Cyber Crime Junkies

Inside the Mind: Unveiling Cyber Criminals' Motives and the Real-World Dangers of Ransomware

July 16, 2024 Cyber Crime Junkies-David Mauro Season 5 Episode 11


We explore the motives of cyber criminals, examples of cyber crime gang activity, the risk of physical harm from ransomware, and why it's important to understand a cyber crime MO (modus operandi).

An overview of the MO of REvil, Conti, Hive, DarkSide and other ransomware gangs and how they run their operations, which lets us better defend ourselves and the organizations and brands we serve.

Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

We're thrilled to introduce Season 5's Cyber Flash Points: short stories that show what the latest tech news means for online safety, helping spread security awareness and the importance of online privacy protection.

"Cyber Flash Points" – your go-to source for practical and concise summaries.

So, tune in and welcome to "Cyber Flash Points".

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. We'd love to hear your thoughts and suggestions for future episodes!


The Motives of Cyber Criminals

Find more at CyberCrimeJunkies.com

Summary

Ransomware as a Service (RaaS) is a growing threat in cybersecurity, with notorious ransomware gangs organizing and executing attacks on organizations. These gangs, such as REvil, Conti, DarkSide, and LockBit, operate using the RaaS model, where they recruit affiliates to carry out attacks in exchange for a share of the ransom. They target a wide range of industries, including healthcare, education, energy, and government institutions. The attacks often involve double extortion, where the gangs encrypt data and threaten to leak it if the ransom is not paid. The consequences of ransomware attacks are significant, causing financial losses, reputational damage, and personal hardship for individuals and businesses.


Chapters

  • 00:00 Understanding the MO of Ransomware
  • 04:32 Ransomware as a Weapon
  • 06:28 The MO of Ransomware Gangs
  • 13:11 REvil and Conti: Pioneers of RaaS
  • 21:18 The Downfall of REvil
  • 28:08 The Takedown of REvil by the Russian FSB
  • 32:30 The Disbanding of Conti
  • 40:49 DarkSide: From Notoriety to Shutdown
  • 45:46 LockBit: The Most Prolific Ransomware Group



Topics: the motives of cyber criminals, risks of physical harm from ransomware, understanding cyber crime motive, why it's important to understand cyber crime MO, why it's important to understand cyber crime motives, why it's important to understand the hacker mindset, why understanding cyber crime motives matters, understanding the people behind ransomware groups, what it means to profile a criminal, who causes ransomware attacks, the emotional toll fraud takes, examples of cyber crime gang activities, examples of data sold on dark web forums today, examples of recruiting in cyber crime gangs.

Dino Mauro (00:00.43)
Let me ask you, why do you lock the front doors of your home? Because you know that criminals could walk right in if not done, right? It's an assumption and obviously a safe one. Now let me ask you this: what if you read the news that there's been a rash of break-ins lately right there in your hometown, and they've been doing it in a particular, almost unique way. Criminals were breaking in, but always going in through a side window of every home that was covered by shrubbery. And they'd always break in on Wednesday nights. And then they did something odd.

When they would break in, they would always open the refrigerator and take a drink out, leaving a dirty glass on the kitchen counter. Would you take any different steps in your home defense, like a camera on your side window, maybe cutting down the shrubbery or a camera inside the kitchen, maybe do something with the refrigerator? You see, knowing the MO, the modus operandi, the methodology behind certain criminal acts helps us defend

differently, and it's the same in cybersecurity. Today's story is about the MO inside the minds of the most notorious ransomware gangs in our episode called Ransomware as a Service, What It's Really About, Evil Online. This is Cyber Crime Junkies, and I'm your host, David

Lucky to work for a great group of people you really believe in. Find yourself making an impact. Technology is a river that flows through every aspect of an organization and today is different. We put ourselves and our organizations literally at risk of complete destruction every single time we get online. One click, one distraction is all it takes. Hi, Cyber Crime Junkies. This is your host, David Mauro, along with co-host Mark

Come join us as we explore our research into these blockbuster true crime stories. Along with interviews of leaders who built and protect great brands.

