Recent security breaches suffered by Lockbit, the world’s leading ransomware group, are helping to uncover the group’s modus operandi. In doing so, they offer a prime example of the new vanguard of cybercriminal groups that run themselves with distinctly corporate management methodologies.
Like any self-respecting 21st-century corporation with global ambitions, Lockbit employs a full HR department, plus an effective and highly creative marketing department. One of Lockbit’s recent PR stunts was to offer $1,000 apiece to anyone foolish enough to get a tattoo of the group’s logo, much as Nike once paid hairdressers to shave its tick logo into customers’ haircuts. So many followers worldwide opted for the tattoo that Lockbit was eventually forced to limit the campaign. Relatively crude initiatives like this are combined with generous $50,000 bug-hunting prizes. Senior Lockbit “executives” also regularly give interviews and speak freely about their exploits and plans for the future.
The recently formed but fast-growing Atlas Intelligence Group (AIG) is another example of this new breed of cybercriminal. AIG has a distinctive style of recruiting cyber-professionals for specific jobs as part of larger campaigns. By working on a “need to know” basis like this, AIG protects itself more effectively against the kind of breach suffered by Lockbit. A small team of administrators reports directly to an individual known on the dark web as “Mr. Eagle,” the only person in the group with fully comprehensive knowledge of its entire range of activities.
Like a Silicon Valley CEO, Eagle uses his virtual, remote-working business model to expand AIG’s international sphere of operations at breakneck speed. While many groups focus on offering one or possibly two services, AIG already offers a far wider variety of services than rival criminal groups. Its streamlined efficiency and rapid growth have encouraged AIG to expand globally. The group already operates across the United States, Colombia, Pakistan, Israel, and the Emirates, focusing squarely on government and other state assets.
AIG also recently published some alarming advertisements claiming connections with several law enforcement agencies in mainland Europe. Like any public-facing tech corporation, AIG also wants good public relations, so it “gives something back” in the form of what it claims are purely altruistic endeavors. These include voluntarily hunting down and exposing pedophiles. In its first two months of operation, the group has already exposed alleged pedophiles from across Europe, releasing highly personal information about these individuals such as home addresses, phone numbers, and pictures.
Another new group, RansomHouse, first emerged at the end of March and has already amassed four victims on its Onion site. It also claims to be something far removed from a traditional cybercrime gang and has tried to portray itself as a largely altruistic corporation. RansomHouse’s marketing claims that its victims are the real villains, having failed to protect themselves and their customers adequately against RansomHouse’s well-orchestrated cyber-attacks.
RansomHouse claims that many businesses are unwilling to invest as much money as is required to fortify their infrastructure, and that they ignore or fail to institute adequate bug bounty programs. The group says these organizations put their assets and their customers’ information at risk. Despite its self-congratulatory rhetoric, RansomHouse is simply running the latest version of one of the world’s oldest crimes, the protection racket: it forces “penetration testing services” on organizations that never engaged its services or offered bug bounties. Once RansomHouse finds a vulnerability, it exploits it without mercy to steal as much sensitive data as possible.
Like any self-respecting new ransomware group, RansomHouse has its own marketing department dedicated to polishing the group’s imaginary halo. It operates three Telegram channels: the first records not merely the group’s crimes, but also the victims’ reactions and how RansomHouse was supposedly the voice of calm and reason during ransom negotiations; the second operates as a chat line for followers to speak with RansomHouse’s admin department; and the third runs as a straightforward PR service aimed at journalists.
To defend against these highly corporate cybercriminal groups, companies need to start by boosting their existing defenses and carrying out regular pen-testing. They must also have access to relevant threat intelligence gathered on the dark web and on the other communication platforms used by cybercriminal gangs, such as Telegram and, increasingly, Discord.
Discord was released in May 2015 mainly as a platform for building gaming communities, but it has since become a popular platform for education, crypto, and businesses of all kinds. Learning the modus operandi of the new cybercriminal groups, and having advance knowledge of their skillsets and of where and when they plan to strike, has become a must for organizations. In an era where rapidly growing and extremely sophisticated international groups of cybercriminals continue to make cybercrime a multi-trillion-dollar industry, knowledge is truly power.
Yochai Corem, chief executive officer, Cyberint