Ransomware Unmasked: Dispute Reveals Ransomware TTPs

May 26, 2021

05 / 26 / 2021

Key Findings

  • A recent “public” dispute on the dark web between actors affiliated with the “REvil” ransomware group and an actor offering to negotiate with victims has shed light on the rise of “ransomware consultants” and revealed the operational methods of ransomware hackers.
  • Ransomware consultants research victims to gather intelligence for realistic ransom demands and conduct the negotiations on behalf of the ransomware group. The core reason that ransomware groups are looking for these types of services is that although they are proficient at gaining access to victims and encrypting data, they are less proficient at extracting ransom payments.
  • The REvil affiliate “evil_genius” claimed to be the hacker behind the recent ransomware attacks against Apex America and the Taiwanese-company Quanta Computer. evil_genius expressed reluctance to launch ransomware attacks against other large Taiwanese companies due to Taiwan’s strict anti-money laundering laws, demonstrating that even the most capable hackers find it more difficult to target entities bound by laws that make them less likely to pay a ransom.
  • The actors discussed the methods they use to compromise a victim’s network once they have gained initial access, including the tools they leverage to bypass cybersecurity software and ensure a long-term, undetected presence in the victim’s network.

Background

As criminal profits for ransomware attacks grew to nearly $370 million in 2020, the ecosystem of accompanying services and actors continues to undergo greater professionalization. Within this context, there are three major groups of relevant actors:

  • Ransomware groups: These are the groups, such as “DarkSide” and “REvil”, that create the actual ransomware used to encrypt companies’ data. Some of these groups then rent out access to their ransomware to experienced hackers for a percentage of the profits, and most also conduct ransomware attacks themselves.
  • Ransomware affiliates: These are the experienced hackers that actually gain access to victims, solidify their presence in the victim’s network, and encrypt the data. They rent the ransomware group’s malware to encrypt the data.
  • Ransomware consultants: These are the most recent actors to enter the sphere. They provide “consulting” services to ransomware groups and affiliates by researching victims and conducting negotiations.

Gemini has previously reported on how ransomware groups hire and work with affiliates to target victim companies, but a recent “public” dispute on the dark web between a consultant and a ransomware group and its affiliate has shed new light on how these actors work together to target victims. The dispute itself broke out on a top-tier dark web forum on May 10, 2021 when the actor “UNKN”, the public face of the REvil ransomware group, accused the actor “Signature”, a ransomware consultant, of failing to solicit the ransom payment from two victim companies. In response, Signature provided logs of personal correspondences between themself and UNKN and UNKN’s affiliate, “evil_genius”. The correspondences were conducted via the messengers Jabber and qTox. While cybercriminals have frequently used Jabber in the past, qTox has gained popularity in recent months. The content of the correspondences reveals both the increasing professionalization of ransomware “consulting” services and the TTPs of the REvil ransomware group and its affiliates.

In the correspondences provided by Signature, UNKN uses the moniker “8-800-555-35-35”, Signature uses the moniker “Premium”, and UNKN’s affiliate uses the moniker evil_genius. For the purposes of consistency and clarity, this report refers to the actors by their forum accounts. These three actors all speak Russian and their correspondences primarily occur in Russian.

Image 1: Signature posted correspondences between themself (using the moniker “Premium”) and UNKN (using the moniker “8-800-555-35-35”) to a top-tier dark web forum. In the portion of the qTox correspondence above, the actors begin discussing the ransom payment from Quanta Computer.

The Actors Involved: The Ransomware Group, Consultant, and Affiliate 

In the past six months, Signature has created multiple dark web forum posts concerning ransomware attacks and their consultancy services. These posts have included general advertisements for their services and specific responses to ransomware actors seeking negotiators for victimized companies, which included a victimized Saudi Arabian company. In addition, Signature has posted job offers for technical specialists with the following skills related to ransomware attacks:

  • Expertise in WIN networks and Active Directory networks
  • Proficiency with the tools Metasploit, Cobalt Strike, Koadic, Merlin, and rclone, as well as red team tools to download passwords from memory and saved passwords from browsers and applications
  • Experience writing .ps1 scripts for task automation through Group Policy Object, Group Policy Management Console, and Group Policy Management Editor 

Signature repeatedly claimed in their correspondences with UNKN and in other forum posts that they partner with an “outsourcing company” led by an unidentified “Swiss banker” to gather intelligence about victims and conduct negotiations. However, it is more likely that Signature is simply aggrandizing services provided by themself and a small team. Ultimately, the services that they offer are valuable for ransomware groups and their affiliates, as showcased by the evident demand; however, the intelligence required for the services could be gathered through alternative open-source resources.