Dino Mauro (02:05.046)
ransomware. You kind of have to say it with an ominous tone. We were wrong about what we thought we knew about ransomware. I mean, even if you're not involved in the cybersecurity field, everyone's heard of it by now. It's been in the media and we all have some basic assumptions. And while possibly unpopular, the truth is that most business owners and leaders and organizations are also wrong about what they understand ransomware to be. It's true, even today. After all the news,

media, and horror stories. We thought we knew what ransomware was, how it worked, who was generally behind it, and how it can be prevented. We couldn't have been more wrong. The more experts we met with, and when we say experts, we mean people smarter than us, you know, FBI, Secret Service, CISOs, hackers of all colored hats, the wider our eyes grew and the more apparent the misunderstanding and disconnect became between what is actually needed today by organizations to protect themselves

and what most business owners and leaders actually do in their efforts toward ransomware. It's an important threat vector. It costs companies, corporations, and infrastructure owners billions of dollars every year. We all see the news. Depending on which report you read, the average ransomware attack somewhere will cost between $380,000 and $1.8 million, and that's for a small business of just a few hundred employees.

Regardless of the cost that that check gets written for, the reputational damage and the loss in production and lost profits and damage to the customer's trust is exponentially higher. It's interesting to note that based on a survey of over 3,000 business owners and executive leaders and organizations, the cost of ransomware was nearly five times

what they actually thought it was. Like I said, we couldn't have been more wrong. But what is it? What is ransomware? It's just code. It's a set of letters, characters, and numbers strewn together making some computers block access to some files, right? I mean, really isn't that all that it is? How is that not eliminated by now? How much harm can that really cause? Well, the truth is that ransomware is a weapon.

Dino Mauro (04:32.258)
and this malicious code causes serious harm. And like a knife, which can be used safely to cut a fine fillet or used maliciously to cut someone's throat and kill, it's the mind of the ransomware gangs and the ill intent behind it that is really the driver. And that's the cause of the harm. And it's real harm. When companies lose significant funds, when production is stopped, when clients leave for competitors,

When money that was dog-eared for growth, marketing, and expansion must be used to pay lawyers, consultants, and cryptocurrency ransom, people's homes go up for sale. Kids don't go to college. Divorces happen. Personal bankruptcies happen. Careers are destroyed. Dreams are dashed. It's very real and it hits the heart of people's dinner tables. Professional ransomware gangs are responsible for these dangers.

These gangs, and they are truly gangs, we're gonna explain it in just a second. They produce and disseminate the malware, but they organize the whole scheme. They recruit the talent, they hire and test and engage with digital mercenaries that execute the attacks, they launder the money, they create and market the use of their products, but

Like we need to understand how. It's the critical information like protecting our home on Wednesday nights in the location where the actual break -ins are happening. If we know how, what their MO is, then we'll have clearer awareness. Like for example, they attack on Wednesday evenings at a certain time through our side windows. We need to cut our shrubbery. So let's take a quick look at some of the most notorious ransomware gangs. Where they're from, how they're structured.

While there's no way to capture all of the criminals involved in ransomware, there are some well-known Al Capone-like gangs that are key to understand because most of the other side ones and smaller ones simply copy their approaches. Today ransomware is well organized and, like crime families, it's very well segmented and departmentalized and it's very, very well organized.

Dino Mauro (06:58.349)
can't say that enough. And when we say that there's money in cybercrime, we're not talking new car money or new house money. It's more like buy a jet or a second island, like oligarch-type money. Some of the MOs used by the cybercrime ransomware gangs include either, one, attacking victims directly, meaning using their own access to the victim's network, their own tools, handling the negotiation,

exchanging the data for the cryptocurrency, laundering the money all themselves. Or what seems to be happening more often than not, especially at scale for the enterprise targets that we've all read about in the news, is the MO that's used is the running of the popular Ransomware as a Service, RaaS as it's called, and that ransomware as a service model enables affiliates

to extort specific organizations. So let's explore how initial access brokers, right, and ransomware as a service models work. Initial access brokers can be hacktivists, former disgruntled employees, they could be recruited by these ransomware gangs, but these are people, individuals that don't wanna get involved in the executing of the ransomware attack.

they have access, they have credentials or a back door and they either don't know what to do with it or they don't want to do anything further with it. And they wanna make a quick buck. Initial access brokers, right? The people that have that initial access into major companies and organizations and government entities all over the world, people that have that access, sell it on the dark web. And they usually go for $2,000 to $3,000. That's it, one-time payment.

