BlackBasta Ransomware Takes the Baton from Conti

Photo credit: www.darkreading.com

The landscape of Russian-language ransomware is not particularly vast, but a recent analysis reveals a troubling trend: members of various ransomware groups are collaborating closely, sharing strategies, botnets, and malware. This cooperation is increasingly evident among the groups and extends to interactions with Russian state actors. Notably, a new ransomware group, BlackBasta, has recently made headlines.

Following the significant law enforcement operations against Conti in 2022, the Russian-language ransomware ecosystem underwent considerable upheaval. This disruption was exacerbated by the August 2023 intervention that dismantled Qakbot botnets, which had been a primary means for these groups to spread ransomware. Dubbed “Operation Duck Hunt,” this crackdown succeeded in wiping Qakbot malware from over 700,000 compromised devices. However, the relief was short-lived as analysts began detecting the botnet resurfacing in cyberattacks just months later.

By January, BlackBasta had already adapted, employing a competitor’s tool known as Pikabot, in collaboration with a growing threat group named Water Curupira, which also utilized Pikabot to launch BlackBasta ransomware attacks.

In response to these challenges, BlackBasta broadened its methods, turning to phishing, vishing, and social engineering while also buying network access from initial access brokers. By the following August, the group had begun deploying its own custom malware, Cogscan, designed to map victim networks and identify high-value targets, along with a .NET-based tool called Knotrock, used for executing the ransomware.

Effectiveness of Law Enforcement Actions Against Ransomware

Yelisey Bohuslavskiy, a cybersecurity analyst at RedSense, has provided an insightful report on the evolution of BlackBasta’s strategies. He posits that adversity stemming from law enforcement actions has propelled the group to the forefront of Russian-language ransomware operations. Bohuslavskiy expresses concern that BlackBasta may be striving to form a more intimate partnership with the Russian state. He cites alarming cyberattacks on the healthcare sector this year as a harbinger of what may lie ahead.

Bohuslavskiy comments, “The spike in high-profile attacks targeting healthcare is unprecedented, and I’m worried about a potential link between BlackBasta and the Russian state actor Nobelium, especially in light of their use of MS Teams and other tools. While this connection remains speculative, increased collaboration between ransomware groups and the Russian government could severely worsen the cyber threat landscape.”

He anticipates that BlackBasta will hone its attack techniques, particularly in social engineering to compromise user credentials. “Organizations should bolster defenses against social engineering, particularly targeting Cisco, Fortinet, and Citrix credentials, as well as monitoring open repositories like GitHub, which have become hunting grounds for these actors,” he advises.

While this development is concerning for businesses, Bohuslavskiy notes that social engineering tactics are generally less efficient for disseminating ransomware compared to botnet strategies.

He concludes, “It’s crucial to recognize that law enforcement actions are effective. The shift from botnet reliance to social engineering techniques indicates a gradual transformation in operations, even for groups traditionally dependent on botnets.”

Referring to past attempts by Conti to implement social engineering via call centers as a failed experiment, he suggests that as organizations adapt, ransomware groups may redirect their focus back to developing robust botnets since this method is more effective.

The Complexity of Ransomware Coordination

Ed Dubrovsky, a ransomware negotiator and COO at Cypfer, challenges the notion of straightforward coordination between ransomware groups and the Russian state. Instead, he highlights the decentralized nature of these Ransomware as a Service (RaaS) operations, where individual hackers operate within a loose organizational framework.

According to Dubrovsky, once authorities disrupt a group, the talent quickly migrates to other operations, complicating any assertions of coordinated efforts with state actors. “We often categorize these entities under a single label, like BlackBasta, yet they are more comparable to a service provider reliant on affiliates to execute cyberattacks. To imply cooperation with state entities based on brand association is misleading—for instance, suggesting that McDonald’s collaborates with the government simply because they operate in Russia,” he states.

He believes that the movement of individuals within the ransomware ecosystem is often driven by potential financial gain rather than allegiance to any specific group or compliance with law enforcement pressures.

Ngoc Bui, a cyber expert at Menlo Security, adds another layer of complexity by making a distinction between “Russian-speaking” and “Russian” hackers involved in these operations. “While many discussions in the illicit cyber communities are conducted in the Russian language, it doesn’t necessarily signify that all participants hail from Russia. Recognizing this difference is crucial when assessing the potential for collaboration between various groups,” she notes.

Bui contends there exists a “golden rule” among these cyber operatives: as long as their attacks do not target Russia or its allies, they are often allowed to operate freely, creating a relatively safe haven for cybercriminals in Russia.

Dubrovsky underscores the necessity for cybersecurity professionals to concentrate on reinforcing defenses against resourceful and increasingly skilled Russian-speaking ransomware adversaries. He observes that the cyber threat landscape has been expanding since 2013, and he firmly believes that predictions of further deterioration, as noted by Bohuslavskiy, are practically inevitable.

He concludes, “It’s reasonable to expect a surge in ransomware activity, bolstered by the significant resources at the disposal of these actors and, in many cases, state influence. While the direct correlation of tactics to specific groups remains uncertain, the pressing question is how to enhance defenses against adversaries equipped with greater capabilities to inflict damage.”

Source
www.darkreading.com