Image 2: In a dark web forum post, Signature advertises their ransomware consultant services and seeks a pentester to join their team.

UNKN operates as the main representative of the REvil (AKA ”Sodinokibi”) ransomware group on dark web forums. The REvil ransomware group first appeared in May 2019 and has earned a reputation as one of the most notorious such groups. As covered in our recent report on Ransomware-as-a-Service (RaaS), REvil primarily operates through “affiliates” who rent access to REvil ransomware and use it to encrypt companies’ data after they have gained thorough access to the victim.

In the same report, Gemini found that UNKN has frequently created posts on dark web forums seeking new REvil affiliates members with various expertises. While this initially appeared to indicate that REvil intended to increase the scale of its operations, UNKN revealed in a correspondence with Signature that a large number of REvil affiliates have “retired” from ransomware after making significant criminal profits. As a result, UNKN claimed that REvil currently only has five teams and only two or three of them could carry out the attack they were discussing. 

Ultimately, the correspondences show that UNKN connected Signature with their “strongest team”, which turned out to be a single Russian-speaking affiliate operating under the moniker “evil_genius”. In a correspondence with Signature, evil_genius wrote that they have conducted industrial espionage for 20 years but now single-handedly gain access to high-profile entities for ransomware attacks.

In the course of the correspondences, evil_genius revealed that they are behind the recent attacks on Quanta Computer and Apex America; these ransomware attacks would go on to be the source of the ransomware payment dispute. Additionally, evil_genius indicated that they also have network access to much larger companies in Taiwan, but remarked that the strict anti-money laundering laws are causing ransom payment issues with Quanta Computer. evil_genius also noted that this is one of the reasons why they are reluctant to proceed with ransomware attacks against other companies in Taiwan.

Image 3: Signature posted correspondences between themself (using the moniker “Premium”) and evil_genius to a top-tier dark web forum. In the portion of the qTox correspondence above, evil_genius indicates that they were the hacker behind the ransomware attack on Quanta Computer.

Furthermore, evil_genius indicated that they had the capability to stop one of their victim’s manufacturing processes, but did not want to damage the company to that extent. Nevertheless, evil_genius claimed that they were willing to stop production in the future if there were further ransom payment delays. This actor additionally indicated that they have access to a Chinese company and claimed it is one of the top three manufacturers of display matrixes in the world. evil_genius proceeds to indicate that they can target large companies with profits over $1 billion and high growth rates projected for the next 5 years. 

What Are Ransomware Consultants?

Ransomware groups continue to expand their operations, disrupting businesses and threatening countries’ national security. Against this backdrop, a growing number of dark web actors and organizations are advertising their services as “ransomware consultants”. Whereas legitimate consultants may advise companies on marketing strategies, ransomware consultants offer to research victims to gather intelligence for realistic ransom demands and conduct the negotiations on behalf of the ransomware group. In the recent dispute on the top-tier dark web forum, the actor Signature claimed to partner with an unidentified “outsourcing company” to provide these ransomware consultancy services.

Chart 1: The workflow for collaboration between ransomware attackers and consultants as described by Signature.

In Signature’s posts concerning the dispute and in the correspondences with the REvil members, Signature claimed that they and the “outsourcing company” provide two major services: 1) analyzing potential victims to identify the most profitable target and 2) investigating and conducting negotiations with victimized companies. With the first service, the ransomware consultants analyze potential victims to ascertain if the victim is likely to pay the ransom and how large of a ransom the victim could afford to pay. With the second service, the ransomware consultants:

  • Obtain information about the victim’s management team
  • Determine how much financial damage the file encryption can inflict on ongoing projects
  • Research the capabilities of the cybersecurity firm that the victim hired to recover the encrypted data
  • Leverage the information from the three previous steps to negotiate a ransomware payment

According to Signature, the “outsourcing company” charges ransomware gangs 20% of the total ransom payment for their services, while the ransomware affiliate takes another 20% of the total payment. In the dispute between Signature and REvil, the disputed share amounted to $7 million for services concerning two companies. In a more recent post on Signature’s qTOX profile page, Signature indicated that in response to the dispute, the “outsourcing company” now charges between 20% and 50% of the ransom payment for their services and requires an upfront cryptocurrency deposit.

