ransomware gangs


How do ransomware gangs work?

Ransomware groups, also known as ransomware operators or cybercriminal gangs, work as organized entities to execute ransomware attacks on various targets, including individuals, businesses, government institutions, and more. These groups often operate in a sophisticated and coordinated manner to carry out their malicious activities. Here's how ransomware groups typically work:

Organization and Structure: Ransomware groups operate as criminal organizations with a hierarchical structure. They consist of various roles, such as developers, operators, affiliates, negotiators, and customer support representatives. Each role contributes to different aspects of the attack process.

Ransomware Development: Some ransomware groups have skilled developers who create the malicious ransomware software. This software is designed to encrypt a victim's files and display ransom notes demanding payment for the decryption key.

Initial Access: Ransomware groups find ways to gain initial access to a victim's network or system. This can involve exploiting software vulnerabilities, using phishing emails, leveraging compromised credentials, or utilizing other techniques. The goal is to infiltrate the target's environment without being detected.

Privilege Escalation and Lateral Movement: Once inside the network, the attackers work to escalate their privileges to gain access to more critical systems and data. They move laterally across the network, searching for valuable assets and sensitive information that can be encrypted for ransom.

Data Encryption: Ransomware operators use the deployed ransomware to encrypt the victim's files. They typically use strong encryption algorithms so that the victim's data cannot be recovered without the decryption key.

Ransom Note and Communication: After encrypting the victim's data, the ransomware displays a ransom note that informs the victim about the attack and provides instructions for payment. This note might be in the form of text files, pop-up messages, or even wallpapers.

Negotiation and Payment: Some ransomware groups offer victims assistance through customer support channels or dedicated websites. Negotiators may engage in discussions with victims to establish the ransom amount and payment process. Payments are usually demanded in cryptocurrencies like Bitcoin, which can be harder to trace.

Decryption (Possibly): If the victim pays the ransom, the ransomware operators provide a decryption key that can be used to unlock the encrypted files. However, there's no guarantee that paying the ransom will lead to successful data recovery, as some groups may not provide a working decryption key after payment.

Data Exfiltration (Optional): Some ransomware groups engage in a tactic called "double extortion," where they steal sensitive data before encrypting it. They threaten to release the stolen data unless the victim pays the ransom. This adds another layer of pressure for victims to comply.

Exit Strategy: After successful payment or once the attackers decide to move on, they may provide the decryption key and disengage from the victim's network. However, traces of their activity might remain in the compromised systems.

It's important to emphasize that ransomware attacks are illegal and cause significant harm to individuals and organizations. Prevention is key, and maintaining robust cybersecurity practices, including regular data backups, software updates, employee training, and intrusion detection systems, can help defend against ransomware attacks.

Diving deeper into organization and structure

Leadership and Developers:

  • At the top of the hierarchy, there are leaders or core members who oversee the operations and make critical decisions.

  • Skilled developers are responsible for creating the ransomware malware. They write the code that encrypts victim data, displays ransom notes, and communicates with command and control (C2) servers.

Operators:

  • Operators manage the technical aspects of the attacks. They deploy the ransomware within target environments, move laterally across networks, and escalate privileges to gain access to critical systems.

  • Operators may also be responsible for spreading the ransomware to multiple targets, often using automated tools and techniques.

Affiliates:

  • Some ransomware groups operate on an affiliate model, where they recruit external hackers to carry out attacks on their behalf in exchange for a percentage of the ransom payment.

  • Affiliates may have varying levels of technical expertise, and the ransomware group provides them with the necessary tools, infrastructure, and guidance to conduct successful attacks.

Negotiators and Customer Support:

  • Negotiators are responsible for communicating with victims after an attack. They handle ransom payment negotiations and provide assistance to victims who are attempting to decrypt their files after payment.

  • Some ransomware groups provide a level of customer support to maintain a semblance of professionalism and encourage victims to pay.

Distribution and Exploitation:

  • Some groups have members who specialize in finding vulnerabilities and developing or purchasing exploit kits to exploit these vulnerabilities.

  • Distribution experts focus on spreading the ransomware through various means, such as phishing campaigns, malicious attachments, compromised websites, or exploiting vulnerabilities in software.

Data Theft and Leaks (Double Extortion):

  • Some ransomware groups engage in data theft alongside encryption. They steal sensitive information from compromised systems before encrypting it.

  • These groups threaten to leak the stolen data unless the victim pays the ransom. This tactic adds pressure on victims to comply to protect their data from being exposed.

Money Laundering and Payment Processing:

  • Once a victim pays the ransom, the criminal organization needs mechanisms to launder the proceeds and convert cryptocurrencies into usable funds.

  • Money laundering experts may be involved in facilitating these financial transactions while attempting to obfuscate the trail.

Operational Security:

  • Ransomware groups place a strong emphasis on operational security to avoid detection by law enforcement and cybersecurity researchers.

  • They use techniques like encrypted communication channels, compromised servers, and anonymous email services to hide their identities and locations.

Infrastructure and Hosting:

  • Ransomware groups maintain a network of command and control servers to communicate with infected systems and manage their attacks.

  • They might rent or compromise servers to host ransomware payloads, ransom payment websites, and other malicious infrastructure.

