A
You're listening to the Cyberwire network, powered by N2K.
B
And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested US citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
A
There was just something strange going on. We kind of felt like the larger families were not as prevalent anymore. It was like it was getting scattered, and looking at it, we kind of pieced the little puzzle pieces together and we saw, like, hey, there's something happening in the underground.
B
That's John Fokker, head of Threat Intelligence at Trellix. The research we're discussing today is titled "Gang Breaking Trust Among Cybercriminals."
A
We strongly believe it, and we can see it, and we have a couple of cases where cybercriminals are starting to distrust each other, which, I say that almost with a smirk, with a smile, because yeah, it's interesting to see, because for the longest time there were always strong alliances. And when cybercriminals, I say this quite often, when they trust each other, that's when innovation happens. That's when they build these strong empires. That's when they attack at large and they can scale up. And especially if you look at ransomware, to do that from A to Z, like the whole kill chain, from not only building software, but distributing it, and then doing the engagement with the victim, negotiating, then getting the funds, laundering the funds.
B
That's.
A
There are so many steps involved that it's almost impossible to do everything yourself, so you're always confined to teaming up with people. You're always in a partnership. And these partnerships take trust. So when the trust goes out the door, yeah, those partnerships are much harder to establish. So that's something that we're seeing, and we really wanted to highlight this, as very often you see blogs about the new ransomware on the block and all that stuff. And we, actually myself, we wanted to zoom out and see, like, okay, but can we describe what we're seeing? Can we find reasons why it's happening? So that was what kind of triggered us to write this blog.
B
Well, let's talk about ransomware as a service and how that model evolved into something that kind of resembles criminal empires. And it seems to me like what you're saying is maybe that setup could be unraveling. Can we talk about a little bit of the history?
A
Yeah, sure. So years back, we're not going too far back, but mostly the ransomware was targeted at consumers. And that was the time when you had CTB-Locker, CryptoLocker, CryptoWall, to name a few. And you would see threat actors mostly focused on spreading it at large, so getting as many installs, as they called it, as possible. So you saw a lot of spam campaigns or exploit kits being used. And it was mostly targeted at end consumers. And then there was a shift, because at that time I was actually working at the police and we were working very closely with all the banks, and the larger organizations would say, like, yeah, ransomware is not really a problem for us, because we can just load up a new image when it's one workstation and then we're good to go. So it's kind of a spray-and-pray mentality that the threat actors were using. And that changed with SamSam. And SamSam was one of those ransomware versions which eventually turned out to be Iranian operatives, but they were actually performing more pen testing related tasks. So they would go through the network, establish a foothold, go after the domain admin credentials, have control over the network and then launch their ransomware, basically paralyzing the whole network, the whole organization. And that was a shift. And then we saw other groups doing the same thing, from GandCrab and Maze and all the other old names that we know. And they were doing the same thing that we call big game hunting. And then there was a phase that came with ransomware as a service which was, okay, yeah, we've got your system locked up, but maybe we put some public pressure on you. So what they were doing was naming and shaming on their websites. And then they were thinking as well, it's like, oh yeah, we've attacked. If you look at the CIA pyramid, like confidentiality, availability and integrity, yeah, we're attacking the availability by encrypting your organization.
But what if we steal some sensitive data beforehand and we threaten to publish this? Then we can also extort you on the confidentiality. And yeah, if you're a paper backup company and you deal with secrets, let's say you're a law firm, then the availability is probably less of a concern than the confidentiality. So that's where we saw the introduction and later the uptick of data extortion. And these elements, and that big game hunting with the immense amounts of ransom that were demanded, that really grew almost out of proportion, kind of created these, like we said, empires, where you had people at the top directing teams and it was almost like a corporate structure, as one might say. We looked at the Conti leak chats and that was run like a business. And Black Basta, that we spoke about recently as well, same thing. And you would see groups that would have people on payrolls, or they would pay out a commission or a percentage from the ransom. It still is a really lucrative threat for threat actors. However, as an empire and as a large organization, like I said in the beginning, there are a lot of steps involved. There are a lot of things that need to go well, or that you need to organize, in order to be successful. And that's something that relies on trust. And trust can be that you're paying people what they're owed, or that people are keeping their promises, or that they're not running away with the money, as we saw with BlackCat/ALPHV. So there's no exit scam, and all these things. So the affiliates, the partners in this scheme that are actually doing the break-ins, they need to feel like they belong and they're getting an equal share, or a share that they think is fair. These are all elements that need to be in place in order for that empire to sustain and to grow.
