Distrust, feuds building among ransomware groups
In an industry that operates in anonymity, trust is everything -- but recent accusations of ransomware actors working with or being law enforcement is threatening that work model.
The same anonymity that obscures threat actors from authorities has sparked distrust among ransomware groups themselves.
While tracking the activity of BlackMatter and LockBit, among others, Azim Khodjibaev, senior intelligence analyst at Cisco Talos, observed a tension that's been building between the two ransomware groups since last summer. He attributed it to several recent developments, including the shutdown of REvil and the leaking of BlackMatter's control panel.
However, the tension culminated recently when the owner of the LockBit ransomware as a service (RaaS) operation accused a major threat actor, known as Kajit, of either being a law enforcement agent or working with police.
Khodjibaev discovered that Kajit created a forum named RAMP that openly allowed ransomware partnerships. As a caveat, Kajit insisted on being the only person to test all of them and obtained full admin rights. That was the key moment ransomware operators accused Kajit of being the leak, according to Khodjibaev.
"This whole trust has been extremely shaken to its core," he said to SearchSecurity.
In a Twitter thread this week, Khodjibaev discussed his observations and the various allegations and developments that fueled the ongoing dispute between two of the most notorious ransomware groups. The feud has intensified so much during the last several months that he described it as "a major civil war going on [in] the Russian cyber-criminal underground."
After alleging for a long time that Kajit, the former owner of RAMP is a cop, LockBittSupp posted a massive bombshell t0 XSS(DaMaGe LaB) Russian hacking forum pic.twitter.com/kSEMuwJs6M— Azim Khodjibaev (@AShukuhi) January 31, 2022
Maintaining a persona
Communication among ransomware operators, affiliates and even victims are done on forums like RAMP and private chat platforms. Nick Biasini, head of outreach at Cisco Talos, said those forums basically operate on trust and trust is the only thing that makes the whole ecosystem work.
"One reason they succeed is their belief in the use of escrow and arbitration and all these mechanisms that they have in place to handle these types of disputes," he said. "But what you're starting to see is some of that trust break down."
The breakdown could be tied to the reported REvil arrests by Russian authorities last month, he said, and various other factors. It is clear, however, that cybercriminals are starting to get nervous and paranoid in such an anonymous environment where everyone is tied to their online personas.
This type of distrust and disruption could be exactly what law enforcement agencies aimed to create with recent actions around the globe, Biasini said. For example, the U.S. State Department recently offered $10 million rewards for information leading to the arrest of the ringleaders behind both REvil and DarkSide ransomware groups; some infosec experts believe that while the rewards are unlikely to produce any arrests or convictions, the bounties could make it more difficult for RaaS to verify and trust potential affiliates through dark web forums and anonymous chat.
In addition to communication and leaking victims' data, these forums also provide ransomware actors a means of obtaining validation. Khodjibaev said there are reviews and reaction scores on some platforms, and compared it to a "social media type experience." Receiving a like or dislike can be extremely important to threat actors.
"They have a lot of value in the personas that they build," Biasini said. "Trust plays such a huge role in this and the anonymity associated with it introduces both advantages and problems. It's problematic because you can't absolutely trust the people that you're working with."
Long-term and short-term impacts
That problem was highlighted even further by the recent REvil arrests in Russia, which both Khodjibaev and Biasini agreed have had a tangible impact. Biasini said historically, they have not seen major arrests occur inside Russia related to ransomware actors, and when something like that happens it will absolutely have an impact.
Aside from the ransomware actors realizing they face serious consequences, it also contributed to the growing distrust.
"Now, people question, 'Well, are you legitimate? Did you get arrested and are now an informant?' There's a lot of skepticism around that as well because you don't know how deep the arrests went or who was, or wasn't, involved," Biasini said.
This is where the anonymity and validation and trust work against them, Khodjibaev said, because people are going to have prove themselves if they want back in.
The takeaway, he said, is the budding distrust likely won't undermine any operations long-term. However, in the short term there may be regrouping and reconsolidation.
"It's almost akin to some sort of economic disruption within a particular business sector. It's only just reorganization and seems like LockBit has put themselves in a very strong position," Khodjibaev said.
While ransomware actors won't disappear from the threat landscape, Biasini said it will cause them to burrow further, to splinter off and figure out additional ways to communicate with one another in mechanisms that aren't necessarily as public as the forums would be.