
Absolutely loved that, so that's going to be a tough act to follow. I did not bring my ukulele, I'm really sorry, but I'll see what I can do to keep you guys awake as well. I wanted to start out with a brief introduction of myself. I know this conference tends to attract a lot of students, and I know when I was a student it was very instructive to know what other people's career paths were, what took them where they ended up going. So I started my career as an intelligence analyst. I am an intel analyst by trade. Straight out of undergrad I went into CIA, where I was an analyst looking at Russian space and then cyber threats, military space and cyber threats. I was at CIA for 12 years, which was great, and then I hopped over to IBM, where I also did intelligence analysis for four years, and then for the past year at IBM I've been working in the X-Force Cyber Range, where we put organizations through cyber crisis simulations and help them test how they would respond to a cyber attack in the critical moment. And if you'll indulge me for just one moment, just for a minute and a half, I wanted to let my good friend Allison Ritter give you a quick tour of the cyber range in Cambridge, Massachusetts.

This is the IBM Security Command Center. My name is Allison Ritter and I'm the Command Center's creative director. We are an elite team that helps prepare our clients to perform at their best, even on their worst possible day. Our Command Center is a state-of-the-art security operations center that uses the latest threat intelligence to simulate cyber attacks for clients based on their industry and needs. The simulation is an immersive experience that is built to test their response to a cyber incident. [inaudible] On the day of the experience, clients come in and are oriented to the Command Center. Almost immediately after, the simulated breach begins. [inaudible] The goal is to understand how the entire organization works together.

Sorry, buffering problems. If we don't get all the way through
that's okay. I think she still gave you a good taste. So that's the Command Center. If that looks at all cool and interesting to you, feel free to get in touch with me and I'm happy to chat about it. But what I'm really here to talk about today is kind of a side project that I have been working on that looks at how ransomware groups are rebranding.

In 2021, law enforcement worldwide accelerated its focus on ransomware threat actors. This renewed emphasis was likely spurred by cyber attacks on critical infrastructure and supply chain providers, such as the Colonial Pipeline ransomware attack in May 2021 and the attack on Kaseya in September 2021. As a result of this focus, law enforcement teams worldwide conducted a number of arrests: they arrested six members of the Clop gang in June 2021, two operators connected to REvil in October 2021, a group associated with LockerGoga and MegaCortex in October 2021, and then in January 2022 the Russian Federal Security Service itself, which is known for going easy on ransomware actors, arrested 14 operators associated with the REvil ransomware group. Facing this increased law enforcement activity, ransomware groups have been rebranding at an accelerated rate. Rebranding is when a ransomware gang changes the name of their group, the malware they use in ransomware attacks, and sometimes their infrastructure, in an attempt to remake themselves and hide from law enforcement operations. According to the 2022 X-Force Threat Intelligence Index, the current average lifespan of a ransomware group is 17 months, after which it is likely to shut down, rebrand itself, or potentially shut down altogether. Of course, law enforcement evasion is not the only reason that ransomware groups rebrand. Disagreements and factions within groups can lead to rebranding or splinters. Advances in malware attack techniques or public relations strategies might also prompt ransomware groups to rebrand and recreate their image with improved capabilities.
But whatever the reason behind a rebrand, the implications of this trend are clear: the ransomware groups are not going away, and the individuals behind this activity are likely to continue their trade, even if under a different name. Thus, tracking and understanding ransomware rebrands can help threat researchers, law enforcement, and potential ransomware victims better understand cyber criminal groups' tactics, techniques, and procedures, including procedures that are enduring or procedures that are in flux; anticipate ransom negotiation tactics; and even unravel the rebranding labyrinth to reveal the individuals behind it, including for law enforcement action. Because ransomware groups are for the most part rebranding to evade law enforcement and mask their true identity, the rebranding process is by definition opaque, unclear, and usually debatable. These are not legitimate businesses releasing clear press statements that Company A will now be known as Company B with a new logo. Rather, these are cyber criminal groups attempting to stay under the radar and confuse outside observers. Thus, the art of tracking ransomware rebrands is tedious and often uncertain, and confidence in the reality of a rebrand varies from group to group and also tends to vary over time as more information is made available. As analysts collect additional evidence of a rebrand between groups over time, confidence in that rebrand may change. In addition, it is possible that security researchers or the press could become unwitting accomplices in rebranding. They can contribute to confusion by publicly declaring a rebrand when one has not truly occurred, or by mistakenly misattributing a new ransomware group as a rebrand of one to which it has no strong relation. This is a natural side effect of investigating a necessarily opaque maze of relationships. The more security researchers are aware of this tendency, the more likely it is that caution will prevail in researching and declaring rebrands and
relationships. Here on this slide is a snippet of a press article about a Babuk rebrand to PayloadBin, a rebrand that never actually happened, but which the ransomware group wanted researchers and the public to think had happened. So this is one example of how we can be unwitting accomplices in this, and we're going to talk more about Babuk and PayloadBin in a minute.

