August 5, 2021

It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation.

A rough timeline of major ransomware operations and their reputed links over time.

Reinvention is a basic survival skill in the cybercrime business. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.

Cybercriminal syndicates also perform similar disappearing acts whenever it suits them. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members — such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.

I put together the above graphic to illustrate some of the more notable ransom gang reinventions over the past five years. What it doesn’t show is what we already know about the cybercriminals behind many of these seemingly disparate ransomware groups, some of whom were pioneers in the ransomware space almost a decade ago. We’ll explore that more in the latter half of this story.

One of the more intriguing and recent revamps involves DarkSide, the group that extracted a $5 million ransom from Colonial Pipeline earlier this year, only to watch much of it get clawed back in an operation by the U.S. Department of Justice.

After acknowledging someone had also seized their Internet servers, DarkSide announced it was folding. But a little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks.

DarkSide’s demise roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack let REvil deploy ransomware to as many as 1,500 organizations that used Kaseya.

REvil demanded a whopping $70 million to release a universal decryptor for all victims of the Kaseya attack. Just days later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

A REvil ransom note.

Whether that conversation prompted actions is unclear. But REvil’s victim shaming blog would disappear from the dark web just four days later.

Mark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide.

But one thing is clear, Arena said: “Likely we will see them again unless they’ve been arrested.”

Likely, indeed. REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” GandCrab bragged.

And wouldn’t you know it: Researchers have found GandCrab shared key behaviors with Cerber, an early ransomware-as-a-service operation that stopped claiming new victims at roughly the same time that GandCrab came on the scene.

GOOD GRIEF

The past few months have been a busy time for ransomware groups looking to rebrand. BleepingComputer recently reported that the new “Grief” ransomware startup was just the latest paintjob of DoppelPaymer, a ransomware strain that shared most of its code with an earlier iteration from 2016 called BitPaymer.

All three of these ransom operations stem from a prolific cybercrime group known variously as TA505, “Indrik Spider” and (perhaps most memorably) Evil Corp. According to security firm CrowdStrike, Indrik Spider was formed in 2014 by former affiliates of the GameOver Zeus criminal network who internally referred to themselves as “The Business Club.”

The Business Club was a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide. In 2015, the FBI offered a standing $3 million bounty for information leading to the capture of the Business Club’s leader — Evgeniy Mikhailovich Bogachev. By the time the FBI put a price on his head, Bogachev’s Zeus trojan and later variants had been infecting computers for nearly a decade.

The alleged ZeuS Trojan author, Evgeniy Mikhaylovich Bogachev. Source: FBI

Bogachev was way ahead of his colleagues in pursuing ransomware. His Gameover Zeus Botnet was a peer-to-peer crime machine that infected between 500,000 and a million Microsoft Windows computers. Throughout 2013 and 2014, PCs infected with Gameover were seeded with Cryptolocker, an early, much-copied ransomware strain allegedly authored by Bogachev himself.

CrowdStrike notes that shortly after the group’s inception, Indrik Spider developed their own custom malware known as Dridex, which has emerged as a major vector for deploying malware that lays the groundwork for ransomware attacks.

“Early versions of Dridex were primitive, but over the years the malware became increasingly professional and sophisticated,” CrowdStrike researchers wrote. “In fact, Dridex operations were significant throughout 2015 and 2016, making it one of the most prevalent eCrime malware families.”

That CrowdStrike report was from July 2019. In April 2021, security experts at Check Point Software found Dridex was still the most prevalent malware (for the second month running). Mainly distributed via well-crafted phishing emails — such as a recent campaign that spoofed QuickBooks — Dridex often serves as the attacker’s initial foothold in company-wide ransomware attacks, Check Point said.

REBRANDING TO AVOID SANCTIONS

Another ransomware family tied to Evil Corp. and the Dridex gang is WastedLocker, which is the latest name of a ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5 million bounty on the head of Evil Corp., and the Treasury Department’s Office of Foreign Asset Control (OFAC) said it was prepared to impose hefty fines on anyone who paid a ransom to the cybercrime group.

Alleged Evil Corp leader Maksim “Aqua” Yakubets. Image: FBI

In early June 2021, researchers discovered the Dridex gang was once again trying to morph in an effort to evade U.S. sanctions. The drama began when the Babuk ransomware group announced in May that they were starting a new platform for data leak extortion, which was intended to appeal to ransomware groups that didn’t already have a blog where they can publicly shame victims into paying by gradually releasing stolen data.

