Ransomware Groups Seek Fresh Tactics Following Hive Takedown
Social Engineering and Decentralization Surge, Says Researcher Yelisey Bohuslavskiy
Mathew J. Schwartz (euroinfosec) • March 27, 2023
Stung by the FBI's infiltration and takedown of the Hive ransomware group, other ransomware operators have been retooling their approaches to make their attacks more effective and operations tougher to disrupt, says Yelisey Bohuslavskiy, chief research officer at threat intelligence firm Red Sense.
Credit needs to go to defenders both public and private, he says, for having upped their game. In response, ransomware operations have been forced to find replacements for tools and strategies they previously relied on, including botnets, Cobalt Strike beacons and dedicated blogs for naming victims and dumping stolen data.
"Groups that are operating now, they're going away from this blog-centric infrastructure," Bohuslavskiy says. "Some of them, like Karakurt for instance, or Silent Ransom Group, they're not even using blogs for extortion. They communicate with their victims via ProtonMail, exactly in order to avoid a situation in which you have all your negotiations being taken over by the government."
In this video with Information Security Media Group, Bohuslavskiy also discusses:
- Major "damage amplification" innovations across what he characterizes as the three modern ransomware eras - from WannaCry to REvil to the post-Conti landscape;
- How "hacking is weaponized creativity" for cybercriminals;
- Why ransomware groups are ready to embrace social engineering and business email compromise attacks.
Bohuslavskiy is chief research officer and a partner at Red Sense. He previously served as co-founder and head of research and development at threat intelligence firm Advanced Intelligence. He has also worked in other roles including cyberthreat intelligence analyst at Flashpoint and due diligence researcher at Kroll.
Mathew Schwartz: How has the ransomware ecosystem been changing? I'm Mathew Schwartz with Information Security Media Group, and it's my pleasure to welcome Yelisey Bohuslavskiy, the chief research officer and partner at Red Sense to our studio to talk ransomware. Yelisey, great to have you on today. Thanks for being here.
Yelisey Bohuslavskiy: Thank you so much, Mathew.
Mathew Schwartz: You are a keen, I think it's fair to say, ransomware researcher, and I've always been fascinated to review your research reports and see what is happening with ransomware. Because there's a lot happening that we know about, or that we think we know about. And there's a lot happening behind the scenes.
Just to set us up for our discussion today about where things are, where things are headed, you've broken out what we know about ransomware now into roughly three generations: I think maybe 2017 to 2019 being the first one, the WannaCry era. Give us a recap. Why do you look at that as the first generation, if you will, of modern ransomware?
Yelisey Bohuslavskiy: WannaCry was a defining shift, because before WannaCry, ransomware had not been essentially damaging; it was more a sort of low-tier vandalism, I would say. And the same way that WannaCry revolutionized the damaging aspect of ransomware in 2017 is exactly the same way that the second-generation ransomware - which I would define from 2019 to 2022, groups like REvil, or GandCrab that started it - revolutionized it again, also from this damage amplification perspective.
Mathew Schwartz: Now, I know we're recapping, and it's so fascinating to see the innovation that these groups brought to bear. So just really briefly, what were some of the innovations that you saw. I don't know if we want to go back to the 2017 to 2019 era, and just highlight what they were doing that was so effective for them?
Yelisey Bohuslavskiy: I feel this entire conversation at the end of the day would be around innovation, because the 2023 threat landscape is absolutely fascinating, because this would be a year of change, and this change would be exactly accumulating innovations that happened previously, but will manifest to the full capacity in this year, and most likely in the coming years, shaping the new threat landscape. So innovation is fundamentally ingrained in cybercrime and [the] cybercrime underground, ransomware in particular.
