
Unveiling the Ransomware Ecosystem with Tammy Harper In this compelling episode, Jim is joined by Tammy Harper from Flair.io to re-air one of their most popular and insightful episodes. Dive into the intricate world of ransomware as Tammy, a seasoned...
A
Hi, it's Jim. This episode originally ran during the summer, but it's been one of our most popular episodes. So I thought I'd run it again this weekend. If you're listening to it for the first time, I think you're going to enjoy it. And even as a replay, I still think it's hellishly interesting and there's a lot of nuances and details you might pick up. David Shipley will be back with the regular news on Monday, and I'll be back in the news chair on Wednesday. Have a great weekend. So welcome to Cybersecurity Today. My guest today is Tammy Harper from Flare.io. You might have heard her on our Month in Review, where she's become a regular panelist. And part of that discussion that we had was, as we looked through the dark web and ransomware and all of those threats that we had, really, people don't have a chance to explore and find some of the basics of this and really get and see it. And probably for good reason. As I've pointed out, I really don't want you on your computer in my IT department exploring the dark web. I don't even want you doing it on your home computer. There are ways to do it. There are people who are trained at doing this. They take the appropriate precautions, and it's part of their job. So what we've done today is invited Tammy in to give us an introduction to the ransomware ecosystem, something she knows really well. This is one topic that we're going to do. I framed it with my favorite, for the old people out there, "Take a Walk on the Wild Side," for people who are Lou Reed fans. And if you're not a Lou Reed fan, Google it. So welcome, Tammy.
B
Thank you so much for having me back.
A
I've been looking forward to this. So we're going to go through. I'm going to let you make this presentation. I'm going to jump in and ask questions. As I've said before, I'm not afraid to ask dumb questions because I just like to find stuff out. So I'll let you walk us through this, and as we go through it, we're going to break this up into areas where we can ask questions. If you're listening to this and you have questions, please put them in the comments in the various places and we'll give you a little bit at the end. But add those comments and we'll come back and I'll make sure that Tammy answers those questions. We'll add them to an episode at a later date. So consider yourself involved. Welcome, Tammy. Take it away.
B
Thank you very much. So this is a presentation that I did for the Flare Academy, but this is something. And I made a new version just for your show. This is a very, very interesting topic, and the ransomware ecosystem is everywhere and it's a multi-billion dollar industry. So a little bit about myself. So I'm a senior threat intelligence researcher and certified dark web investigator at Flare. My job is to basically, as a researcher, I am a walking encyclopedia when it comes to ransomware, cybercrime, the underground economy, so how to crypto, anything like that. So it's my job to really stay on the bleeding edge of all that is what the threat actors are doing, all that is happening in the world in terms of cybercrime. And as a certified dark web investigator, I've learned the tools and the trade to conduct investigations on the dark web. So I know how to protect myself and to do things properly and to ensure the evidence is forensically viable. On a little bit more of a personal level, I'm a cat mom, I love photography, I am an astronomy nerd and a. I'm a huge techno head, so I love listening to techno music. That QR code there, it goes to my LinkedIn page. This is my only social media page and that's where I post all of my research. So you can follow me there. So I was thinking about starting a bit with some terminology, just to get a base foundation of what we're dealing with here and what we're going to be covering. So in the term of ransomware ecosystem, what is, what is this? What are we talking about? So this is a business platform, this is a business model and it really has a bunch of different things that happen. So ransomware as a service is built as an MLM. So it's a bit like a pyramid scheme where you have someone who offers the platform, they'll take usually an 80/20 cut of the total ransom. So let's say a ransom is a hundred thousand dollars. The affiliate will get 80%, usually the bigger chunk. So $80,000, and then 20% will go towards the developers, the maintainers, the admin of the group. Right. Of the provider of the platform. So then the affiliate has that $80,000. So what they have to do is then they have to launder that, but then they also have to pay off whoever they were dealing with, which is sometimes initial access brokers. So initial access brokers are these individuals that have a hyper specialization in providing access to corporate environments and enterprises or networks. And so they go around exploiting zero days on your VPNs, your edge devices, and essentially establishing persistence or a backdoor and selling that access to a ransomware affiliate, saying like, hey, I've got access to this company, it is based in the States. I've looked up their domain. It looks like they make about a hundred million of revenue a year. And I have domain level admin access. And the EDR or the antivirus in that environment is SentinelOne or Microsoft Defender. Right. So basically you could pay an individual like $5,000, $10,000 depending on the ease of access and how juicy and how profitable that return on investment could be. It's all speculation. And so you could pay up to $5,000 for an access like that. And so then that's your cut. So then like 75, go like you're now at 75 and it goes down.
A
Can I stop you there? And if you're going to answer this later, let me know. But I always talk about, we talk about initial access brokers, but there's so many passwords and usernames that are just out there. What is special about what they do?
B
So initial access brokers are the ones that are going to get into usually the bigger, more juicy environments that don't have credentials leaked everywhere. Right. So leaked credentials is a massive issue. It happens all the time. Like Snowflake was, was one, was potentially linked to leaked credentials. But also we're seeing ransomware operators, because everybody has access to the leaked credentials. Right. So there's a chance that these leaked credentials have already been used, that have already been changed. So what these initial access brokers do, they can almost guarantee that the access is fresh and has never been sold to anyone. And that only one hand will get them. The one hand is a concept that is, that is said a lot on the, on the dark web, means basically only one person is going to get access to this. This is an exclusive sale. Sometimes you'll see I'm doing two hands or three hands. So that's like three sales, three individuals or three teams will have access to it. So there's a difference. And initial access brokers usually have better access.
A
No. Great, thanks.
B
Yeah, so then we'll go a little bit further into it. But basically most of the models nowadays feature around double extortion. And double extortion is essentially the first level of extortion is encryption and then the second level is exfiltration. And now we're seeing triple extortion, quadruple extortion. And essentially those are levels anything above double extortion. So if you're doing like double extortion plus a DDoS attack, the DDoS would be a triple extortion. If you're going to be notifying regulatory bodies, that's a triple extortion. So these are the blogs that the threat actors use to shame their victims. And this is like probably one of the cornerstones of the whole business model. And this is something that a lot of victims will get featured on. And this is one of the most public ways that people will interact with ransomware operators, through the blog. Like Lockbit had a famous one, REvil had a famous one. Most ransomware operations have a very famous one. And this is where you'll see all the victims. Right now there are free tools out there, essentially free and open source tools, that monitor these leak sites. So for example, RansomLook is one of them. And so you can basically go on that open source project and see every single victim that gets published. Now the builder is something that the ransomware operators will create that basically allows them to create the encryptor and the decryptor pair. And this allows. So I would take the encryptor, encrypt the network, and I have the decryptor that is paired with the encryptor to decrypt it afterwards. Now you want to, you don't want to lose that decryptor because that's okay.
A
Hang on. Two things. First I'm going to just jump back and just make a note for everybody. I'm going to push you to give me links for any of these places you've mentioned. So they'll be posted in the show notes or underneath in the show notes on YouTube. So relax.