And yeah, when you start tearing those down and the cracks start to appear, then you can see that people are turning their backs. And then I chose a picture for the research blog that we put online, and it's just so telling. And actually I got this from a friend of mine, an ex-NCA officer, and because I spoke about the concept, he's like, John, this is just like the final scene of Reservoir Dogs where they're all pulling the guns at each other and everybody's just pointing at each other. Where they first started off as friends, now they can't trust each other, and that whole crime group crumbled and cracked. I was like, yeah, that's very telling. And that's essentially what we're seeing now as well.
B
What are the signs or the behaviors that indicate that this ecosystem is cracking where we're seeing loyalty giving way to suspicion or betrayal?
A
Yeah, there are some telltale signs. And it could be internal, so we can see signs from the threat actors, I mean, from within the community, as well as external pressure. And with external pressure, one of the big factors is law enforcement, for instance. So there are a lot of individuals that are residing in countries that the Western world does not really have a treaty with when it comes to, like, okay, we can send them a request and they will arrest a person. That's extremely difficult. So if you cannot put the silver bracelets on those folks, and we've already tried taking down their infrastructure and they rebuilt it or whatever, what else can you do to really damage their reputation, or to really make an impact? And that's damaging their reputation, because they're businessmen. So if you damage that reputation, you break their trust. They seem untrustworthy. It will have a ripple effect, and it will cascade further down and will have a larger effect for a longer time than just taking down infrastructure, because then their trust is not damaged, it's just their infrastructure. So a perfect example of this was how the FBI and the NCA worked on LockBit, where they infiltrated the system and then they used that leak site where they publish the stolen data, and they trolled LockBit phenomenally. And this really had an impact on the reputation of LockBit. People scattered away. They went to different parts. And he was fighting really hard to build his reputation. Another example would be exit scams. So there's pressure on a system, and with a system I mean a ransomware family or a group, and you would see that the leadership runs out with all the money. You can do that.
Like, that happens once, but if that happens often, then the affiliates, the people who are basically doing a lot of the work for the group and expect a payout, if they know there's a higher chance that the leadership would walk out with all the money, yeah, they're not really inclined to do a lot of work. So that's another one. Another thing that breaks trust is a faulty decryptor or encryptor. And we saw this in the past already with Babuk, actually, with, was it Mikhail Matveev, when they did the Metropolitan Police hack, where they encrypted the Washington Metropolitan Police and the encryptor worked, but the decryptor, so the decryption portion of their attack, failed. So essentially they corrupted all the data that they encrypted and the victim couldn't get their files back. So that's tampering with the business model. You're not getting your files back at cost, because that was always the success for ransomware. It's like, okay, we encrypt it, but you can get everything back. And that's another one that really damages the reputation, because then the affiliates doing all the work are like, hey, listen, I gave my word or I promised something, and then, yeah, it doesn't work. And you can do that once or twice, and then the reputation of the whole group gets damaged. So that's how we saw Babuk crumble as well. So there are different ways, and then, yeah, the outcome is fascinating, how we see it, like they're basically throwing each other under the bus. They're doxing each other. Unfortunately, we also see examples where the data that was stolen from one victim ends up at multiple other families. And that's either, we can imagine that the threat actor behind it actually moves to a different family and then posts the data again. But we have a case, where we talked about a healthcare provider that got extorted, a very large one. They paid the first time and then the extortion went on, because that group was BlackCat/ALPHV.