My former business partner, Vitali Kremez, taught me this amazing formula that hacking is weaponized creativity, and I think this is exactly what has been going on through the last five years. WannaCry was a damaging thing, but definitely more of a single case. The innovation happened when that became a fulfilling business model - fulfilling for the criminals. When GandCrab became a thing, when REvil became a thing. REvil actually revolutionized the threat landscape several times, they created the ransomware-as-a-service system. They created the new approaches to infiltrating networks. But most importantly, the absolutely fundamental divide between after-2019 and pre-2019, was the addition of the social element to ransomware, which was data extortion. Before that it was only data vandalism, destroying data, maybe encrypting data, and then obviously asking for a ransom to decrypt it.
After REvil, we got the social aspect of that with stealing data, and then offering it for sale, which immediately brought the regulatory level, the legal level, the reputational level, the financial level. All the things which were initially never really associated with cybercrime or cyberattacks, and as a result of that we got a completely new landscape, and this landscape is changing again.
Mathew Schwartz: As you say, they were finding ways to creatively make life really difficult for victims. Adding pressure with the successive waves. One of the things I remember from GandCrab turning into REvil: I think they were customizing the software to meet the needs of their users - being the affiliates - who would take it and infect victims. One of the things they customized or added, if I recall correctly, was the ability to hit managed IT service providers. So they could hit the provider and then do a different ransom for each of their managed customers, and we just keep seeing innovation like this, don't we?
Yelisey Bohuslavskiy: Absolutely, and this would be among the things that would, to my belief, define the threat landscape in the future. The REvil attacks against MSPs, they were extremely strategic, and this has not really been the case for ransomware through most of this time. Actually, REvil, in a sense, was more of an exception than the rule.
But now this is changing. We're seeing ransomware groups at the beginning of 2022 - and 2022 would be probably when we could start talking about the shift to third-generation ransomware - so in 2022 we start seeing formalized written strategies, annual strategies, strategies for the development of new offensive tools, definitely strategies for the development of new patterns of attacks.
So what REvil was doing intuitively, the contemporary ransomware groups are trying to do institutionally and strategically. And this is why, for instance, at Red Sense, we coined this term "ransomware APTs," because it's so much more than ransomware at this point. It's more of a private criminal corporate espionage that is typically used for profit. But because at this point ransomware crystallized to this extremely sophisticated and extremely powerful - from a standpoint of skills of people involved - network, at this point, obviously the governments are very interested in utilizing that more.
So with this, APTs … traditionally have a political background, and that's also something that has come into the landscape, very quickly at the beginning of 2022.
Mathew Schwartz: So when we look into this 2019 to 2022 period, prefiguring what we're seeing today, you mentioned you've got groups like REvil having created this ransomware-as-a-service model, working with affiliates. Some of the groups, I guess, have large internal teams. Some of them are using botnets. We're seeing a lot of creativity still. There's no one right way to a payday. That seems to continue - I guess - until just last year, right?
Yelisey Bohuslavskiy: Yes, I think, Mathew, that in a way now, looking at 2019 to 2022 in hindsight, we actually could say that in these years, ransomware was guided by the idea of a silver bullet or a magic key. Finding one solution for all issues. And, to be honest, they had a reason to do that, because the defense landscape was kind of offering them this. We had huge attack surfaces, we had … absolutely tremendous amounts of unprotected endpoints, and they were thinking about scale rather than quality. And this is why botnets were such a thing, because botnets are a very scalable, universal attack tool. That's why Cobalt Strike was used - still is, but not to the extent that it was - but Cobalt Strike was the absolutely one major attack tool all groups were using. Because again, it was scalable and universal.
Now this is actually changing. Now we're entering a very sharp phase of diversification and decentralization of TTPs and decentralization of attack patterns and attack vectors, which honestly makes the life of defense way harder. I really remember my times at AdvIntel with a lot of nostalgia, because looking at TrickBot, let's say, or Emotet, you could cover like two-thirds of the landscape, because everyone was using TrickBot and Emotet. And now, when the botnets are essentially dying, now when Cobalt Strike has extreme detection rates - also kudos to the original Cobalt Strike team because, them being people on defense, they have obviously been putting a lot of countermeasures in place against the fact that their tool is exploited by the bad guys - so the criminals are now losing those silver bullets. They're losing those magic keys, and they need to innovate to survive.