B
Yeah, no worries. So the dedicated leak site is basically where the threat actors will shame the victims of their attacks. So for example, Lockbit had a very famous one and REvil had a very famous one where it was called Happy Blog. And essentially what happens is, is that they're going to post the name of the victims, they're going to say like we attacked you, we have your data. And then there's usually like a countdown to continue the pressure of you need to pay the ransom or else we are going to leak all of your data or we're going to delete the decryptor and you won't be able to recover your data. So depending if it's a single or double extortion, a lot of this is done on this public facing forum of shaming you publicly into capitulating with our demands. It's a very unique aspect to ransomware. With the pseudo anonymity of ransomware, you need to have that calling card and that ransom note because it builds legitimacy, it builds notoriety, it builds a threat. And if you don't follow through on your actions and on your threats, then people won't take you seriously.
A
And you can see them.
B
They're on the dark web. So these are done through Tor and mostly through onions. Yeah, onion websites.
A
And we can give a quick. I'm sure most people know that, but we'll give a quick explanation of what that, that really means throughout the presentation, I'm sure. But how does everybody know about it then? Because everybody seems to know when somebody hits one of these sites and they've been hacked, how do you find that out?
B
So it's usually through these. I work on a very famous and popular dark web monitoring service called RansomLook. And what that does is it basically scrapes all of these dedicated leak sites. We're currently tracking like 473 across 2,000 unique onions. What we do with that is we put them onto, the notification goes on the ransomlook.io website and everybody can see which companies are getting hit in a live sense, like RansomLook updates every 15 minutes. So it's basically. And the research portion of it is me, because there's no Google of the dark web. You have to infiltrate these groups, you have to be part of the community to see the latest groups that are popping up. And so that we can import these onions into RansomLook so that you can basically have the latest information. So it's. We're always looking for the newest and latest groups.
A
Wow, cool.
B
Yeah, it's really, really something. I want to talk about the, the history of ransomware. And so ransomware is really not a new concept. Locking a system and encrypting data has not really been a new concept. In 1989, you had the AIDS Trojan. This was the first augmented ransomware attack and was created by Joseph Popp. He was a biologist working for the World Health Organization. And he distributed this malware on floppy disks to people who attended the AIDS conference in New York. Essentially what that did is, is that this was to bring attention to the AIDS crisis that was happening at the time. And basically this was. This would lock your system up. And so this was like hacktivism. Now we can see the evolution of this. In 2005 and 2006, you had GPCode, you had Archiveus, you had Krotten. So these were examples of early file encrypting malware. But they really lacked like strong encryption. So they used like RC4, they used some very rudimentary encryption mechanisms. So they were quickly reverse engineered. Things they did were like, they changed your desktop, they encrypted your files. So this has been around since like 2005.
A
But then I remember mailing off for our first floppy disk we had, we had to get it delivered by courier, a floppy disk with apparently the remedy for a virus that we had on our systems. It was amazing.
B
I remember when growing up, I had live CDs of Linux distros. And so I would basically boot up into Knoppix or Ubuntu and basically try to install from there and use that. So that was definitely something that was crazy. And then, for example, 2013, 2015, we saw the early rise of RaaS, like ransomware as a service, so things started to shape up now and people started, started to say like, hey, how can we monetize this a little bit more? Because back then it was, I'm going to send to my victim, one victim, I'm going to send my entire ransomware payload and hopefully they click on it and then it would encrypt their device. It was effective, but it was not efficient is what I meant to say. But then in 2016 you started to see people considering this a little bit more and refining the process a little bit more. And the affiliate model really started to pop up in around 2016. And so this is where, for example, Satan RaaS came out and essentially allowed people to download their encryptors and to organize their payments and their ransom negotiations on a panel on the dark web on onions. And so this was all being controlled from a web panel and this was all the way back in 2016, and we're still seeing that today. And in 2017, Cerber, which we still see source code of today in variants today, really started to shape up. And this is where we saw Cerber was distributed via exploit kits and spam and had basically ransom notes innovation features. And Philadelphia RaaS, which was another one, basically was delivered through malicious YouTube ads, advertisements or links on YouTube. So you click on it and you would basically download something because you saw that, oh, it's cracked software, for example, but it was ransomware. So. And then in 2017, we have to talk about the massive WannaCry attack that happened on the UK's NHS and how that changed the game. And because this was one of the first wormable ransomware where it spread because of the EternalBlue exploit. And it just kept spreading and spreading and spreading. Luckily, there was a kill switch in the source code and essentially this was discovered and shut down. When someone registered the domain for a kill switch, it was like this random string of letters and numbers and ended in like dot com, for example. And once that was registered, the malware basically stopped spreading. In 2018, 2019, we saw like GandCrab and REvil pop up. So this is right before the pandemic, and this is where they started treating this as a really, as a business model. So you had like support networks affiliated to it. And this, for example, REvil was one of the first ones to offer like a 70% split on attacks. And so really taking, making sure that the affiliates were getting paid the most. This really motivated people to start using this. Because if I get a ransom of $100,000, I'm making $70,000 now on this. So it really motivated people to start.
A
Conducting attacks. And did this sort of, the big growth of this, was this the fact that these groups, I guess, are protected or hidden in some way so that they're able to launder the money or at least take care of payment? Because that always seems to be the thing about ransomware. Until we had encryption, until we had some distancing and some safety, you can't. Yeah, I can encrypt somebody's site, but I'm not. What are they going to do, phone Jim and send the money to my bank account? I mean, that, that payment structure must have really enabled this. Is that how these groups started developing?
B
Yeah, so the ability to receive crypto payments is what really started to change everything. So coin payments. Because the way I see crypto, there's. Crypto is just a vessel and a means of transferring value. It's not necessarily a bad thing. Crypto is not a scam in itself or anything like that. It's not malicious in itself. It's not negative. It's just a means of trans, transferring value. And so when you have the ability to transfer in a pseudo anonymous way money from the average Joe or from the average company to somewhere in like Eastern bloc, ex-Soviet countries, like, and then they had the ability to go to an exchange and cash out. This changed the game because now you're not using, you're not going through the regulated financial systems, but you're basically going through the blockchain, which allows anybody to really monetize this. So that was a huge, huge reason why we started to see this evolution. And just also the refinement, people putting thought into this more. Now when the pandemic happened, this exploded, everything exploded. And this is where we saw, for example in 2020 we saw Maze, which is a ransomware, Maze ransomware. And Maze really pioneered the double extortion because at that point everyone was just encrypting the data. But Maze basically said, we're going to encrypt and steal the data. So you have to pay to basically pay us to not leak your data and pay us to decrypt your data. So this was our big moneymaker for Maze. And essentially after that it just started to steamroll from there. You saw in 2022, Lockbit really started to make headwinds from their 2.0 to their 3.0 variations. They became the biggest group out there, basically delivering a hundred, like hundreds of victims a week. They were extremely, extremely effective. Conti in 2022 shut down. And we're going to talk a lot about Conti in a bit. But Conti shut down because they sided with Russia. And this is when the, in 2022, this is when Russia started attacking Ukraine. And in 2023 this is when we saw BlackCat or ALPHV and also Play and other RaaS fragmentation start to happen. So we started seeing more and more groups popping up in 2023, and in 2024 this is where law enforcement started to fight back more and we started to see more takedowns. And specifically we saw Lockbit get taken down by Operation Cronos. Lockbit had been around since 2019. They've been around for almost five years at that time. But basically they went for a doxing of the administrator and that's how they were able to disrupt Lockbit. Because seizing infrastructure is one thing, but if you can discredit the administrator, nobody wants to conduct business with you if you're completely out in the open anymore. So where does that bring us today? That essentially now RaaS or ransomware as a service is completely decentralized. It's no longer just like the old guard, the ex-Contis, the ex-REvil guys, like working on the latest and greatest. Now anybody can be part of it, especially with AI. Like you can basically leverage AI or leverage the leaked source code. Like Lockbit has leaked source code, VanHelsing has leaked source code, to create your own full blown operation. And also now you see a lot of cross pollination with infostealers, brokers, access markets. Like all these forums now are supplying the ransomware ecosystem. They're all working in tandem together. So let's take a deeper dive into what these groups look like. And like, we have to talk about Conti.
