Ride the Lightning

Ransomware Gangs Playing Hide and Seek with Name Changes

August 5, 2021

KrebsonSecurity carried a post on August 5 called “Ransomware Gangs and the Name Game Distraction.” Good post and it illuminates the whack-a-mole game that is driving law enforcement and governments crazy.

Every so often, we hear that a ransomware gang has had its bitcoin confiscated, servers shut down – or the entire gang “retiring.” Sadly, ransomware gangs do not really retire – they reinvent themselves with a new name instead.

With luck, this impedes any ongoing investigations or turns attention in another direction. Krebs calls this maneuver an “organizational reboot.” It gives the leaders of the gangs a chance to establish new ground rules for their members like identifying entities which must not be attacked (e.g., hospitals, governments and critical infrastructure). They may set ransom payments or the amount they will pay for access to a new victim.

The post contains a nice graphic to illustrate some of the more notable ransom gang reinventions over the past five years.

You may recall DarkSide, the gang that got a $5 million ransom from Colonial Pipeline earlier this year, and then had much of it clawed back in an operation by the U.S. Department of Justice.

After admitting that someone had also seized their internet servers, DarkSide announced it was closing shop. A little more than a month later, a new ransomware affiliate program called BlackMatter emerged, and experts quickly determined BlackMatter was using the same unique encryption methods that DarkSide had used in their attacks. So much for retirement!

DarkSide’s “retirement” roughly coincided with that of REvil, a long-running ransomware group that claims to have extorted more than $100 million from victims. As you may recall, REvil’s last big victim was Kaseya, a Miami-based company whose products help system administrators manage large networks remotely. That attack allowed REvil to deploy ransomware to as many as 1,500 organizations that used Kaseya.

REvil asked for an astronomical $70 million to release a universal decryptor for all victims of the Kaseya attack. Days later, President Biden reportedly told Russian President Vladimir Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

Did that have an impact? We don’t know. But four days later, REvil’s victim shaming blog vanished from the dark web. Mark Arena, CEO of cyber threat intelligence firm Intel 471, said it remains unclear whether BlackMatter is the REvil crew operating under a new banner, or if it is simply the reincarnation of DarkSide.

REvil is widely considered a reboot of GandCrab, a prolific ransomware gang that boasted of extorting more than $2 billion over 12 months before abruptly closing up shop in June 2019. “We are living proof that you can do evil and get off scot-free,” GandCrab bragged. Charming folks, eh?

As you might imagine, rebranding is a useful way to avoid sanctions. Another ransomware family tied to Evil Corp. and the Dridex gang is WastedLocker, which is the latest name of a ransomware strain that has rebranded several times since 2019. That was when the Justice Department put a $5 million bounty out on Evil Corp., and the Treasury Department’s Office of Foreign Asset Control (OFAC) announced it was prepared to impose hefty fines on anyone who paid a ransom to the cybercrime group.

Experts point out that many cybercriminals involved in ransomware activity are affiliates of more than one distinct ransomware-as-a-service operation. Commonly, many affiliates move to competing ransomware groups when their existing sponsor is shut down.

As Krebs notes, all of this suggests that the success of any strategy for combating ransomware depends on the ability to disrupt or apprehend a relatively small number of cybercriminals who seem to wear many disguises.

That may be why the Biden Administration said last month it was offering a $10 million reward for information that leads to the arrest of the gangs behind the extortion schemes, and for new approaches that make it easier to trace and block cryptocurrency payments.

Truly, in the current landscape, we all need a band of heroes to emerge and counter the scourge of ransomware.

Notice: We will be transferring our blogs to a new platform shortly which will be hosted on our website. The new URL for accessing the blog will be https://senseient.com/ride-the-lightning/ Users currently subscribed via email delivery should not be impacted. Those users subscribed via RSS feed will need to resubscribe from the blog once it is relocated to the website.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson