WEBVTT

00:00:06.030 --> 00:00:26.340
Tom Field: Hi there, I'm Tom Field. I am senior vice president of Editorial with Information Security Media Group. The topic of conversation is ransomware - how ransomware actors and strains are now more decentralized. Here to discuss this is Yelisey Bohuslavskiy, chief research officer and partner with Red Sense. Yelisey, thanks so much for taking time to speak with me today.

00:00:26.340 --> 00:00:29.900
Yelisey Bohuslavskiy: Thank you very much.

00:00:29.900 --> 00:00:35.000
Tom Field: So we'll start here for context. Why did ransomware actors decentralize their systems after some particular law enforcement action?

00:00:35.960 --> 00:01:44.060
Yelisey Bohuslavskiy: So, in general, the ransomware landscape is extremely young. Ransomware has been there for a while, but in its current shape that we know it - when we say ransomware, we think Conti, REvil or Colonial Pipeline - that has only been there for less than four years, 2019 to 2023. And because of that, it's so dynamic that just the ecosystem itself is constantly changing, and specifically with decentralization, that has been a response to the external pressure that the ransomware landscape is facing. It's external pressure from law enforcement, for sure. It's external pressure from the fact that they need to evolve with their technology, with their operations, with their organization. You could think - and this is quite a popular view within the cybersecurity industry - you could think of ransomware as something that models and mimics legitimate corporate businesses. And as a legitimate startup evolves and needs to change, the same goes for these groups. They need to find new ways, find new answers, and decentralization was one of them.

00:01:43.890 --> 00:01:53.220
Tom Field: Well, look at it as a big business. It broke up. Why does forming independent units actually help the greater organization survive?

00:01:53.730 --> 00:04:05.040
Yelisey Bohuslavskiy: So a lot of that was just lessons learned from, you know, shocks. So Conti, that's the classic example. That's the largest ransomware group that was there, initially Ryuk and then Conti. They were massive. They were corporate, they had physical offices, all that. And then they realized that if one segment is going down, the entire thing is going down. So what happened with Conti, one of their leaders made a statement that he supports the Russian invasion, and as a result, Conti got put under even stronger U.S. sanctions than they were, so no one can pay them anymore. And if you're not being paid, you cannot do your business. So after that, they realized - especially other groups within Conti; it had, like, subdivisions, six divisions. Other groups, other divisions realized, well, if one person can pretty much take down the entire operation, why should we be dependent on that? If you're managing your own crew, this cannot happen. The other really good example is Hive. Hive was probably the most archetypical, corporate ransomware you could ever imagine. Everything was centralized and everything led to their blog. Negotiations with victims were through the blog, ransomware decryptions and encryptions were done through the blog. Infrastructure was connected to the blog, the intrusion panels were connected to the blog, and also when they extort data and the victim doesn't pay, so they need to threaten them, the data is on the blog. So when the FBI was able to identify the backend of the blog and take down the front page - if you think about it, the blog is just the front page. But with this centralization, when they took down the front page, pretty much the entire operation of Hive - that was pretty successful, and that survived the Conti breakdown even though they were closely affiliated - that was the end for them. So other groups, especially post-Conti, they looked at Hive and they realized that, well, it's not smart to keep everything in the same place. And they learned a lot. We have seen at Red Sense, we have seen extended ransomware adversarial conversations about the Hive takedown. And the recurrent theme was like, well, we learned our lessons, we will not do it anymore.

00:04:05.400 --> 00:04:14.370
Tom Field: So you mentioned Hive, you mentioned Conti, these were strains that really dominated the marketplace, and they've pretty much gone away. Is it because of the targeting and their centralization?

00:04:14.540 --> 00:05:31.820
Yelisey Bohuslavskiy: Yes, absolutely because of that. So Hive - law enforcement takedown; Conti - improper brand management; REvil, also a pretty big strain back in the days - improper organizational management, I would almost say HR, because they started to hire random people who ended up making provocative statements, who ended up making provocative decisions like taking down Kaseya on July 4, which was a slap to the face for our national security. And we're not a nation that tolerates this. They started to get people who started to threaten President Trump, and it doesn't matter how, like, you know, think about specifically President Trump, he was still U.S. president, and again, like, this is not something that we as a nation tolerate. We don't talk to terrorists. So as a result, it's almost like, you know, a lot of those corporate scandals, when some executive says something inappropriate, and then the stock market goes down. That was the same thing with REvil. And this is again exactly the issue of hypercentralization at this point. So decentralization really solves it: if someone says something wrong, if someone provokes someone wrong, if someone starts to deal with U.S. national security, that person would be the one responsible for that. He will not, or she will not, take the entire organization with them.

00:05:32.220 --> 00:05:38.550
Tom Field: What would you say is new and unique about some of these brands of ransomware that have filled the void and dominated the marketplace?

