Podcast Summary
The Dangers of Online Scams and the Role of Threat Intelligence Analysts in Combating Cybercrime: Online scams are on the rise, and it is crucial to protect personal information and avoid sharing sensitive details on social media. Threat intelligence analysts play a vital role in tracking down malware and combating cybercrime.
The story of Gustavo and his friends, who used stolen identities and money laundering techniques to create fake driver accounts for rideshare and food delivery apps, is an example of the growing problem of online scams. It highlights the importance of being careful with personal information and not sharing sensitive details, such as driver's licenses, on social media. Threat intelligence analysts such as Will play a vital role in combating cybercrime and tracking down malware such as REvil, which evolved from another malware variant called GandCrab. GandCrab pioneered 'big game hunting', in which entire systems are held hostage until a ransom is paid to regain access.
The Rise of GandCrab and Big Game Hunting Criminals in Ransomware Attacks: Ransomware attacks are becoming more sophisticated and targeting larger organizations with higher payoffs. It is crucial to have strong security measures in place to prevent initial access and protect against ransomware attacks.
GandCrab was ransomware developed and deployed by a group of criminals that pioneered big game hunting. The group focused on infecting big companies and anyone else with a lot of money. They bought their way into company networks through initial access brokers. To set the ransom demand and choose which companies to hit, they used OSINT to pick out companies with a lot of money. Companies paid these ransoms hand over fist, which is how the group came to claim earnings of $2 billion. This highlights the importance of having strong security controls in place to stop the initial access and prevent ransomware attacks.
The Rise and Evolution of Ransomware as a Service by Cybercriminals: Cybercriminals have adapted to offering ransomware as a service with an emphasis on profit-sharing, while their recruitment efforts have become more sophisticated and their operations more difficult to shut down.
GandCrab, a ransomware group, made huge profits by offering ransomware as a service that let customers pay to infect a company with ransomware. GandCrab then took care of everything else, from collecting the money to handling decryption. They recruited Russian-speaking members from the same forums where they found their customers. It was difficult to stop cyber-criminals operating out of Russia because Russia doesn't seem to care too much about attacks on other countries. Eventually, GandCrab retired and reappeared as REvil with new and improved ransomware that was even more profitable. They focused on offering ransomware as a service that let criminals anywhere infect systems, with the ransom split between the group and whichever affiliate deployed it against that company.
How the REvil Ransomware Group Attacks Companies: The REvil Ransomware Group gains initial access to networks through vulnerabilities in servers, then wipes out backup servers and demands payment for data recovery. Having reliable security protocols and backups is crucial in preventing and recovering from ransomware attacks.
The REvil ransomware group exploits vulnerabilities in public-facing servers to gain an initial foothold inside networks, then performs reconnaissance, spreads across the network, and escalates privileges to domain administrator level. Once they have access to all the computers in the network, they deploy the ransomware and wait for payment from the victim company. They purposely wipe out the backup servers and leave no path for rebuilding so that the victim company has to pay the ransom for data recovery. Victim companies do pay to get things up and running again, because the cost of downtime and lost business is so high; a clear backup plan is crucial. Having backups and reliable security controls helps prevent ransomware attacks and recover from them.
The Unprecedented Methods and Tactics of the REvil Cyber-Gang: The REvil cyber-gang was more than just a typical ransomware group, engaging in double extortion, DDoS attacks, leaking and stealing data, and using fear and intimidation tactics. Companies needed to be prepared to negotiate and avoid negative consequences.
The REvil cyber-gang was ruthless in its tactics, which went beyond ransomware attacks to include stealing data and leaking it on Tor websites, double extortion, and DDoS attacks. They worked with affiliates to split the ransom and provided a complex decryption system. The cyber-gang leveraged fear and intimidation to extort companies and even left threatening voicemail messages. They were willing to damage businesses and release sensitive data to competitors and the media if demands were not met. Companies needed to negotiate to recover their data and avoid negative consequences. This behavior crossed the line from ransomware operation to street-gang intimidation.
The Dangerous Tactics of REvil Cyber-Gang: REvil, a financially motivated cyber-gang, utilizes a turnkey solution to target companies, escalate privileges, steal sensitive data, encrypt files, and demand ransom. Victims should take proactive cybersecurity measures to prevent such attacks.
REvil is a dangerous cyber-gang that targets companies and steals data. They offer a turnkey solution that makes it easy to commit crimes: they sell access to affiliates, who escalate privileges and steal more data before deploying REvil. They destroy backups and encrypt everything, then taunt the victim until the ransom is paid. The Texas government and GSM Law were among the victims of their attacks. REvil demanded a ransom of $2.3 million from the Texas government for attacking 22 different government entities, and $42 million from GSM Law for data stolen from the firm's clients, including Donald Trump. Though REvil is believed to operate out of Russia, they claim to be apolitical and are financially motivated criminals.
The Growing Threat of Ransomware and the Lucrative Business Behind It: Ransomware has become a lucrative way for cybercriminals to make money, with criminal groups making millions of dollars. Companies need to take the threat seriously and be prepared to deal with negotiations and money laundering tactics.