To illustrate the complicated nature of rebranding, I'm going to walk you through three case studies, three stories of actual ransomware rebrands that we're aware of, including the messy and unclear details that reveal how these rebranding operations unfold and what they entail. For some of these rebranding sagas the story is not over, and we will probably see more to come, and their relationship to other groups is likely to evolve over time.

One example of this complicated nature is the relationship between Maze, Sekhmet, and Egregor. The Maze ransomware group began operations in May 2019, establishing a strong business model that other groups would follow by creating a public name-and-shame website and, in a ransomware-as-a-service model, contracting out to affiliates the task of infiltrating victims. Maze realized a precedent-setting level of success in its attacks, and then on November 1st, 2020, Maze announced that it was going to shut down, apparently in its prime, abruptly ending their campaign. Before Maze even shut down, however, the Egregor ransomware gang began operations in September 2020, and as security researchers began to compare the two strains, many were coming to the conclusion that Egregor was Maze's follow-on. Yet if one looks closely at the code in Maze and Egregor ransomware, the similarities are not as strong as in other rebrands. I have here a snippet of the research that I've done comparing these groups, some of the structured research that I've been doing. So if anything, Egregor appeared to attract many Maze affiliates rather than
bear resemblance to Maze's tactics, techniques, their code, and their style. But a ransomware strain to which Egregor did bear strong resemblance was Sekhmet. Sekhmet began operations in March 2020, four months after Maze, but maintained a lower profile and lower attack tempo when compared to Maze. While there are some code similarities between Maze and Sekhmet and between Maze and Egregor, the code similarities between Sekhmet and Egregor are even more uncanny, suggesting that the same developers were behind both strains. On February 8, 2022, the decryption keys for Maze, Egregor, and Sekhmet were released together on a BleepingComputer forum, suggesting a strong connection between all three groups. Recorded Future analyst Allan Liska has noted that Maze, Egregor, and Sekhmet were always tied together, each seen as a successor of the other. And then a flurry of arrests in February 2021 probably led to the demise of all three groups. Egregor officially announced it was shutting down that same month. Sekhmet never made an announcement, but it has kind of disappeared. And then of course there's the more recent decryption key release in February of this year, which really probably dealt the final blow. Some researchers track a separate rebrand from Maze to Sekhmet and from Maze to Egregor, while others argue that Maze rebranded to Sekhmet and Sekhmet rebranded to Egregor. In any case, the precise order of the rebrand is unclear, but a strong connection between all three groups is fairly apparent.

