
Cybercrime Incorporated

BSides SLC · 2024 · 28:20 · 74 views · Published 2024-09

Ready? So we're going to go ahead and get started now, since it's 12, and this will be about a 25 to 30 minute presentation, so go ahead and grab a seat and we'll get started in just a minute.

Okay, so hello folks. Can everybody hear me okay? Excellent. All right, so I'm Vince Kenny. I'm a computer scientist with the FBI. I work here in Salt Lake City for the Salt Lake City division of the FBI, and today I'd like to give maybe less of a technical presentation but more of a story-based presentation about the whole element of cyber crime and organized cyber crime. So feel free to ask any questions during or after the presentation, but let's go ahead and get started.

So just to cover our bases here, the first thing to talk about is the different roles in the federal government when it comes to cyber security. The way I look at it, if you break it down into three large chunks, there is the Department of Homeland Security, there is the Department of Justice, and there is the DoD. The analogy that I'll use, if you compare these three: a cyber event is kind of like a house fire. At the end of the day, DHS, they're like the fire department. The fire department's job is to come in and put the fire out, but more importantly, the fire department sets up fire safety codes and actually tries to prevent the fire from happening to begin with. Now if you think of that fire as, who started the fire, who was the arsonist that was responsible for that fire, well then you call in the police. So the DOJ is kind of like the police. Our job is primarily to go in and investigate that fire and to try and prevent further fires being started by that particular arsonist. And then finally, the final leg of this is the DoD. If you think of that fire as started by a military or a foreign government, then you're going to have the military come in and be involved in trying to stop that fire or stop further fires from that adversary. That's what the DoD does. They are the military arm, so they are that offensive arm that goes after nation states primarily that are causing different types of cyber crime incidents, but they'll also go after some of these high-profile cyber criminal organizations that we'll be talking about.

So the makeup of an FBI Salt Lake City, or just an FBI cyber task force, is a pretty diverse task force. It starts out with a supervisory special agent, and then there are a handful of different special agents. On our squad there are eight different special agents dedicated and specifically working cyber security and cyber crimes. But then there are a number of different other positions. There's a position like the one that I'm in, which is a computer scientist. I'm primarily a technical resource, so I'll do things like malware analysis, data analysis and other different types of technical things. And then we have other different positions: a data analyst, that individual will massage the data; a staff operations specialist, they kind of work in an analyst type of role; and then an intel analyst, their job is to communicate that information throughout the intelligence community. So it's a fairly diversified squad and a fairly diversified series of different skill sets that go into that squad.

The other thing that we have that's very important to us is various different partnerships. Partnerships are really important to the FBI because that's what gives us eyes and ears and also a feedback loop on what's going on. So we have partnerships with various different Utah Department of Public Safety individuals that come and sit on our squad, as well as partnerships with other different local and federal government agencies that work with us.

Now the topic that I'll be talking about is this organized crime, or this cyber crime incorporated component. When I'm really talking about that, I'm talking about cyber criminal efforts. The distinction is, we have two different veins that we'll put cyber activity into. One is the nation state activity; those nation state actors aren't necessarily motivated by anything other than espionage or other different geopolitical reasons. And then you've got the cyber criminal focus, which is individuals that are primarily financially motivated, so they're trying to make a business out of this. I know when I started years ago, when you think of those financially motivated individuals, they were trying to make a quick buck. But throughout this presentation, hopefully I'll show that that has definitely evolved from being a quick buck to now an actual business model essentially, and then also what the FBI is doing to try and disrupt those business models.

So without further ado, I'll go ahead and begin this presentation, just centering around organized crime. Like I mentioned, this is primarily a story-based presentation, just to talk about two different types of organized crime. On the left here you have the Cali cartel. Who here has watched the Narcos series? Yeah, so about 50% of my information came from that Netflix Narcos series, so I'm not an expert on the Cali cartel. But point being said is that if you look back in the 1980s, one of the biggest issues with organized crime was around drugs, and it was around a lot of these foreign individuals, primarily in Colombia and South America, who were causing these drug problems. So for today we're going to actually go ahead and focus on not only the Cali cartel but also compare this to the Conti group. Who's heard of the Conti group before? Okay. They were definitely a big ransomware player, certainly throughout the pandemic, and then they kind of fizzled out throughout the end of it.