and they're good to go. So when they sell it on the dark web, we find that the affiliates, the people that get hired by the core ransomware groups, they will actually pay for that. And then they will use that access to do some reconnaissance research and then to launch their attacks. So we've been fortunate enough to meet and gain

Dino Mauro (09:26.505)
new expert analysis and insight from an international leading researcher, John DiMaggio. He's the chief security officer at Analyst1. John's also written one of cybersecurity's most respected bestselling books and several other practical technical manuals throughout the last couple of years. One of the best known books is The Art of Cyberwarfare. If you haven't yet connected with John on LinkedIn or read his books, you're missing

It's the gold standard on research and best practices. John joined us in the Cyber Crime Junkies studio and provided us with some brilliant perspective on our investigation. He explains that there's this core criminal group, right? When we think of ransomware types, REvil, LockBit, DarkSide, all of these different names that you read about in the news. These are

forms of the code, but it's also the core group that owns that code. And they then hire affiliates. And those affiliates go and buy their access to the targets, the victims, victim organizations, and go and execute on it. And they have a profit sharing. It's usually a very generous profit sharing, like a 70-30, where the core group only gets around 30.

they're able to do it at scale. They're able to have many, many affiliates working for them. These core groups create the code and they orchestrate it all. If you've ever seen the movie The Godfather, they're like Don Corleone in The Godfather, sitting behind his desk at his daughter's wedding, right, where various people come and ask favors, like to kill my no-good brother-in-law. But these core ransomware gang leaders are smart and they want scale. Remember, this is new jet and

island money that they're after. So here's what John DiMaggio explains about the initial access brokers and the core group. Let's take a listen. So walk us through what IABs are, if you don't mind. Yeah, so an initial access broker, IAB, it's a business in itself. So what those individuals do is they go out and they hack into corporate organizations,

Dino Mauro (11:48.301)
The juicier, the bigger the target, the more revenue they make, the better. And then what's different about what they do is they have to be very stealthy because they're not stealing anything. They just want to get the access and hold the access. They want to get in undetected and remain there. Once they have that access, they come back to these criminal forums, they market and advertise it and they sell that access. So now an adversary

just buys the access and walks right in and they have now eliminated all the time and resources that are necessary to go and exploit it to begin with. IABs, these initial access brokers, these could be people that get, they'll get access to a corporate network, a government agency or whatever, but then they don't necessarily want to get involved in extorting them or anything else. They'll just make a quick buck, a few grand on the dark web.

to just sell, hey, I've got access to these 10 organizations. They buy it and then they make their quick buck. Okay. And yeah. And that's also by just being an access broker. They're not the big fish. You know, there's... Now let's touch on one of the cyber crime ransomware gangs. The former kings of ransomware were Russian-based REvil. They were a ransomware

organization also known as Sodinokibi. And they came onto the scene in a big way as one of the pioneers and creators of the ransomware as a service model. They came to be seen commonly in the industry in early 2019 and continued on up until the beginning of 2022. And they rose out of the ashes of several members who had worked under the name GandCrab. After GandCrab kind of stopped all of a sudden,

took all of its infrastructure offline, some of the same members and similar infrastructure popped up under the name REvil. And it's a play, it seems, on Resident Evil, the popular video game. It's alleged that they had ties to the Russian Federal Service Agency, the FSB, basically the Russian version of the FBI. Though this is doubtful and it's been debated since the FSB ultimately took them down in a

Dino Mauro (14:08.109)
visible debacle that was spread across international media. REvil, at their prime, was one of the best known and most merciless ransomware outfits. Pure evil online, with very strong technical prowess. They were one of the first groups to go elephant hunting. When we say elephant hunting, think of it like this. Ransomware, if someone was to launch ransomware on one of our individual computers,

they would do so and it would be locked down through a phishing email, through putting in a jump drive that we shouldn't have, through clicking on an ad we shouldn't have clicked on, all the ways that malware affects us. But we wouldn't be able to access our own data and then we would have to pay a ransom by a certain period of time, otherwise the ransom goes up. And that might be a few hundred dollars, right, for us to get our own data back.

