How Ransomware Groups Respond to External PressureYelisey Bohuslavskiy of Red Sense on Why Large Ransomware Groups Have Decentralized
Ransomware groups, like legitimate businesses, must adapt and change as they grow, in response to trends and external pressures - such as law enforcement actions. To survive, many large ransomware groups have adopted decentralized structures, said Yelisey Bohuslavskiy, chief research officer and partner with Red Sense.
The now-defunct Conti group's downfall was triggered by a single leader's controversial statement about supporting Russia's invasion of Ukraine. This caused other leaders within the group to recognize the vulnerability of being dependent on centralized leadership and resources. As a result of "lessons learned," Bohuslavskiy said, the operation restructured as independent, decentralized units "to prevent having one person take down the whole operation."
In this video interview with Information Security Media Group at Black Hat USA 2023, Bohuslavskiy also discussed:
- Why adversaries are relying on customized malware;
- How compliance audits and cyber insurance requirements have shaped the ransomware landscape;
- How ransomware actors refine their targets by avoiding sectors unlikely to yield ransom payments.
Bohuslavskiy previously served as co-founder and head of research and development at threat intelligence firm Advanced Intelligence. He previously worked as a cyberthreat intelligence analyst at Flashpoint and due diligence researcher at Kroll.
Tom Field: Hi there, I'm Tom Field. I am senior vice president of editorial with Information Security Media Group. The topic of conversation is ransomware - how ransomware actors and strains are now more decentralized. Here to discuss this is Yelisey Bohuslavskiy, chief research officer and partner with Red Sense. Yelisey, thanks so much for taking time to speak with me today.
Yelisey Bohuslavskiy: Thank you very much.
Field: Why did ransomware actors decentralize their systems after some particular law enforcement action?
Bohuslavskiy: So, in general, the ransomware landscape is extremely young. Ransomware has been there for a while, but in its current shape that we know it, when we say ransomware, we think Conti, REvil or Colonial Pipeline, that has only been there for less than four years - 2019 to 2023. And because of that, it's so dynamic that just the ecosystem itself is constantly changing, and specifically with decentralization, that has been a response to the external pressure that the ransomware landscape is facing. It's external pressure from law enforcement, for sure. It's external pressure from the fact that they need to evolve with their technology, with their operations and with their organization. This is quite a popular view within the cybersecurity industry: You could think of ransomware as something that models and mimics legitimate corporate businesses. And as a legitimate startup evolves and needs to change, the same with these groups. They need to find new ways and new answers, and decentralization was one of them.
Field: Well look at it as a big business. It broke up. Why does forming independent units actually help the greater organization survive?
Bohuslavskiy: So a lot of that was just lessons learned from shocks, so Conti, that's the classic example. That's the largest ransomware group that was there, initially Ryuk and then Conti. They were massive. They were corporate. They had physical offices. And then they realized that if one segment is going down, the entire thing is going down. So what happened with Conti, one of their leaders made a statement that he supports the Russian invasion, and as a result, Conti got even under stronger U.S. sanctions than they were, so no one can pay them anymore. And if you're not being paid, you cannot do your business. So after that, they realized - especially other groups and divisions within Conti, it had six subdivisions - other groups, other divisions realized that if one person can pretty much take down the entire operation, why should we be dependent on that. If you're managing your own crew, this cannot happen. The other good example is Hive. Hive is - was - probably the most archetypical, corporate ransomware you could ever imagine. Everything was centralized, and everything led to their blog. Negotiations with victims were through the blog; ransomware decryptions and encryptions were done through the blog. Infrastructure was connected to the blog. The intrusion panels were connected to the blog. And also when they extort data and the victim doesn't pay, so they need to threaten them, the data is on the blog. So when the FBI was able to identify the backend of the blog and take down the front page - if you think about it, the blog is just the front page. But with this centralization, when they took down the front page, pretty much the entire operation of Hive that was pretty successful and that survived the Conti breakdown - even though they were closely affiliated - that was the end for them. So other groups, especially post-Conti, they looked at Hive and they realized that it's not smart to keep everything in the same place. And they learned a lot. At Red Sense, we have seen extended ransomware adversarial conversations about the Hive takedown. And the recurrent theme was we learned our lessons, we will not do it anymore.
Field: So you mentioned Hive, you mentioned Conti, these were strains that really dominated the marketplace, and they've pretty much gone away. Is it because of the targeting and their centralization?
Bohuslavskiy: Yes, absolutely because of that. So Hive, law enforcement takedown; Conti, improper brand management; REvil, also a pretty big strain back in the days, improper organizational management. I would almost say HR because they start to hire random people who ended up making provocative statements, who ended up making provocative decisions like taking down Kaseya on July 4, which was a slap to the face for our national security and we're not a nation that tolerates this. They start to get people who start to threaten President Trump and it doesn't matter how, like think about specifically President Trump, he was still U.S. president and again like this is not something that we as a nation tolerate. We don't talk to terrorists. It is almost a lot like those corporate scandals, when some of the executive says something inappropriate, and then the stock market goes down - that was the same thing with REvil. And this is again exactly the issue of hypercentralization at this point. So decentralization really solves it if someone says something wrong, if someone provokes someone wrong, if someone starts to deal with U.S. national security, that person would be the one responsible for that. He will not or she will not take the entire organization with them.
