B (4:52)

Your blog post mentions that the EO eventually just gave up and gave as sanctioned the free decryption key, correct?

A (4:59)

Yeah. So this is like. That was probably one of the most interesting findings, was that from the news, we kind of hear about Ascension getting attacked, and then we hear about a source close to the incident anonymously told the media that it was Black Basta. And that's kind of all we really knew until Pink Ascension's financial declarations came out, and we heard about how many people were impacted, which was something like 5.6 million patients. And then, you know, how long they were out. So out for like six weeks. But the funny thing is, like, the ransomware gang decided to basically give up and realize that they made such a massive mistake that they're going to give the decryptor over and even delete the data and even share a screenshot proving that they've deleted the data. And this is actually a very similar scenario to a situation I also investigated back in, I believe in 2021 or 2022, which was when the Irish health service executive, the Irish hse, was attacked by Conti. I actually came across the negotiation chat logs between the Irish HSE and Conti as well. And Conti actually did the same thing. So Conti actually decided to give the Irish HSE a free decryptor as well. And as we know, Blackbasta is actually basically made up of former Conti members. So it seems to be something that they recognize as, you know, kind of a playbook. Right. Once, once you hit a medical center, once it breaks the news, then you kind of step away, give up, and give over the free decryptors.

B (6:40)

I'm glad that's also one of the things you saw in the chats, because my take was true that they were very afraid of damaging outcomes such as loss of life. They also fear major or outages, such as a similar incident from what happened Colonial Pipeline, where it caused massive fuel outages across the US and then the White House eventually put pressure on Russia, the Kremlin, and that led to arrests in Russia of ransomware operators, which was kind of shocking at the time when it happened because they rarely do anything against ransomware gangs. Now what I see there is a fear that can be exploited, right? Like this actually makes them really, really vulnerable to, let's say, posting stories, PR setup, or like, you can just manipulate them. Just if you're a victim, you can go to journalists and say, oh my God, people lives at risk. We might stop the surface to a huge chunk of the U.S. like, do you see this as a weakness on their part that can be exploited by law enforcement and victims to obtain a free decryption key?

A (7:40)

I kind of can see that being an option. That's one of the main takeaways I try to explain in the blog is the fact that, yes, they are afraid of their own government. Right? Like, a lot of these ransomware gangs are based in Russia. They have members based in Russia, other countries as well. Maybe even there's kind of a trend of Russian nationals living abroad launching these ransomware attacks are the ones that we hear about being arrested. All the others are probably safely tucked up within the country. But they do actually appear to have a Fear of getting arrested by their own, you know, the police, but because of causing too big of an international incident. The funny thing about ransomware is if you do hit the wrong network, it can have real sprawling physical, real world impacts. Like with Colonial Pipeline. I think to most ransomware gangs that was basically a red line for them. They said, let's not attack giant organizations, critical infrastructure organizations, because then it's going to come back on us and have blowback on us. And they kind of assume that their own government knows who they are, it seems, and it's not too surprising really. But the fact that because of such other incidents have taken place, they are now appear to be a lot more cautious about who they attack or even if they do end up attacking, then they just kind of give over a free decryptor. I think the other thing to point out with these ransomware gangs is there seems to be kind of, it's not the most well organized type of structure, right? It seems to be, you know, that there's a management level that deals with, you know, ransom negotiations and money laundering and data leak, running the data leak blog and that kind of stuff. But then you also have these affiliates and these initial access brokers that are kind of a little bit disconnected right from the, you know, the main group, the RAAS operators, so to speak. And the affiliates are the ones that ultimately push the button to encrypt the systems. Right. And they don't really seem to have as much control over those as we think.

B (9:50)

They also push for ransom payments rather than free decryption keys, or at least that's what I understood when reading those chats. Like they're the rogue elements in these services usually. Like even if they know a RAAS platform has rules, they rarely stick to them. So that's what I got from it.

A (10:06)

Yeah, I think that's a valid point to take away as well. You know, there was multiple occasions where this happened with lockbit as well. In the lockbit ras they particularly had rules that said you cannot attack hospitals. There was numerous occasions where they still did anyway. So yeah, it is the affiliates that are the ones that there's kind of a lot of power in their hands and there's not that much control over them.

B (10:29)

Well, from the leaked chats, it was also very obvious that Black Bastard was absolutely terrified of CISA and the FBI, probably because they feared a hack back action, maybe sanctions and more like they're really, really scared of US authorities now. Did you get the same feeling from reading all these chats?