Mathew Schwartz: So just to put an extra sharp point on that, it sounds like defense, at least to an extent, has been working. We saw a lot of moves in western governments, the United States, the U.K., focusing on business resilience among the different strategies they were using to try to combat ransomware, because obviously arresting all the criminals hasn't worked or isn't feasible. Business resilience has been a real focus, and I think we've heard of a lot of organizations better getting their house in order. Is this what you're seeing or hearing in the cybercrime underground, from chatter, and has this been driving some of the more recent changes?
Yelisey Bohuslavskiy: You know it's almost paradoxical, amazingly paradoxical, because I'm seeing a lot of that in the cyber underground. I'm not seeing the appreciation of defense on the - you know - legitimate side of businesses. I feel that we need to give way more credit to defense than we currently do - all sides of defense. Government of course, but also the private sector, the insurance market in particular, I think they were one of the major proponents. The insurance market has been one of the major moving forces of progress here.
My vision of this in general is that we live in a bit of a mythological approach to this, when we think that the offense is the one setting the rules, that the offense is having the first turn, and to be completely honest when we look at the cybercrime underground, this is not truly matching the facts.
The defense is the one that is constantly setting the rules, when the defense - in this case, regulatory defense and customer-rights defense - began introducing sharp and immediate frameworks for data protection and data privacy, the ransomware groups began using extortion. That wasn't their idea. They looked at GDPR and, like CCPA, and all the other regulatory [laws], and tried to adapt. When the defense - in this case, it would be government defense - when the government really started to pressure ransomware groups and started to catch affiliates, they completely disbanded the affiliate model and shifted to something else.
And then, most importantly of course, was the implementation of compliance and due diligence. I came to this industry from Kroll; compliance officer was my first position. I guess this kind of shifts my approach, in general. But specifically in this case, if we think about ransomware in the long term, ransomware has always been considered by the criminals themselves as something scalable, but very technologically primitive. I remember the times when ransomware groups were not, well, they weren't groups even at that point. Ransomware affiliates, let's say. They were not even allowed onto top-tier Russian-speaking forums, because what they were doing was considered a very cheap intellectual shortcut to the sophisticated art of hacking. And I think this combination of scalability and lack of development and technological side, it actually followed ransomware for quite a while, because they were crazy successful in 2019 and 2020, exactly because there was this humongous attack surface of millions of companies, that had, like, RDPs with the password "1234," and if you have a botnet and you target like, you know, 10,000 endpoints, there would be one you could hit.
And then what started to happen in 2021 was the insurance market, and the government, was basically saying: You need to have very strict, clear compliance and due diligence involved, if you want to get covered when you get hit. And at this point we started just to see numerous groups just dying out because … they didn't have the fresh [victims] that previously came from the unprotected endpoints, and that changed everything. Everything that we see with the third generation ransomware, or ransomware APTs, post-Conti landscape and all that, it all, in one way or another, is connected to that major shift in 2021, when essentially the defense was able to take care of as many unprotected endpoints as possible, and essentially the ransomware completely lost the ground under its feet.
Mathew Schwartz: We've seen some huge shifts, obviously some of the big-name bogeymen groups have gone away. The likes of REvil, for example, seems to have finally, well, you know, died out. Maybe it's restarted in some other capacity. But we also saw other big groups like Conti, which was long a fixture, having retired at least the brand name. And then we saw kind of the coup de grâce so far, if you will, of law enforcement disruption, which was the Hive - not just takedown - but infiltration. So how have the criminals who are attempting to better monetize ransomware putting these lessons, whether positive or negative as far as they're concerned, to work as they design the next generation?
Yelisey Bohuslavskiy: Well, one of the key lessons they are learning is, of course, decentralization. This would be applicable to actually all, I think, all three groups you've named are great examples of that. And again this would be something defining the third-generation ransomware.