Field: What would you say is new and unique about some of these brands of ransomware that have filled the void and dominated the marketplace?
Bohuslavskiy: I would say everything except for people. This is like absolutely the paradoxical situation in which the techniques are new. The ways they find initial intrusions are completely new, they put emphasis CVEs and zero days. Clop just had two zero days in a row - like the MOVEit vulnerability and then they're trying to exploit the Citrix vulnerability. The malware is brand new. We just released a more or less classified - a TLP: red report where we were able to identify a malware lab associated with the post-Conti environment, and their experimenting with 14 different strains and families of malware trying to find novel methods. Their organizational structure, as we already said, is new. Instead of having 120, 150 people in the same place, quite often physically in the same place, now this would be subdivisions, so three, four people working in specific networks, segregated one from another, not really talking to one another, only having the joint leadership, things like that. But what is really paradoxical about all of that is that with all this novelty, the people are exactly the same. There is no fresh blood within the ransomware community, [it's] exactly the same leadership. They use different names now, Conti is now five organizations; still exactly the same people. You look at their pen testers: still the same people. The same guys who were attacking Texas back in 2019 - the first major ransomware attack - same people are doing it right now. And what is really interesting about all of that, not only the dynamics of [the] threat landscape didn't change that, not only the successes of law enforcement didn't change that. Even the largest war in Europe since WWII didn't change that. Because despite the fact that people are literally under fire, those who are not under fire, they need to leave their countries like specifically Russia with the draft and all the brutality that the Russian regime executes against its own population, obviously along with the Ukrainian population. Even with all that, communities are still there, people did not lose their connections, and they still work together within the same small or large collectives. And it's amazing how everything changed except for the actual human beings behind that.
Field: Let's talk about another topic altogether. Why do you see the adversaries now relying on customized malware - the focus is on specific industry sectors?
Bohuslavskiy: So in general, when ransomware became a big thing, it was almost entirely because of opportunism defined by where a large attack surface is. I remember back in the days on top-tier Russian-speaking forums, ransomware people were not even allowed - which, interestingly enough, ironically, repeated at the very peak of ransomware, when after Colonial Pipeline, they got thrown out of the forums. But years before the Colonial Pipeline, they were not allowed not because they were reputationally dangerous, but because it was considered that ransomware is an intellectual shortcut to the art of hacking, which is sophisticated. And as my former business partner, unfortunately now deceased, Vitali Kremez used to say, hacking is weaponized creativity. So they saw it like that. They thought: it's offensive to them to incorporate ransomware people into forums because ransomware was considered very primitive. But then ransomware actors realized that there is this massive unprotected attack surface that they could exploit. And their entire business was very opportunistic. We see something, we hit it. Then things started to evolve, and I think the major evolution happened, mostly because of [the] compliance audit and insurance industry which especially in our country, with some support from the government regulators, started to go to the market, to specifically SMEs, because small and medium entities are the most common victims of ransomware attacks, and started to tell them: listen, if you want your insurance coverage, especially cyber insurance coverage, you need to make sure you have at least the basic protocols in place. And those basic protocols were enough en masse to curtail the attack surface to a point when you cannot just drop random trick bot infection and have multimillion dollar ransom payment. So as a result, big shifts started with moving from primitive technology on the ransomware side to a combination of technology and social engineering. One of the Conti operators used to say: we cannot win on the technology front because the technology companies have billions and billions and billions of dollars of revenue developing antivirus. But we can win on the human front. And the moment they started to invest into the human front, that's when they started to create Conti's intelligence divisions and political divisions. They started to hire people who understand [the] Western - specifically U.S. - landscape very well, particularly [the] legal landscape and [the] regulatory landscape. And at this point, they started to understand that while some industries are better than others as targets. Very interesting was that some industries benefited from that with certain groups, unfortunately, not with all of them. For instance, post-Conti groups, particularly Royal, which is the largest one, they started to filter out in their infection panels the .edu domain, because schools and universities don't pay much anymore. And why would you bother with that? And then they even had an additional analysis, especially after their rebrand, saying that well, schools will not pay us, but at the same time, if we hack a school, this will create a major noise, and we don't need additional noise, we don't want to go into sanctions again. It was really interesting how they made an official statement, they released a statement on their blog saying that we hacked a school, a specific school, but we decided to delete the data because we are respecting the privacy of students. And that happened three weeks before the White House Educational Summit. So, they're definitely seeing how things are here, and they're definitely trying to evolve and adjust, and the industry targeting is a big part of this intelligent ransomware, so to speak.
Field: Yelisey, I appreciate the insight you've shared today. Thank you so much.
Bohuslavskiy: Thank you so much.
Field: We've been talking about ransomware. You just heard from Yelisey Bohuslavskiy, chief research officer and partner with Red Sense. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and attention today.