Ransomware as a Service (RaaS) – The Business of Ransomware

guest · Jul 29, 2022

RaaS Groups Forced to Change Tack as Payments Decline
July 29, 2022

Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.

The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.
It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.
Click to expand...

The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.

“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.
“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”
Click to expand...

The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.
As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.

Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.
Click to expand...

Coveware: Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022

guest · Aug 2, 2022

From Babuk Source Code to Darkside Custom Listings — Exposing a Thriving Ransomware Marketplace on the Dark Web
August 02, 2022

Venafi, the inventor and leading provider of machine identity management, today announced the findings of a Dark Web investigation into ransomware spread via malicious macros. Conducted in partnership with criminal intelligence provider Forensic Pathways between November 2021 and March 2022, the research analyzed 35 million Dark Web URLs, including marketplaces and forums, using the Forensic Pathways Dark Search Engine. The findings uncovered 475 web pages of sophisticated ransomware products and services, with several high-profile groups aggressively marketing ransomware-as-a-service.
Click to expand...

87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

30 different "brands" of ransomware were identified within marketplace listings and forum discussions.

Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks.

Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was $1,262 for a customized version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021.

Source code listings for well-known ransomware generally command higher price points; Babuk source code is listed for $950 and Paradise source code is selling for $593.

Click to expand...

"Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft's indecision around disabling of macros should scare everyone," said Bocek.

In addition to a variety of ransomware at various price points, the research also uncovered a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks. Services with the greatest number of listings include those offering source code, build services, custom development services, and ransomware packages that include step-by-step tutorials.

For more information read the blog.
Click to expand...

guest · Aug 3, 2022

Initial Access Brokers Are Key to Rise in Ransomware Attacks
August 2, 2022

This report provides an overview of the tactics, techniques, and procedures (TTPs) used by cybercriminals on dark web and special-access sources to compromise networks, deploy infostealer malware, and obtain valid credentials. These threat actors, dubbed “initial access brokers”, represent a specialized industry within the cybercriminal underground that enables a significant majority of ransomware attacks.

This is a high-level summary of the chain of events that enable a ransomware attack. It is intended to provide an overview for cybersecurity professionals with non-technical backgrounds or roles.
Click to expand...

Executive Summary
Threat actors can gain initial access to networks through infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces. Other attack vectors, such as phishing, spearphishing, and code injection, are also common on dark web and special-access forums, but their immediate effects are often much less public and visible than the sale of compromised credentials.

Using BlackMatter and Conti as examples, we examine the role of credential access in the execution of the attack, from initial access to ransomware deployment. We provide mitigations for credential breaches, infostealer malware infections, and ransomware attacks, as well as our assessment of the future of these tools and the larger ransomware threat landscape.
Click to expand...

Key Judgments

To conduct a successful ransomware attack, threat actors require remote access to compromised networks. The most common method by which threat actors obtain access is through the use of compromised valid credential pairs, which are often obtained via infostealer malware and sold on dark web and special-access sources.

Compromised credentials are often sold on dark web and special-access forums and shops to ransomware affiliates, who use such access to move laterally through systems, escalate privileges, and use malware loaders to deploy ransomware.

Click to expand...

Threat actors require remote access to compromised networks to conduct successful attacks, such as malware loader deployment, data exfiltration, or espionage campaigns. These compromised access methods, often sold on dark web and special-access forums, are the work of specialized threat actors colloquially referred to as “initial access brokers” (IAB).

The most common credential pairs that appear for sale or auction on top-tier dark web and special-access sources, such as Exploit and XSS, are for corporate virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers (business email compromise, or BEC).
Click to expand...

guest · Aug 11, 2022

Network access broker listings in Q2 '22 stable, but sales down
August 11, 2022

Statistics collected by cyber-intelligence firm KELA during this year's second quarter show that marketplaces selling initial access to corporate networks have taken a blow.

More specifically, although the number of the offerings remained similar to last quarter, averaging 184 access listings per month, the cumulative requested price was $660,000, which is 0% of Q1 '22 figures.
Additionally, the average price for network access in the recent quarter was only $1,500, whereas, in Q1 '22, access to networks was sold at an average of $3,000, dropping the price by half. The median price also dropped from $400 to $300.
Click to expand...

Why is this happening?
Initial access brokers (IABs) are a category of hackers whose business is tightly linked to ransomware operations, and the fundamental shifts in the latter's tactics have played a key role in the change in marketplace prices.

Ransomware gangs folded their operations and became more careful with their targets as the threat from law enforcement became too significant starting late last year.
Click to expand...