Let's start with REvil. REvil was indeed decentralized but poorly controlled. REvil had numerous affiliates who were working without any proper control, and at some point they pretty much ended up crossing the political line. In the former Soviet Union, there was a very strict rule: You don't cross the political lines. It doesn't only go to ransomware - like, you know, media says that there is a rule that you shouldn't target Russian-speaking populations. It's kind of more than that. You shouldn't cross the political line in general. You shouldn't mess with the state, and REvil actually did that. They started to cross political lines with their attacks. And you know the Russian government had to talk with the American government about that, and they pretty much messed with the state because they were poorly controlled, and a lot of them ended up in jail.
So REvil did evolve for the third-generation ransomware, and we were seeing amazing cases where the former top-tier affiliates of REvil, the best of the best, they're now working as a small team. A small team would be the term I would keep using through the entire talk, because this is the most fundamental operational shift that we are seeing right now. So they're working as a small team, a very tight collective of people who personally know each other, a very tight collective of people who could work as a single organism when they are in the network, who have ultimate trust, and who have ultimate connection with, you know, the larger groups. And they, for instance, they're working for groups like Royal, or Black Basta, or Black Cat, all the post-Conti environment, and they're not directly reporting to them, but they're working in a very tight liaison with them. So it's like this kind of cyber ronin thing: they lost their master, but instead of disbanding, they became this strong, elite group of cyber mercenaries.
And this is exactly the evolution that brings up resilience. They're decentralized in the sense that if someone takes down Royal, they won't get hit. But also they're in this situation of control in which it wouldn't happen that one of them takes down a pipeline, and now - you know - they need to be arrested by the Russian government. Well, it's … I'm using the case of pre-war; everything obviously changed with the war. But I think you see what I'm saying.
Conti is another great example of that. They were taking a lot of advantage from centralization until a point when centralization started to work against them, when they openly affiliated themselves with the Russian government. After that, they had to disband, and recreate in a new manner, and their new decentralized manner is definitely way more effective, because, like, you could count like four teams, six teams, it really depends on who you count as Conti and post-Conti. But let's say it's four main teams: Royal, Zeon, Black Basta and Silent Ransom Group, plus Karakurt; Karakurt is somewhere in between, so let's say five.
So those teams, they all have their own approaches. They all have their own tools. They all have their own lockers. They all have their own ways of negotiation. At the same time, they are all a part of the same ex-Conti gang. So decentralization definitely works here. And probably the epitome of how decentralization could help cybercriminals was Hive, because Hive was essentially the last second-generation ransomware, and looking at how Hive, looking at the takedown, we could actually see what was second-generation ransomware, and speaking of the takedown, one of the amazing things about that operation was that the FBI, they hit the critical node. They knew exactly how the second-generation ransomware worked, and they hit exactly where there needs to be a hit, to deliver fatal damage.
So second-generation ransomware was entirely centered around the blog. The blog was used for data extortion, of course. They were putting all their leaks on the blog. But most importantly, the blogs served as the fundamental infrastructural node, because when you, or the affiliate, or the core team, when they execute the locker, there would be a locker ID generated, and that would be the ID that would be tied to the blog, and there would be a negotiation chat within the blog. So if you take down the blog like the FBI did, you simultaneously take their ability to extort data and threaten its publication. You have all the decryption keys. You have all the victim negotiations, and you're able to offer the decryption keys to all the negotiations, and obviously, if you have the decryption keys, you can kill the future operations. And also you have access to all the affiliates, because affiliates are connected to the blog.
This is probably the last time we're seeing that. All other groups that are operating now, they're going away from this blog-centric infrastructure. Up to the point that some of them, like Karakurt for instance, or Silent Ransom Group, they're not even using blogs for extortion. They communicate with their victims via ProtonMail, exactly in order to avoid a situation in which you have all your negotiations being taken over by the government, or something like that. And this is definitely a fundamental change that we would be seeing through the entire year and onwards.
Mathew Schwartz: So smaller groups; is there an optimum size for these groups that you're seeing?