So let's go ahead and talk... okay, there we go, sorry, the words just went away for a minute. So let's go ahead and talk briefly about the Cali cartel. Well, they gained a reputation as being the Gentlemen of Cali, and the reason why they were the Gentlemen of Cali is they tried to frame this cocaine business into a business model, meaning that they were hosting various different things, they had a different type of structure that went into it. It wasn't just a street-level type of thing. But that being said, they had to come from somewhere. In fact, these individuals started out their business through high-profile kidnappings, which is very far from a distinguished businessman; that's definitely a much dirtier business to be a part of. So they shifted away from that kidnapping component to the drug business, and they actually took a lot of the money that they got from the kidnapping component of their business and turned that into sort of the seed money to start their drug empire. In particular they had a really strong connection with various different individuals in New York City, so New York City was one of their main hubs of how they were able to facilitate their drug empire.

Now we compare the Conti group. Conti is a very interesting group in the aspect that it really started through various different groups over the past decade or longer. When you think of two major groups that were there before Conti, you think of the group Wizard Spider and Ryuk. Wizard Spider is kind of a larger conglomerate of different individuals that are part of that group that do various different types of crime. Ryuk was a ransomware campaign, and it was more associated with ransomware in general. But Wizard Spider, they started out not through ransomware but through banking trojans. How many people here remember banking trojans? Yeah, this is kind of like a blast from the past. Those aren't quite as common nowadays; they still exist a little bit. But this group started out with banking trojans, and that was their money that they eventually turned into other different forms of businesses. And then Ryuk came along, and that, like I said, was primarily specialized around ransomware. So when Conti eventually came around, they had a few different go-tos that go at different types of business models to try and organize their group.

So now the organized structure. The organized structure for the Cali cartel: well, there was definitely a leadership component. There were a couple of different leaders, in particular the Rodriguez brothers, but also there was the Santacruz family that helped structure that. But throughout that organized structure, what you'll see is that they tried to run that business like a Fortune 500 company. They had different types of buildings that had different types of accounting departments, HR departments, other different types of things, to also try and mix the illegitimate components of the business with legitimate components of the business. So money laundering was a very big component of being able to take the profits from drugs and pour them into some legitimate type of business. When you look at the Conti group, they had a similar organized crime structure in the aspect that they were kind of like a startup. They had a top-level boss, they had various different departments, even departments centered around training, HR, payroll, different types of things. They even acquired different types of property and real estate that people would use on a full-time basis. But that group formed essentially like a criminal business that you might see as a cyber security company here in the United States. There were coders, testers, administrators, reverse engineers, pentesters, lots of different technical people that supported different phases throughout these ransomware campaigns.

Now any group needs a leader, and the leader of the Cali group was an individual named Gilberto Rodriguez, and he gained a reputation as being the chess player, meaning that he had a very strategic role in the Cali group, where he was known not only for his ability to run the business but also for his ability to use things like corruption and influence to further this business and try to make it look at least legitimate, at least in his hometown to some degree. So he was very, very clever, and also he was a lawyer, he had a law degree, so he understood how to actually run a business. So it's very interesting, the leadership in Conti. The Conti leadership was run by an individual code-named Stern. He got that name Stern because he wasn't necessarily known as the most technical individual, but he was known as a very, very strong-handed and taskmaster type of individual. If you got a task from Stern, you had to complete it, and he made sure that those things happened. So he gained a reputation for his organizational management rather than just purely his technical skills.

Now the criminal ecosystem. Another big component of a successful business is good opportunities, or an ecosystem that helps that business flourish. One of the things that led to the Cali group being able to be successful was not only the downfall of Pablo Escobar but also trying to position themselves as an opposite to Pablo Escobar. Pablo Escobar used violence as a very strong means to get what he wanted. He was known as an individual that, if you defied him, he would use a lot of violence against you. The Cali group, they used corruption. That was their big thing. They really tried to use corruption and partnerships to make things move forward. But that criminal ecosystem back in the 1980s really allowed them to flourish this business, because there weren't that many rules, and they were dealing with this separation: the United States was used to combating drug problems here locally in the United States, and it turned out that the drug problems really were stemming from overseas. So go figure: when you're talking about ransomware problems, the FBI and the United States, we're pretty good about going after individuals that are here locally in the United States, but it certainly creates some challenges and hurdles if those individuals are in foreign countries, especially foreign countries that we might not be able to work with so closely.

So one of the things that really led to the success of why Conti was able to do its operations was a major change that happened throughout the world. What happened in 2020 that was a major change? COVID. So COVID essentially was this component that really led to more growth and opportunity for Conti to run wild, and the reason why was individuals were connecting to the internet and had to change their own businesses to be in this remote type of state. Another thing that was important for the growth of Conti was the profit component of that, meaning cryptocurrencies. The rise of using virtual currencies as a medium of trading and also a medium of getting large amounts of money really led to the success of Conti running these big game operations. The big game operations are, they go after a very large target rather than these small one-off, two-off types of approaches. So there were a couple of things that had to really happen for Conti to be successful, and so yeah, we saw a few of these different things happen over the past couple of years.

