Through the active Dark Web research that Trustwave SpiderLabs conducts for its clients, we have observed new communications on various Dark Web forums between Eastern-European cybercriminals.
Based on the conversations that we’ve collected, a segment of cybercriminals is now worried that the Russian authorities may be actively hunting them down. One of the forum members on the Dark Web even went as far as to state that they believed there were “recent secret negotiations on cybercrime between the Russian Federation and the United States.”
Все решается втихаря, в кабинетах.
А кто какие игры ведет в закулисье ..- бессмысленно гадать. Мы не знаем (всего).
Кстати, вот - недавние тайные переговоры о киберпреступности РФ и США тому пример."
Everything is decided on the sly, in the offices.
And who and which game is actually playing in the backstage ..- it is pointless to guess. We don't know (everything).
Incidentally, there are the recent secret negotiations on cybercrime between the Russian Federation and the United States. "
10 Nov 2021, 10:09 PM, Forum: Exploit
Other cybercriminals, however, are still living large, according to recent news. A REvil hacker wanted by the FBI for ransomware and money laundering activities, Yevgyeniy Igoryevich Polyani, was seen in Barnaul driving a $74,000 Toyota Land Cruiser and owns a BMW worth up to $108,000.
Hackers have Picked Up on Current Events
Back on June 16, 2021, U.S. President Joe Biden met with Russian President Vladimir Putin in Geneva, Switzerland. Part of their conversation was reportedly the growing number of ransomware attacks on U.S. companies and critical infrastructure.
After Biden publicly stated he expected to see results from his conversations on ransomware with Putin in June, forum threads dedicated to recent arrests almost immediately began focusing on potential takedowns, and later, the possibility of one of their own cooperating with law enforcement.
Just months prior, these forum members would joke about being caught and arrested. But now, these same forum members are discussing how to prepare themselves for the possibility of being captured or potential sentences for crimes. Others, meanwhile, refuse to be scared.
“никто рансомварщиков в ру не будет закрывать, максимум попросят быть тише и делиться не нагоняй жути”
“no one will put to the jail the ransomware gang members in RU, maximum you will be asked to be quieter and to share, do not be scared “
17 June 2021, 7:41 AM, Forum: h0st
В политике часто личности становятся разменной монетой (от древнего Рима). Нет никаких гарантий, что 272 ст.УК РФ никогда не будет применена из-за чернухи к тем, кто работает по юсе.
и да, ВВП не вечен. Кто придет на смену и какие будут внешнеполитические договоренности, отношения, да и внутренние акценты в правоприменительной практике, никто не знает.”
In politics, individuals often become a bargaining chip (from ancient Rome). There are no guarantees that Article 272 of the Criminal Code of the Russian Federation will never be applied because of the criminal operations to those who work in the US.
and yes, Putin is not eternal. Who will replace and what will be the foreign policy agreements, relations, and the internal accents in law enforcement practice, no one knows.”
8 Nov 2021, 9:39 PM, Forum: Exploit
Весь вопрос в том, к чему вы готовы, если начнется охота. За вами.
Вот мне на днях отвели два месяца жизни - и это на самом деле несерьезно. Ресурсов не хватит, у того кто угрожал.
Но призадумалась.... а если бы серьезно?
Отсюда и вопрос - кто что делать будет, если из уютной норы начнут тянуть?”
The whole question is, what are you ready for if the hunt begins on you.
So the other day I was given two months of life - and this is actually not serious. The resources won't be enough, the one who threatened.
But it makes me wonder .... and if it were serious?
Hence the question - who will do what if they start pulling from a cozy hole?”
9 Nov 2021, 5:16 AM, Forum: Exploit
On July 2, shortly after the June meeting between Biden and Putin, the Kaseya VSA attacks occurred – a mass-scale ransomware campaign that was attributed to Russia-based cybergang REvil.
On July 9, Biden pressed Putin on a phone call about the attacks again.
“I made it very clear to [Putin] that the United States expects, when a ransomware operation is coming from their soil even though it’s not, not, sponsored by the state, that we expect them to act,” said Biden.