REvil was one of the first ones to develop a very powerful code and a very mean-spirited model. And they would sell that code and engage it with these affiliates to execute on it. And we'll get into how they did it, but they really lowered the moral bar of cyber crime. And when we say elephant hunting, they're going after large organizations, some of the biggest in the world. And the reason they're doing that is

They don't want to waste their time going after a few hundred dollars from one of us or two of us. They want to encrypt thousands of computers and servers and infrastructure across major organizations. Because then the ransom demands go into the millions.

When you hear about the rise and fall of REvil, you'll find that they essentially acted like John Gotti in cybercrime. I mean, John Gotti's big downfall was he bragged too much, he talked too much. One of the key golden rules of organized crime is to keep your mouth shut. And John Gotti drew a lot of attention to him, as did REvil. And that, many feel, was one of the big Achilles heels that they had.

Dino Mauro (16:26.349)
I mean, there are criminals who work both online and in the physical realm. There are some who get into crime because of socioeconomic issues and maybe because of the culture in which they were raised. REvil was tied to hundreds of jaw-dropping high-profile mass media attacks, and they reveled in the spotlight. In a single month in 2021, they took credit for, bragged about openly, and were tied by researchers and law enforcement

to more than seven major attacks in that one month. Now it's all according to data collected from extortion sites, government agencies, news reports, hacking forums, and other sources. Like we said, they lowered the bar, the moral bar in cyber crime. They did double and even triple extortion. Some of their major victims: back in March of 2021, they attacked the electronics and hardware company Acer and compromised their servers.

They demanded $50 million for a decryption key and threatened to increase the ransom to $100 million if the company didn't meet the group's demands. A month later, the group carried out yet another high profile attack against an Apple computer supplier, Quanta Computers. It attempted to blackmail both Quanta and Apple, but neither company paid the $50 million ransom.

The REvil ransomware group continued its attack spree and targeted JBS Foods, Invenergy, Kaseya, and several other businesses. JBS Foods was forced to temporarily shut down its operations and paid an estimated $11 million in ransom through Bitcoin to resume operations. On May 30th, 2021, JBS SA, which is a Brazilian-based meat processing company, suffered a cyber attack which completely disabled

its beef and pork slaughterhouses. The attack impacted all of the facilities throughout the United States, Canada, and Australia. The company supplies approximately a fifth of the globe's meat. So the whole world, a fifth of it, over 20% comes from this one single company. It makes it the world's largest producer of beef, chicken, and pork.

Dino Mauro (18:50.999)
The attack was compared to the Colonial Pipeline cyberattack, which had occurred earlier the same month. These were the first times that the supply chain had really been dismantled very publicly. And it was the largest to date impact of a single company focused on food production. All facilities belonging to JBS USA, which is JBS's American subsidiary, including those focused on pork and poultry,

saw disruption due to the attack. All their beef facilities in the U.S. were also rendered inoperable. It impacted slaughterhouses throughout Utah, Texas, Wisconsin, and Nebraska. And the beef industry in Australia had to stand down 7,000 Australian employees as well. The U.S. Department of Agriculture wasn't able to offer their wholesale beef and pork prices. And due to the predicted shortfalls,

in the meat production that was coming up and the price increases, the USDA had encouraged other companies to increase production. The attack heightened awareness of several things. One, cybersecurity in the supply chain, because it was a matter of national security. Also, it raised the issue of consolidation in the meatpacking industry in the United States, meaning why was only one company in charge of so much?

Right. That raised a lot of concerns and it made its way into being debated in Congress. They wound up paying the hackers an $11 million ransom and the ransom was paid in Bitcoin. The attack also brought attention to the negative consequences of both poor cybersecurity hygiene as well as consolidation of the supply chain. But two things stand out when we think of REvil. I mean, the

breach was bad. There were two things that really led to the fall of REvil. One of the major ones was that they had gone too far. This is what really led to their downfall. Right? The first one was when they hit Kaseya. So Kaseya VSA is a remote monitoring and management platform. It's a tool platform that's used for remotely monitoring, managing,

Dino Mauro (21:18.909)
and controlling other companies' computers, servers, switches, routers, things of that nature. It's the tool that allows managed service providers, IT companies, to support those other companies. And they use this common popular tool called Kaseya VSA. Well, REvil attacked them and by attacking them, they then got pushed out through all of the MSPs

that had the remote control tools all over thousands of clients throughout the United States. And that really crossed the line and made its way all the way up to the White House as well as international relations and negotiations between the United States and Moscow.