They did an exit scam. And the individual by the moniker Notchy, who was responsible for that breach, he didn't get paid, so he was pissed off, so he moved to RansomHub and then they re-extorted that victim. So what this tells me is, at the same time, I love that the cybercriminals are kind of fighting against each other, that they have less attention for others. But there are situations where a victim can get extorted twice. So this is, for me, also a word of caution to anyone that's extorted with stolen data. Do not pay, because, yeah, you have no guarantee it's going to be erased, and you can get extorted again.
B
We'll be right back. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber. They know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber. Well, let's dig into that, the consequences for the defenders out there, because, you know, it strikes me that, I mean, it sounds funny to say "back in the day" when it comes to ransomware operators, but, you know, reputation was a big part of what they did, that you knew that if you did business with them, chances are they were going to hold up their end of the deal. Where do we stand today?
A
That's harder and harder to maintain for a threat actor. There's a saying, like, a reputation of years can be damaged in seconds. But it was interesting to see, like, I did a long study on REvil and they were referencing not only our blogs but other industry blogs as well, saying, like, oh yeah, the decryptor actually works. So they were saying, well, don't take our word for it, look at the industry, look at what they write, because the decryptor is solid. So it was like, involuntarily we gave them actually some help, which we didn't mean to. But yeah, it's almost crazy, right? You would think that you cannot trust a criminal. Now who would have thought? But that's the situation we're in, that there are a lot of these splintered groups, and we've been tracking a lot of the groups with the public disclosures and it just skyrocketed. So every week there's a new family. Every week there's a new group spurting out and making a claim to fame. Yes, there are still some bigger groups, like Qilin and RansomHub and some others, and DragonForce, but overall they're so scattered. And to be honest, a lot of these smaller groups do not focus on the encryption part. They mostly focus on the data extortion, because that's the skill set that a smaller group of people can do. Because penetrating a network, so infiltrating and exfiltrating data, that is something that a pen tester or a red team is quite confident in doing. Building a solid encryption tool that can also decrypt in all circumstances, even with VMware or ESXi servers and hypervisors and all that stuff, that is a different ballgame. Making that fully undetectable for any EDR or endpoint defense solutions, that's a whole other ballgame. And then, let alone building all the negotiations and everything else. So we also see some dispersion there as well.
We wrote about it in one of our blogs that you're now also seeing these dedicated services that say, like, hey, we do not want anything to do with ransomware. We'll just offer you a place where you can host your stolen data so you can extort people. So you can see that it's kind of a splinter movement, not only among the ransomware actors, but in all the adjacent services as well.
B
It seems to me like instead of having these alpha predators, a great white shark cruising around, it's more like having a river full of piranha where everybody wants to take their little bite.
A
That's a great analogy. I'm going to use that. I'm going to use that one, with your permission.
B
Feel free.
A
I often said, like, yeah, it's like this school of bull sharks, or tiger sharks. They're not really always specifically targeting you, but if you are in the water and they can smell you, they will go after you. They'll take a bite. And that was revenge. But you're right, yeah, it's more like piranhas now.
B
So what do you hope that people will get from this research? What are the takeaways that you want CISOs and security teams to come away with?
A
Yeah, we've been talking now for almost 20 minutes, and it doesn't seem very positive what we're saying, right? But I see this as a transitional phase that we're in. I'm always very positive, like, yes, crime is hard to beat, and we're not going to solve all crime, but there are things that we can do. And I'm a big advocate for sowing distrust and breaking the trust among cybercriminals, because that will only show that they're human. And that's a very important message for Trellix as well. It's like, we don't like to mythologize threat actors. We don't want to put them on a pedestal. They're criminals. And organizations that need to defend themselves need to understand how they operate, because as soon as you understand the threat, you're not fearing it, you can act upon it. And yeah, we used to fight families, and now we're fighting franchises and freelancers. But I say it like, when you break the trust, that empire will fall, and we see the effects. So, yeah, data exfiltration, extortion, that's something that we can work on. And yes, there's still encryption going on, but the bigger families are finding it much, much harder to exist. And another thing that we're doing, and that's maybe a bit off topic, Dave, but we're doing a dark web roast. So not only ransomware, but every month we put out research where we actually roast threat actors. So anything we saw in the underground where they're making mistakes or whatever, we'll just roast them. And the second one is now out for July. And we're doing this with the goal to put a face on the adversary, show them that they make mistakes.