Collaboration and Partnerships:

  • Some ransomware groups collaborate with other cybercriminal groups, such as those specializing in distributing malware or stealing sensitive data.

  • These collaborations can help them increase the scale and effectiveness of their attacks.

It's important to remember that the structure and organization of ransomware groups can vary significantly. Some groups are highly sophisticated, while others might be less organized and more opportunistic. Law enforcement agencies and cybersecurity experts work to track and dismantle these groups, but the evolving nature of cybercrime presents ongoing challenges in combating ransomware attacks.

How we gained significant insight

In late February 2022, the ransomware gang Conti had its internal data leaked to the internet. The leak contained internal communications dating back to June 2020. Brian Krebs did several great write-ups on the leaked files in early March.

Conti Ransomware Group Diaries Part I: Evasion 

Conti Ransomware Group Diaries Part II: The Office

Conti Ransomware Group Diaries Part III: Weaponry

Conti Ransomware Group Diaries Part IV: Cryptocrime


More recently, Jon DiMaggio at Analyst1 did a deep dive into the LockBit ransomware gang. He spent time on criminal forums and in private chat groups to get a better understanding of the criminals behind the ransomware groups and how they operated.

Ransomware Diaries: Volume 1

Ransomware Diaries: Volume 2 – A ransomware Hacker Origin Story

Ransomware Diaries: Volume 3 – LockBit's Secrets

NCC Group does a lot of good research on ransomware and other parts of the industry.

Unveiling the Dark Side: A Deep Dive into Active Ransomware Families - October 31, 2023

How to negotiate with a ransomware gang

Negotiating with ransomware groups is a complex and delicate process that should be approached with caution. There is no guaranteed method for successful negotiation, but if an organization decides to engage with the attackers, here are some general steps to consider:

Contain the Incident:

As negotiations proceed, work with cybersecurity experts to identify and address vulnerabilities in your organization's systems. Contain the incident to prevent further spread of the ransomware. Containment also supports a cost-benefit analysis of recovery efforts versus acquiring a decryption key.

Engage cyber insurance company:

If the company has a cyber insurance policy, then reaching out to the insurer will ensure the proper steps and paperwork are completed as part of the containment and recovery efforts. A policy will have specific requirements and limitations around payouts.

Seek Legal and Law Enforcement Guidance:

Consult legal experts and law enforcement agencies in your jurisdiction to understand the legal implications of negotiating with cybercriminals. Some jurisdictions prohibit making ransom payments to criminal groups. There are different reporting requirements and timelines around notifications depending on the type of organization and the amount of data involved.

Establish a Dedicated Team:

Assign a dedicated team or individual within the organization to handle negotiations. This team should have strong communication skills, an understanding of the technical details of the attack, and decision-making authority. If those skills are not available in-house, identify a third-party organization that specializes in threat actor negotiations to handle them.

Assessment and Decision-Making:

Before entering negotiations, the organization should carefully assess the situation. Consider the value of the encrypted data, potential legal implications, the organization's financial capacity, and the likelihood of receiving a working decryption key.

Communication Channels:

If the ransomware group provides contact information, communicate through those channels. Be prepared for the possibility of encountering language barriers, evasive responses, or even hostile communication.

Stay Calm and Professional:

Maintain a professional and composed tone during negotiations. Avoid becoming emotional or confrontational, as this could negatively impact the negotiation process. Ego and frustration will only cause problems during negotiations. At the end of the day this is a business transaction.

Verify Data Recovery Capability:

Before making any payments, request proof that the ransomware group can indeed decrypt the encrypted files. This proof could be a sample of decrypted files or a demonstration of the decryption process. More and more scammers are catching on to the ransomware negotiation process and trying to insert themselves into it. Identifying the threat actor that can provide the proper decryption tool ensures that any payment, if one is made, goes to the party that can actually deliver.

Negotiate Payment Terms:

If the organization decides to proceed, negotiate the ransom amount and payment terms. Ransomware groups often demand payment in cryptocurrency to make transactions harder to trace. If using cyber insurance, identify the insurer's level of involvement, as they may require approval of the amount.

Payment Methods:

Use a secure and private method to obtain the required cryptocurrency for the payment. A third-party cryptocurrency transaction provider can help with payment; there is a transaction fee associated with it. If using cyber insurance, the insurer may have a preferred set of third-party transaction partners.

Document Everything:

Maintain a thorough record of all communication, negotiation details, and payment-related information. This documentation can be useful for legal purposes, cyber insurance, and post-incident analysis.

Backup and Restore:

While negotiations are ongoing, explore options for restoring the affected systems and data from backups. Make sure backups are up to date, tested, and segregated from the rest of the network. Ransomware gangs are aware that their encryption may be ineffective if the company can restore from backups, so they will try to identify and encrypt the backup system to cripple recovery efforts. A third-party incident response company can help with recovery efforts.

Summary:

It's important to emphasize that negotiation doesn't guarantee successful data recovery, and there's a risk of supporting criminal activities by paying ransoms. Prevention is always better than mitigation. Organizations should prioritize strong cybersecurity practices, regular data backups, employee training, and robust incident response plans to defend against ransomware attacks.

Created with help from ChatGPT