The RMM agent, it's installed on the endpoints, on clients' workstations and servers, right? The purpose, like most software, is to kind of streamline IT operations by MSPs and to centralize the management and monitoring of those platforms. It includes everything from asset tracking, software monitoring, et cetera. But the Kaseya ransomware attack impacted over 50 managed service providers. In an upcoming episode, we're actually going to interview Robert Cioffi and he was one of the owners

of one of those MSPs. He's going to tell a very human inside story about what it was like to have 100% of all of your clients ransomed all at once. It all happens in about an hour. When you hear his story, you'll hear the pain, the anguish, the fear, and the inspirational story of

how people rallied together to overcome this. But it'll really set the tone and explain why REvil's methodologies of, you know, initial ransom, double ransom, triple ransom. When we say that, what they would do is they would encrypt the data on endpoints and on servers. Then they would say, if you don't engage with us and don't pay on

Dino Mauro (23:41.495)
we're going to start to leak some of this data and humiliate you. It will be public, they have a leak site, right? And they'll be able to do that. I think they called theirs the Happy Blog, right? And they would leak all of the data, right? So companies would lose and customers would lose all of their intellectual property, their private confidential information, there'd be compliance violations. It was horrible, right? And then sometimes they would even do

triple extortion where if you didn't engage with them and didn't click on the link that they provide to go into the dark web chats with them and negotiate and arrange for payment so that you can get some of this data back, they'll often even DDoS your sites and DDoS your platforms. They will take them down, knock them offline until you actually would engage in negotiations.

It was pure evil online. It was a pure offensive attack. When they did this to Kaseya, it really changed the world and they crossed a line that ultimately led to their demise. That along with another factor. The other factor was the fact that they had double-crossed their own affiliates. See, when REvil

would engage with their affiliates, right? They would provide the code, the affiliates would go and execute, getting access through initial access brokers, going in and launching the ransomware. And the affiliates would go and negotiate with the victims, collect the money, and the money would be distributed between the affiliates and REvil. And sometimes there were disputes about,

how much is owed, how much was really collected, et cetera. And on the dark web, believe it or not, there are actually tribunals and arbitration hearings and negotiations where a group will actually air their dirty laundry and independent people, independent criminals, criminal hackers will go and decide those disputes, rendering a judgment and everybody was bound by it. Well, through those,

Dino Mauro (26:05.131)
And through the research that John DiMaggio and others had found in those tribunals, it came to light that REvil had actually been double-crossing a lot of their own affiliates. What they were doing is when an affiliate was about to negotiate and receive millions of dollars of payment from an organization, REvil was monitoring that conversation. And they stepped in and they would tell the affiliate, we spoke to

organization, they've turned everything over to law enforcement. They're not going to pay. And they would

take over the conversation so the affiliate didn't have access to actually speak with the organization anymore. They thought they were, but they were really speaking with REvil. And REvil would do that, get the affiliate to go away and then settle the ransom directly with the victim organization. So when the double cross started to become well known,

REvil started to really lose its own street cred within the dark web. That along with the Kaseya attack, because the Kaseya attack brought a lot of unwanted attention to the group. It's mostly because it affected over 1,500 businesses worldwide and a lot of diplomatic pressure occurred and the US met with Moscow. And as a result of that, Russian authorities

actually arrested several key group members in January 2022 and seized assets worth millions of dollars. We're going to show you a quick video of that takedown because it made international news. So check this out. In the videos put on by the Russian FSB and published all over international media, you see Russian agents.