On June 1, Babuk changed the name of its leaks site to payload[dot]bin, and began leaking victim data. Since then, multiple security experts have spotted what they believe is another version of WastedLocker dressed up as payload.bin-branded ransomware.

“Looks like EvilCorp is trying to pass off as Babuk this time,” wrote Fabian Wosar, chief technology officer at security firm Emsisoft. “As Babuk releases their PayloadBin leak portal, EvilCorp rebrands WastedLocker once again as PayloadBin in an attempt to trick victims into violating OFAC regulations.”

Experts are quick to point out that many cybercriminals involved in ransomware activity are affiliates of more than one distinct ransomware-as-a-service operation. In addition, it is common for a large number of affiliates to migrate to competing ransomware groups when their existing sponsor suddenly gets shut down.

All of the above would seem to suggest that the success of any strategy for countering the ransomware epidemic hinges heavily on the ability to disrupt or apprehend a relatively small number of cybercriminals who appear to wear many disguises.

Perhaps that’s why the Biden Administration said last month it was offering a $10 million reward for information that leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to trace and block cryptocurrency payments.

28 thoughts on “Ransomware Gangs and the Name Game Distraction”

  1. Miglen

    Great piece, I believe that efforts to deter ransomware gangs are in the early days, and vendors, specifically OS and storage vendors need to think about controls that would help users to protect as instead of spending millions of dollars later on when it’s already too late. I believe more in prevention, especially if agencies put more effort into educating the young tech talent looking for quick money while extorting and writing malware.

  2. StanleyManley

    “Organizational Reboots” I like it. In my legitimate working career I have undergone such changes in the business model. If the model does not work change it. rename it. Also, I am noticing the same happening on the other side of the mirror. Security providers are changing as well.

  3. BaliRob

    Brian, I have a very simple question to ask you because I am insufficiently qualified to understand the repercussions that might be damaging to innocent people….

    And that is – what is there to stop all governments from totally banning cyber currency like Bitcoin and the like?

    As you may remember I was one of Kryptolocker’s very first victims and for a few years now have proposed the banning of Crypto Currency on yours and other highly respectable security forums. To my knowledge NOBODY has ever replied to my posts NOBODY. Why do you think this could be?

    My last post covered the Chinese Government’s intention to ban Crypto Currency completely – I would never normally endorse anything emanating from the Chinese Peoples’ Republic but on that occasion I was of course 100% in support.

    I have always respected your pages and would love to hear what you think is the answer to the question posed in para 3.

    I think the obvious equation is NO Crypto Currency = NO RANSOMWARE QED – please tell me why I appear to be in the minority.

    1. WK

      “I think the obvious equation is NO Crypto Currency = NO RANSOMWARE QED – please tell me why I appear to be in the minority.”

      Ransomware was a thing before Bitcoin and it will still exist even if somehow all cryptocurrencies were banned and shut down. Cryptocurrencies are merely the easiest way to transfer the amounts of money extortionists ask for.

      Going after cryptocurrencies is at best attacking a symptom instead of the cause and at worst spending all your energy flailing at shadows while criminals continue with business as usual.

    2. BamaB

      This is not an unheard of idea. There have been a lot of articles about this, including in the WSJ after the Colonial attack. There are a number of problems with just banning crypto, though.

      For one thing, the total value of all crypto currency is about $1.5 trillion and most of that is Bitcoin and Ethereum. A lot of rich people have gotten richer by investing in crypto and a lot of new millionaires have been minted with its rise through legitimate means. If the US government suddenly said it was going to outlaw crypto the value would certainly tank and that could ripple through the economy in a number of potentially destructive ways. If there’s one thing people hate it’s messing with their money, so you can bet there would be a lot of political ramifications.

      Then there’s also the problem of how you would actually enforce such a ban. The decentralized nature of crypto currency makes this very difficult. Not every country is going to agree to such a ban and exchanges would either just go underground and/or move to countries that allow them. Millions of Americans own crypto currency, so you have to find a way to enforce the ban on an individual level also. Would it be smart to criminalize a significant portion of the population over night?

      You also have to consider if banning cryptocurrency would even make a difference in the ransomware problem. Even if you could actually stop all cryptocurrency transactions (which I don’t think is possible), then what’s to stop criminals from pivoting to other forms of receiving payment? Ransomware existed before any cryptocurrency did. An actual effective ban that eliminates 100% of crypto transactions might reduce ransomware, but I don’t think it would stop it. And then there are the unintended consequences.

      Plus, banning stuff is what tyrannical regimes do and probably shouldn’t be the go-to solution for democracies.