A
Absolutely.
B
Because Conti is what really started everything and how everything is based off of Conti nowadays. So Conti started around December of 2019, all the way until mid-2022. They were also purely Russian speaking and their predecessor was Ryuk, which was just a ransomware. Conti is considered the spiritual frontrunner of Ryuk. They really operated as a corporate structure. What's fascinating is that when Conti has. Because Conti has suffered a devastating leak at the end in 2022. And essentially what happened was that someone, a researcher from Ukraine, leaked all of their internal communications. And this showed that they were really structured like a business. So they had HR, they had payroll, they had recruitments, they had tech support, they had managers. It was really, really well structured. And they're responsible for over a thousand attacks globally.
A
A friend of mine got hit through that time and his comment was, he's a CIO from another organization. His comment was, I wish my help desk was as efficient. Yeah, I don't think people realize just how well set up they were. I mean, we all got the leak and we heard about it, but I don't think we realized just how effective this organization was.
B
Yeah, absolutely. And they made over $150 million in crypto. And that's what like what we were able to trace and what we know of and some of their famous victims is like Ireland's HSE or even the Costa Rican government and plus hundreds and hundreds of U.S. organizations. So they were hitting everyone, especially European and American institutions. So as I mentioned, the Conti was basically attacked. Well, not attacked, but an insider leaked a bunch of documents. They were making so much money that they were able to pay salaries, monthly salaries for core members. And so this ranged like up to $2,000 USD per month. And in some of these countries that some of these users were based. This is a lot of money, right? And a lot of individuals were joining this because this is one of the ways to make the most money. Right. I know it's a crime that they were committing, but in these parts of the world, sometimes this is the only choice you have. And they know it's illegal, they know it's a crime, but sometimes you don't have a choice. And so this was the best that there was. And so they were making, they were offering to pay a lot of money to these individuals so that you could work with them.
A
We think when we don't pay attention to other economies in the world. And if we devastate these other small countries, that it has no impact on us. One thing it does is it drives people to desperate situations to feed their families. And this is just one area of crime that becomes part of that. And I think that's something that we all have to be aware of, that we're part. There's no borders anymore. You can't insulate yourself.
B
Absolutely. It's exactly what happens here. And, and we see this in the even more recent leaks, like the Black Basta leak, where they hired this Pakistani individual and he was working for 20 a day, sorry, $20 a week. And he's trying to feed his. His family and his wife was pregnant. So what I want us to also, like, if you're on the. The YouTube stream here, this I'm showing right now, basically a layout of what the Conti Group looked like because it spans over the years. It spans so much. And everything came out of it. You had a bunch of different types of ransomware operations that came out. And when Conti shuttered its doors, it split up into three teams. Conti Team 1, Conti Team 2, and Conti Team 3, which are still in operation today. This goes all the way to like, for example, Chaos Ransomware. This is the latest group that is still in. You can trace back the lineage to Conti. But how did this. This is like the business model that we were just talking about. But let's dive into now how they were able to technically succeed in this environment.
A
If you're watching this on YouTube, you can see it. If you're listening to this as part of the podcast, you can't see it, but we will post some links so that you can get copies of these. But essentially what you've shown here is Conti gave birth to almost everybody that. That is hitting us. There's a common name on your slide here. They've split off into all of these different groups, fractured out to really start. Most of the other groups that we have is that. Did I get that correctly?
B
Exactly, exactly. They started like, we're going to get to it in a bit, but they basically spun off into Royal, Zeon, Quantum, BlackSuit, and then parts of it into Black Basta and now Chaos. These are all like huge, huge names. Black Basta, if you're in Canada, was the group that hit the Toronto Public Library. And so they're very, very much still active and hitting everyone today. For example, Wazawaka, Mikhail Matveev, he is a mercenary. He worked with everyone. He worked with Lockbit, he worked with ALPHV, he worked with Conti. Like these are all, they're all sharing affiliates, they're all sharing tools, they're all sharing like tactics and techniques and procedures. They all know each other, right? Some of them hate each other, but they all know of each other. They're all connected.
A
And is it too early to ask how they operate? You know who some of them are? We know who some of them are. How do they stay safe?
B
So a lot of the times they are located in non-extradition countries, mainly Russia. So essentially they can't leave Russia anymore. And if they do, they have to go to other countries that don't have extradition to the United States or to the European Union. Because I was traveling in Germany and I was heading to Canada, and when I was going through passport control they had wanted posters of a bunch of different people, like drugs, human trafficking, and of course they had a bunch of Conti guys. Like they had wanted posters up for Conti guys. It was so funny because I was like, hey, I know this guy, I know of this guy. And. And they were like, do you know him? And I was like, well, not know him.
A
Watch what you said. Especially in today's world, right?
B
So I had to clear up a little bit of a misunderstanding there. But yes, I wanted to take a picture of the wanted poster and they basically allowed me to do that. But I, I was like, hey, I know this person. Wrong choice of words. But yes, phrasing very important. So I just wanna get back into it and talk about like Emotet, TrickBot and IcedID, because these are the tools of the trade that allowed Conti to. Because they designed these tools and it allowed them to first of all gain access to the network and then also to conduct a post exploitation framework to continue and persist in conducting their attacks once they were inside of the network. So the first one that we talk about is Emotet. So Emotet was delivered by spam and this was like a trojan. And essentially what it was is that it deployed TrickBot and from there Conti was able to connect to TrickBot and conduct their attacks. Emotet was very spread like a worm. It basically spread through Outlook and it used polymorphic code to evade antiviruses and it was able to constantly change itself so that signature based detection was completely useless against it. You had to look at heuristics and like kill chain analysis to really figure out if this was Emotet, and Emotet has been disrupted many times by law enforcement, and in 2023 it sort of had a little bit of a revival and it's still kicking around a little bit. Then we have IcedID or BokBot. And so this is what Emotet dropped. And this was really. Or you could also just drop IcedID on itself. And this was mainly a banking Trojan, a loader. And essentially what it was is that it was way more surgical than Emotet. It helped once you were inside of the network, it helped you pivot into Active Directory environments, so you were able to directly go to the domain controller and conduct your attacks. It had privilege escalation and lateral movement. It had a whole bunch of really, really fancy features. This was given to mid tier and above affiliates that were part of Conti, because this was such a good tool. This was part of the toolkit that Conti would give to its affiliates to conduct these attacks.