Dino Mauro (28:07.917)
with the FSB and the Russian Secret Service barging down doors, slamming people to the ground, putting them in handcuffs, cracking into their laptops, showing their bank balances in millions, as well as all of the laptops that they had taken down and the hundreds and hundreds of thousands of dollars and millions of dollars in actual cash

these gentlemen had all stashed. It's really shocking video. For those watching the YouTube channel, please go check that out. You won't want to miss

Dino Mauro (29:08.493)
So you can see the true Russian style of the breaking down of the doors and the massive takedowns. But what a lot of people have found is that that disruption was arguably just a temporary appeasement politically, or perhaps it was a distraction, since the very following month after that takedown, in February 2022, Russia invaded Ukraine. But regardless, that distraction was short-lived

and the REvil ransomware gang has been back up and running since April 2022. However, they have surely not been the same. So some of the people that had been taken down were gone, because they haven't been as successful. They haven't been as taunting of their victims. And they just aren't the major player and the kings of ransomware that they were at that

So another major player that can be found in the rise and fall of the ransomware crime groups is called Conti. And Conti is another infamous ransomware gang which really started making headlines back in 2018. And it used the double extortion method, meaning the group withholds the decryption keys and then threatens to leak the sensitive data if the ransom is not paid.

It even ran a leak website called Conti News, and that's where they would publish the stolen data. What makes Conti a little different from other ransomware groups is the lack of ethical limitations on its targets. It conducted several attacks in the education and healthcare sectors and would demand millions of dollars in ransom from organizations that clearly couldn't afford it. They had a long history of targeting critical public infrastructure

like healthcare, energy, IT and agriculture. And in December 2021, the group reported that it had compromised Indonesia's central bank and stolen sensitive data, which wound up being like 13, 14 gigs of highly, highly sensitive data. And then in February 2022, Conti attacked an international terminal operator, SEA-Invest. That company operated 24 seaports across Europe and Africa.

Dino Mauro (31:31.821)
and they specialized in handling food bulk items like dry bulk, fruit and food, liquid bulk, oil and gas and containers. But that attack was massive and it affected all 24 ports and caused massive disruptions. Conti even compromised the Broward County Public Schools in April of that year and demanded $40 million from the school district. The group leaked the stolen documents on its blog after the

engaged with the FBI and refused to pay that ransom. The group would advertise job postings. They would attempt to test security products of cybersecurity companies. They even offered bonuses and appraisals like a contemporary business. Then in May 2022, Conti was suddenly taken offline, and all of its internal infrastructure, including panels and hosts and a new blog,

like the leak site, all of that was taken down. At that time, Conti was in the middle of an intense ransomware deadlock negotiation with the government of Costa Rica. And the president of Costa Rica at the time had actually enforced a national emergency in the country because of the Conti ransomware attack. According to NHS Digital, the only guaranteed way to recover was to restore all affected files

from their most recent backup, which they weren't able to. So during the Russian invasion of Ukraine, here's kind of what led to the Conti fall. After the February 2022 invasion of Ukraine, the Conti group announced its support of Russia and threatened to deploy retaliatory measures and cyber attacks if cyber attacks were launched

against fellow Russians over Ukraine. As a result, somebody internally, an unknown source, who was seemingly loyal to Ukraine, took issue with this. And over 60,000 messages from internal chat logs within the Conti organization were leaked by that anonymous person, who indicated their support for Ukraine when leaking

Dino Mauro (33:56.841)
along with Conti's source code and tons of other files, personal information from the group itself. Those leaks came to be known as the Conti leaks. And it contained tons and tons of data that was absolutely embarrassing and damaging financially to the group. A member known as Patrick repeated several false claims made by Putin about Ukraine.

Patrick lives in Australia, but might be a Russian citizen. That was one of the findings in the leaked documents. In May of 2022, the U.S. offered a reward of up to $15 million for any information on the group: $10 million for the identity or location of its leaders, $5 million for information leading to the arrest of anyone conspiring with Conti. It's the first time the U.S. federal

that actually put a bounty on the heads of a ransomware gang. And Conti, I mean, they were one of the most prolific ransomware gangs in recent history, but in light of all of that political pressure, they disbanded in July 2022. Now, a lot of the members are still around, and they've either gone off on their own or they've joined other groups. For example, Black Basta. Black Basta is one of the other leading groups that

is making a lot of recent news. And some of those same members were the former Conti members. So Black Basta began appearing in April 2022. So right along the time when the political pressure was on Conti, that month, April and May of 2022, Black Basta began to be formed. And a lot of people believe that several members of the Conti group came over to Black Basta.

