Contributed by George Mack, Content Marketing Manager, Check Point Software.
“No honor among thieves” is a phrase that best captures the recent actions of cyber criminals.
Over the past few years, a ransomware operator's biggest liability has turned out to be his or her own colleagues, as shown by a string of incidents in which members of ransomware groups have leaked sensitive information. Then again, it should be no surprise that someone who engages in cyber crime is willing to turn on their "friends" for some form of gain.
For example, in 2019, a ransomware group, dubbed REvil, infiltrated an array of dental offices and local governments in Texas. A REvil insider sent an email – revealing sensitive information about the group’s operations – to a group of security researchers. The researchers then shared this information with law enforcement, which helped lead to the arrests of REvil-affiliated hackers.
In another case, in 2021, an affiliate of the Conti ransomware group leaked a training manual detailing how Conti onboards affiliates. So it is not just full-time employees who can release sensitive information; the "colleagues" of these organizations also include affiliates, partners, and others with access to inside information.
Below, we'll explore why the colleagues of ransomware groups are leaking information, and which other parties could be responsible.
Who is behind these recent, high-profile leaks?
First, affiliates are angry about how they’ve been treated. According to one security architect, several of the large ransomware gangs brought in lots of money but didn’t appropriately reward their affiliates. This was the apparent motivation in the 2021 Conti leaks, which took place after the vengeful affiliate was underpaid for doing the group’s dirty work.
Second, ransomware groups have made public statements about geopolitical events, which can motivate countries to retaliate against the threat actors. Earlier this year, large-scale ransomware attacks were carried out in Costa Rica and Peru – leading the state of Costa Rica to declare a national emergency after the group leaked 672GB of data. Events like this could motivate governments to infiltrate these organizations and release sensitive information to the public.
For example, Conti released a statement on February 25th, 2022, pledging full support for the Russian invasion of Ukraine. Two days later, an anonymous Twitter account dubbed “ContiLeaks” published a huge log containing internal chats revealing the inner workings of the group. Coincidence? Maybe. Maybe not.
Third, ransomware groups aren't exactly run like well-managed corporations. They are relatively new and often consist of people with little experience in managing a large company, which may be one reason they turn to cyber crime in the first place. As a result, it's harder for leaders to run a tight ship, making leaks more probable.
Fourth, it's possible that law enforcement has infiltrated several ransomware gangs, as it often does with criminal gangs in the physical world, which could also contribute to leaks.
Fifth, and finally, cases have shown that hackers give away information without realizing it. For example, a cardiologist based in Venezuela, named Moises Luis Zagala Gonzalez, was arrested for distributing ransomware tools. Law enforcement was able to track him down after linking his contact information to the email accounts and payment services he used to carry out his crimes.
It certainly makes it easier for law enforcement agencies to do their job when hackers are actively sabotaging each other or making mistakes. Instead of waiting on others, what can you do to proactively defend against ransomware attacks?
Here are just a few of the best practices we recommend implementing in our CISO's Guide to Ransomware Prevention:
- Provide employees with cyber security awareness training
- Develop stronger user authentication methodologies
- Test backups regularly
- Segment networks to prevent lateral movement in the event of a breach
- Regularly update and patch software
- Pursue a 'defense-in-depth' approach, i.e., layer security measures so that no single control is a point of failure