A
The first one's a distribution method. The second one is the attacker.
B
It could also be used as a distribution method if you needed to. This was the main one. IcedID was the main one. But if IcedID got picked up, you could basically wrap it in Emotet. And because Emotet was more evasive, you could hopefully get the Emotet in and then it would drop IcedID. They had a lot of different tools. And then of course, TrickBot. Now TrickBot was essentially this post exfiltration tool. This acted a lot like Cobalt Strike. Essentially. This was able to dump credentials, it was able to map out networks. Once you get into this network, you need tools to work, right. TrickBot allowed them to come in with a little bit of a tool belt. It allowed them to dump Mimikatz and to dump the hashes to pivot, to basically start working directly from TrickBot. Nowadays we see most people use, like Cobalt Strike, but this is before Cobalt Strike was a thing, and we saw everyone was using TrickBot back then.
A
But this is a set of tools that allows you to do the things that. Because I'm always amazed at how people can move laterally through networks. They can do these things. It's not. I'm not. I'm not the world's greatest network technician. I'm not. But I'm no idiot, but I would. I'm just amazed at how fast people can move through networks, how they can negotiate their way around. And are they using these tool sets to do that?
B
Well, nowadays they're using Brute Ratel or Cobalt.
A
Strike or the evolution of these, but basically, yeah, the foundation kit that would have gone out initially.
B
Exactly. This is what we're seeing now. Everyone's using this or they're using custom tools. Like there's a new tool by a group called Global that just came out and it's called. I wrote a piece about it on my LinkedIn page. It's called Kylo Ren, from Star Wars. And essentially this is like a reinvented version of TrickBot, because they don't want to use Cobalt Strike. So they're basically saying like, hey, we're going to build our own. So a lot of groups now are trying to go back to their roots and building these modular Trojans and post exploitation tools, because everyone knows now that there's Cobalt Strike. So essentially the whole framework was initial access brokers deployed Emotet and IcedID via phishing, the malware installs the loader, for example TrickBot. And then the affiliates would do reconnaissance, move laterally. They would deploy Mimikatz, do a Cobalt Strike, and from there they would essentially dump the credentials, brute force them, or do some form of Kerberoasting and then gain access to the domain controller. And then they would pass it off to the main Conti core team. And from there Conti would deploy the ransomware and exfiltrate the data. So in five steps, everything was done. And this would usually last, back then, in 2019-2022, this would probably take about a month or two. But now, nowadays everything is so much faster. We're seeing now people essentially conducting attacks in a week. So it's very, very fast now.
A
Sorry to keep interrupting you, but I'm just always fascinated by this. At one time people would hang around, we'd hear that they'd hang around in networks forever and do their reconnaissance. Are you saying that things have speeded up now or they, they just. Is there a difference in terms of attacks?
B
So nowadays they're, they're not hanging around networks forever. The. Because EDRs have gotten better and they don't want to risk getting kicked out. So now attacks are getting conducted way, way, way faster. We see people essentially get into a network in a week and by the end of the week they're done. They've. Because the tools and the process, everything has been refined so much. Right. So they're basically getting in, getting out. Yeah. So I'm going to talk a little bit about the Conti leaks. So the Conti really started to see the cracks in the Ras empire. And so this happened in February of 2022. Conti publicly declared support for Russia after the Ukrainian invasion in 2022. And then the Ukrainian aligned insiders leaked all of Conti's internal jabber chats. This is where we were, like I said before, we were able to see that they were organizing a company and how much people were making. And then In May of 2022, Conti announced their shutdowns and. And in June of 2022, the final known Conti ransomware payload was deployed to attack the Costa Rica government. Conti's leak was substantial. It was 60,000 internal jabber chats. It really showed everything, their names, their aliases, their handles, their emails, and also where they operated from. Because a lot of it was, hey, I'm going to the office. And then they were basically describing their environment, which allowed people to figure out who was who. So it really was what spawned all the teams to go out. And we now can see where the evolution came from. So essentially now from there, from Conti, we had Black Basta, we had Karakurt, Royal and Black Suit, Quantum. Everyone's coming out of this now. And like groups all had their specialties. Like Karakurt was really focused on extortion only like exfiltration, Black Basta as well. But they also had their own payload. They maintained like these two really maintain a low profile and were really had a very high victim volume count. 
And then you had like Royal and Black Suit, like they were more polished, they were very aggressive and went for high victim count. But nowadays, because this is all the ex-Conti guys, new players were coming into the arena. And so one of them is called Lockbit, which we briefly discussed a little earlier. And so they were the Red Princes. And they were not necessarily affiliated with Conti, but they were definitely known by Conti. And it's also important to say that during this time there was a codename Wizard Spider. This is a codename given by CrowdStrike that this group like Lockbit was trying, was trying to organize a cartel. They basically got approached by ransom cartel back in the day. This was a group trying to organize like Conti together, Lockbit together, REvil together. And they were trying to basically say like, hey, like the Sinaloa cartel in Mexico saying like, hey, we can organize something together and we can all work to benefit each other. This ransom cartel did not last very long. Lockbit was seen as a problem child and essentially did not want to collaborate with them anymore. It was very, very short lived. It only lasted a couple of months, but they were still able to pull off some attacks together. So in looking at what it looked like, Lockbit had connections to a bunch of what Conti was connected to. Right? They were connected to the Conti teams, the Storm 0506 and the financially motivated groups like FIN7, which is also related to Cl0p. Goal ish is one of the malvertisement campaigns that they were really behind too. So these groups are very, very well known. So Lockbit was around from 2019 to 2024. Again, Russian speaking, they began as ABCD ransomware. And one of the things that really made them stand apart from the rest of the competition at the time was that it had one of the fastest lockers and a really strong affiliate support and slick marketing.
And by slick marketing, I mean they were paying affiliates, not affiliates, but they were paying forum users or just users a thousand US dollars to tattoo themselves with their Lockbit logo on their bodies. So this really. And they were also doing writing contests and. Oh, and they had like a bug bounty program. They attacked Boeing, Royal Mail, the city of Oakland, SickKids in Canada, the California Department of Finance. Like you name it, they were attacking. They were the biggest ones at the time. And they were really known for using the same thing. IcedID. Everybody shared tools in this space, right? Why reinvent the wheel when you can just, if you all know each other? And so they really conducted these types of attacks. One thing that's really interesting is Lockbit really tried to explore with triple extortion. So they would encrypt the data, steal the data. They would DDoS people, call the affiliates, sometimes would call the companies to harass them into paying it. And this is something that's becoming more and more popular, even Qilin right now, essentially setting up call centers to look through the data and attack these victims. Now. So this is something that's fascinating. Now we have something because Lockbit was so popular and there was some affiliates started to basically be creating these smaller subgroups within Lockbit. One of them was called the National Hazard Agency, or NHA. This, this was a group that was spearheaded and commanded, if you want to say, by a user called Bassterlord or FishEye. Bassterlord grew up in Luhansk, Ukraine during wartime poverty, worked as a freelance designer and later was recruited into cybercrime and started National Hazard Agency. He wanted to help his mother, who was very sick at the time. And this was his motivation to pay for her healthcare. And so he had somewhat noble intentions, but he was still committing crimes to get this done. And it really shows, like you mentioned, Jim, this is people's lives.