Because I think, and at the same time, I really hope that if there are any threat actors listening, they can send it to Trellix and they can reference my name and say, like, hey, I have info on threat actor X and whatever, and I want you to throw them under the bus or whatever. I'm all for it. My goal is that our blogs are being read by the underground and that they can say, like, oh, this is true. And oh, yeah, that guy actually did make a fool out of himself. Because when they do so, yeah, they don't see the other as a professional. They see him as somebody that messes up, and then it becomes less likely that they will trust them to do business. And that breaks the, now I'm explaining my ulterior motive here, that I shouldn't do that, but it helps break that trust cycle and that will slow down solid product.
B
Do you think this is the shape of things to come? I mean, with the step-up of law enforcement around the world, has it just made it harder for these operators to operate at the high level they used to? So what we're looking at for the future is more of this kind of fighting for scraps?
A
Yeah, that could be the case. Another theory that we also have is, like, maybe ransomware the way we knew it, as those empires of partnerships and all that stuff, wasn't supposed to happen in the first place. And why I'm saying that is, if you look at other businesses in the cybercriminal underground, they're very much freelancers, they're very much running their own business. And the organizational structure is less like a hierarchy and more like a network-based model. So one could argue that maybe, through all this, ransomware is evolving to a structure that is more aligned with how the cybercriminal underground operates. So everybody provides a certain part of a service, a certain part in the equation, and there's no overarching larger organization that controls it all.
B
Our thanks to John Fokker from Trellix for joining us. The research is titled "Gang Breaking Trust Among Cybercriminals." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, DC. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 11, 2025
Host: Dave Bittner
Guest: John Fokker, Head of Threat Intelligence, Trellix
Research Discussed: "Gang Breaking Trust Among Cybercriminals"
This episode delves into recent changes within the ransomware ecosystem, focusing on mounting distrust and breakdowns among cybercriminal groups. John Fokker from Trellix joins Dave Bittner to unpack his research on how cybercriminal alliances are unraveling, what this means for defenders, the rise of splinter groups, and the future evolution of ransomware-as-a-service. The conversation explores why trust was central to these ‘criminal empires,’ how law enforcement and internal betrayals are disrupting the business model, and what defenders should learn from these shifts.
| Timestamp | Segment Summary |
|-----------|-----------------|
| 01:43 | Noticing fragmentation of major ransomware groups |
| 04:18 | Evolution of ransomware: from consumer targets to enterprises and empires |
| 09:10 | How trust breaks down, signs of ecosystem disruption |
| 13:20 | Real-world cases: repeated extortion, exit scams |
| 16:30 | The challenge of maintaining criminal reputation today |
| 19:03 | "Piranha effect": many small players replace big predators |
| 19:55 | Takeaways for defenders: don't mythologize criminals, sow discord |
| 22:47 | Ransomware's future: from empire to fragmented freelancers |
Through both technical analysis and sharp anecdotes, John Fokker illustrates how the cybercriminal world is suffering a crisis of trust—triggered by law enforcement disruption, greed, incompetence, and the complex, interdependent nature of criminal enterprises. For defenders, these fractures mean both continued vigilance (as new threats multiply) and a unique opportunity: make things even harder for the adversary by publicizing their mistakes and dividing their ranks. While ransomware remains a major threat, its future may be as fractured and distrustful as the gangs that run it.