Cyber sleuths reveal how they infiltrate the biggest ransomware gangs

When AlphV/BlackCat's website went dark this month, it was like Chrimbo came early for cybersecurity defenders, some of whom seemingly believed law enforcement had busted one of the most menacing cyber criminal crews. The excitement lasted just five days, though, and its website is now back online, albeit in worse shape than …

  1. DS999 Silver badge

    "Proving themselves"

    Maybe the researchers should partner with industry and set up some honeypot corporations. If there's a web site and a whole (apparent) infrastructure underneath, then the researcher could compromise that, and his fellow hackers, if they were checking up on his work, would believe he had just compromised a legitimate company. Set them up now and leave them dormant for a few years so you can use them when they are needed (and they will show up in the Wayback Machine if someone checks).

    You wouldn't need "real" infrastructure - have it look like a company that's gone all-in on the cloud. It could even be copied from a real corporation that volunteers a part of its organization, minus all the real data of course which would have to be massaged in some way so it looks real but contains no real PII of company personnel or customers. The processing and storage requirements would be modest since it wouldn't actually be conducting business, and they could probably get MS/Amazon/Google to kick in some free credits to make that possible.

    I doubt the ransomware gangs go so far as to have someone drive out to the address of the corporate HQ and see if they physically exist, and in today's world a company that's pretty much 100% work from home wouldn't be the obvious red flag of a fake company it used to be. Theoretically an "HQ" could be a small office in a big building somewhere or even a PO Box. Or they could find a real HQ of a defunct company in a space that's for rent and make a deal with the landlord to put a different sign on it and remove any "for rent" signs for a short time when the "sleeper" corporation was made active so a researcher could "attack" it. Maybe it's enough just to have Google (if they are cooperating in this endeavor) update their Street View pics to show the fake company's sign, thanks to a little Photoshop work.

    You could even attack the same company multiple times, by different researchers embedded in different ransomware gangs, so long as a gang doesn't list it on their website as a "kill" or it could be believable they are dumb enough to be attacked twice. I mean, worst case if they figure out the attack was not on a real company they're no worse off than if they were asked to perform some evil deed, refused, and the gang ostracized them believing they were a plant.

    1. Anonymous Coward

      Re: "Proving themselves"

      Real corporations setting up honeypots with the help of Group-IB might work better, but maybe not because any corp has so many other leaks and the culprits usually spend a long while looking around.

      1. vtcodger Silver badge

        Re: "Proving themselves"

        An interesting idea. Really. But can you imagine the chaos if that honeypot is somehow used to gain access to the real corporation's IT infrastructure?

        1. SVD_NL Silver badge

          Re: "Proving themselves"

          Or the PR disaster when a breach is reported on their systems, and they have to explain it's a honeypot.

          It won't take long for the gang to notice they're only breaching honeypots...

    2. Naich

      Re: "Proving themselves"

      I think we need to read between the lines. It's a no-brainer, but if they did do something like that, there is no way they could ever admit it.

    3. amanfromMars 1 Silver badge

      Re: "Proving themselves" familiar with not wholly dissimilar elite groups/groupies/junkies.

      Maybe the researchers should partner with industry and set up some honeypot corporations. ..... DS999

      How good .... or bad ..... do you think El Regers are in discovering/uncovering/creating/publicising dodgy systems weaknesses and exploitable vulnerabilities for gain of future ACTive Universal Awareness/Ransomware function?

      Not very? Or uncommonly adept and unusually stealthy, which if one was in the market for such deep diving research services would surely be both strangely reassuring and uncomfortably unsettling too .... and thus really only of great ransomware use to a very select chosen few.

  2. HuBo Silver badge

    Freedom fighters heroically targeting dangerous RaaS gangs

    Way to go Group-IB! Give 'em REvil- and Nokoyama-slinging Qiling, BlackCat, and farnetwork all you've got! Targeting those DLanging cyber-mercenary ransomware gangsters with extensive preparation, long-game infiltration, investigative action, intelligence, and experience, is most impressive and needed! Much more impressive than busting teenage ASD hackers of GTA 6 video clips, from their mom's basement, in my book! Keep up the great work!

  3. Pascal Monett Silver badge

    Fascinating insights

    Just one question: what keeps those scum from reading this article and drawing some conclusions for their own benefit?

    They're not stupid. We're way past script kiddies, these days. These are intelligent scum. They can analyse data.

    This is data. Are you not giving them the keys to better protect themselves?

    Don't get me wrong, I'm very interested in finding out how the scum are taken down, but I think there's a reason why the police don't reveal their methods. This article seems, to me, to reveal methods.

    So I ask: is this article really a good idea?

    1. JamesTGrant Silver badge

      Re: Fascinating insights

      I was expecting some details but it just boils down to: Be credible with some established, historical online presence. Be knowledgeable about the job you’re applying for so the interview goes well. Once ‘in’, try not to give the game away.

    2. doublelayer Silver badge

      Re: Fascinating insights

      Yes, absolutely. As a powerful ransomware operator, I have drawn the following conclusions from reading this which I will be conveying to all my staff:

      1. They try to trick you.

      2. They have some people who speak languages well so they can pretend to be from a place. Those people are actually from that place.

      3. They try to know what they're talking about so they don't look incompetent.

      As a result, I will be instructing those who look for new people to only accept incompetent people who sound like they're not from the place they say they are. We'll be victorious. All your data will be ours.

      Unfortunately, the article had to leave so much out to avoid what you're worried about that it basically said nothing at all other than that the company named does this kind of thing.

  4. Anonymous Coward

    The solution being a read-only USB device

    Long ago USB devices came with a read-only switch, rendering them read-only. Because of this, on each reboot they were immune to computer viruses. You would think these geniuses and innovators would know this. (Fitted on less than 4GB.)

    In the country of the blind, the one-eyed man is king

    1. Anonymous Coward

      Re: The solution being a read-only USB device

      The actual solution is to not use Active Directory (or any centralised authentication), at the very least RBAC...and don't have permanently mounted network drives.

      In the many cases of ransomware I've seen...Active Directory based networks usually get fucked the hardest. Those that don't have Active Directory typically end up with one machine being infected that has to be shredded.

      1. SVD_NL Silver badge

        Re: The solution being a read-only USB device

        I think the main issue with AD is that it's a lot more vulnerable to privilege escalation than other systems.

        Combination of centralized credentials and very well documented vulnerabilities (along with automated tools to sniff them out).

        Once you've got admin access you can access *everything*, or grant yourself access if it's not already set up.

        I agree that companies should move away from AD, but the advantages of centralized authentication solutions in terms of usability and monitoring are hard to ignore for a lot of companies.

      2. MONK_DUCK

        Re: The solution being a read-only USB device

        Good luck running infrastructure for 10k users without some form of central AAA. Your point stands, but you need something, otherwise users could be required to have hundreds of different passwords to various data sources. Most of the issue seems to be excessive privileges, especially around access to data and network resources.
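The last few comments argue about whether Active Directory itself is the problem or the excessive privileges layered on top of it. A practical way to settle that for a given domain is to enumerate who actually sits in the built-in privileged groups, nested membership included, and which of those accounts carry the attributes that turn one compromised host into a domain takeover. The script below is an added example, not code from the article, Group-IB or any commenter; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory, and the 90-day staleness threshold is an assumed policy value, not a standard.

```powershell
# Added example (not from the article or the commenters): audit of privileged
# AD group membership, i.e. the "excessive privileges" the thread points at.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
#Requires -Modules ActiveDirectory
param(
    [int]$StaleDays = 90   # assumption: a privileged account idle this long is suspect
)

Import-Module ActiveDirectory

# Built-in groups whose members effectively own the domain. Enterprise Admins
# and Schema Admins exist only in the forest root, hence SilentlyContinue below.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

# Attributes that matter for blast radius once a single workstation is popped
$props  = @('Enabled', 'LastLogonDate', 'PasswordLastSet',
            'PasswordNeverExpires', 'ServicePrincipalName')
$cutoff = (Get-Date).AddDays(-$StaleDays)

$results = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, which is where forgotten admins hide
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties $props

        [pscustomobject]@{
            Group                = $group
            SamAccountName       = $u.SamAccountName
            Enabled              = $u.Enabled
            LastLogonDate        = $u.LastLogonDate
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            # An SPN on a privileged account makes its password Kerberoastable offline
            HasSPN               = [bool]$u.ServicePrincipalName
            # $null -lt $cutoff is true, so never-logged-on accounts count as stale
            Stale                = ($u.LastLogonDate -lt $cutoff)
        }
    }
}

# Enabled accounts combining high privilege with a weakness worth fixing first
$findings = $results | Where-Object {
    $_.Enabled -and ($_.Stale -or $_.PasswordNeverExpires -or $_.HasSPN)
}

$results  | Sort-Object Group, SamAccountName | Format-Table -AutoSize
Write-Host "`n$(@($findings).Count) privileged account(s) need attention:"
$findings | Format-Table Group, SamAccountName, Stale, PasswordNeverExpires, HasSPN -AutoSize
```

Run it from an ordinary domain-joined admin workstation; it only reads the directory. The interesting output is usually not the Domain Admins list itself but the accounts that reach it through two or three levels of nested groups, and the service accounts with SPNs that somebody once dropped into Administrators to make an installer work.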
