Breaking Badness

157. They Ransomware

Coming up this week on Breaking Badness: Updates on the most prolific ransomware families, and Gold, Guidance, and Grievances.

In this week’s episode of Breaking Badness, we are focusing on our updated Ransomware Report!

  • A few years ago, we provided a report on the most prolific ransomware families, and as you know, things have changed since then
  • Our updated blog post catches readers up on what’s been going on since that time
  • Something that’s changed a lot in 4-5 years is the affiliate model these groups have adopted, which has made them harder to classify
  • These families have had a multi-pronged approach: they try to persuade you to pay to get that data back, but now you’re seeing a second stage of “Name and Blame” where they will list your company as a victim. That’s probably the clearest way to see what’s happening and to whom
  • A name brand like Conti helps a lot – the name strikes fear and people will want to pay
    • But you start going after larger and larger targets, like the Colonial Pipeline attack, and now you have not just companies interested, but nations
    • You have very large, powerful nations asking what’s going on here – so you get unwanted attention when you have too much of a brand
    • Rebranding is a way to say we’re doing well, but there’s too much attention on us, so we’ll regroup under a different name and maybe bring some new people in. There’s sort of an evolution to it
    • REvil needed to rebrand because the concern was that it would become illegal for victims to pay
  • External forces have changed the landscape – but what are these external forces?
    • The nexus of the groups in this report is Russian-affiliated or Russian-speaking, so the external force is the Russia/Ukraine war
    • Up until the invasion, they had been working together, but the invasion changed everything. There were divisions and discord. It was a notable ripple, not just across Ukraine as a country, but within these cybercrime groups
    • The Conti leaks episode was also an important event. This was just after the Russian invasion of Ukraine. Conti was typically very business-centric and didn’t take political stands, but someone posted a statement supporting Russia in attacks on the West, so that they would not take action in support of Ukraine. That blog post lasted hours; they realized the statement was not in their best business interest and walked it back. A member or researcher privy to their structure then started dumping a whole host of IOCs (Indicators of Compromise) around Conti, which was a boon for researchers. It gave unparalleled insight into this organization and how it operates – so that was probably the nail in the coffin for Conti
    • Even after these leaks, Conti still had one last hurrah: their attacks on Costa Rica in 2022. People wonder whether those were already in the works before the group disappeared, but those leaks caused the organization to self-implode
  • What makes LockBit so prominent?
    • It’s like any business: you’re looking to reinvest in your business, and the returns these groups get are substantial. There are different versions of LockBit, and they continue to innovate and provide iterations for their customers. Their ability to attract affiliates with strong technical chops allows them to thrive. These groups tend to be responsive to market forces and change tactics very quickly, because it’s how they make money
  • Victimology
    • We hear about the common ones – healthcare tends to be the first one thought of, maybe because it is so hideous from a human perspective, but that’s just what the data shows at the top. What’s changed since our last study?
      • The groups themselves are specializing in different areas where they feel they have an in
      • You may have an affiliate that feels they have a knack for attacking a certain industry, and they might find a particular tactic works there too
      • Healthcare and education have highly motivated individuals to get things back up and running so they might be more likely to pay, even though the payments might be smaller
      • It’s one thing for a private company to say we are losing X dollars per day, but if you are a hospital and you have patients who can’t get a surgery or medicine needed, you are talking about literal lives
    • Shifting gears, other ransomware groups have seen success elsewhere
      • BlackBasta found their niche in construction, and it includes very large companies. LockBit and BlackCat have large affiliates working for them, so their range of targets is broader
  • What’s most worrying?
    • We can keep talking about critical infrastructure and healthcare, but when we have to worry not just about ourselves but about the institutions that support the broader public good, we have to worry about whether we can go to the hospital or whether our local government can operate
    • Three or four years ago there were groups who said they wouldn’t attack hospitals. There was a group statement about it, and part of it might have been about avoiding the PR fallout, but in the last 12 months it seems like that line has been erased and the number of attacks in healthcare has grown significantly. Clop has grown largely because of that. You see a more aggressive stance in attacking these organizations, and it’s concerning. Being nonprofits, they don’t have the budget to pay these funds
    • The Verizon DBIR report pointed to the rise of vulnerabilities exploited in supply chain attacks: it’s not just phishing or spearphishing, attackers are getting in through other holes in the things I need to keep my business running. As we improve the security on our endpoints, these vulnerabilities are creeping up and causing issues
  • What can legit organizations learn from these groups?
    • If there’s a silver lining, maybe there are takeaways to make legit businesses better
    • Doing things because that’s the way we’ve always done them is something to take a close look at because these groups only do what works and we can take a lesson from that. They wouldn’t be in business if these tactics didn’t work
    • Criminals don’t feel constrained by “that’s the way we’ve always done it.” If you think about innovation in business, what we’re seeing is cybercrime groups innovating efficiently. They don’t care about laws or regulations. From our perspective, if we know they’re running the classic startup playbook, that tells us where the avenues for attack are and how we can look at these groups and their affiliations

This Week’s Hoodie/Goodie Scale

[Sean]: 8/10 Hoodies
[Sasha]: 8/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!