The effect is enhanced by the exit of extortion groups like Lapsus$ and Stormous, which suffered from law enforcement heat in Q1 '22 and are yet to return to regular operations, thus further reducing the demand for network access.

This market pressure has pushed some IABs to pivot to ransomware operations as they strive to make a profit, announcing the formation of nascent small teams that will "lock, exfiltrate, and pivot."
Click to expand...

Should you be worried?
Initial access brokers and ransomware gangs are part of the same supply chain, and while their operations have languished lately, they're far from over.

Moreover, applying network segmentation, least privilege principles, and robust perimeter defense and detection systems helps keep IABs out.
Click to expand...

Ransomware Victims and Network Access Sales in Q2 2022

The following insights are drawn from KELA’s monitoring of ransomware gangs and initial access brokers’ activity in Q2:

Activity of ransomware and data leak actors decreased by 7% in Q2 2022, compared to Q1. On average, KELA observed 216 attacks each month of Q2 2022.

The most active ransomware and data leak actors of Q2 2022 were LockBit, Black Basta, Alphv (aka BlackCat), Conti and Vice Society, with more than 40 victims disclosed by each group.

The report is based on KELA’s monitoring of ransomware gangs and initial access brokers’ activity in Q2.
Click to expand...

Full Report: https://ke-la.com/wp-content/uploads/2022/08/KELA-RESEARCH_Ransomware-Victims-and-Network-Access-Sales_Q2-2022.pdf

guest · Aug 12, 2022

SolidBit Ransomware Group Recruiting New Affiliates on Dark Web
August 12, 2022

A threat actor group named SolidBit is actively advertising RaaS (Ransom-as-a-Service) and looking to recruit new affiliates on dark web forums.

The news comes from CloudSEK security researchers, who published an advisory about the new threat actors on Thursday.

“The group is actively looking for partners to gain access to companies’ private networks in order to spread the ransomware called SolidBit,” read the document.
In particular, according to a SolidBit post viewed by CloudSEK on an unnamed underground forum, 20% of the earned profit from the distribution of the ransomware will be paid to the affiliate for infecting private servers.
Click to expand...

A text file called then opens, which describes the basic steps on how to decrypt infected files by paying a ransom.
Once on the website, users are then able to chat with the threat actor (chat with support) or trial the decryption algorithms (only for files less than 1MB).

“The samples did not contain any communication screenshots, however, it is possible that direct communication with the threat actors is possible via the chat system,” says the advisory.
Click to expand...

CloudSEK: SolidBit Ransomware Group Actively Recruiting Affiliates

Executive Summary
THREAT
• SolidBit ransomware group actively advertising RaaS and looking to recruit new affiliates.
• 20% of the earned profit will be paid to the affiliate for infecting private servers.
IMPACT
• Increased ransomware attacks on companies.
• Exposure of sensitive data upon the inability to pay the demanded ransom.
• The compromised data could reveal business practices & IP.
Click to expand...

MITIGATION
• Update and patch infrastructure fulcrum including servers, computer systems, etc.
• Audit and monitor event and incident logs to identify unusual patterns and behavior.
Click to expand...

guest · Aug 15, 2022

New Cuba ransomware affiliate detailed
August 12, 2022

New tactics, techniques, and procedures, as well as a novel local privilege escalation tool and remote access trojan, have been used by Cuba ransomware affiliate Tropical Scorpius in new attacks, BleepingComputer reports.

While Tropical Scorpius has leveraged the same Cuba ransomware payload since the operation's launch in 2019, the threat actor has begun using a legitimate but invalidated NVIDIA certificate for kernel driver signing aimed at identifying and terminating security product processes, a report from Palo Alto Networks Unit 42 showed.
Click to expand...

Meanwhile, the attacker's new ROMCOM RAT malware facilitates the return of connective drive data and file listings, as well as ZIP file uploads to the command-and-control server, and more.
Click to expand...

Palo Alto Networks - Unit42: Novel News on Cuba Ransomware: Greetings From Tropical Scorpius

Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius.

A new malware family that Unit 42 tracks as ROMCOM RAT.

A weaponized local privilege escalation exploit to SYSTEM.

A new Kerberos tool that Unit 42 tracks as KerberCache.

A kernel driver for targeting security products.

Identifying the use of the ZeroLogon hacktool.

Click to expand...

BleepingComputer: Hacker uses new RAT malware in Cuba Ransomware attacks

Cuba evolving
The appearance of Tropical Scorpius and its new TTPs indicates that Cuba ransomware is evolving into a greater threat, even if the particular RaaS isn’t the most prolific in terms of the number of victims.
Cuba, however, has opted to keep a low profile and follow a milder double-extortion approach, so the actual number of victims is unknown.