And sometimes if they're desperate, they will do desperate things. Bassterlord has since retired and was able to walk away with a couple million dollars. So it's a fascinating story with these individuals. Bassterlord has a really big environment. He was very, very active for a few years. He was part of REvil, he worked with Avaddon, and in 2021 he published the first ransomware manual. This is basically a manual of how to conduct attacks. And this manual sold for thousands of dollars. And in December of 2022 he released a volume two. And volume two was, when it first came out, was going up for $10,000. And it basically was, you got to spend money to make money, and was how to deploy the latest zero days. And it was an entire training manual on how to conduct these attacks. And this was the manual that was given to Lockbit affiliates. And because he was part of Lockbit, in March of 2023, this became part of the repertoire and training material for Lockbit and like the onboarding material for Lockbit. So a lot of these individuals work really hard on these things. I have a copy of these manuals and if you really want one, reach out to me on LinkedIn and I will happily give you a copy of it for research purposes, of course. And it covered everything. It covered the Masscan 40 gate scanners, EternalBlue, Zerologon abuse, how to deploy Mimikatz. This is better than some SANS courses in some aspects.
A
This is a lot of work. I mean you put a lot of time and work into this.
B
And everything was written in Russian too. Yeah.
A
And have you seen these? So obviously, I mean, are these used in training now for defender training? Are they?
B
I hope so. I am writing a ten-piece on this now and it's going to be really, really interesting to see how people react to this because a lot of the data information, especially in volume one, is dated. It goes up to like 2021. But 2020, the second volume covers stuff from 2022, 2023. And we all know that there's a massive lag in patching systems. And like some systems, like 2023 was only two years ago, 2022 was only three years ago. And I know there are still systems out there that are vulnerable to the exact playbook of both of these volumes, volume one and volume two. So these are still very, very dangerous even today because of the lag in patching and in upgrading infrastructure. Like these things still work.
A
Amazing. Yeah. And we've seen people go ripping through, you know, on-site Microsoft email systems, SharePoint, old systems that are just out there and sitting available for hacking that have not been updated. I could probably point you to a couple places where I know people probably haven't updated the systems in years.
B
Exactly. It's still 100% vulnerable to all of this. We can talk a little bit about how actually the ransomware negotiations happen.
A
I just wanted to do a quick recap of for everybody because there's been a lot of information. You've talked about the start of ransomware. You've talked about the groups. You've talked about Conti that was fractured into the many groups that we have today, the evolution of the techniques, how they. How sophisticated these are now. And that's really, I think, where we've come from so far. And now you're going to talk about ransom negotiations. I think that's great. Let's talk about that.
B
Yeah, absolutely. So ransom negotiations is really cool, actually. So there's this project called Ransom Chat, and it allows you to essentially go read the actual negotiation chats of a bunch of different ransomware operations there. So you can see the victims talking to the attackers. But you also have to understand that not every single victim is just like the CEO or like the head tech support or the like. Like the SOC talking to these. This is. Sometimes these are lawyers, sometimes these are trained negotiators, sometimes it's law enforcement talking to Lock. But you'll never know. Right. But it's fascinating to know that this is. It could be anyone from the victim side talking to these. To these attackers. So reading it and really see, like, how much they charged, the. The pressure tactics that they employ. So this is a fantastic project that you can actually. It's free. You can just go ahead and basically read the whole chat logs. And so there's a lot of differences between how Conti, for example, and Lockbit conducted their negotiations. And because they're two completely separate groups. And you can definitely see like. And you mentioned this a little earlier in our conversation, Jim was just how methodical and how professional Conti was. And then you can see how immature and how brazen and unstable Lockbit was. So we can definitely see the two.
A
Different sides and doing stories on them. You caught posts and you can hear the language that they use and the way they talk from their posts. Really, really different personalities. Great observation.
B
So, for example, Conti would be like, we always keep the terms of the contract. And in a similar segment of the negotiation, Lockbit would be, you think I'm a fool. I have your files. I know how much money you have. So very manipulative, aggressive, trying to badger and beat down the victims into submission. And Conti was all about framing it as a business transaction.
A
Is this where the breakdown started to happen? Because I know at one point the feeling that we would have as CIOs from the professionalism you saw was that, and I'd heard this many times, pay the ransom, they're going to give you the key back. Why? Because they want to make sure that you're a satisfied customer. It sounds sick, but it was, you know, that they were, they were going to keep their reputation and that was how they guaranteed they'd get payment. And that broke down at one point.
B
Like, Lockbit always operated like that. Right. Conti was just very professional. They were above and beyond. And they, again, they were equally as dangerous and equally as sick as Lockbit was. But they just had a better business acumen, if you want to go that way, and how to conduct business. Another example is Conti set high but also negotiable ransoms. Like, they would say, okay, give me $500,000, but we are also ready to accept 256,000. And Lockbit was like extremely high. And we like, don't. Like, they would ask for 15 million, for example, but they're like, don't offer me like 1, 2, 3 million. It's ridiculous. For your company size. There was a very big difference. Like, Lockbit uses prices to dominate and humiliate. But Conti was always showing control concession, and was trying to use discounts to portray being reasonable and ready to negotiate.
A
Yeah. If you've done this in business for a while, you've read a number of books on negotiations. One of the beautiful ones is Never Split the Difference. Sounds like these guys had taken MBA courses in, in contract negotiation. Different flavors, but, but you know, that whole thing of stake a high price and then, then they'll be happier with the lower one. These guys are smart negotiators. Wow.
B
Yeah. And here's a final example. So Conti imposes business day countdowns. So there would be like two business days left before we start uploading your private data. But Lockbit, on the other hand, used the timer and they didn't care if the data would go up on a Sunday or on a Saturday or on a holiday. For example, they would just reference the timer and see the timer and nobody's going to wait for you. They were. Lockbit always tried to push the victims into panic, while Conti used like soft clock with like, like, like just a bit like a law firm on retainer. Like we're going to give you two business days. Yeah.
A
Are you allowed to have an opinion on this? It should. Should people get a professional negotiator?
B
So yeah, I always say, well, my professional opinion on this is whatever your insurance company tells you to do, that's what you should do. Because some, your insurance company will say part of your package, you can get a negotiator or you have to go through or we can do it for you. So just listen to your lawyers.
A
Yeah, good, good, good point on that.
B
And so there's a bunch of different options here and how they were able to really pressure and emotionally like pressure your victims. But it really boiled down to Conti being calm, structured. It really tried to package everything as a service and their reputation was everything. And Lockbit was all about media spectacle. And you can see the difference because Conti was very much more like a invite only group. It was very much more controlled in terms of who could join the group. But Lockbit had over a hundred affiliates at one point at their biggest. And so it was very hard to keep the same language going and it was hard to keep consistency. Right. So you had a whole bunch of people doing negotiations. So there's also this thing that you can do and this is one of my favorite things is there's actually a ransomware chat simulation. So this is part of the Ransom Chats service that I just spoke about a project a little earlier. But you can basically run this as a Python script and you can actually plug in your ChatGPT API key and you. It'll basically load all the chats in terms of like a little file and you can basically. So it's like quickly trains the AI and then from there you can basically like practice negotiating with the different types of groups. You can practice negotiating with Conti if you want to learn what it feels like. This is a really cool little ransomware chat simulation.