All right, now getting into the rise and the fall. This is the rise. Like I mentioned, the main thing that the Cali cartel was able to do is they were able to infiltrate various different key sectors. They were able to infiltrate various different political organizations, law enforcement organizations, and generally subvert justice in general in Colombia to be able to run their business. And then they had various different business fronts to try and legitimize their business, or at least give their business a legitimized facelift, so to speak. The thing with the Conti group is that they were really known for big game hunting. So they changed this ransomware component; that changed from 2014 to 2020, and then 2020 and moving forward, this big game hunting really was, we're going to go after large targets that might be more challenging to infiltrate and might require more sophistication, but the reward out of this is to receive a much larger amount of money from the extortion campaign. They also pioneered this double and triple extortion. Double and triple extortion would be: a ransomware campaign has happened, the individual refuses to pay the ransom because they've got a backup or they just don't want to pay it, they will then extort them further by stating that we've stolen your data and we're going to release it if you don't pay this ransom, and then they'd go even further by contacting customers of that particular group and harassing those customers, saying that we have obtained this sensitive data from this group and they're not doing anything about this, they're leaving you behind.

Now when we think of the disruption component of it, one of the strongest disruption components that goes into these is obviously arresting or actually putting charges on the individuals. But another component that caused a lot of heartburn for the Cali group was seizures. Seizures of the drugs, the product, and seizures of money. Seizures is actually something that we have started to incorporate a lot more in our ransomware cases, trying to not only go after the individuals but go after their stuff, essentially. If we can't really find a pain point with them by arresting them, maybe we can find a pain point by taking their money, by seizing their infrastructure. Now Conti, they had a few big incidents. That big game hunting puts them in a much riskier place. So they had two very interesting incidents that happened, one on May 21st that targeted the Irish Health Service Executive, and then the other one that happened to the Costa Rican government. These instances actually elevated their status from being just a criminal threat to being a matter of national security. So that was one of the mistakes that they made: they basically got too greedy and went after too big of targets, so that they started to move up on this radar. It's almost somewhat comparable to back in the 1980s, when some of these drug kings and cartels started working with communist countries to facilitate their drugs, and the communist countries split the profits. That almost made it move from being, hey, these are drug dealers and this is a drug organization, to, these individuals are working with communist countries and this has moved into a matter of national security. So the US government therefore put a reward on their head of 10 million.

Now we're leading to the downfall. This is an interesting component of the Cali cartel that also was shared with the Conti group, where the Cali cartel had a whistleblower that basically caused the whole cartel to crumble from within. Jorge Salcedo was an engineer and a high-level individual within that Cali cartel, and he grew disillusioned with the cartel. He felt like he was making money but he wasn't receiving some other different forms of security and other things that he wanted with that group, so he decided to pivot and actually work with the federal government, and that led to a major disruption of the Cali cartel. Another thing that happened with the Conti group was the leaks of a whole bunch of different chats. I remember when this came out, there was a leak of hundreds of different types of chat pages of how this Conti group was organized and how they worked, and this was a really interesting thing to read through, because you literally were reading through daily standups, you were literally reading through progress reports, you were reading through all these different business components that gave away lots and lots of information, especially different financial information: where they eventually stored money, where they eventually spent money on different types of infrastructure. So that was a huge blow to the Conti group, the release of a bunch of their chat information about their business by an affiliate who was disgruntled with this group.

And then finally, the fall. Obviously with the rise and now the fall, the arrest of Gilberto Rodriguez and other different leaders of the Cali group led to that fall that started to really dissipate the influence that the Cali cartel had in that drug organization. And the fall of Conti: well, one of the things, like I said, even though there were no arrests that were made for the Conti group, one of the things that caused them to fall was actually the allegiance that they pledged to the Russian government during that period of time when Russia initially invaded Ukraine, and is still in Ukraine obviously. So one of the things that elevated it was, it elevated it from being just this organized crime group to someone who was supporting the Russian government, and that was when all hell sort of broke loose for them, so to speak. They had to backtrack that statement, but at the end of the day that really caused their operation to fall apart completely. So like I said, there was just this general series of different missteps that they had. They ran a fairly long campaign, but throughout that whole process we were able to poke holes and disrupt various different things. There were many cryptocurrency seizures that happened, various different takedowns of different types of infrastructure, and so that eventually led to Conti shutting down, at least that particular campaign, in May of 2022.