      Ultimately, unscrupulous but highly skilled people are going to focus their time and effort on things that offer the best return for that investment. Right now that’s ransomware, but if it became more profitable to commit identity theft, steal sensitive information, or steal IP then these same folks who are creating and distributing ransomware would probably just turn to those crimes and still reap huge financial rewards. It may take more effort and be more risky in some ways, but I think you’d just see the type of cybercrime shift from one category to another.

      I personally think that at this point cryptocurrency is doing more harm than good, but it’s probably too late to put the genie back in the bottle. I think the better and more realistic approach from the financial side to the problem is to ban insurance payments for ransomware. That would have a similar effect but probably fewer negative side effects.

      Ultimately, though, what we need is legislation that requires compliance with some sort of serious cybersecurity standard to ensure that critical infrastructure and services are doing what they should be to protect themselves from all sorts of attacks. This is going to be hard politically because it’s going to cost a lot of money, but it needs to happen before a major attack results in serious consequences up to and including people dying.

      1. JamminJ

        Thank you for the long and detailed response. I was thinking/drafting something similar, but glad you it.

        I do want to add a few points. You are right about crypto becoming a massive industry, with its own millionaires who now have the power to “lobby” governments to prevent any such ban. This is the nature of letting a new industry get too powerful. Now we can’t stop it.

        A similar thing happens whenever there is a new financial “product”. Not a real tangible product, but just something that can be bought and sold on a market. Remember when Mortgage Backed Securities were the new hotness? Bundled subprime mortgages were traded as if they were real products. The “derivatives” market is rife with these “products”.

        The problem happens when things are deregulated and the free market gets out of control with greed. Yes, millionaires are made quicker with these new derivatives and cryptocurrencies. But when you really think about how people “earn” money, and what “value” means. Wealth is created and destroyed virtually and near instantaneously. Like quarks popping in and out of existence. The economic concepts of trading real goods and services become meaningless, as money just begets money which begets money.

        It’s all just a new type of casino game. And I personally would not care if they tax it into oblivion.
        – –
        Of course whether by taxation, strict regulation, or a complete ban, the result will be a shift to an underground market. As you pointed out.

        But even so, it depends on the outcome we want and the price we’re willing to pay.
        Legislation and regulations are needed in the cryptocurrency markets.
        We could regulate and tax crypto exchanges so that dealing in the market becomes too much of a burden, and the perceived value crashes as a result. No, it would not STOP ransomware. But it certainly could reduce it down to levels below “epidemic”, which is what we are facing now.
        – –
        We also need to bring more private industry into the umbrella of what is considered “critical infrastructure”. Right now, much of what people think is critical, does NOT fall under that definition. Which means they aren’t held to the laws and regulations that do exist. This means funding the efforts to boost security of private industry too.

        1. BamaB

          Great point at the end, Colonial was a private company, but is obviously part critical infrastructure. I would say JBS falls into that category too. The problem with forcing private companies to comply with some sort of legislation around security is the cost, though. It’s expensive to implement robust cybersecurity in an environment where it has always been an afterthought, if it exists at all. Maybe expiring tax credits could be used to offset some of the burden.

          Government entities face the same problem, though. Earlier this year I did a lot of risk assessments for critical infrastructure owned by county and municipal governments in rural areas, and holy moly are they in bad shape. Two were doing a really good job on cybersecurity, but the vast majority were extremely vulnerable. None of these entities have onsite IT staff, they all utilized MSPs. They also have no money to put into cybersecurity without making big sacrifices elsewhere. It’s a Catch 22, if they invest in cybersecurity they have to cut other services, but if they don’t invest in cybersecurity and get attacked the resultant costs could be an order of magnitude higher than what it would have taken to put decent defenses in place.

          The infrastructure deals being considered now have $2 billion in federal money that could help these entities, but realistically I expect at least 50% of that money to be squandered by decision makers who don’t know what they are doing but are influenced by vendors with big promises. In the end, a couple of billion dollars spread among 85,000 county and municipal governments is chump change.

          1. JamminJ

            Yeah. No simple solution.
            Even more problematic is the idea of insurance paying out for ransomware victims.
            That was the whole point of cyber security insurance in the first place. So that smaller companies who could not afford to overhaul their security postures, could be willing to accept the risk that they might be attacked.
            On one hand it seems like we’re rewarding the criminals. But on the other hand, it’s a crucial tool for businesses who simply can’t have large sudden expenses for either complete security overhaul or a ransom payment.

      1. JamminJ

        The original FBI report includes a very important caveat that seems to get omitted in news articles focused on downplaying the ransomware epidemic.