On July 13, the REvil gang began to disappear from the Internet (before briefly reappearing and then seemingly shut down in October), and more arrests were made due to the collaboration between several law enforcement agencies internationally.
Dark Web Forums Shine a Light on the Minds of Cybercriminals
Dark Web forums are very much a window into the soul of the cybercriminal community, and it is the place threat actors can create a society.
By regularly monitoring the Dark Web, security professionals can gain valuable insights into emerging trends and specific threat intelligence to improve their defensive techniques. They can leverage chatter on Dark Web forums as an early warning system, alerting them to new bots, viruses or malware that have appeared on the scene. Monitoring the Dark Web can provide early notification of an attack on a specific organization(s) too. Chatter on the Dark Web mentioning some form of access or the sale of credentials, names of executives and other information that is specific to an organization can be a giveaway you’re under attack or are being highly targeted.
This early warning gives security professionals time to harden their defenses and update their response playbooks, enabling them to mitigate the risk of the threat being used against their organization or respond more quickly if an attack does occur. If they see a discussion of a new social engineering technique or phishing lure, they can proactively update their email security settings and warn employees to be on the lookout.
A wide variety of activities take place in these extremely active Dark Web forums. The topics cover everything from discussing rumors and gossip – to selling malware or commercial secrets, data stolen by ransomware attacks, hiring developers to write a new malware, and recruiting. The chat rooms are also a place where those looking to break into the underground can find work and build their reputation amongst local gangs.
Other activities include posting translations of publications, including press reports on ransomware arrests and activity. There are even news sites for cybercriminals – with information on the latest occurrences and other information that may be useful for threat actors. If you are new to the cybercriminal world, you can study the field you’re interested in joining and possibly get brought in to start doing some entry-level criminal activity.
The Next Move for Organized Cybercriminals
Eastern-European ransomware operators are increasingly trapped. It appears they may no longer be entirely safe in their own country, and they cannot physically pick up their operations and move to another location with extradition treaty agreements in place with other countries.
In just the last few months, we have seen some results of geopolitical collaboration efforts. Getting a handle on ransomware and bringing cybercriminals to justice seems to be becoming a global priority. And this should scare threat actors.
We will likely see groups toggle ‘offline’ and ‘online’ – as we’ve seen with REvil before – in order to cover their tracks when law enforcement gets too close. We may also see some gangs go dark and close their business, and other groups emerging to pick their share.
We anticipate that these organized gangs will likely physically stay put in their home countries because even though it is not as ‘safe’ as it once was for cybercrime, cyber gang members are still less likely to be caught on their ‘home turf’. Many of these cybercriminals want to stay where they belong, where their families and friends reside, and where the local language is familiar, and many of their contacts exist.
Also, the corruption in many Eastern European countries means cybercriminals have a better chance of escaping even if they do get into trouble.
What Organizations Can do to Defend Against Targeted Ransomware Attacks
Ransomware will not stop. We do not expect a decline in ransomware attacks because the rewards are too great for those involved. Organizations of all sizes need to be prepared – but especially those in manufacturing, critical infrastructure, finance and healthcare. These types of organizations hold sensitive data and are seen as more willing to pay a ransom due to the vital services they provide.
Having a strong cybersecurity posture across your various networks and infrastructures by ensuring your organization executes best security practices is critical to avoid becoming a ransomware gang victim. Here’s a short list of actions that we recommend all organizations follow to ensure they are prepared for targeted ransomware attacks.
- Run supported versions of software
- Always patch and do it quickly
- Maintain regular air-gapped backups. Practice restores from these backups
- Use effective security email gateways and endpoint protection
- Enforce strong password policy and use multi-factor authentication (MFA)
- Deploy network and data segmentation
- Pen-test your environment and minimize access rights (e.g. RDP)
- Use Dark Web monitoring of your assets (domains, executive names, etc.)
- Have a plan for a ransomware attack
- Refrain from paying ransoms