October 8, 2020

There’s an old adage in information security: “Every company gets penetration tested, whether or not they pay someone for the pleasure.” Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in. But judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today’s attackers have exactly zero trouble gaining that initial intrusion: The real challenge seems to be hiring enough people to help everyone profit from the access already gained.

One of the most common ways such access is monetized these days is through ransomware, which holds a victim’s data and/or computers hostage unless and until an extortion payment is made. But in most cases, there is a yawning gap of days, weeks or months between the initial intrusion and the deployment of ransomware within a victim organization.

That’s because it usually takes time and a good deal of effort for intruders to get from a single infected PC to seizing control over enough resources within the victim organization where it makes sense to launch the ransomware.

This includes pivoting from or converting a single compromised Microsoft Windows user account to an administrator account with greater privileges on the target network; the ability to sidestep and/or disable any security software; and gaining the access needed to disrupt or corrupt any data backup systems the victim firm may have.

Each day, millions of malware-laced emails are blasted out containing booby-trapped attachments. If the attachment is opened, the malicious document proceeds to quietly download additional malware and hacking tools to the victim machine (here’s one video example of a malicious Microsoft Office attachment from the malware sandbox service any.run). From there, the infected system will report home to a malware control server operated by the spammers who sent the missive.

At that point, control over the victim machine may be transferred or sold multiple times between different cybercriminals who specialize in exploiting such access. These folks are very often contractors who work with established ransomware groups, and who are paid a set percentage of any eventual ransom payments made by a victim company.

THE DOCTOR IS IN

Enter subcontractors like “Dr. Samuil,” a cybercriminal who has maintained a presence on more than a dozen top Russian-language cybercrime forums over the past 15 years. In a series of recent advertisements, Dr. Samuil says he’s eagerly hiring experienced people who are familiar with tools used by legitimate pentesters for exploiting access once inside of a target company — specifically, post-exploit frameworks like the closely-guarded Cobalt Strike.

“You will be regularly provided select accesses which were audited (these are about 10-15 accesses out of 100) and are worth a try,” Dr. Samuil wrote in one such help-wanted ad. “This helps everyone involved to save time. We also have private software that bypasses protection and provides for smooth performance.”

From other classified ads he posted in August and September 2020, it seems clear Dr. Samuil’s team has some kind of privileged access to financial data on targeted companies that gives them a better idea of how much cash the victim firm may have on hand to pay a ransom demand. To wit:

“There is huge insider information on the companies which we target, including information if there are tape drives and clouds (for example, Datto that is built to last, etc.), which significantly affects the scale of the conversion rate.

Requirements:
– experience with cloud storage, ESXi.
– experience with Active Directory.
– privilege escalation on accounts with limited rights.

* Serious level of insider information on the companies with which we work. There are proofs of large payments, but only for verified LEADs.
* There is also a private MEGA INSIDE , which I will not write about here in public, and it is only for experienced LEADs with their teams.
* We do not look at REVENUE / NET INCOME / Accountant reports, this is our MEGA INSIDE, in which we know exactly how much to confidently squeeze to the maximum in total.

According to cybersecurity firm Intel 471, Dr. Samuil’s ad is hardly unique, and there are several other seasoned cybercriminals who are customers of popular ransomware-as-a-service offerings that are hiring sub-contractors to farm out some of the grunt work.

“Within the cybercriminal underground, compromised accesses to organizations are readily bought, sold and traded,” Intel 471 CEO Mark Arena said. “A number of security professionals have previously sought to downplay the business impact cybercriminals can have to their organizations.”

“But because of the rapidly growing market for compromised accesses and the fact that these could be sold to anyone, organizations need to focus more on efforts to understand, detect and quickly respond to network compromises,” Arena continued. “That covers faster patching of the vulnerabilities that matter, ongoing detection and monitoring for criminal malware, and understanding the malware you are seeing in your environment, how it got there, and what it has or could have dropped subsequently.”

WHO IS DR. SAMUIL?

In conducting research for this story, KrebsOnSecurity learned that Dr. Samuil is the handle used by the proprietor of multi-vpn[.]biz, a long-running virtual private networking (VPN) service marketed to cybercriminals who are looking to anonymize and encrypt their online traffic by bouncing it through multiple servers around the globe.

Have a Coke and a Molotov cocktail. Image: twitter.com/multivpn

MultiVPN is the product of a company called Ruskod Networks Solutions (a.k.a. ruskod[.]net), which variously claims to be based in the offshore company havens of Belize and the Seychelles, but which appears to be run by a guy living in Russia.

The domain registration records for ruskod[.]net were long ago hidden by WHOIS privacy services. But according to Domaintools.com [an advertiser on this site], the original WHOIS records for the site from the mid-2000s indicate the domain was registered by a Sergey Rakityansky.

This is not an uncommon name in Russia or in many surrounding Eastern European nations. But a former business partner of MultiVPN who had a rather public falling out with Dr. Samuil in the cybercrime underground told KrebsOnSecurity that Rakityansky is indeed Dr. Samuil’s real surname, and that he is a 32- or 33-year-old currently living in Bryansk, a city located approximately 200 miles southwest of Moscow.

Neither Dr. Samuil nor MultiVPN have responded to requests for comment.


29 thoughts on “Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work

  1. JCitizen

    Maybe the “good” Dr. will go corporate soon; and who knows, be listed on an stock exchange somewhere, if not already! With the success of ransomware crime, I can certainly see it going big business! This article points to just how big it is getting to be.