A second example is DarkSide to BlackMatter to BlackCat. The DarkSide ransomware group is probably most famous for its attack on Colonial Pipeline in May 2021. Intense law enforcement interest in this group following the attack, and ostensibly law enforcement activity culminating in the seizure of 2.3 million in Bitcoin from a DarkSide address, led to the disappearance of this group that same month, May 2021, after less than a year in operation. Two months later, a new group named BlackMatter
emerged. Similarities in encryption algorithms used by both DarkSide and BlackMatter, including a custom Salsa20 matrix used by DarkSide, led security researchers early on to conclude that BlackMatter was a rebrand of DarkSide. In a subsequent interview with the BlackMatter representative, however, the representative stated, "We are familiar with the DarkSide team from working together in the past, but we are not them, although we are intimate with their ideas." Intelligence analysts' confidence level on a rebrand from DarkSide to BlackMatter has evolved over time in light of new and changing information. However, at this time, and I'm showing some of my research here again, it appears that the similarities in ransomware code and encryption, ransom notes, leak sites, and TTPs between the two groups support a high-confidence assessment of a rebrand, despite denials from the group. Not that we can trust everything a cyber criminal says, but that data point, the evidence, goes against it. BlackMatter was also a short-lived ransomware group, however; they shut down in November 2021, again reportedly due to pressure from law enforcement. Since then, a new ransomware group named ALPHV, or BlackCat, appears to be a rebrand from BlackMatter, based on similarities in TTPs between the two groups, a forum post by a ransomware criminal announcing the rebrand (so this might be a case where we can trust what they might be saying, just because it's backed by other evidence), and a public interview in which a BlackCat representative reinforced suspicions that the group was a rebrand from BlackMatter. ALPHV BlackCat first appeared in November 2021, and FIN7, a group that X-Force Threat Intelligence tracks as ITG14, appears to be behind all three organizations, based on our research as well as the research of other security organizations.

A third example is BitPaymer and its rebrands. BitPaymer began operations in June 2017,
the initiative of ITG19 (that's how we track it; it's known by other groups as TA505, or even more commonly as Evil Corp). This is a cyber criminal group that has existed since at least 2017, and in December 2019 the U.S. Department of the Treasury placed sanctions on this group, making it illegal for any U.S. victims to pay a ransom for BitPaymer ransomware attacks. Obviously this created complications for the group and their business model, and in response they rebranded. For this group in particular, though, because of the sanctions, it is even more imperative that the actors behind this ransomware activity hide their true identity when compared to others, so that they get paid. Thus the group's rebranding tempo has kept a fast pace and has been combined with occasional masquerading as other, non-sanctioned ransomware groups. There are two potential splinters of BitPaymer rebranding: one to DoppelPaymer in June 2019 and one to WastedLocker in May 2020. BitPaymer and DoppelPaymer share significant overlaps in code, and the payment portals between the two groups also share similarities. However, it is still not fully clear whether the same threat actor group is behind BitPaymer and DoppelPaymer, as well as its follow-on, Grief. Similarly, the research community is divided on the WastedLocker line of BitPaymer rebranding. Code analysis between ransomware strains suggests that WastedLocker, which emerged in May 2020, two months after BitPaymer shut down, evolved from BitPaymer. In addition, there's significant code and technique overlap between WastedLocker and Hades, which emerged in January 2021; Phoenix Locker, which emerged in April 2021; PayloadBin, which emerged in July 2021; and Macaw Locker, which emerged in October 2021. So obviously this group rebrands quite frequently, as the groups behind these ransomware strains consistently evolve their TTPs and evasion techniques to circumvent law enforcement and sanctions. However, following this trail can be relatively
difficult. Add to this the fact that the cyber criminal group Evil Corp has frequently attempted to masquerade as other types of ransomware. In mid-2021 the group pretended that its new PayloadBin ransomware was actually a follow-on to Babuk ransomware, confusing researchers and victims as to the ransomware lineage of PayloadBin, if you remember that press snippet that I had earlier in the presentation. And then in December 2021 the group pretended to be REvil, a notorious and widespread ransomware group, and actually the one that X-Force Incident Response saw most frequently as we were helping clients recover from ransomware attacks. And then in its latest plot twist, Evil Corp as of mid-2022 began operating as one of many affiliates distributing LockBit ransomware, attempting to hide in the noise of non-sanctioned activity in order to evade sanctions, and also has been found behind Raspberry Robin attacks, which act as a precursor for ransomware. As more research on this group's evasion techniques unfolds, confidence levels and understanding of these rebranding relationships are likely to evolve as well.