        “Regarding ransomware adjusted losses, this number does not include estimates of lost business,
        time, wages, files, or equipment, or any third-party remediation services acquired by a victim. In
        some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low
        overall ransomware loss rate. Lastly, the number only represents what victims report to the FBI via
        the IC3 and does not account for victim direct reporting to FBI field offices/agents.”
        -FBI, Internet Crime Complaint Center (IC3), 2020 Internet Crime Report

        Wire fraud (whether initial compromise computer related or not) is nearly always reported through the FBI.
        While for most businesses attacked by ransomware, it’s still optional to even report it.

        With BEC wire fraud, the victims don’t have much choice. The major federal crime that was committed, was illegal transfer of money.
        With ransomware, the crime is computer intrusion and extortion. The money hasn’t changed hands yet. Very different class of crime. And the FBI recommends to NOT pay.
        Also with ransomware, the victim is coerced into sending money. Many think they are being complicit in the crime, and won’t report it. Often, the ransomware also threatens to release sensitive data, so victims feel pressure not to report incidents.

        So you cannot really say the “most expensive cyber threat” is not ransomware.
        There is a huge gap in the reporting for this particular type of crime, to this particular agency (through the IC3 division of the FBI).
        Ransomware is an epidemic and big reason is that we don’t really know the cost of this cyber threat.

  4. BaliRob

    Please alter the errors lines 1,2,3,4 = one para

    Spelling error – repercussions – line 3 above

  5. Ed

    Earlier celebrations about the recovery of extortion money (i.e. Colonial for example) were, to my mind, hollow and sad indications of the impotence of victims and law enforcement. Gutless enforcement doesn’t give anyone confidence this crime will ever be halted. Recovering “some money” is laughable since the cost of the investigative infrastructure alone plus the specific event’s investigative resources markedly outweighs the value of the $’s recovered. These are not crimes that can be deterred by the occasional financial loss to the criminal. Variable reinforcement schedules (i.e. the occasional clawback of some successfully traced, ill-gotten gains) do more to sustain the behavior than deter it. That’s criminology 101. There is only one way to bring it down: the nature of the response has to be decisively, permanently painful to the perpetrators and their investors.

    1. JamminJ

      They recovered $4 million out of $5 million.
      That’s not insignificant. That kind of victory SHOULD be celebrated.

      What is disappointing, is how rare it is to recover anything at all.

      1. Marina Teramond

        I absolutely agree with you. This is already a victory. Especially when you consider what a difficult financial period we are now in.

        1. smallchange

          Ransom itself makes little to no difference economically, trends matter.
          Attackers are not disincentivized. Beatings will continue unimpeded.

          1. mealy

            Rewarded, ransomed beating sure will. We need disclosure laws on this.
            If they’re going to be caught flatfooted and pay the footpad, document it.
            Let the free market do the rest.

  6. barely ablemann

    Most Excellent, Sir,
    I am going to forward this to my son-in-law who helps keep the servers running at several Amazon data centers. If he takes the time to read it, he may develop a much greater understanding of all the pieces in play in our ‘modern’ web-infused world.
    Personally I am more of an ignorant Luddite, unschooled and lacking in any real understanding of 99% of these matters. But I do see the writing on the wall. About 20 years ago while working with the Boy Scouts, it occurred to me that War was no longer necessary, or had moved to a new arena, and would be conducted in a much more ‘virtual’ way than we had previously imagined. As much as many of the boys were deeply into gaming, there did not seem to be a lot of focus on all the ways, many things online could go astray. Fast-forward to our current situation, my intuitions were not totally wrong.
    Since I think we delude ourselves into thinking that we are a lot more ‘modern’ than we really are, I guess we will keep on warring and preying on each other as we have always done. More’s the pity. But fore-warned is fore-armed, so I greatly appreciate all your efforts.
    I would also greatly appreciate seeing a list of the ‘good guys’, as far as it is possible. Sometime ago I discovered ‘BleepingComputer’, Bruce Schneier, You, and a few others I regard highly, and I would be interested in finding more ‘Lighthouses’ to follow for those of us who are just simple computer users, but do not really know much about all the possible contortions that go on. I did have to replace a credit card recently after someone tried to use it in Moscow, a city where I seldom visit, as in ‘never’. Thank you again, Mr. Krebs, for an outstanding analysis.

