
Claims of ties between ransomware groups met with skepticism among threat researchers

Cyber chatter flowed on Twitter today after a researcher who goes by the handle @pancak3lullz posted about claims from the ransomware gang REvil that EvilCorp and Maze are actually one group, operated by eight people with ties to the Russian government.

While interesting, should rank-and-file security pros even care about this kind of talk?

Probably not in terms of defense tactics, said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. Attributing activity to prominent ransomware groups is as intriguing as it is challenging, he agreed, but for the majority of enterprise defenders it is largely a distraction.

“Your defenses don't dramatically change whether you are up against a traditional cybercriminal or state-affiliated one,” Holland said. “Patching known vulnerabilities, enabling multi-factor authentication, and disabling macros will go a long way no matter the threat du jour.”

Joe Slowik, senior security researcher at DomainTools, warned that until substantiated, claims of a link between the two groups should be treated with extreme skepticism.

“Overall, short of having direct access to adversary infrastructure communications, or operational planning, it’s very difficult to ‘pinpoint’ such groups, especially as ransomware operations increasingly break down into multiple ‘teams’ selling access, services, and tools to each other,” he said.

Tarik Saleh, senior security engineer for malware and forensics at Amazon, agreed that while it is trivial for attackers to create new identities and infrastructure for each attack they conduct, researchers "have to capitalize on sloppy operational mistakes made by these groups to help attribute these attackers to attacks." Who is behind an attack, or why they are motivated to execute it, may not be relevant to all security teams, he added, "but it should."

Just as some question the validity of the supposed ties between the groups, or their association with Russia's Federal Security Service (FSB), others see the claims as a potential red herring.

“Personally, I think it’s all a ploy to create distraction from legitimate investigative work on the topic and more darknet drama around an already anxiety-fueled darknet commodity,” said Mark Turnage, CEO of DarkOwl.

Open source reporting from December 2019 linked EvilCorp to Maxim Yakubets, and the U.S. federal government issued indictments for Yakubets and other leading members of the EvilCorp hacking group, which is assessed to be heavily protected by the Russian government. Still, Tor and similar anonymity networks, which hide the originating IP address of their users, make deanonymization of specific individuals extremely challenging.

What is clear, however, is that groups within the community periodically dismantle themselves or reincarnate under new branding and personas.

What is interesting about a potential connection between Maze, EvilCorp and the FSB is the question of motivation, said Saleh.

"We are all very familiar with Maze being a part of a ransomware cartel that has caused significant financial damages globally," he said. "If the supposed link between Maze and EvilCorp to the Russian FSB is true, this places the FSB into a unique category of nation-states that are participating in ransomware campaigns. Ransomware campaigns help generate profits, but they also do a phenomenal job of causing disruption and chaos to their targets. This speaks more towards the motivations of a nation-state, specifically the FSB and its relationship with the West."