A
We'll post a link to this. I'm actually going to do a bit of a demonstration with you at one point down the road of how that works. That sounds fascinating. We'll give you a link for that. But I think we could do a little digging into that.
B
Absolutely. It's really fascinating how negotiations work. We can also talk about the modern arena and what that looks like. Now this is RansomLook. RansomLook is an open source project aimed at assisting users tracking ransomware. This is the service that was the open source project service that I was talking about earlier. Tracking a whole bunch of different groups and across a whole bunch of different relays and onions. And with this type of service, you can really see that throughout the evolution. Now even something like this chart here, if you're on YouTube you can see it, but it's basically showing that SafePay in the past week had like 20 victims posted. But the thing is like if you look at it today, El Dorado is no longer there. Interlock, Lynx is no longer there. Wayro is barely posting. Black Suit got seized. Arcus Media maybe Won Devman is not posting much anymore. Ransom House isn't posting. Kairos isn't really posting. Embargo is selling their source code. And this is since April. Right.
A
So just for those who can only hear us, we're looking at a chart and it looks like a hockey stick. There's a whole pile of groups that are doing not much in the way of posting frequency. And then a huge spike of larger groups. Like you've got Qilin, you've got SafePay. So does that mean that they're the dominant ones today and the other ones, there's still some massive effort from some of the other ones. So you've got some dominant players, some mid-level players and then some ones that are maybe on the fringes.
B
Yeah, exactly. So it's really something that these groups, Arcana Security, got absorbed into Qilin at the very left side of the chart. A lot of these groups pop up, conduct a few attacks and then it is severe. It's fascinating how that works because a.
A
Lot of this still seems like the tech industry. You get some dominant players that absorb people. You've got some mid level players, you got little ones that pop up and manage to get some attention. The whole business ecosystem.
B
Exactly. So one of my, as a researcher, I have this affinity for these groups. So I can say my favorite group or I think what this group is cool. I don't support these groups, but we get it.
A
But it's hard not to. I would admire is not the right word.
B
It's not the right word.
A
These are the, the ones that are doing this are successful businesses.
B
Yes, exactly.
A
We may not like them, but that's. You have to at least respect their abilities. I guess maybe the.
B
You can't underestimate them is essentially what I'm getting at.
A
You actually participate in some chats or can you talk about that?
B
Right.
A
We never know what you've been talking about.
B
Yeah, what I do, part of my job is infiltration. And so a lot of it is because infiltration is not meant to last very long. Right. I'm not. Because I can't conduct actual crime. I can't conduct attacks. All I can do as a private citizen and as a researcher is lie. So I basically con my way into these groups without breaking the law and essentially try to gain access to their control panels or to their source code or to their builders or to their hierarchy of their teams in their chats and export and screenshot as much as I can because I know I'm going to get marked and it's going to get, I'm going to get burnt very, very quickly and I have to. There's also a massive delay in terms of what I can publish publicly. And a lot of this, 99% of the stuff that I work on is never published publicly, but a lot of this stuff that I get gets passed on to the proper parties that can be government, that can be law enforcement, that can be various different organizations and essentially they take care of that. It's also like, yeah, like it's trying to be as sly as possible without getting in trouble.
A
And is this next group Medusa? Can you give us a little profile on that? Is that.
B
Yeah. So Medusa is one of the groups that popped up on a Russian speaking forum called RAMP. And so they originally started and it was a pretty big. They were trying to become a new RaaS, a new service. They weren't connected to Conti, they weren't connected to Lockbit. When they first launched they had one of their servers leaking their clear web IP and essentially they were hosting out of the UK. They've since patched that and they've been around for a while. This was around 2023, but they're often confused with another group called Medusa Locker. Medusa specializes in spear phishing emails to obtain credentials and to deploy the malware. And one of their best known TTPs is to use AnyDesk, Atera or ConnectWise for persistence and control. So they love to live off the land of your existing remote connection tools to basically keep that in the network. Another one that we briefly talked about is Qilin. This group really originally did not like English so they really tried to emphasize Russian speaking partners. But in the few months since they've really opened up to English speakers, especially Scattered Spider, which is not necessarily a group, it's more like just a community. And they really opened up to English speakers in that sense because they know that they can leverage these, these individuals to gain access to more infrastructure through their social engineering techniques. So Qilin has been around for a while but they've really reinvented themselves in the past year, especially since RansomHub was dethroned as number one. And so now they're probably number one.
A
Right now and they're using the. Because we've, we've talked about this, we've talked about this on Cybersecurity Today of groups that are really effectively using North American or English speaking, I presume, teenagers who are doing some incredible spear phishing. And again I'm going to say, but as you, I don't condone it but they, they're, they're incredible in terms of how they can spear phish, how they can get credentials, how they can get past help desks. Is that, is that the same group?
B
Yeah, exactly. The Scattered Spider. So it's not necessarily a group, it's like a loose, loosely connected group. Scattered Spider. It's in the name, it's scattered, it's, it's thousands of individuals. Right. And it's really like a lot of them. Like this recruitment for Scattered Spider like happens on clear web social media platforms because it is indeed like, like you said, teenagers of English speaking countries like the UK, like European countries, Canada, the US and essentially anyone that can get past voice verification or talking to a help desk properly like that will really get you far in these groups. And it's all, a lot of it is about the lifestyle. Right. And they're seeing money, they're seeing girls, they're seeing guys, they're seeing cars, they're seeing drugs, they, they, it's all about that live large and fast lifestyle. Right. So a lot of the teens get absorbed in this and mesmerized and infatuated with this lifestyle. So they all want to be part of it. But yeah, it's, it's a big problem.
A
And sorry if I'm jumping ahead for where you might be going to explain this already, but Qilin is exploiting part of that group as well now you're saying.
B
Yeah, exactly. So they basically partnered up with them and so has DragonForce, which we're going to get to in a bit too. But groups now are paying attention to Scattered Spider more because of how successful they've been. Like ALPHV BlackCat did that exact point in 2023 with the MGM resort attacks. And that was a Scattered Spider initial access. Right. And so, but it was ALPHV BlackCat ransomware that ended up being deployed. So these groups are very well connected. I wanted to talk about RansomHub really quickly here.
A
Sure.
B
And RansomHub is essentially was at the right time, at the right place to capitalize on the void. This happened right. In 2023. That's right. In 2024. Sorry. And right when Lockbit and ALPHV had been disrupted, especially BlackCat, RansomHub positioned itself to, to be. Hey, we. When ALPHV BlackCat basically got seized, RansomHub was like, come join me instead, let's make. And a lot of the affiliates from BlackCat jumped over to RansomHub and RansomHub had a very, very generous 90/10 split, which was a lot better than what ALPHV was giving a lot of the affiliates. So RansomHub showed a lot of development, like they were updating their platform constantly. Over the course of the next few months they became number one for all of 2024. They were originally based off of the Knight ransomware code base, but they really focused on exploitation of public facing applications like Confluence and VMware. They did phishing for credentials. They purchased initial access from brokers. They did double extortion. They did it all right. They were very, very, very, very well.
A
Established for this and they moved into exfiltration as well. They were one of the first ones that got into the exfiltrate and as, as the only, the only thing they did is that. Did I get that correct?
B
No. So they did double extortion. So they encrypted and also leaked the data. They were just well positioned to take over like the Lockbit groups like affiliates and the ALPHV affiliates that were. Because they had just been disrupted. Those, those number one and number two groups got disrupted within a couple of months of each other. So RansomHub was very opportunistic and had an amazing opportunity to seize that number one spot of come work for us. Right. And they filled that void very, very quickly. It's a mystery of how they disappeared. It is a bit of a known industry secret or what happened. But essentially they've just stopped responding to. And this is known a bit of like in some circles, some would say this was an exit scam. But I'm not saying that this is what happened to RansomHub, but essentially, yeah, they're no longer around, the affiliates are. But RansomHub as a brand is no longer around. And I wanted to talk finally about two last groups, DragonForce and Akira. DragonForce was a very interesting group because essentially what they did was they were like, hey, we want, we want, we want a gun for RansomHub's number one spot. And when RansomHub in early 2025 shuttered and was having issues, DragonForce basically tried to be opportunistic and said, hey, we're going to spin up our own cartel and we want everybody to join. Anybody can join. And we're going to white label ransomware as a service. That was supposed to be the next evolution of it. It hasn't really materialized, but essentially they're saying that if you want to create a ransomware as a service now, all you need to do is contact DragonForce. You have to pass an interview, you have to be vetted, of course, and you have to put a deposit. This is not just like someone can just walk in and start a ransomware operation, but they're trying to make it as easy as possible. And from there they'll spin up the infrastructure for you.
They'll give you access to the code, like code base to build builders, encryptors, decryptors and negotiation panels. They'll do all of that for you for an 80/20 split. So they'll take 20% of all the ransom payments that you make and essentially to pay for your infrastructure. Now this can be very expensive, but you don't have to basically write a single line of code and you can have your whole ransomware operation. And it would be like Stargate by, By. By DragonForce type of thing. Right. It was like a white label powered by DragonForce. So they tried to do that. It hasn't really taken off yet because the 20/80 is a pretty steep asking price to run infrastructure and run this type of service. But I'm sure that once more people. Because it's also really hard to run this type of infrastructure, especially if you're running on bulletproof hosters and servers across the world. You're trying to manage all that stuff, it becomes something that people would want to pay for convenience. Especially the criminals that want to do this.
A
Yeah. And well, they didn't. They made promises and didn't keep them. They are part of the software industry.
B
Yeah. And they. So they really tried to make the cartel happen. But they've been around for a while, like they've been around since August of 2023. And this was a ransomware group that started originally on BreachForums. Right. And they were the ones that attacked the UK retail sector and the aviation sector in recent news. So they've been very, very busy. And so they have a bunch of different types of TTPs and they try really hard to exploit vulnerabilities in public facing applications like VPNs and RDP to gain access. And they do collaborate with Scattered Spider. So this is a very, very busy, busy group and they're very, very dangerous. We can definitely talk about Scattered Spider.
A
I think we have to because it has become a big piece of what's happening out there. And you've described, you educated me on this. Which they're not really a group, right? They're more of a, a coalition or coalition.
B
And they have a bunch of different names like because. And this is the thing about the nomenclature and the naming standards of like threat intelligence and the cybersecurity world is whoever names a group, it's hard to. Each company, big company will or threat intel firm will have their own name for something like UNC3944 or Octo Tempest like Roasted 0ktapus, Muddled Libra. These are all different names for Scattered Spider. And like Scattered Spider has been around since 2022. And they're like, like we said, they're primarily English speaking individuals aged like 19 to 22 from the US and the UK. One famous one, for example IntelBroker from BreachForums was part of this community and basically was. Started his cybercrime career doing swatting and bomb threat calls at the age of 17 and was picked up by the NCA at the time and said like, hey, you're a good kid, you're a smart kid, like come intern with us, let's take you under our wing and you can actually turn your life around hopefully. But like the world is so different and these individuals are so influential and the type of people that they associate with aren't very nice. So they get caught up in a whole bunch of different things. Right. And there's some very powerful people that work in these environments. A lot of these individuals end up getting caught up in drugs and a whole bunch of different things. And it's just a lifestyle that they can't really escape from sometimes. So yeah, their specialty is social engineering and they really specialize in SIM swapping and impersonation of IT help desk and hijacking phone numbers. So they're a very dangerous group and.
A
They've gotten past some incredibly, I think incredible. Incredible is maybe the wrong word. Some organizations that are pretty sophisticated and these are in many cases North American or at least English speaking. They could be anywhere in the world. But they're also caught up in this lifestyle. Is there an escape for them? Are they trapped in it? What is? Or they just stay there? Because the thrills.
B
Yeah, because the thrills. Right. A lot of it is the thrills. A lot of it is this life is better than what they have in other ways. But also they, in some ways they are very much trapped. Right. And there are some people that just can't leave. It's. It's very much like organized crime. It is organized crime. Like getting out is no longer an option for some of them.
A
And we've seen some extensions of organized crime where people are brutally attacked in other ransomware and those types of attacks. So it's not beyond the pale that people, they could be threatened as well.
B
Yeah, it's a very dangerous group. They're very, very dangerous. And I wanted to finish up with a group called Akira. Now Akira is a group that has connections to Conti, but it's not necessarily one that is considered part of the lineage. And they've been around since March of 2023. They transitioned their payloads from Go to Rust and this is something that a lot of ransomware groups are doing, like they're writing their, their payloads in Rust. So this provides like enhanced stealth and cross-platform capabilities. Because Rust can run on Linux, it can run on Windows, it can run on a bunch of different things. And especially if you're targeting like ESXi infrastructure, this is what you want to do. They really focus on public facing applications for Internet VPNs, backups and replication. And they will purchase a lot of stolen credentials from stealer logs. Right. And they love RDP and they've also been known to conduct attacks through phishing emails.
A
And I think Fortinet's been hammered over the past year. Are these the people who are primarily doing that work? Because it's just. I don't want to run a Fortinet story all the time because every week there's a new one. Yeah. And I don't, I'm not saying that it is an attack on Fortinet, great company and all that sort of stuff, but they're just hit and hit.
B
Yeah. So this is one of the groups that's been attacking Fortinet. Medusa was another one that attacks Fortinet quite a bit as well. So these groups are constantly trying to find out the latest attacks on all of the public facing applications, not just Fortinet.
A
No, it's not just Fortinet but I guess the more market share you have, the more they hit you or something. Yeah. Wild.
B
So yeah, there's. We can finish off with talking about the initial access market and then basically this is the last slide here. And just to give you the people that are watching this on YouTube thus far, I sort of described this at the beginning of what this looked like, but this is an advertisement for a $1 billion company. And so essentially how it's going to be, what's going to be asked for is like this is a $5,000 ad. This is a company that's based in the US. You have access to the domain admin, local user admin and root access on Unix. And the access type is RDP via HTTPS, the Unix reverse shell. And you also have a Metasploit reverse shell. And there's 500 computers, all Windows OS, and the price is $5,000. So what you would do is you would contact the seller and purchase this access.
A
And so this is an ad and for those I can see it and for those who are listening, I think you've given the elements of it. But this is like a complete made to order access to. And this is quite sophisticated.
B
Yeah. And one of the most popular, basically example of a famous initial access broker was called Broker, and essentially Broker would sell access on US, Canada, China, UK, a bunch of different countries. And it was very, very, very sophisticated. Broker was essentially disrupted in 2023, and the individual was connected to like Irish like a virus connection. So essentially what was really interesting was initial access can also become like a business. Like Broker was running it very much like a professional business. They constantly had hundreds of different types of. This isn't just like stealer logs or compromised credentials that he was selling, but this was stuff that his team would go out and basically guarantee that this was never before seen. And these were really big companies, and a lot of it was targeted, because he was exploiting vulnerabilities in public-facing appliances. So this was very much targeted and became one of the bigger and more well-known initial access brokers on the market.
A
So just if you're going to these initial access brokers and they will they post the credentials they have and I don't even ask this but can you order the things from a particular industry? Because people tend to move through verticals. Are they. Do they specialize in this? How do I get the access for a particular vertical? Is it just by looking around or.
B
Yeah, so it would be like it goes by country, because the, some individual like you don't want to hack where you live, right? So like. Or where I can get extradited to. But you also want to, you also want to attack countries that have the highest chance of paying out. So countries that have very high privacy standards. US, Canada, UK, like the European Union, those will have a lot of protections, and the chances of you getting a ransom payment are higher. It's not guaranteed, but it's just higher. And also companies would tend to have the money to pay because of insurance, right? But if you're like, you wouldn't want to target a company that does not make a lot of money, right? Because then you're just wasting your time. So this is again, this is all targeted by country. And a lot of it is they try to attack in terms of industries, like sometimes they'll. Some groups will say we don't attack hospitals. But some groups will say, yeah, we attack hospitals because we've had a lot of success receiving ransom payment from hospitals or the healthcare industry or the financial industry. But sometimes groups do not want to attack. They have a hard no on like I'm not attacking those industries. Yeah. And again, all this stuff is so fascinatingly, it's available everywhere. You can go on Telegram and you can download these logs, right? And these are massive data dumps of zip files that contain millions of leaked credentials, right? And you can just quickly download them. Like they're on forums, they're on Telegram, and you can basically try to create automated scripts that would just continuously test new access and credentials. So this is like password spraying. This is where this type of attack comes from. And essentially this is where you would like this is part of the fulfillment process of this.
A
Wow.
B
That is it.
A
That's amazing. So that this has been incredible. I hope people have been able to pick through it. If you're watching this on YouTube, like I said, you've been able to see the slides and I'll post a link for that for anybody who's listening into the audio version of this as well. So you go back to that. But I think you sort of walked us through this. I mean, and I guess the question really is you follow this all the time. What most fascinates you in terms of where this is all going? What's the next thing that you're most watching for?
B
So I'm really paying attention to the stratification of ransomware. What that means is a lot of these groups now, like the biggest issue that they're having is finding affiliates. Like the peak was 2023 because ransomware really exploded. It's still increasing. It's not over. One of the biggest years was 2023 and 2024, but 2025 has not been a typical year for ransomware. And so what's happening is that a lot of the groups are trying to attract experienced attackers. And how they're doing that is they're trying to create more in-house tools and diversify their offerings. One specific group, BlackLock, and Global. Global is like super AI-assisted, like when you're negotiating, there's AI there. Now Qilin is basically saying, hey, we have lawyers on standby, that if you need help during your negotiation, you can loop in a lawyer. We have call centers that we're rolling out to harass the victims. So they're trying to incentivize, saying, hey, we have all of these extra things that you can now use as part of the groups. So I'm trying to see where that's going to happen. And we're starting to see. One of my predictions is that we're going to start to see more subgroups of bigger groups, and that's going to definitely become a thing. Like we saw that a little bit with NHA, the National Hazard Agency. But we're going to start seeing more subgroups popping up of bigger groups and.
A
Law enforcement has been disrupting them. They are under attack. There are pressures not to pay ransoms. Is any of that really working? Is that starting to reduce the threat?
B
Yes, it absolutely is. The disruptions are working. Absolutely. The biggest example is Lockbit. They seized Lockbit infrastructure. They were able to seize all of it, but they basically destroyed the reputation of Lockbit. And by doing so, nobody wants to publicly affiliate or associate with Lockbit anymore. So Lockbit is back in the shadows, rebranding. It's not over. They're just rebranding and going to be recreating a new program. And when they're ready, they're going to launch it. Hopefully it takes off like previously, but the field now is so full of competition, and it's hard to attract talented attackers. So a lot of these groups now are training the next generation, right? So it's a really big challenge.
A
Amazing. And again, I, we talked about this being as an industry. I've known it intellectually, but walking through this, I'm just. This is a whole ecosystem that exists, something you spend a lot of time studying. Tammy, thank you so much for walking us through this. And I will. I'm going to make a commitment on feel. That's okay. But if people have questions and they want to get those back to us, they can find you on social media, or they can just go to our website at technewsday.ca or technewsday.com, get the contact us form and pop in some questions, and we'll design another question and answer show perhaps for a later time.
B
Perfect.
A
That'd be great. My guest today has been Tammy Harper. She's with Flare IO. This was an introduction to the ransomware ecosystem. A great presentation. Again, if you have questions, leave them for me. Great to have you on the show. For all of you out there, thank you so much for listening to this. We hope that we've given you some information that can at least expand how you see this and maybe just fascinate you. If you're listening to this on the weekend, David Shipley will be in the news chair on Monday morning. And I'll be back next Wednesday. Thanks a lot. Talk to you soon.
Host: Jim Love
Guest: Tammy Harper, Senior Threat Intelligence Researcher at Flare I.O.
Date: September 20, 2025
This replay episode features a deep dive into the ransomware ecosystem, drawing on the extensive expertise of guest Tammy Harper. Jim Love and Tammy explore how ransomware has evolved, the criminal business models that fuel its proliferation, notable ransomware groups and their tactics, the dark web’s role, negotiation processes, and how the ecosystem has shifted in recent years. The conversation is both accessible and detailed, making complex cybercriminal operations understandable for cybersecurity professionals and interested business leaders alike.
This episode serves as a masterclass on the ransomware ecosystem, exploring its business dynamics, technical methods, historical roots, and the psychological/social underpinnings driving its operators.
Tammy Harper’s firsthand research and insider stories reveal ransomware as an ever-shifting, hyper-professionalized criminal industry—one blending technical sophistication, dark web commerce, and real-world economic pressures. Listeners come away with a nuanced, current understanding of both the threats businesses now face and the organizational ingenuity of cybercriminals behind those threats.
Listeners are encouraged to send their follow-up questions for possible inclusion in a future Q&A episode.