Ransomware has become a lucrative way for cybercriminals to make money by holding a network hostage and demanding large ransom payments in Bitcoin. Criminal groups like REvil and DarkSide have made millions of dollars from ransomware attacks, and other criminal groups like FIN7 have switched from robbing banks to the ransomware-as-a-service business. Because ransomware is such an easy way to make money, criminals are beginning to develop their own ransomware to avoid giving a cut to others. When companies pay ransoms in Bitcoin, the negotiation process can be a wild one, and criminals like REvil are good at laundering the money by converting it into untraceable Monero. Ransomware is a growing threat that companies need to take seriously.
The Role of Ransomware Negotiators in Cybersecurity: Ransomware negotiators assist companies in paying ransoms, but buying large amounts of Bitcoin can be challenging. Choosing a reputable and trustworthy negotiation firm is essential, and the JBS attack emphasizes the need for secure supply chain management.
Ransomware negotiation firms are experts in guiding companies through paying ransoms, buying cryptocurrency, and making sure all checks and balances are met. However, buying large amounts of Bitcoin can become a huge ordeal, as exchanges have daily limits and may raise red flags if they suspect the Bitcoin is being used for ransom payments. Ransomware negotiators keep track of the wallets and contact details of each ransomware group, and there are legitimate companies providing negotiation and payment services. However, some companies take advantage of the situation and charge higher fees. The JBS ransomware attack highlights the importance of securing the supply chain as critical infrastructure; the company paid the equivalent of $11 million in ransom.
The Rising Threats of Sophisticated and Costly Ransomware Attacks: Ransomware attacks are a growing threat to businesses and individuals, targeting their supply chains and demanding high ransom fees. Cyber insurance can cover the costs of such attacks, but proactive cyber protection measures are crucial to prevent them from happening.
Ransomware attacks are becoming more sophisticated and devastating, with cybercriminals targeting not just individual companies but also their supply chains and insurance companies. The latest attack by the REvil group on Kaseya and its customers impacted as many as 1,500 networks and resulted in one of the highest ransom demands in history. Cyber insurance is becoming increasingly important as it can cover the cost of both the ransom and the expensive cleanup and restoration process that follows. The US government is taking a stronger stance against such attacks and is investigating whether Russia was involved. As these attacks are not going away, companies and individuals alike need to be vigilant and proactive in protecting themselves against cyber threats.
Kaseya Collaborates with the FBI in Ransomware Attack: Collaborating with law enforcement agencies during a cyber attack can lead to faster resolution and recovery. The decision to contact the FBI or local authorities will depend on the severity and impact of the attack.
Kaseya didn't pay the ransom demanded by REvil, but called the FBI for assistance, who sprang right into action and provided their expertise and intelligence to help Kaseya and its customers. The FBI was able to obtain a decryption key that unlocked Kaseya's customers' data and strategized with interagency partners to help as many companies as possible, both by providing the key and by maximizing the government's impact on the adversaries. This case demonstrates the importance of working with law enforcement in situations like ransomware attacks and extortion. However, individuals may wonder what level of cyberattack warrants contacting the FBI rather than local authorities. The threshold and protocol for contacting law enforcement may depend on the severity and impact of the cybercrime.
FBI's decryption key and international cooperation lead to arrest of ransomware attacker: The FBI's successful arrest of a ransomware attacker highlights the importance of international collaboration in cybercrime investigations and the value of open-source intelligence in identifying perpetrators. However, reporting a computer problem to the FBI does not guarantee a response due to high volume.
The FBI was able to obtain a decryption key for the REvil ransomware attack, leading to the indictment and arrest of Yaroslav Vasinskyi, the alleged author of the malware. The arrest disrupted REvil, and the FBI also seized funds from another attacker. The FBI's success in this case highlights the importance of international cooperation in combating cybercrime, as most of the people involved with REvil were in Russia and cannot be easily prosecuted. Additionally, open-source intelligence (OSINT) played a significant role in identifying Vasinskyi and his associates. It's worth noting that if you've ever called the FBI with a computer problem, they are unlikely to get back to everyone who reports one, given the high volume of calls and problems they receive.
The Arrest of REvil Cyber-Gang: What It Signifies for the Future of Ransomware Attacks and Media Control: While holding cyber criminals accountable is important, caution must be exercised to ensure that the news cycle is not being manipulated for political gains. As other groups step up to fill the gap, investigating cyber-attacks will become more crucial.
The arrest of the REvil cyber-gang might not be what it seems, and could be an attempt by Russia to control the news cycle. Although Russian authorities claimed to have arrested the alleged criminals, it is unclear whether they were actually punished or whether the arrests were just a way to recruit them for the Russian government. This leaves a suspicious and uncertain future for ransomware gangs, as other groups like Evil Corp, Conti, and LockBit step up to fill the gap. It is important to continue investigating cyber-attacks and to hold criminals accountable, but it is also crucial to be aware of potential manipulation and control of the media narrative.