
The Underworld of Ransomware

Kaiju Security

In today's digital landscape, stealing data has become easier than pilfering gold, making it a lucrative avenue for criminals. Ransomware, a term many associate merely with malicious software, represents just the tip of the iceberg. Beneath its digital façade lies a vast network of underground criminal enterprises, orchestrating these sophisticated attacks with precision forged from years of experience. Let's go on an adventure and take a look at the intricate ties between ransomware and the shadowy world of organized crime; hopefully you'll see that the threat we face is not just the software itself, but the malevolent syndicates that wield it.

When the term "ransomware" comes to mind, many envision a nefarious "gang" deploying a malicious file, which, once uploaded, swiftly spreads and encrypts an entire system.

Though this portrayal often dominates headlines, the current landscape of ransomware is far more intricate and layered than such a straightforward narrative suggests.

Dominating the ransomware arena, five formidable groups emerge: AlphV, Lapsus$, Hive, Conti, and LockBit. While popular narratives might paint them as mere digital thugs encrypting data for ransoms, the reality is far more complex. These aren't just rogue hackers in dimly lit rooms (ok, well, there ARE rogue hackers in dimly lit rooms), but beyond that, they're sprawling, multi-million-dollar operations. In 2021 alone, ransomware services raked in over $766 million. In the business realm of ransomware, the overhead is virtually non-existent. Once the malicious "product" is developed, it can be distributed to countless affiliates at no additional production cost. The sales model is the negotiation of the ransom, which puts the "company" at a distinct advantage, as the "customer" needs something that only THAT company can provide. Cold calling amounts to looking for an open door into a system, or talking someone into opening a door for you. The risk for these organizations remains minimal, primarily because many are either backed by nation-states or operate from regions where they remain beyond the reach of law enforcement.

In essence, it's a business model of diabolical brilliance.

While some of this might be familiar territory for you, delving deeper into the world of ransomware reveals a more intricate landscape. Many of these so-called ransomware "enterprises" operate affiliate programs. Below you'll see a screenshot taken from the company's blog that outlines what being an affiliate looks like, detailing the perks and processes. This comprehensive guide offers instructions, services, and support. Should you find yourself struggling with ransom negotiations, these companies stand ready to intervene, leveraging their vast experience from countless successful negotiations to ensure a favorable outcome.


[Screenshot: LockBit Affiliate Program]


LockBit isn't special in this regard; this is the status quo for these organizations. Not only do they run their own attacks, but they have hundreds if not thousands of affiliates running attacks for them, and they simply take a percentage in exchange for providing the tools to do so. Still not sold on the idea of this being a company? These ransomware "gangs" are acting as franchisors, in a sense, providing fledgling affiliates a blueprint on how to build a company of their own. LockBit, in this case, is simply providing the McRansom burger to the franchise, and the franchisees are churning out those same McRansom burgers in exchange for an initial fee and royalties. This follows the exact model of a franchise.

Hopefully this begins to shed some light on why these attacks are so common, why they are quickly becoming systemic, and how difficult it is to keep up. Your company isn't defending against a few dozen ransomware organizations; it's having to defend against thousands, all of them using similar, for lack of a better term, "state of the art" malware. The majority of the malware used in these attacks is HIGHLY sophisticated. Much of it is fire and forget: if someone can simply get it ON your system, it's too late, you've been pwned. Which leads us to our next topic, dwell time.

As good as companies believe their security is, the fact of the matter is that the average dwell time, the time AFTER a company has been breached and a malicious actor has access until the company figures it out, is approximately 55 to 60 days. It's also essential to understand that before deploying the actual ransomware, attackers often spend time exploring the network, escalating privileges, identifying critical assets, and ensuring they can maximize the impact (and thus the potential ransom). These ransomware companies could lock you down immediately in most cases; however, much of this time is used for data exfiltration. Locking down your company is one thing; locking it down AND taking a significant part of your company's information and releasing it is another. This puts your company in an awkward bind: losing data is bad, but losing it with everyone knowing about it, and having it used by others, are far worse scenarios.
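Because so much of that dwell time is spent moving data out, one of the cheapest detections a defender can run is a per-host outbound-volume baseline. The script below is an added example written for this post, not code from the original article or from any of the groups it names. It reads constructed NetFlow-style records (fields assumed: timestamp, source, destination, bytes), sums each internal host's daily traffic to external addresses, and flags any day that exceeds a multiple of that host's own earlier days. The RFC 1918 ranges stand in for "internal"; the flow lines are fabricated for illustration.

```python
"""Baseline-and-spike check for bulk outbound transfers (added example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed sample flow records, not real traffic.
# Format assumed: "<ISO timestamp> <src> <dst> <bytes>".
SAMPLE_FLOWS = """\
2023-09-01T02:10:00 10.1.4.22 203.0.113.9 1200000
2023-09-01T09:15:00 10.1.4.22 10.1.0.5 55000000
2023-09-02T02:12:00 10.1.4.22 203.0.113.9 1500000
2023-09-03T02:11:00 10.1.4.22 203.0.113.9 1100000
2023-09-04T01:40:00 10.1.4.22 198.51.100.77 48000000000
2023-09-01T10:00:00 10.1.7.8 203.0.113.20 900000
2023-09-02T10:00:00 10.1.7.8 203.0.113.20 950000
2023-09-03T10:00:00 10.1.7.8 203.0.113.20 880000
2023-09-04T10:00:00 10.1.7.8 203.0.113.20 910000
"""

# Assumption: the organization's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow format into (datetime, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def daily_outbound(flows):
    """Sum bytes per (internal host, day) for flows that leave the internal ranges.
    Internal-to-internal traffic (e.g. to a file server) is ignored."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, ts.date())] += nbytes
    return totals


def flag_spikes(totals, ratio=10.0, min_days=2):
    """Return alerts for (host, day) whose outbound bytes exceed `ratio` times
    the mean of that host's earlier days. A host needs `min_days` of history
    before it can be judged, so a brand-new host does not alert on day one."""
    per_host = defaultdict(list)
    for (host, day), nbytes in sorted(totals.items(), key=lambda kv: kv[0][1]):
        per_host[host].append((day, nbytes))
    alerts = []
    for host, series in per_host.items():
        for i, (day, nbytes) in enumerate(series):
            history = [b for _, b in series[:i]]
            if len(history) < min_days:
                continue
            baseline = mean(history)
            if nbytes > ratio * baseline:
                alerts.append({"host": host, "day": day.isoformat(),
                               "bytes": nbytes, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in flag_spikes(daily_outbound(parse_flows(SAMPLE_FLOWS))):
        print(alert)
```

In the sample, 10.1.4.22 pushes about a megabyte a day to the outside and then 48 GB in one night, which trips the check; its 55 MB copy to the internal 10.1.0.5 is deliberately ignored, since staging data on an internal server is not the exfiltration itself. Tune `ratio` and `min_days` against your own flow history; a static threshold misses slow drips and floods you with backup-window noise.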

In a twisted turn of events, one might even admire the ingenuity of these ransomware enterprises. Their business acumen is evident in the crafted pricing strategies they employ post-encryption. Seeking an extension? For a mere $3000, your wish is their command! The options they present are as varied as they are infuriating: from merely decrypting your files while retaining the stolen data to a complete purge of the pilfered information. Each choice, each price point, is dictated by the whims of these organizations, ensuring they always hold the upper hand. (At the time of penning this piece, the following is an active ransom demand.)


[Screenshot: Ransomware Deadline]


Not enticed by the allure of affiliation? Fear not, for these cunning enterprises have another card up their sleeve, a lucrative bug bounty. Fancy pocketing a swift million? Merely submit your XSS vulnerabilities, locker glitches, or even innovative concepts (indeed, suggestions to enhance their operations). And here's the catch: unlike conventional corporations, they're willing to reward handsomely for a truly groundbreaking idea. 


[Screenshot: Bug Bounty]


And last but certainly not least, Doxing! (Doxing refers to the practice of researching and publicly disclosing private or identifying information about an individual without their consent.)



[Screenshot: Doxing]


The only apparent shortfall in this dark empire? Healthcare and benefits. Yet, with payouts reaching the millions, one wonders if they even feel its absence.

I can't tell you how many times I've been asked, "What's the actual risk?" or "What are the chances?", with a look of dismissive doubt and skepticism etched across their faces, as I stand and give a debrief to a company we just walked through in a Red Team. And make no mistake, such doubts aren't confined to mere customers; they permeate every echelon of nearly every organization.

But for those with the acumen to look for the signs and trace the digital footprints, the evidence is overwhelming. Directories brimming with terabytes of stolen data, megalith firms trying to position themselves as the guardians against such breaches—like members of the renowned big four: Deloitte, PwC and EY, all compromised by the likes of CL0p via MOVEit.

There is one parallel between these shadowy entities and conventional corporations that is more pronounced than most would admit. They too are prone to errors and occasional oversights. Take, for instance, Darktrace's vehement denial of any breach. Yet, not long after, Lockbit unveiled files for public consumption. A closer inspection revealed the data to be from Darktracer, not the genuine Darktrace based in the UK. But in these investigative forays, it's not just the breaches that astonish—it's the sheer audacity and scale of operations.


[Screenshot; names omitted due to the comments.]


What was truly astounding? The magnitude of accessible data, available to anyone with the inclination and ability to seek it out. While utilizing such data for malicious intent is, of course, illegal, we must remember we're delving into the realm of the criminal underworld, where legalities are meaningless. The image above captures just a fragment of the vast expanse. Delving deeper into CL0p's file list reveals a trove of data from thousands of companies, all laid bare for the taking. And if you happen to be a customer of these companies? It's highly probable that your data is nestled within those folders. Do you have a habit of recycling passwords or tweaking them slightly? HotSummer2023! anyone? If so, tread with caution...
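The "tweak it slightly" habit is something a password-change workflow can catch on the defender's side. The following is an added example, not code from the original post: it normalizes a candidate password by stripping the usual tweaks (case, leet substitutions, a trailing year, trailing digits and symbols, season words) and rejects it if it collapses to, or sits very close to, a password already known to be exposed for that account. The exposed list is constructed for illustration; in practice it would come from the organization's own breach-monitoring feed.

```python
"""Reject new passwords that are only slight tweaks of exposed ones (added example)."""
import re
from difflib import SequenceMatcher

# Constructed sample: passwords previously seen in a breach dump for this account.
EXPOSED_FOR_USER = ["HotSummer2022!", "Winter2021", "P@ssw0rd"]

# Common character substitutions people use to "change" a password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def normalize(pw):
    """Collapse the usual tweaks so HotSummer2022! and HotSummer2023! compare equal."""
    s = pw.lower()
    s = re.sub(r"[^a-z0-9]+$", "", s)      # trailing ! ? # and friends
    s = re.sub(r"(19|20)\d{2}$", "", s)    # trailing four-digit year
    s = re.sub(r"\d+$", "", s)             # any other trailing digits
    s = s.translate(LEET)                  # p@ssw0rd -> password
    s = re.sub(r"[^a-z]", "", s)           # drop remaining separators
    for season in SEASONS:
        s = s.replace(season, "<season>")  # Summer vs Winter is not a real change
    return s


def is_slight_variant(candidate, exposed, threshold=0.85):
    """True if the candidate normalizes to, or is near-identical to, an exposed password."""
    c = normalize(candidate)
    for old in exposed:
        o = normalize(old)
        if c == o:
            return True
        if SequenceMatcher(None, c, o).ratio() >= threshold:
            return True
    return False


def check_new_password(candidate, exposed=EXPOSED_FOR_USER):
    """Policy decision for a password change request."""
    if candidate in exposed:
        return "reject: password previously exposed"
    if is_slight_variant(candidate, exposed):
        return "reject: trivial variant of an exposed password"
    return "ok"


if __name__ == "__main__":
    for pw in ("HotSummer2023!", "Passw0rd!2023", "correct horse battery staple"):
        print(pw, "->", check_new_password(pw))
```

The normalization is deliberately aggressive: it only ever runs on the user's own exposed list, so a false positive costs one extra password attempt, while a miss lets a credential that is already in a leak folder straight back into the environment.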



[Screenshot: CL0p file list, 1 of 3]


[Screenshot: CL0p file list, 2 of 3]


[Screenshot: CL0p file list, 3 of 3]


With this new information, one might ponder the likelihood of an impending threat, so let's ask that question one last time. "What are the chances?" The stark reality is this: in the current climate, the odds are not just significant, they're inevitable. It's less about "if" and more about "when" you'll find yourself under the malevolent gaze of the underground adversaries. Relying solely on periodic external penetration tests or utilizing threat modeling and the MITRE ATT&CK framework has never actually been a sufficient shield. A word to the wise: the sophisticated citizens of the criminal underworld view such frameworks with a mix of amusement and mocking disdain. Their modus operandi? Whatever strategy yields success. The attempt to confine these masterminds into a standardized "attack pattern" is, at best, an optimistic oversimplification and frankly, plays right into their hands. It's reminiscent of the age-old ploys where snake oil salesmen promise a panacea, all the while hoping to ensnare you into their web of commerce.

To truly fortify your defenses, a holistic approach is paramount, encompassing physical, social engineering, and logical security measures. To stay ahead, you must think like the very adversaries you hope to defend against. This means constantly pivoting, embracing unconventional tactics, and continually challenging the norm. In essence, deploying a genuine Red Team with a singular mandate: Unleash Havoc.

Before we sum this up, let's take some of what we learned and play my all time favorite Red Team game of "What if". 

What if I as a pentester just took my scans and gave them to one of these organizations but never actually did the hacking? I could probably retire just by doing that alone. 

What if I hated my Executive Vice President because they are a horrible human being? Was cheating on their spouse? Screwing people out of bonuses? I could get one million dollars for doxing them? As a secretary I'll never make that in my life, I'm also pretty much Robin Hood at this point, this is just fighting back leveling the playing field against people like that, right? 

What if some of those testing credentials were to somehow wind up in LockBit's hands? If they lock the system down, and it's never unlocked, no one would ever know. I'm sure they could remove it anyway!

The above is likely the confession of a jaded employee gone awry, but never discount the human mind's ability to displace blame and justify an action, especially one that follows a perceived slight. This could just as easily be a delivery driver plugging into any computer in your company, or even dropping USB sticks at your office. Knowing what you know now, has the likelihood of the above just increased or decreased in your mind?

The TLDR: 

In this vast expanse of our digital world, where data theft has become as effortless as swiping gold from an unguarded vault, we find ourselves at the crossroads of technology and treachery. Ransomware, while often dismissed as mere malevolent code, is but a glimpse into a deeper, murkier world that you hopefully now have a better understanding of. Beneath this digital veneer lies a sprawling empire of organized crime, operating with a finesse honed over countless heists.

The illustrious list of ransomware kings, featuring the likes of AlphV, Lapsus$, Hive, Conti, and LockBit, isn't just a rogue's gallery of basement-bound hackers. No, these are full-fledged enterprises, raking in hundreds of millions of dollars, with operations that would make legitimate businesses pale in comparison. Their reach isn't confined to their own day-to-day operations; they've broadened those horizons, offering affiliate programs that mirror the franchisor-franchisee dynamics we see in the corporate world. This franchising approach has amplified the scale and frequency of their digital onslaughts, leaving companies scrambling in their wake.

Going back to dwell time: the average time these digital marauders lurk undetected within a company's systems is an alarming 55 to 60 days. This isn't a mere waiting game; it's a meticulously planned operation aimed at extracting every ounce of value, ensuring that when the ransomware dagger finally strikes, it hits where it hurts the most.

Post digital ambush, companies find themselves not just grappling with encrypted files but navigating a veritable bazaar of 'services'. From extensions to data purges, each with its own price tag, it's a grim shopping list for the besieged. And just when you thought their entrepreneurial spirit ended there, these ransomware moguls also roll out the red carpet for bug bounties, lavishing rewards on those who offer vulnerabilities or even ingenious ideas to bolster their illicit operations. Too "nefarious" for you? How about simply doxing your boss? It's not just about holding your data hostage; it's a game of reputational Russian roulette, adding insult to injury. All this with a million dollar price tag for anyone willing to deliver. So the question quickly becomes, are you defending against the dark overlords of the criminal underground? Their affiliate armies? Or your own employees or contractors? 

The realm of ransomware isn't just a tale of code and cryptocurrencies. It's an intricate ballet of organized crime, dancing to a tune that's as sophisticated as it is sinister. As we navigate this digital odyssey, it's imperative to recognize the multi-faceted nature of the threat looming in the shadows. It's not just a battle of firewalls and compliance; it's a war of wits, strategy, and resilience in the face of an ever-evolving adversary. An adversary most of you barely understand.


Having someone by your side that understands this world is invaluable. 


Have you ever danced with the devil in the pale moonlight? One way or another, you will. 