The gang has published the stolen files of four victims since June 2022 on their “free” section on the Onion site, while their “paid” offerings haven’t been updated recently.
Considering the time required for negotiation and extortion, we may see the results of the ‘Tropical Scorpius’ update in the second half of the year.
Click to expand...

guest · Aug 23, 2022

Microsoft Report:
Extortion Economics - Ransomware’s new business model

Cybercriminals emboldened by underground ransomware economy
While ransomware continues to be a headline-grabbing topic, there’s ultimately a relatively small, connected ecosystem of players driving this sector of the cybercrime economy. The specialization and consolidation of the cybercrime economy has fueled ransomware as a service (RaaS) to become a dominant business model, enabling a wider range of criminals, regardless of their technical expertise, to deploy ransomware.
Click to expand...

Just as many industries have shifted toward gig workers for efficiency, cybercriminals are renting or selling their ransomware tools for a portion of the profits, rather than performing the attacks themselves.

The Ransomware as a Service economy allows cybercriminals to purchase access to Ransomware payloads and data leakage as well as payment infrastructure. Ransomware ”gangs” are in reality RaaS programs like Conti or REvil, used by many different actors who switch between RaaS programs and payloads.
Click to expand...

RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs have 50+ “affiliates,” as they refer to the users of their service, with varying tools, tradecraft, and objectives. Just as anyone with a car can drive for a rideshare service, Lyft or Uber, anyone with a laptop and credit card willing to search the dark web for penetration testing tools or out-of-the-box malware can join this economy.

This industrialization of cybercrime has created specialized roles, like access brokers who sell access to networks. A single compromise often involves multiple cybercriminals in different stages of the intrusion.
Click to expand...

RaaS kits are easy to find on the dark web and are advertised in the same way goods are advertised across the internet.
Click to expand...

guest · Sep 3, 2022

An interview with initial access broker Wazawaka: ‘There is no such money anywhere as there is in ransomware’
By Dmitry Smilyanets @ddd1ms - August 26, 2022

Editor’s Note: Last April, a ransomware group threatened to expose police informants and other sensitive information if the Washington, D.C. Metropolitan Police Department did not pay a demand.

The brazen attack was the work of a gang known as Babuk, which in early 2021 gained a reputation for posting stolen databases on its website from victims that refused to pay a ransom. Just days after it tried to extort the Metropolitan Police Department, Babuk announced it was closing its ransomware affiliate program, and would focus on data theft and extortion instead.
Click to expand...

Earlier this year, cybersecurity journalist Brian Krebs uncovered details about one man behind the operation named Mikhail Matveev, who was also connected to a number of other groups and identities, including the handle ‘Wazawaka.’ According to Krebs, Matveev had become more unhinged than usual, “publishing bizarre selfie videos” and creating a Twitter account to share exploit code.
Click to expand...

Matveev talked to Recorded Future analyst and product manager Dmitry Smilyanets about his interaction with other hackers, details about ransomware attacks he’s been involved in, and how he settled on the name Babuk. The conversation was conducted in Russian and was translated to English with the help of linguists from Recorded Future’s Insikt group. [...]
Click to expand...

guest · Sep 3, 2022

Ransomware-as-a-service group targets more than 75 organizations
By Steve Zurier - August 26, 2022

Researchers on Thursday reported that the ransomware-as-a-service (RaaS) group known as Black Basta has compromised more than 75 organizations over the past several months.

In a blog post, Unit 42 researchers said the RaaS group uses the double extortion technique, meaning that in addition to encrypting files on targeted systems and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threatened to post sensitive information if a company chooses not to pay the ransom.
Click to expand...

The researchers said the ransomware was written in C++ and impacts both Windows and Linux systems. It encrypts user data using a combination of ChaCha20 and RSA-4096. To speed up the encryption, the ransomware encrypts in chunks of 64 bytes, with 128 bytes of data remaining unencrypted.

Rapid adoption of the cloud has forced financially motivated threat actors to change their tactics, said Davis McCarthy, principal security researcher at Valtix.
McCarthy said because sensitive data gets stored in the cloud, RaaS operators exfiltrate all on-premise data or attempt to gain access to cloud accounts to improve their chances of a payday.

“Password reuse and lack of visibility into cloud infrastructure makes these double extortion campaigns easy for groups like Black Basta,” McCarthy said.
Click to expand...

