
The anatomy of a modern-day ransomware conglomerate

An emerging ransomware outfit builds on the affiliate model that's made malware such an annoying problem.

If school administrators, medical organizations and other crucial industries haven’t already had enough bad news over the past year, a new hacking group that relies on emerging techniques to extort its victims will supply more. 

What makes the pain even worse is that the group is using an innovative structure that’s becoming more common in the cybercrime underworld.

This ransomware gang, dubbed Egregor, in recent months appears to have hacked more than 130 targets, including schools, manufacturing firms, logistics companies and financial institutions, according to the U.K.-based security firm Sophos. Egregor works much like other strains of ransomware — holding data hostage until a victim pays a fee — though in some ways the group behind it also exemplifies the current state of the hacking economy. 

Rather than relying on lone hackers who mastermind massive data breaches, or dark web forums frequented only by Russian scammers, today’s cybercriminals function as part of a kind of cooperative shadow industry that rewards innovation and reputation. It’s like an informal professional network in Silicon Valley, only based on extorting schools rather than generating engagement.


“We’re seeing some of the same individuals who were active years ago still active now,” said Jason Passwaters, chief operating officer at the threat intelligence firm Intel 471. “They’re providing the same services they provided back then, it’s just that everybody is interdependent on each other.” 

Just as hundreds of people may be involved in the transportation of a Chiquita banana from its origin to a grocery store, security researchers suggest that dozens of individuals might be involved in a given data breach or digital extortion attempt. It’s not unique to the Egregor group. Hackers using the malware strains known as Conti, Thanos and SunCrypt, among others, also have deployed similarly cooperative techniques. 

It’s a style with roots in the mid-2000s, when a hacker using the name “slavik” released the Zeus malware, a banking trojan whose distribution helped accelerate what’s known now as the affiliate model. The FBI has identified a Russian man, Evgeniy Bogachev, as “slavik,” and has placed him on the bureau’s most wanted list. Bogachev’s Zeus malware is responsible for financial losses of more than $100 million, the FBI says, even as its creator has posed in ostentatious outfits in social media pictures. 

“It was the way he licensed the malware, in terms of the affiliate model and customer success,” Passwaters says now. “He would sell the malware as a service, rather than as a full malware, to multiple clients who would run it through a service platform.” 

A Russian man who stole more than 100 million usernames and passwords from LinkedIn and Formspring in 2012, for instance, immediately provided that data to another suspect who tried selling the data to a third party for €5,500, according to a U.S. indictment. U.S. charges against another accused cybercriminal, Maksim Yakubets, also say that Yakubets once told an associate that he “has two teams who worked with his malware and botnets and that each team has their own spammers.”


The increased specialization in cybercrime also appears to be a contributing factor in the growing size of ransomware demands. The average extortion payment was $178,254 in the second quarter of 2020, up 60% from the first quarter, according to the most recent numbers from Beazley, an insurance firm. That figure had already climbed by more than 100% since the first quarter of 2019, a period in which more hacking groups also began threatening to publish stolen data. 

Typically, this kind of nefarious supply chain starts with development of the malicious code itself, usually done either by an individual or a small group that specializes in programming hacking tools. The success of that code rests on combining it with a so-called crypter service, which encrypts or obfuscates the payload so that antivirus signatures no longer match it and the attackers avoid detection. 

Then hackers test the malware against a criminal counter-antivirus service, a scanner that runs the fresh sample against popular antivirus engines to check whether it slips past them, and which, unlike public multi-engine scanners, does not share the submitted sample with the vendors, according to Bob McArdle, a director of threat research at Trend Micro.

“That way, they know that before they even press play and send ransomware, it will work,” he said. 
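The crypter step described above has a cheap counter-check on the defender's side: an encrypted or packed payload looks close to uniformly random, which shows up as high Shannon entropy in the file's byte distribution. The script below is an added example written for this page, not code from the article or from Sophos, Trend Micro or Intel 471. The "crypter" it uses is a stand-in (a plain-text stub followed by the payload XORed with an xorshift32 keystream) constructed only so that the sample is reproducible offline; it is not a real cipher or any real crypter's output format, and the entropy threshold and window size are assumed tuning values.

```python
"""Entropy heuristic for spotting crypter output (added example, constructed samples)."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a perfectly
    uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy per fixed-size window, so an encrypted blob inside an otherwise
    ordinary file still stands out (a whole-file average would dilute it)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_crypted(data: bytes, threshold: float = 7.0,
                  window: int = 1024, min_windows: int = 2) -> bool:
    """Flag a blob when at least `min_windows` full windows exceed `threshold`.

    Caveat: legitimately compressed or encrypted content (zip archives, PNGs,
    DER-encoded certificates) scores high too, so treat this as a triage
    signal that earns the file a closer look, not as a verdict on its own."""
    windows = windowed_entropy(data, window)
    full = windows[:len(data) // window]  # drop the trailing partial window; it is small and noisy
    return sum(1 for e in full if e >= threshold) >= min_windows


def xorshift32_keystream(n: int, seed: int = 0x2545F491) -> bytes:
    """Deterministic pseudo-random bytes standing in for a crypter's keystream.
    Assumption for the example only: NOT a cipher, just a roughly uniform byte
    source so the sample reproduces offline."""
    x, out = seed, bytearray()
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])


def toy_crypt(payload: bytes) -> bytes:
    """Stand-in for what a crypter produces: a small plain stub that would
    decrypt and run the payload, followed by the payload XORed with the
    keystream. The layout is an assumption made for this example."""
    stub = b"stub: decrypt and jump to payload\x00".ljust(64, b"\x90")
    ks = xorshift32_keystream(len(payload))
    return stub + bytes(p ^ k for p, k in zip(payload, ks))


# Constructed "payload": repetitive code/text-like bytes, i.e. low entropy.
PLAIN_PAYLOAD = b"mov eax, 1\nint 0x80\n; ordinary text-like bytes\n" * 128
CRYPTED_SAMPLE = toy_crypt(PLAIN_PAYLOAD)


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_PAYLOAD), ("crypted", CRYPTED_SAMPLE)):
        ws = windowed_entropy(blob)
        print(f"{name:8s} max window entropy {max(ws):.2f}  flagged={looks_crypted(blob)}")
```

Run against the two constructed blobs, the plain payload stays far below the threshold while every full window of the "crypted" one sits near 8 bits per byte. In practice you would run the windowed check per PE section rather than over the whole file, and whitelist resource sections that are expected to hold compressed data.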

In many cases, the next step involves leasing access to a network already breached by another gang of attackers. That rental is usually the product of an entirely separate enterprise, in which scammers use a botnet or other means to steal usernames and passwords and then infiltrate a network belonging to, say, a bank or a manufacturing company. 


“They’ll triage all kinds of information available to understand if it’s a Fortune 500 firm or a mom-and-pop shop,” McArdle said. “Then you can get an administrator in there to actually deploy the ransomware tool and infect as many systems as you can.”

From there, the original hacking group may outsource work to another team. Some small shops specialize in ransomware negotiation, for example, and contract with other groups to provide a kind of black market customer support, and facilitate extortion payments while taking a cut along the way. 

The result is that, in some cases, one hacking group commissions another to breach a network, and then hires a third party to do much of the dirty work, McArdle said. 

“There are people who act almost as a call center for three or four ransomware groups and deal with customers of Conti, Ryuk and others,” he added. “That means everyone is taking a cut.”