00:05:38.000 --> 00:08:07.520
Yelisey Bohuslavskiy: I would say everything except for people. This is, like, absolutely the paradoxical situation in which the techniques are new. The ways they find initial intrusions are completely new: they put emphasis on CVEs, they put emphasis on zero days. Clop just had two zero days in a row, like the MOVEit vulnerability, and then they're trying to exploit the Citrix vulnerability. The malware is brand new. We just released a more or less classified TLP:RED report where we were able to identify a malware lab associated with the post-Conti environment, and they're experimenting with 14 different strains and families of malware trying to find novel methods. Their organizational structure, as we already said, you know, it's new, and instead of having 120, 150 people in the same place - quite often physically in the same place - now this would be subdivisions of three, four people working in specific networks, segregated one from another, not really talking to one another, only having the joint leadership, things like that. But what is really paradoxical about all of that is that with all this novelty, the people are exactly the same. There is no fresh blood within the ransomware community, exactly the same leadership. They use different names now, Conti is now five organizations, still exactly the same people. You look at their pen testers, still the same people. The same guys who were, like, attacking Texas back in 2019 - the first major ransomware attack - same people are doing it right now. And what is, like, really interesting about all of that: not only the dynamics of the threat landscape didn't change that, not only the successes of law enforcement didn't change that, even the largest war in Europe since the Second World War didn't change that. Because despite the fact that people are literally under fire, those who are not under fire, they need to leave their countries, like specifically Russia, with the draft and all the brutality that the Russian regime executes against its own population or obviously against the Ukrainian population. Even with all that, communities are still there, people did not lose their connections, and they still work together within the same small or large collectives. And it's amazing how everything changed except for the actual human beings behind that.

00:08:07.000 --> 00:08:15.010
Tom Field: Let's talk about another topic altogether. Why do you see the adversaries now relying on customized malware - the focus is on specific industry sectors?

00:08:15.720 --> 00:12:25.170
Yelisey Bohuslavskiy: So, in general, when ransomware became a big thing, it was almost entirely because of opportunism defined by where a large attack surface is. I remember back in the days on top-tier Russian-speaking forums, ransomware people were not even allowed - which, interestingly enough, ironically, repeated at the very peak of ransomware, when after Colonial Pipeline, they got kicked out of the forums. But years before the Colonial Pipeline, they were not allowed, not because they were reputationally dangerous, but because it was considered that ransomware is an intellectual shortcut to the art of hacking, which is, you know, sophisticated. And like my former business partner, unfortunately now deceased, Vitali Kremez used to say, hacking is weaponized creativity. So they saw it like that. And they thought that it's just like, it's offensive to them to incorporate ransomware people into forums, because ransomware was considered very primitive. But then ransomware actors realized that there is this massive unprotected attack surface that they could exploit. And their entire business was very opportunistic. We see something, we hit it. Then things started to evolve, and I think the major evolution happened mostly because of the compliance audit and insurance industry, which, especially in our country, with some support from the government regulators, started to go to, you know, the market, to specifically SMEs, because small and medium entities are the most common victims of ransomware attacks, and started to tell them: listen, if you want, like, your insurance coverage, especially cyber insurance coverage, you need to make sure you have at least basic protocols in place. And those basic protocols were actually enough en masse to curtail the attack surface to a point when you cannot just drop a random TrickBot infection and have a multimillion-dollar ransom payment. So as a result, big shifts started with moving from technology, primitive technology on the ransomware side, to a combination of technology and social engineering. One of the Conti operators used to say: we cannot win on the technology front, because the technology companies have billions and billions and billions of dollars of revenue developing antivirus. But we can win on the human front. And the moment they started to invest into the human front, that's when they started to create Conti's intelligence divisions and political divisions. They started to hire people who understand the Western - specifically U.S. - landscape very well, particularly the legal landscape, regulatory landscape. And at this point, they started to understand that some industries are better than others as targets. Very interesting was that some industries actually benefited from that with certain groups, unfortunately, not with all of them. But for instance, post-Conti groups, particularly Royal, which is the largest one, they started to filter out in their infection panels the .edu domain, because schools and universities don't pay much anymore. And why would you bother with that? And then they even created, like, had an additional analysis, especially after their rebrand, saying that, well, schools will not pay us, but at the same time, if we hack a school, this will create a major noise and we don't need additional noise. We don't want to, you know, go into sanctions again. It was really interesting how they made an official statement, they released a statement on their blog saying that we hacked a school, a specific school, but we decided to delete the data because we are, you know, we're respecting the privacy of students. And that happened three weeks before the White House Educational Summit. So there is, they're definitely seeing how things are here. And they're definitely trying to evolve and adjust. And the industry targeting is a big part of this intelligent ransomware, so to speak.

00:12:25.630 --> 00:12:28.240
Tom Field: Yelisey, I really appreciate the insight you've shared today. Thank you so much.

00:12:28.260 --> 00:12:29.160
Yelisey Bohuslavskiy: Thank you so much.

00:12:29.510 --> 00:12:40.820
Tom Field: We've been talking about ransomware. You just heard from Yelisey Bohuslavskiy, chief research officer and partner with Red Sense. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention today.