Bud Broomhead, chief executive officer at Viakoo, said here’s another example of threat actors forming a business out of their malicious activities. Broomhead said in the case of Black Basta, we could view it as form of hybrid cloud implementation — the ransomware itself when installed forms a private cloud under the control of the threat actors at the victim’s site, which then gets connected to a public cloud for the “business” side of the ransomware process (public shaming, the cybercrime marketplace).

“In other words it’s SaaS on the ransomware ‘business’ end and private cloud on the victim end,” Broomhead said.
Click to expand...

Palo Alto Networks - Unit42: Threat Assessment: Black Basta Ransomware

Black Basta affiliates have been very active deploying Black Basta and extorting organizations since the ransomware first emerged. Although the Black Basta affiliates have only been active for the past couple of months, based on the information posted on their leak site, they have compromised over 75 organizations at the time of this publication. Unit 42 has also worked on several Black Basta incident response cases.

The faster the ransomware encrypts, the more systems can potentially be compromised before defenses are triggered. It is a key factor affiliates look for when joining a Ransomware-as-a-Service group.
Click to expand...

guest · Sep 10, 2022

Ransomware gangs switching to new intermittent encryption tactic
By Bill Toulas @billtoulas - September 10, 2022

A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.

This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryptor+key.
For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.
Click to expand...

"What the cool kids use."
SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.

These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.

"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that is written in Go, the speed is unmatched," describes a Qyick advertisement on hacking forums.
Agenda ransomware offers intermittent encryption as an optional and configurable setting.
Click to expand...

Intermittent encryption outlook
Intermittent encryption seems to have significant advantages and virtually no downsides, so security analysts expect more ransomware gangs to adopt this approach shortly.
LockBit's strain is already the quickest out there in terms of encryption speeds, so if the gang adopted the partial encryption technique, the duration of its strikes would be reduced to a couple of minutes.

Right now, BlackCat's implementation is the most sophisticated, while that of Qyick remains unknown since malware analysts have not yet analyzed samples of the new RaaS.
Click to expand...

SentinelLabs: Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection

By Aleksandar Milenkoski & Jim Walter - September 8, 2022
We observe a new trend on the ransomware scene – intermittent encryption, or partial encryption of victims’ files. This encryption method helps ransomware operators to evade detection systems and encrypt victims’ files faster. We observe that ransomware developers are increasingly adopting the feature and intensively advertising intermittent encryption to attract buyers or affiliates.
Click to expand...

guest · Nov 8, 2022

Black Basta Ransomware Linked to FIN7 Cybercrime Group
By Ionut Arghire - November 4, 2022

The highly active Black Basta ransomware has been linked by cybersecurity firm SentinelOne to the notorious Russian cybercrime group known as FIN7.
Click to expand...

Initially spotted in April 2022, Black Basta became a prevalent threat within the first two months of operation, and is estimated to have breached over 90 organizations by September 2022.

Analysis of the ransomware operation has revealed a well-organized and well-resourced operator that does not attempt to recruit affiliates, indicating that the threat actor is developing their toolkit in-house and might be collaborating with a small number of affiliates.
Click to expand...

SentinelOne says that its investigation into Black Basta has also surfaced the use of multiple tools created by one or more FIN7 (aka Carbanak) developers, suggesting a tight connection with the cybercrime group.

An analysis of this custom tool led to the discovery of a custom-packed Birddog sample – also known as SocksBot, this backdoor is known to be part of the FIN7 arsenal – that helped SentinelOne link the impairment tool and the custom packer to the same developer.

“We assess it is highly likely the BlackBasta ransomware operation has ties with FIN7. Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7,” SentinelOne says.
Click to expand...

SentinelLabs: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor

By Antonio Cocomazzi and Antonio Pirozzi - November 3, 2022
Executive Summary

SentinelLabs researchers describe Black Basta operational TTPs in full detail, revealing previously unknown tools and techniques.

SentinelLabs assesses it is highly likely the Black Basta ransomware operation has ties with FIN7.

Black Basta maintains and deploys custom tools, including EDR evasion tools.

SentinelLabs assess it is likely the developer of these EDR evasion tools is, or was, a developer for FIN7.

Black Basta attacks use a uniquely obfuscated version of ADFind and exploit PrintNightmare, ZeroLogon and NoPac for privilege escalation.

Click to expand...