To wrap this all together, I'd like to address again why this even matters: how is knowing this stuff even helpful for the world? From a defense perspective, rebranding knowledge can inform incident response teams and can enable more effective, efficient response. If an organization is affected by a ransomware attack, knowing the past tactics, techniques, and procedures used by the same actors provides an edge in defensive operations and in reconstitution. At the same time, from a research perspective, rebranding data can help with possible attribution of malicious activity. Long-term monitoring of ransomware actors across multiple rebrandings can give insight into their preferred targets, end goals, and operational objectives. This information in turn can enable more effective defense resource allocation and potential identification of the actors as well. Despite engaging in rebranding,
ransomware actors maintain certain levels of institutional knowledge and habits, which is one reason why actors can quickly ramp up operations after a rebrand. However, these habits can also be used by savvy cyber security researchers and practitioners to identify and mitigate ransomware activity, and data on rebranding enables easier identification of these trends as well. So unraveling the labyrinth of ransomware group rebrands is fraught with difficulties, but it does have many credible benefits as well, especially if understanding a rebrand can help you identify the individuals behind the activity and lead to actual law enforcement activity that stops the actions of that actor and also sends a message to others that there is increased risk associated with ransomware activity.

If any of this seems interesting to you, if you'd like to become involved, let me know. I definitely see this as something that not one person, not one organization can do alone, but we as a security community need to be working together to track rebrands. So if you're a student looking for a capstone project and this seems interesting to you, let me know; I'd be happy to share some of what I've done already and you can build on that. If you're a security researcher or an intelligence analyst interested in joining as well, let me know. I think it's important that we work together. The ransomware actors are working together; we need to work together as well to combat this threat. With that, I wanted to end there. I think we have about five minutes left if you have any questions about ransomware rebrands or anything else that I have brought up so far.

So you mentioned that some of the groups were taking credit for attacks or trying to pretend to be other groups. What would be the motivation behind that, other than law enforcement evasion?

Yeah, well, Evil Corp likes to do that in particular, and that's because they are sanctioned, and so if people know that it's Evil Corp
behind the activity, they will know it's illegal to pay them a ransom, whereas if they can convincingly portray themselves as another threat group like REvil (REvil is not sanctioned; many U.S. victims have paid the ransom), then they would probably have confidence that they would get money for that. So it helps their business model to stay a step ahead of people.

So I don't know if you've seen before, when people do forensics on blockchain payments, they can actually track Bitcoin wallets and see and correlate those to businesses and other things, which, have you ever seen,

Awesome research that needs to continue, yeah.

So I'm wondering if you've ever seen that correlated to this topic, where you can connect ransomware actors to themselves and their rebranding just by tracking their Bitcoin activity.

Yeah. So, admittedly, I'm not a cryptocurrency tracker, but I have colleagues who work in that area, and I know that they definitely track rebrands very closely. I mean, they want to identify wallets that belong to specific ransomware actors, right, ransomware groups, and as those groups change they're going to want to find the new wallets as well. The truth is we don't know every wallet for every ransomware actor out there, and even if we do, that doesn't mean that we can stop the payments going through, but the more we know the better. So yeah, I know this research is very pertinent to them as well, and they're wanting to keep up with rebrands and do it accurately also. And when you can track money going to one specific individual, that helps as well, and I know law enforcement is interested in, you know, one individual, how much money have they specifically stolen, because that helps in prosecuting.

So my question for you is kind of in regard to the Medibank hack in Australia. When those ransomware actors hit, do you view that, more governments taking offensive action like the Australian government did, as the key to
solving this ransomware issue? Yeah, the ransomware problem is trick