s not as easy as just following where the cheques are being post to.

Jim Simpson: No. That’s brought it full circle as well, dude.  

Aidan Murphy: I’m going to draw an end to this episode. We could talk for a long time about ransomware, but we have to stop somewhere. So, thank you for listening to this episode of the Dark Dive and a big thank you for Jim and Louise for joining me. You can follow us for free on Apple Podcast, Spotify or whatever podcast app you have on your device and get all of the episodes now. If you’d like to get in touch with us here at Searchlight Cyber, you can find our social media accounts and email addresses in the show notes or you can find plenty of information on our website, www.slcyber.io, but until next time, stay safe.

[Read more]

Threat Intelligence Report

More Groups, More Problems: Ransomware in 2023

On-Demand Webinar

Ransomware in 2024: Dark Web Trends, Groups & Insights