Black Basta ransomware emerged in April 2022 and went on a spree breaching over 90 organizations by Sept 2022. The rapidity and volume of attacks prove that the actors behind Black Basta are well-organized and well-resourced, and yet there has been no indications of Black Basta attempting to recruit affiliates or advertising as a RaaS on the usual darknet forums or crimeware marketplaces. This has led to much speculation about the origin, identity and operation of the Black Basta ransomware group.
Click to expand...

guest · Nov 19, 2022

Ransomware-as-a-Service Market Now Highly Specialized
Services Include Subscription Models, Bug Bounties and High-Paying Jobs
By Anviksha More - November 18, 2022

The criminal underground market for ransomware services is now specialized to the point where almost every step of the infection and extortion chain can be outsourced to contractors, cybersecurity firm Sophos says in its latest annual assessment of the threat landscape.
Click to expand...

One enterprising criminal entrepreneur even offers OPSEC-as-a-service, the Sophos report says. The seller offers - either as a one-off setup or a monthly subscription - a service designed to hide Cobalt Strike infections and minimize the risk of detection and attribution, Sophos writes.

"Ransomware-as-a-Service began last year and by this year, virtually every type of cybercriminal activity is available as a service for a few hundred dollars. This is just an indication of how sophisticated and professionalized the people in the cybercrime industry have become," says Sean Gallagher, a Sophos principle threat researcher.
Dark web marketplaces such as Genesis are entry points for entry-level cybercriminals. They can act as resellers for stolen credentials obtained through malware and malware deployment services, Sophos says.
Click to expand...

According to earlier analysis from Sophos, the costs of these services can run cheap. The single set of credentials that led to the June 2021 EA breach, which famously allowed the attackers in June 2021 into Electronic Arts' system through the gaming giant's Slack, cost the attacker $10 on Genesis.

"In one Raccoon Stealer campaign, based on the crypto and information they were able to steal, they had about a 150% return on their investments," says Gallagher.
Money, of course, is the driving force for the growth of this commerce, he says.
Click to expand...

guest · Jan 17, 2023

Initial Access Broker Market Booms, Posing Growing Threat to Enterprises
By Jai Vijayan @jaivijayan - January 17, 2023

Names such as Novelli, orangecake, Pirat-Networks, SubComandanteVPN, and zirochka are unlikely to mean anything to a vast majority of enterprise security teams. But for ransomware operators and other cybercriminals looking for quick access to enterprise networks, these were the brokers to approach for a major portion of last year.
Click to expand...

Between them, the five entities accounted for some 25% of all access offers to enterprise networks that were available for sale on underground forums between the second half of 2021 and the first half of 2022. For an average price of around $2,800, these so-called initial access brokers (IABs) sold stolen VPN and remote desktop protocol (RDP) account details and other credentials that criminals could use to break into the networks of more than 2,300 organizations around the world, without breaking a sweat.
A Vast & Growing Marketplace
The five operators were the leaders in a much bigger and fast-growing market of hundreds of other similar IABs that security firm Group-IB discovered when conducting research for its 11th annual report on high-tech crime, released this week.

"As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023," warned Dmitry Volkov, CEO of Group-IB, in a statement accompanying the new report.
"Initial access brokers play the role of oil producers for the whole underground economy," he noted. "They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries."
Click to expand...

Group-IB: Hi-Tech Crime Trends 2022/2023

guest · Jan 18, 2023

LockBit Ransomware Group's Big Liability: 'Ego-Driven CEO'
Ransomware Researcher Jon DiMaggio Probes LockBit's Business Operation and Behavior
By Mathew J. Schwartz @euroinfosec - January 17, 2023

The notorious LockBit 3.0 ransomware group runs just like a business, with a relentless focus on recruiting top talent and maintaining an advanced product - which has led to the group's longevity, says ransomware-tracking researcher Jon DiMaggio.
Click to expand...

But that doesn't mean everything runs smoothly in LockBit land. Take the ex-BlackMatter developer it recruited who quit LockBit and leaked its source code after the organization docked his pay by $50,000 to recoup a bug bounty award after a programmer spotted an error in his code. In response, the group branded him as being "a deranged psycho," as DiMaggio documents in a new report analyzing LockBit's behavior.

A major takeaway and a way to potentially disrupt LockBit: It's "a business that is run by an ego-driven CEO that has massive insecurities," says DiMaggio, chief security strategist at threat intelligence firm Analyst1. So, "while unfortunately they have a great criminal product … what will eventually lead to their demise is that sort of ego and the constant over-reacting because of their insecurities to things that happen, such as the developer leaking their code.
Click to expand...

Analyst1: Ransomware Diaries: Volume 1

by Jon DiMaggio - January 16, 2023
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide.

To prepare for this project, I spent months developing several online personas and established their credibility over time to gain access to the gang’s operation.
Click to expand...

Log in or Sign up

Ransomware as a Service (RaaS) – The Business of Ransomware

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Ransomware as a Service (RaaS) – The Business of Ransomware

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches