Threat Management, Threat Intelligence, Malware, Ransomware

Think like the enemy: the ‘imagined’ life and times of a ransomware retiree

Cognizant reportedly spent up to $70 million to remediate a Maze ransomware attack. Today’s columnist, Jerome Robert of Alsid, offers a fictitious account of what motivated the Maze operators and theorizes why they closed shop.

During a recent sale of household furniture in Yekaterinburg, Russia, a chest of drawers was found to contain pages from a diary among some other papers. Upon closer examination, the diary entries have been attributed to a member of the recently retired Maze cybercrime gang.

The (imagined) diary entries cover the period from May to October 2020 and are published here not to make light of criminal acts, but to raise awareness and help us better understand the methods and motivations of attackers so that more companies can avoid becoming victims of ransomware. 

May 16, 2019: ChaCha20 real smooth

It’s the attention to detail that these guys don’t appreciate. It’s not like we’re running around like one of those semi-literate email scammers going on basic phishing trips. Four hours I'll never get back on the Bundeszentralamt fur Steuern site and we’re ready to go. We’re trying out the new RSA and ChaCha20 stream ciphers - let’s see what we can do...

November 19, 2019: Spearphishing for breakfast

Dear diary, lulz, it’s been a while, but we’ve been kinda busy. We’re in that company I told you about last time and they’ve got 48 hours to pay. Right now, I like our chances. Here’s how we did it.

We like to think we’re much more sophisticated than the phishing scammers, but I will admit we share some of their techniques. So after a bit of research on social networks, we targeted individuals from a range of industries, departments and seniority levels with macro documents resembling phone bills and “failed package delivery” phishing emails.

It’s a good thing everyone’s addicted to online shopping: it means they forget what they’ve ordered and from where, which makes our lives much easier. An HR director called Carol has taken the bait and we’re in: Active Directory compromised and more than enough work for one day. Time for a drink.

November 25, 2019: The keys to the castle

I know it’s been a week but there’s no rush to poke around now we’re in. And judging by Carol’s social posts she’s in Antigua this week, lucky her. Maybe one day I’ll take a holiday, but there’s lots to do before then. So, where was I? Well, after a coffee we kick off with a scan of various facets such as open SMB shares, network configuration, and various Active Directory attributes such as permissions, accounts, and domain trusts blah, blah, blah. Yes, it’s a grind but that’s part of the job.

After a few days of this, lying low, we start (or rather our patented, lulz malware starts) moving laterally around the network leveraging weak passwords or clear-text passwords we’ve found in network shares to directly authenticate into more-privileged accounts. After a bit of movement, we’ve got the credentials of a privileged domain administrator and bingo: we’re in control. No matter how many times we do this, it’s always a great feeling. It feels like Charlie finding the golden ticket to the famous chocolate factory.

Now they’re seriously screwed!!! We can move laterally throughout their entire business using legitimate accounts to query databases and scout resources, download the data and deploy our ransomware to encrypt the files. The thing is, there’s always a lot of legwork involved to find the right targets, but once we’re in, I’m surprised every time how easy this is. Rinse and repeat. Simple.

July 30, 2020: Who said there’s no such thing as bad publicity?

Some may want to blame poor old Carol for getting this ball game started. She shouldn’t have clicked that link, but it’s not really her fault. I’m always amazed that few of the companies we target have much idea about which accounts are active and who has access to what. When we find a mess of old, unused accounts with active permissions: bingo. The next steps are much, much easier.

Once we’re in with one set of credentials it doesn’t take us long to compromise other accounts with weak passwords using brute force and credential scanning techniques. Who are these guys not tidying up after themselves and leaving credentials ready to get exploited? They probably think it will never happen to them. Or maybe they just don’t have the resources and it’s never top of the list, until it’s too late.

I never used to feel bad about what I do. After a while though, we do find ourselves wondering. It’s only human. When we see whole companies fail or watch countries’ entire health services basically shut down, we do start to think of the human cost sometimes, even though I try not to. We tell ourselves that it’s their fault they weren’t more careful, and that ransomware attacks are avoidable if they do the work.

November 30, 2020: Retirement…for now

Maybe it’s seeing the state of the world with this pandemic, but I’ve started to think what I do is a high price for these people to pay, just so I can make more money. I’ve made a ton of it already, more than enough to cover the rest of my life with houses, holidays, cars, whatever. And I’m not quitting because I’m worried about getting caught. I’ve been very careful.

I’ve been looking forward to retirement ever since I was a boy, but now that I’m here, I’m not sure it suits me. Sure, Cape Idokopas (Putin’s Palace) is beautiful this time of year and I have friends in the area, but there are only so many Game of Thrones re-runs to watch. Perhaps it’s too soon to say retirement… But if I were to make a comeback, I'd need a new stage name. Sir Gregor Clegane perhaps. Or E-Gregor. Something will come to me.

Jerome Robert, chief marketing officer, managing director, Alsid

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.