And it's a ransomware-as-a-service group. They're comprised of former members of the Conti group. And also the research has shown that there are also some former members of the REvil ransomware gang. And the reason they say that is because they share similar tactics. Some of the techniques used are similar, as well as the code in the ransomware code itself. And they proceed to boast

Dino Mauro (36:20.993)
just like Conti and REvil did. They advertise, they do recruiting of affiliates, they draw attention to themselves, they claim that their ransomware code and platform and infrastructure are much better than their competitors', and they post about highly skilled and experienced group members. They have been increasingly gaining access to organizations,

usually exploiting unpatched security vulnerabilities or publicly available source code, right? They usually rely on the double extortion techniques, right? Where they threaten to publicly leak the stolen data unless the ransom is paid, just like REvil and Conti before them. They also deploy DDoS attacks to convince victims to engage in the negotiations and pay the ransom, just like REvil used to.

And in some cases, Black Basta has even demanded millions of dollars from their victims in order to keep the stolen data private. So some of the ransomware attacks that Black Basta has been involved in have really dramatically increased in the end of 2022, where we sit today. They hit over 50 organizations. So if you do a Google search on Black Basta, you will see all of the recent attacks.

So many of them, a really high percentage, are tied to Black Basta code and the Black Basta ransomware group. They hit over 50 organizations in the third quarter of 2022 alone. And the sectors mostly impacted by these ransomware attacks included consumer and industrial products, professional services and consulting, tech and media, life science and healthcare. So they again have the bar low and they are going after

every organization and every vertical. And among the different countries, the U.S. is clearly the biggest target, getting 62% of all of their reported attacks. Another key ransomware cybercrime group is called Hive. They sprung up in early 2022 and they quickly earned a name for themselves as one of the most active ransomware groups. The number of attacks from this gang alone

Dino Mauro (38:42.765)
jumped 188% from February to March, according to NCC's March Cyber Threat Pulse Report. The ransomware variant was also one of the top four most observed during the third quarter of the year. So what types of companies does Hive target? Traditionally focused on industrials, Hive also targets academic and educational services, as well as sciences and healthcare companies, along with energy resources

and agriculture businesses. In the last quarter of 2022, Hive ransomware hit 15 countries, with the United States and the United Kingdom as the two top targets respectively. The group is known to be fast, allegedly encrypting anywhere from hundreds of megabytes to more than four gigabytes of data per minute. Let me rephrase that. The group, the code that they've created, is notoriously fast.

It encrypts hundreds of megabytes to four gigs of data per minute. Every minute that the ransomware is launched, it is encrypting up to four gigs of data per minute. That's really fast compared to other ransomware strains. And to help carry out its attacks, Hive hires penetration testers, initial access brokers, and threat actors. In August 2022,

An alleged operator of the Hive ransomware group reported using phishing emails as the initial attack vector.

That leads us to one of the other leading ones, and that's DarkSide. A lot of people have heard of DarkSide. The DarkSide ransomware group follows the ransomware-as-a-service model and targets big businesses to extort large amounts of money. It does so by gaining access to the company's network, usually through phishing emails or brute-force attacks. It encrypts all of the files on the network, just like the other ransomware groups. But there's

Dino Mauro (40:49.473)
theories regarding the origins of DarkSide. Some analysts think that it's from Eastern Europe, somewhere in Ukraine or Russia. Others believe the group actually franchises in multiple countries, including Iran and Poland. DarkSide's hacking group is believed to have hit Toshiba, but they're also the ones that the FBI tied to the Colonial Pipeline attack, which is one of the more famous ones, along with JBS, the meatpack

It's thought that they've been able to hack and extort around 90 companies in the US alone. And the group is a ransomware-as-a-service group, right? They themselves claim to be apolitical, but that's kind of the downfall of what happened there. So what has occurred is most researchers haven't found them to be directly state sponsored, right? Meaning operated by the Russian intelligence service.

But some of the ransomware groups have either been tied to that or at least been ratified by it. Meaning, as long as you don't hit Russian organizations, you can continue to proceed within our country. DarkSide tended to avoid targets in certain geographic locations by checking their system language settings. So that's why they know kind of where they're from, because if it was a Russian-speaking system or a certain-language-speaking system, they wouldn't attack.

They are one of the many for-profit ransomware groups that have proliferated and thrived in Russia. Russia has either given them implicit sanction or has ratified their acts. They also make huge ransomware demands and launch their ransomware at scale. What's interesting is this group claims to have had a code of conduct, unlike the

others. This group would advertise and talk about in the forums that they have a higher ethical standard, right? They claim to never target schools, never target hospitals, never target government institutions or any infrastructure that could negatively affect the public. So that's good, right? However, in March 2021, DarkSide carried out the Colonial Pipeline attack and demanded $5 million in ransom.

Dino Mauro (43:17.901)
It was the largest cyber attack on oil infrastructure in US history. And it disrupted the supply of gasoline and jet fuel in 17 states, essentially within hours, in the United States. The FBI identified DarkSide as the perpetrators of that attack, which happened on May 7th, 2021. They could tell by the code that was used, and the pressure that was put down led them

to voluntarily shut down 45% of the fuel to the East Coast of the United States following that attack. It was described as the worst cyber attack to date on US critical infrastructure. They successfully extorted through that attack around 75 Bitcoin, which was around $5 million at the time, from Colonial Pipeline itself. And then that led to a lot of other investigations because of their ties to

Russia at the time. But following the attack on DarkSide and the US government's investigation into their ties to the Russian government itself, the core group of Moscow, right, central Russia's government, DarkSide posted a statement on a forum in their blog saying, "We are apolitical. We do not participate in geopolitics. Our goal is to make money and not create problems for society." You know, that's how they

make their money. But following that attack, DarkSide came under massive pressure by the US government and other allied nations. They tried to clear their name by blaming third-party affiliates, saying it wasn't us. Some of our affiliates went rogue. We tell everybody, if you're going to use our code, don't go after critical infrastructure. They hit them. What could we do? But the pressure mounted and mounted, and it got to the point where the group

completely shut down all of its operations after the mounting pressure from the United States. In fact, since June of 2021, DarkSide has only published data from one ransomware attack from one company. So they've essentially disappeared. Today, the most prolific ransomware group is Lockbit, right? There was originally Lockbit, then Lockbit 2.0, and then Lockbit 3.0. And it's an impactful ransomware group. It accounts for

Dino Mauro (45:46.189)
40% of all ransomware attacks almost every single month currently in 2022. It attacks organizations throughout the US, it attacks China, it attacks India, and throughout Europe. Earlier this year, Lockbit targeted the Thales Group, which is a French electronics multinational group, and threatened to leak sensitive data if the company didn't meet the group's ransomware demands. It also compromised the French Ministry of Justice and encrypted their files.

The group now claims to have breached the Italian tax agency, Agenzia delle Entrate, and they claim to have stolen 100 gigs of data. But we've gone into a great description of Lockbit by somebody that actually has spoken with them, has spoken with the US agencies investigating them, and knows them better than anybody, and that's John DiMaggio.

We have an episode that we've already released that's a description of Lockbit. It's called New Lessons from Lockbit with John DiMaggio. Please check that out, because some of the stories there about how Lockbit does it, the coding of the ransomware, is more powerful than any other group anybody has seen. They recruit actively, their affiliates, they have tattoo competitions among affiliates.

And it's just a very prolific and dangerous game. I mean, today ransomware continues to be the single most dangerous threat. The money is good to the point of funding massive amounts of criminal organizations, right? This is new-island money. This is jet money. And it's just something we all need to be aware of.

We hope that you enjoyed this episode. We appreciate you listening. And as always, thanks for being a Cybercrime Junkie. Check out our next episode, which will start right now. Hi, Cybercrime Junkies. Thanks for listening. Got a question you want us to address on an episode? Reach out to us at cybercrimejunkies.com. We explore why cybercrime grows daily, how it is funded, productized, and organized, how to protect yourself, and where cybercrime goes to

Dino Mauro (48:10.741)
And thanks for being a cybercrime


Understanding the MO of Ransomware
Ransomware as a Weapon
The MO of Ransomware Gangs
REVIL and Conti: Pioneers of RaaS
The Downfall of REVIL
The Takedown of REVIL by the Russian FSB
The Disbanding of Conti
DarkSide: From Notoriety to Shutdown
Lockbit: The Most Prolific Ransomware Group