  7. Steve

    @BaliRob,
    Speaking for myself, I think any currency is the wrong long-term target. Digital currency is not inherently bad; it’s always what people do that is the problem, something I’m sure you realize. Look at all the crimes committed with normal currencies.
    True, digital ones have that secrecy feature but again I see it as the wrong target.
    If digital currencies were only used by criminals then OK, that could be an obvious target. But there are millions of non criminals that use it and for many it’s a lifesaver.
    One could argue that cars should not be allowed to go past 25 miles per hour as that’s when the survival odds when hitting a little girl and not killing her she has an 80% chance of survival while 80% odds of dying at 35 miles. Think of the millions of lives saved…
    Look at drug trafficking, per my own observations the majority of these guys get into it because they felt it was the only line of income they could get into. Clearly not all but when a few factors come together like broken education and not being allowed to contribute from an early age you set the stage which easily allows for the criminal mindset of no exchange.
    What has been suggested, by Brian I believe, is to monitor and jump on the clear transactional profiles that these crims have. They are quite unique and are a great filter to use when looking for these cats.
    Allowing ALL people to have the same opportunities is another important factor. Few people are only “suited” for a criminal career but when some people feel they are threatened by competition added to ignorance they sometimes try to hold down others and people start to subscribe to that idea, those who are suppressed will find some way out. Suppressing a normal urge will result in weird behavior. See the priest’s son who kills his rape victim because she was clearly “the devil” who made him commit the act. Meanwhile I believe you are as valuable as you can help others. Finding and using the right target is vital for any long-term success.

  8. Steve

    @Ed,
    Unfortunately punishment does not work too well, see the volume of people in prison. Education and compassion are the only path out. If you make a mistake helping the person through personal wins from honor and integrity, where the person regains respect for himself, which can be a long and slow road for some, is how you help a person out of the hole. Not throwing him into prison with nothing but degrading experiences is not the way out.
    When you live in a non caring society where everyone is individualized, unlike for example the native tribes where everyone is helping each other. (Minus the odd ones out that have been ever so present, but fortunately the few.) But of course when we came here in our ignorance we thought ourselves better because we were not barefoot and other ignorant concepts. Instead of learning the values of the locals we attacked them forcing them to fight back. The only reason we are still here is because there were many more of us than them. (Not suggesting that the native was the ideal society, but when a tribe raises the child you get a more balanced person, rather than left to his/her own through the transforming years.)
    Man needs to realize that we are all sitting on the same rock hurtling through space and have constant self education part of his long-term goals in life. How to better himself to be more able to help others would certainly increase our survival potential as a species, actually for all species. 🙂
    The eye for an eye idea is not a sustainable concept. Getting to the bottom and finding the real why’s is vital for a successful life.

  9. Petuna with Cat on head

    bylat cyka

    If LaChina James CCP is the future super power and super economy.. and they are banning crypto, watch out below for current digi coins.
    Until they develop their own CCP coin then they will support it to control everyone including all ransomware zero day hacks.

    1. Charlie Murphy...UNiTY!!!

      p.s.. yeah ccp has a crypto already, but just wait for the coming payloads and tracking attached to future versions and possible higher adaption saturation in china if successful. Goodbye small dumpling shop.. hello world buffet of gullible hackable noobs seeking security and profit over real freedom from the state.

      1. Navalny-ever-afraid

        “hello world buffet of gullible hackable noobs seeking security and profit over real freedom from the state.”
        Norton will keep the APT 29-400 out, if only we renew the subscription.
        Piss Norton off though..

  10. Bea

    So I knew a Sys Admin from Fife Scotland who was, in a former life, a coal miner. Back in the past miners in the UK went on strike and Russia (who were the Soviet Union back then) sent support for the miners and even sent some families on free vacations to resorts on the Baltic Sea. Those acts gained quite a few supporters for the Soviets and Russia, the Sys Admin in his youth being one.

    Russian foreign security forces personnel cultivated those ties and would later ask for any info the SA could give them about western networks and systems he had access to. He gave it to them.

    He was not and is not alone in giving them the support they needed. Wending your way through an attack, profiling targets, etc. can be difficult and it always helps to have a local in or familiar with the area/business you are targeting.

    The SA wasn’t a “spy” in the classical sense but he was certainly developed like one. And that is telling. Spy agencies tend to stick to tried and true methods for getting things done.

    And if anyone can reinvent themselves, Russians in former Soviet agencies and their proteges certainly can.

  11. Josep

    I agree with you. It is better to prevent by educating young people who are looking for quick money with malicious codes.

  12. DomainKeys Identified Mail (DKIM)

    This is exactly what I think. I agree with you. It is better to prevent by educating young people who are looking for quick money with malicious codes.
    Thanks for sharing a nice blog