Yelisey Bohuslavskiy: At this point it's four people. Like, the most, the best groups we are seeing, small groups, is four people. They could work collectively within a larger group. Royal at this point, I estimate it to be between 50 and 60 people, but those individuals, they're working in small teams, all of four or five people. I mean in general, for military-style operations, four is considered the sacred number. Like we have the SWAT squads, typically the initial [breaching] squad is four people. There are many examples why four is a really good, optimal number for operations, and it looks like they are also utilizing this knowledge, because four is most typically what we see.
Mathew Schwartz: So with this third generation, as you put it, of ransomware that we're in now, we're seeing these more decentralized teams making it more resilient - these organizations, for now, anyway.
Yelisey Bohuslavskiy: Yes.
Mathew Schwartz: More resilient against the kinds of takedowns they've seen previously. What happens next, I guess, is maybe a bit of an open question?
Yelisey Bohuslavskiy: Well, we will see more diversification of tools as well, because if you have many small teams working autonomously, you would expect them also to be experimenting with new tools. A good example of that would be all the alternatives to Cobalt Strike. I actually saw, that was at the very end of 2022, there was an Excel list disseminated within one of the post-Conti groups that listed, "What are the alternatives to Cobalt Strike?" And now some groups are doing that directly.
There have been a lot of experiments with Brute Ratel, there has been a lot of experiments with Sliver, and … there have been a lot of experiments, actually, with delivering attacks without Cobalt Strike or [using] similar tools at all.
So there is definitely this: the organizational diversity leads to operational diversity. And the second thing, of course, would be the integration of social engineering or business email compromise. It sounds like something obvious, and you know we would expect that this would be something, business email compromise, phishing, things like that that has been used in cybercrime for, like, decades, so this would be something that would be a part of ransomware, but … operationally it really hasn't until this point.
I was recently presenting at NetDiligence, a big cyber insurance conference, and typically at NetDiligence they start with a review of cyber claims. And year after year, you could see that cyber claims go into two large tabs: one is ransomware, the other is business email compromise. From what I'm seeing through 2022 and definitely right now, from what I am seeing, probably in a year, when we go to NetDiligence, or Advisen, or any other cyber claims conference, we won't even be able to distinguish between those tabs, because they're merging so hard.
With shrinking attack surfaces, with not being able to break things easily, with the need for innovation, the groups are definitely applying themselves to the human factor, to social engineering. It's a very well-known thing within cybersecurity: the human factor is your best way to get somewhere, and we are seeing this social development here. The experiments with the BazarCall, call-back phishing, where we have those sophisticated techniques of spamming and phishing, the utilization of call centers. It didn't work, but the fact that they tried it is actually revealing very well-developed teams, which they call intelligence teams, that are specializing in looking at the data inside networks from past breaches, and then they utilize the - typically it's the .PST files - they would utilize the email correspondence to mimic the emails from the previous victim to the next victim, [using a] very well-designed website for luring them to the websites. We have seen utilization of ChatGPT, which is something that helps them to just breach this language barrier, but also to create a more authentic, holistic framework.
Those tools, all together, they actually work as a force multiplier to one another. For instance, if you have the correspondence that you want to infiltrate by impersonating someone and you have the previous emails, you feed those previous emails to ChatGPT, and you get an authentic email because that AI tool is just so efficient, especially when you feed it some information. So the possibilities here are endless and this would be a very important segment of cybercrime, in particular ransomware, this year and next year: utilization of all the BEC and social engineering techniques.
Mathew Schwartz: So everyone following ransomware, brace for this fusion with the business email compromise attack strategies.
Yelisey Bohuslavskiy: Yes.
Mathew Schwartz: Well Yelisey, thank you so much for your time and insights today. It's always fascinating to get to talk to you about where ransomware has come from, where it's at and where it's probably going to be going. So thank you.
Yelisey Bohuslavskiy: Thank you.
Mathew Schwartz: I've been speaking with Yelisey Bohuslavskiy, the chief research officer at Red Sense. I'm Mathew Schwartz with ISMG. Thank you for joining us.