    1. Hoop

      Ahhh, all he needs to do is change his title to “contractor” and market to governments, he’ll be listed on the SEC in no time.

    2. Jay Smith

      I think the ‘corporatization’ of crimeware groups and actors is becoming pretty standard. It already is huge business.

      As touched on by the article, you will see many of these groups, ransomware operators specifically, actively mitigating and offloading risk by proactively recruiting and developing talent. They provide associates/contractors, who are often fairly entry-level unskilled actors, the playbooks, tools, and knowledge (As noted above, sometimes specific insider knowledge), required to compromise organizations they would otherwise likely be unable to on their own.

      Additionally and related, many actors and groups are taking advantage of the *aaS economy by using specialization and automation to provide related service offerings in attempt to remove themselves from the actual crimes they enable and try to make themselves less attractive targets for investigators and LE.

      I honestly would not be surprised if some of them sought out and hired business consultants to try and optimize their processes.

    1. why

      its racisim to mention nationality criminal can be usa same as russian its not only russians !!

      1. Chris Holland

        Nah, it’s only racist if the offenders’ skin tones are of less than the pale persuasion. As well, of course, xenophobic, populist, ageist and everyotherist.

      2. Rob

        No, their nationality is a matter of fact. It’s racist to judge someone differently based on their race. Nobody is saying “they are Russians so they all hack” nor are they saying “They are hackers and so they are all Russian.” Every country has hackers, in this case, they are on Russian language forums and believed to be Russian.

        If it was happening on Nigerian language forums you could assume they were Nigerian. You might also assume they were black in that case because statistically that would be likely. What you can’t do is treat anyone differently because of a characteristic like their skin colour, nationality, sexual preference, religion, or total lack of understanding of things like this. ^^

      3. sergi tolstoy

        Racism – the direct reference to the racial/origin genetic makeup of a human in exploitation situation.

        Russian is not a race, but a ethnic variety of the caucasian race.

        Be accurate in posting

    2. Gary

      About a third of the internet runs on Nginx, which is basically Russian software.

  2. Gary

    Just a FYI on any.run. Unless you know what you are doing, I wouldn’t download suspicious files period end of story full stop. (Is that enough emphasis?) The only thing a casual end user should do is send suspicious links to virustotal.com. And that presumes you know how to copy a link from email without opening it.

    1. BrianKrebs Post author

      The point of the any.run link was to show a video of how an infected doc works in the background upon opening. I’m not suggesting people download malicious files.

      1. Gary

        I didn’t think you were suggesting it. But you can never caution people enough. Unless you are in a VM, don’t click on links you don’t trust.

        Other than some RBLs, I don’t filter my email much. I get a malware link about once a week based on virustotal.com. Most of the links I get are deemed phishing.

        The thing to note is not all the participants in virustotal.com agree. Usually when something is deemed malware, about half a dozen indicate this. So most antivirus will miss malware. This is why the best antivirus is between your ears.

  3. Dave Horsfall

    Another reason to wait before activating the ransomware is to give the infected software time to spread over all your backups, rendering them useless.

  4. Peter S. Shenkin

    This isn’t outsourcing. It’s pretty close to franchising, though.

  5. Robert Waters

    I came from corporate IT a decade ago but now have a senior in college and one in high school – which means I keep up on IT education. I hear little about how students are trained in this challenging cyber security realm. Does it begin in college – or simply on-the-job or in certification classes only?

  6. Fred Mora

    Interesting quote from Dr Samuil’s ad”

    “There is huge insider information on the companies which we target, including information if there are tape drives and clouds (for example, Datto that is built to last, etc.), which significantly affects the scale of the conversion rate.”

    So this ransomware provider sees Datto as a hard-to-beat backup method that hampers the efficiency of their attacks, to the point where it is a deterrent.

    This is good. It means that businesses that back up their machines (in a way that provide quick restore of the full system) are considered a bad “business prospect” for ransomware attackers.

    As long as juicy targets keep paying ransoms rather than investing in quick-restore solutions, ransomware will keep plaguing us.

    The lesson here is: Use a quick-restore backup solution such as Datto or tape libraries, make sure attackers can easily discover this as early as possible, and let them turn their attention to other, less-protected targets.

    1. mealy

      Good eye, that’s interesting – but also common sense stuff really.

  7. mark

    So much through email.

    There’s an amazingly simple answer that will kill most of the phishing: STOP READING YOUR EMAIL AS HTML!!! Insist that everyone use PLAIN TEXT email.

    Since I have always done this, I was amused a few years ago by the Important Email From the IRS, who were going to so me. For some odd reason, the “IRS” was sending email from Brazil (.br). In HTML view of email, you’d never see that.

    1. Steve

      That info is in the header, not in the message body. So it doesn’t matter whether you’re viewing it as HTML or plaintext. You just need to view the full header data.

    2. Malk

      Nobody will ever take so harsh a step backward as to enforce plaintext emails. Sanitizing email content URIs, however…

    1. BrianKrebs Post author

      It’s a historical record of a malicious file submitted to the any.run sandbox. It can’t harm your system. There is a video in the middle which you can click on and watch the infection process.

      1. Peter

        Ok I see! You can delete my comment below this one.

  8. Peter

    What happens if you click and download the different executable files in the app any run link you provided. It seems very suspicious.

  9. James

    Why doesn’t the article mention the specific forums where the Dr is posting?

  10. Letsfaced

    Let’s face the reallity?!
    The btc hackers ransome guys they Got a lot btc.. Now they need a lot Liquity… Right? Who it will be?
    USA investment Institutions

Comments are closed.