So throughout all this, and the conclusion to this: well, there are a lot of similarities that went into the Cali cartel and the Conti group. At the end of the day it's organized crime, it's just a different vector of organized crime. I think one of the differences, when I look at something like ransomware versus cocaine and drugs, is that Cali's product, at the end of the day, they had these willing victims, even though they were being victimized by consuming these products, these willing victims to take those products, whereas Conti's group, they were repulsed by that product. No company obviously wants to receive ransomware, and so as a result I feel like there is some component where there are aspects of the FBI going out and talking with different companies, going out and talking to different individuals, to try and move these things forward. And the second reason is because of many of you, the security engineering group. As far as when I'm talking about the Conti group, I can't emphasize how incredibly valuable it is to work with various different security companies on some of these ransomware campaigns and combating some of these cyber organized crime efforts. So the thing that I really want to emphasize is that's maybe one of the biggest differences when you look at law enforcement in the 1980s versus law enforcement today, especially comparing drugs to cyber crime. In the 1980s it was very much limited to the federal government and the military working together to help take down groups like this Cali cartel. Today, if you look at that chart and you see that there is the DHS, the DOJ and the DoD, well, there's actually a secret fourth leg in there, and that is the private sector. Like I said, I can't tell you how useful it's been to work with private sector companies that have different ideas and capabilities to be able to use and wield to take some of these groups down. So thank you very much. That is the conclusion of this presentation. Are there any questions from here? Yeah, go ahead.

Yeah, alphabet soup. Yeah, so I kind of look at it like I said in that initial analogy. I look at it as there is this kind of chronic problem, and different government agencies have different big sticks, essentially. It's sort of like, the big stick for the FBI is we're like the police; we'll go after and try to arrest and use criminal prosecution on that. So it kind of depends what type of situation you're dealing with. If you're dealing with a victim where their number one issue is they just want to mitigate this issue and they want to try and resolve it, it might be a situation where working with DHS might provide that, as far as they provide sort of incident response types of services. As far as the overlapping component of the federal government in cyber security, sure, the federal government is huge; there are some inefficiencies that go on with it. But I do think that we really try to have this mindset of trying to leverage other different federal agencies and use their strengths to move certain things forward. So it's less, you know, maybe 10 or 20 years ago when cyber crime was a brand new thing, it maybe was a little bit of a who's going to help work this. Now the rules have been more defined, so that if you do have a ransomware attack and you contact the FBI, we come in and we know how to facilitate stuff that will help us, but we also know how to facilitate stuff that might help CISA or might help Secret Service or might help other government agencies, because we work with them a lot. Thank you. Go ahead.

Yeah, it's a good question. At the end of the day, I think one of the things that has changed a little bit from 2020 to now is this aspect that they might not do as many of these big game hunting components of it. So in short, to answer your question, do you think those groups have gone away? No, they're still out there, but it's similar in nature to these large drug organizations that were very hierarchical; they became very distributed to some degree. That's really the push that we're making, is to make it less of a hierarchical type of organization where the barrier of entry is very easy, meaning that there's a couple of leaders who are able to pull in low-level individuals, to pushing back on that so that it's very difficult to make this hierarchical type of organization. So it's still a persistent problem, but obviously we're pushing more to make it so that the barrier of entry to get into ransomware is more and more difficult. Go ahead.

Yeah, so when I think about private sector engagement and private sector work, when you're an FBI office that's working a ransomware event, essentially I think probably one of the strongest things that we get from the private sector is more or less feedback from various different victims, and how victims are either mitigating it or how victims are being compromised. One of the challenges we have with ransomware is there's a pretty low victim reporting. We might have a ransomware variant that has, you know, 2,000 victims, but only 200 of them have actually reported it. So there is that component. But I also feel like I know a lot of security researchers who have developed clever and interesting solutions to try and target various different types of infrastructure. For example, some ransomware groups like to use their extortion means, or rather their means of sharing extorted data, through the BitTorrent network. I've worked with security researchers that are like, hey, BitTorrent isn't anonymized, you can see things if you dig a little bit further. So things like that, just tips that can assist law enforcement with that disruption element, because that's our big stick: we can actually shut these individuals down, shut their infrastructure down, seize their cryptocurrencies, things like that. Security researchers might be just limited to the observational component of it.

Any other questions? Time? Okay, thank you all so much. If you have any questions, feel free to come up and talk to me afterwards.