A (10:46)

I did I did. I got the same feeling. They mentioned it multiple times. They even mentioned takedowns by the FBI of the various botnets that they interact with. So a lot of these ransomware gangs, they gain initial access via sort of malicious email spam campaigns, or mal spam campaigns, as we call them as researchers. And one of the main mal spam campaigns that blackmaster used to rely on was Quackbot for initial access. And then the FBI basically were able to hack back, get into the command and control servers, and uninstall the entire botnet. So that was a major disruption for them that probably, you know, cost them a lot of money to kind of rebuild and retool. And for these ransomware games, it's all about the money, right? Anytime you can impose cost on them, you can, you can cause them to lose money, that is definitely going to alter their behavior. And then the other thing they mentioned as they were thinking about dealing with this case and how they're going to get the highest ransom, whether they're even going to get a ransom payment, is they were mentioning, yes, things like sanctions. So Evil Corp, another ransomware gang, has been sanctioned by the U.S. treasury OFAC Department. And basically, anytime an organization is hit by a ransomware family affiliated with Evil Corp, the companies were very, the victims were very reluctant to ever pay the ransom due to these sanctions. So for ransomware gangs, getting sanctioned is not great for business. It means they have to rebrand. It means they have to try and they go offline and go undercover for a bit and pop up later, potentially, or retooled. So it's really bad for business for them, obviously, de anonymization, that's another bad for business for them, because then everyone in the world, law enforcement, intelligence services, everyone in the world knows who they are. So they can no longer travel and they're at risk of being locked up by their own country, whether that's Russia or somewhere else.

B (12:46)

Now, I asked that question because if we look at what's happening in the US Right now, and we're seeing what the US Government is doing to itself with all these mass firings, we think these layoffs at CISA and the FBI would probably embolden gangs again to become more aggressive. Since both agencies may be a little bit shorthanded in the foreseeable future, I.

A (13:08)

Think that's potentially a concern to be worried about. But, I mean, the European agencies are definitely still very active. You've got Europol and the NDA, Dutch and German police. You know, they are, they are at full Capacity, really. And firing on all cylinders against these ransomware gangs without the US Though, you know, that would be a big hit to capabilities and just knowledge really. And unfortunately with these mass firings, a lot of those people who've dedicated their lives to law enforcement are going to be probably going to the private sector and working with all sorts of CTI vendors and other type of investigation companies. So it's not necessarily that the talent is lost, but it's just going to be hard to come by.

B (13:57)

One particular line in the chat that drew my attention was the one about holding a meeting in the office. You know it. Since it's also on your report. We've seen several Russian icrime groups basically work as fake pen testing companies. Do you get a feeling from reading all these chats that Black Basta might be one of those groups or at least the top brass might work from the same place?

A (14:19)

Yeah, that was a really interesting message I caught as well. And as there are other discussions of a so called office. Yeah, it is well known in sort of the ransomware research community that some ransomware gangs have, have in fact got their own sort of front company or actual office space to conduct meetings with the team or launch attacks from. Even back in 2022 we had the Conti leaks and I also analyzed those chat logs as well with a similar methodology that I'm using to go through these Ascension Health related chat logs. And again, there was mentions of an office, there was mentions of another team. There were. So if you feel, if you're, if you're another researcher and you're going through these chat logs yourselves, you need to pay attention to the fact that some of the conversations may seem like they abruptly end or pick up on on something that you're not quite sure. There's probably some conversations going on in real life in a physical office that aren't being captured here. And yeah, I mean, there's been examples of Evil Corp, as I mentioned earlier, they are known to have an office as well. And I think the Joe Tidy from the BBC even traveled to Russia and actually tried to, you know, call the Office and try and see if there was anyone in. I don't think anyone answered, but it was kind of a funny situation.

B (15:42)

Now, ever since this leaked, there's been a few theories about why they leaked, why these chats leaked. Some have attributed these to one of the group's members leaking the chest because one of the main blockbuster leaders attacked Russian banks with a brute force attack. But this doesn't, doesn't actually sound well to me and I'll explain why. Based on what? Prodaft claimed the leak occurred weeks after the group kind of stopped attacks altogether. Like if you ask me, this has nothing to do with those attacks on Russian banks. This looks like good old reputation trashing. Maybe, maybe not even someone from inside the gang. Maybe a rival gang wants to trust the reputation of blackbast admins and kind of steal all their affiliates if you ask me. What are your thoughts on this? Did you look at why and who might have leaked this?

A (16:35)

I haven't been able to really ascertain exactly who has leaked these files and shared them to Telegram and things. It is hard at the end of the day to try and and figure these things out if someone's not going to disclose it. I mean thinking back to other leaks I've analyzed, we had isoon and the isoon leaks was basically it could have only really have been done by an ex or current employee just due to the high level of access that they had. So whoever had managed to get into the Blackmaster Matrix server, which is a self hosted chat server. So you can't just managed to figure out how to find an invite and get in or something like that. It's not like a discord server of people coming and going. This is like a purpose built, end to end encrypted chatting server that they created just to launch their operations. They weren't using someone else's platform. Whether they patched all their vulnerabilities and so on managed to exploit it, that's another question. But it's unlikely that law enforcement would really dump the these messages to the public. They would probably more be more tactical and try and use it for sanctions and de anonymization and things themselves. So this like trying to do some sort of analysis of competing hypotheses and trying to discount different theories. You know, my gut feeling would be yes, there's some sort of insider someone who managed to get access or someone was part of the group, whether it was a Ukrainian researcher like the Conti Leagues or some sort of ex affiliate who's become, you know, trying to knock out one of their competitors. I think those are the sort of two most likely scenarios in this case.

B (18:21)

Now that just also showed how quick the group went from oopsie, we did a bad thing to time to rebrand. What do you think? Rebranding is such a popular break window in case of emergency mechanisms for these groups. Does it actually give them some breathing room from authorities and researchers like you?

A (18:40)

Yeah, I say it's quite funny because of who are the people who kind of interact with ransomware groups the most. If you think about it from a victim perspective, you have when a victim gets hit by a ransomware attack, you have the incident responders that come in, you have the cyber insurance that comes in, and they work together to try and figure out the situation and help the victim recover. Those are the types of people and organizations then cover ransomware gangs first, and then you. Eventually you'll have law enforcement involved, hopefully as early on as possible as most ransomware victims should contact law enforcement as soon as possible because they may have a decryptor and things as well. Right. But it's pretty. For a ransomware gang to do a rebrand, it's really hard. Well, I shouldn't say it's hard. It's actually, it's really hard for us to know, to take the time and figure out if they are connected to each other. Right. So from the time of Conti going down, shutting down, shutting off the leak sites and things to Blackbasta, Akira Royal, all these other brands popping up was pretty short, I think. Conti shut down in April and blackbasta appeared in April. So one method you can take is just purely by looking at leak sites. When one leak site goes down, which other leak site popped up recently and do they look kind of similar? Do they operate in a similar way? There's all sorts of ways you can tell that. But as a ransomware gang, it's not really that hard to do a rebrand, in my opinion. You know, all you do is change the kind of binary name. Well, if you want to make it really easy, you know, you could just change the leak site branding and you just change the HTML and css. It's not really that hard. But if you're truly trying to completely fool the security community, you know, security research community, for an extended amount of time, they have to retool everything. Basically, it comes back to this old adage of the pyramid of pain. It's really hard for attackers to change their behaviors. Their ttps, their tools are pretty much, you can track a malware binary based on the code that they've written. If the code hasn't changed much, you can find those technical overlaps. You can link them together that way. If they're using the same exploit and they're launching an intrusion against the network, the same way you can track them that way. It's really hard for attackers to ultimately change these ttps. And that's how, as researchers, we can track and make the connections between the sort of the original brand and the rebrand.

B (21:16)

Now, at the time we're recording this threat, intel firm Kela also released a report on this leak. And if you haven't gotten to read it, the report also looks at a blkbasta intrusion. You looked at ncension, they looked at a Brazilian company, and just like you noticed it, they also noticed a gigantic dwell time in that case to like almost a month. Like, I know in your report you said blackbasta sat and Ascension Network for months before triggering their attack. This is what I found to be the most shocking part of the leak. Like, I know the leak also mentions the real name of one of the blackbast admins, but I actually found this the most shocking parts of the leak because the this goes against everything you know about ransomware gangs and all the recent infosec reports that say that ransomware gangs are the fastest in their attacks. From all your CTI experience of looking at ransomware gangs is blockbuster, just lazier than other groups. Do they have just very few affiliates? Do they have too many hacked networks and initial access points to deal with in a timely manner? What's going on here?

A (22:23)

Yeah, good question. I think as a ransomware gang, they are. You have to kind of remember that there's kind of a skill limit to how good ransomware gangs are. A lot of them are reusing tools like Cobalt Strike, Mimi Cats, all this kind of credential harvesting and lateral movement tools that I've even managed to build the ransomware tool matrix. And there's dozens of ransomware gangs all using the same tools. So it's not actually that hard to stop a ransomware attack if you have the right tools in place and controls in place. However, if you're a ransomware game like Backbaster and you want to go after a very big target, then they have to be a little bit more methodical. They have to understand their target a bit better to try and get into the most critical system, such as the domain controller or the hypervisor or something like that, to really impact them and to really be able to hit them where it hurts so that they can't recover, including backups and things, and then stealing enough data as well. It takes time. So if you want to try and get into a really large organization, because then you can maximize your sort of ransom demand, then the adversaries need to kind of be a bit more methodical about it. And if anything, Blackmaster was pretty methodical, right? They had all these custom malware botnets that they're under the control. They had these interesting elaborate social engineering capabilities including vishing and this kind of stuff. And they actually have. They're pretty experienced operators. They've been part of Conti. You know, some of those operators have probably been running ransomware attacks for the last five, six years. So these guys know exactly what they're doing. They know how to do a ransomware attack. They're not amateurs. And that's probably why we see some of these longer dwell times or longer time to ransoms, from sort of reconnaissance to actually running the binary on target systems. Because they know it's worth the wait, right? They know it's worth. If we just methodically go from this endpoint to this one, we steal this data from this server, if we complete all these steps, then our chances of getting a multibillion dollar ransom are pretty high compared to amateurs who may just rdp a few things, move laterally, run ransomware and hope for the best.

B (24:53)

Well, those were some really great insights. Thank you for your time today.

A (24:57)

Thanks very much. Appreciate it.