These ransomware consultant services help ransomware groups secure payments through time-tested negotiation tactics: 

  • Setting the initial demand at $0 to initiate contact with the victim
  • Identifying the victim’s weak points (finding particularly sensitive data to use in negotiations for leverage)
  • Calculating the cost for the victim to hire a cybersecurity firm and then using that to set a price that appears acceptable and ensures a more discreet outcome for the victim
  • Facilitating cryptocurrency payments and working around laws prohibiting ransomware payments, as intimated in Signature’s correspondences with evil_genius

The core reason that ransomware groups are looking for these types of services is that although they are proficient at gaining access to victims and encrypting data, they are less proficient at extorting victims for ransom payments.

Ransomware Actors Reveal Tools and Tactics

In the correspondence between Signature and evil_genius and the correspondence between Signature and UNKN, the actors go back and forth discussing the tools and tactics that they prefer to use once they have gained access to a victim network. As outlined in the chart below, Signature describes a fairly standard attack process for hackers: escalate user privileges, acquire credentials, gain access to domain administrator, use a private grabber to retrieve admin passwords, and deploy the software BloodHound to map out the network. The interesting aspect of the discussion arises from the specific tactics, timelines, and tools that the actors discuss for each step in the attack process.

Chart 2: The ransomware attack workflow and tools discussed by Signature and evil_genius. Bubbles marked with “e” indicate evil_genius’ suggestions and bubbles marked with “s” indicate Signature’s suggestions.

Signature points out that during the initial stage of the attack, it is critical to avoid encrypting basic users’ computers and to instead prioritize finding the large servers containing key information, such as AutoCAD schematics. Signature estimated that this step could take an experienced hacker 2-3 weeks to complete. Additionally, Signature states that the hackers must find all the subnetworks where system administrators typically hide backups, noting that it is particularly important to identify backups recorded on magnetic tapes. Ultimately, Signature indicated that ransomware groups and affiliates need a proficient hacker with network system administrator background to properly identify critical information on the network and all the backups that could be hidden in the subnetworks.

evil_genius indicated that they struggled with Symantec antivirus when trying to escalate privileges, because their malware did not have an EV code signing certificate. Notably, there are multiple services on the dark web that offer EV code signing certificates for any software. Signature pointed out that Zerologon could be used afterwards for privilege escalation in the network.

evil_genius claimed that during one of their recent ransomware attacks, they were able to monitor the actions taken by a prominent cybersecurity company to counteract their presence in the victim’s network.

To ensure that hackers are able to remain undetected in the victim network for “years”, Signature noted that hackers can add a modification to TeamViewer to create hidden connections through the use of hooks and process injects. evil_genius added that systems often have unpatched vulnerabilities that administrators neglect to patch, granting hackers the keys to remain in the system. 

Conclusion

The dispute on the dark web between Signature, UNKN, and evil_genius has offered an unusually open view into how the much-reported “professionalization” of ransomware has led to growth of adjacent services, including ransomware consultants and cybercriminal-side negotiators. With the recent public focus placed on ransomware in the light of the recent Colonial Pipeline attack, even dark web forums have reportedly attempted to distance themselves from ransomware groups in order to limit unwanted attention from law enforcement targeting ransomware groups. Within this context of lucrative ransomware payments but higher risks of legal repercussions and more robust ransomware remediation services, the services provided by ransomware consultants—from advising targets unlikely to provoke a strong reaction from national law enforcement to providing insight on how to exert greater pressure on victims—showcase the capacity of ransomware actors to continually evolve in the pursuit of profit.

This insight into ransomware teams’ strategies also highlights their vulnerabilities. Most strikingly, evil_genius expressed reluctance to launch ransomware attacks against large Taiwanese companies due to Taiwan’s strict anti-money laundering laws. While this has not completely protected Taiwanese companies from ransomware attacks, it demonstrates that even the most capable hackers find it impractical to target entities bound by laws that make them less likely to pay a ransom. A nation that seeks to deter ransomware attacks against companies or entities under its jurisdiction may find Taiwan a useful template for laws that disincentivize the most prolific threat actors on the dark web.

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

Ransomware criminal groups use specialists for negotiations or other aspects of the cybercriminals schemes. A dispute between a hacker gang and ransomware consultant reveals REvil's tactics specifically and ransomware TTPs in general.
%d bloggers like this: