Topics: Shocking New Tricks Used In Cyber Crime Today, top tactics used by cybercrime gangs today, new stories about ransomware as a service, new findings on ransomware as a service, understanding cybercrime gangs, latest stories about cybercrime gangs, biggest cybercrime gangs today, how understanding cyber crime tactics helps today
Video Episode: Don't Miss the Video!
Audio Podcast (available everywhere): https://cybercrimejunkies.buzzsprout.com
Want more true cyber crime? More interviews with global leaders? Unique insight into emerging trends, news, and other shocking stories? Check out https://cybercrimejunkies.com
Please consider subscribing to our YouTube Channel for ALL Video episodes. It's FREE. It helps us help others. Our YouTube Channel @Cybercrimejunkiespodcast https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1yg
I wrote Moving Target because overconfidence is the enemy. Hardcover, paperback, Kindle, and audiobook. Amazon, Barnes and Noble, and more.
Season 9 is officially here — and it’s the most unhinged, hilarious, and dangerously educational season we’ve ever done. Join us! SUBSCRIBE
Roll out AI the right way. Contact NetGain today at 844-777-6278 or reach out at DMauro@NetGainIT.com or find more at www.NETGAINIT.com
New Exclusive Offers for our Listeners!
New non-fiction Book Series is out!
- Moving Target: The Art of Online Camouflage drops April 14.
- Moving Target: The Obedient Machine drops April 21.
- Book 3 -- Ghost and the Machine -- out soon!
🔥 4 years. 400+ interviews. Available on Amazon. We are all Stevie Parker.
Remove Your Data Online Today. Consider OPTERY Risk Free. Sign up here https://get.optery.com/DMauro-CyberCrimeJunkies
Or Turn it over to the Pros at DELETE ME and get 20% Off! Remove your data with 24/7 data broker monitoring. 🔥Sign up here and Get 20% off DELETE ME
🔥Experience The Best AI Translation, Audio Reader & Voice Cloning! Try Eleven Labs Today risk free: https://try.elevenlabs.io/gla58o32c6hq
===========================================================
Shocking New Tricks Used In Cyber Crime Today
[00:00:00] Let me ask you, why do you lock the front doors of your home? Because you know the criminals could walk right in if not done right. It's an assumption, an obviously safe one. Now, let me ask you this. What if you read in the news that there's been a rash of break-ins lately, right there in your hometown, and they've been doing it in a particular, almost unique way?
Criminals were breaking in, but always going in through a side window of every home that was covered by shrubbery. And they'd always break in on Wednesday nights, and then they did something odd: when they would break in, they would always open the refrigerator and take a drink out, leaving a dirty glass on the kitchen counter.
Would you take any different steps in your home defense, like a camera on your side window, maybe cutting down [00:01:00] the shrubbery, or a camera inside the kitchen, maybe do something with the refrigerator? You see, knowing the MO, the modus operandi, the methodology behind certain criminal acts, helps us defend differently, and it's the same in cybersecurity.
Today's story is about the MO inside the minds of the most notorious ransomware gangs, in our episode called Ransomware as a Service: What It's Really About, Evil Online. This is Cybercrime Junkies, and I'm your host, David Mauro.
Ransomware. Even when you say the name, it has an ominous tone to it. Well, we were wrong about what we thought we knew about ransomware. I mean, even if you've never been involved in the security field or in cybersecurity, everyone's heard of it by now. It's all over the [00:02:00] news, and we all have some basic assumptions about it.
Ransomware. You're gonna have to say it with an ominous tone. We were wrong about what we thought we knew about ransomware. I mean, even if you're not involved in the cybersecurity field, everyone's heard of it by now. It's been in the media, and we all have some basic assumptions. And while possibly unpopular, the truth is that most business owners and leaders in organizations are also wrong about what they understand ransomware to be.
It's true. Even today, after all the news media and horror stories, we thought we knew what ransomware was, how it worked, who is generally behind it, and how it can be prevented. We couldn't have been more wrong. The more experts we met with, and when we say experts, we mean people smarter than us, you know, FBI, Secret Service, CISOs, hackers of all colored hats, the wider our eyes grew and the more apparent the [00:03:00] misunderstanding and disconnect became between what is actually needed today by organizations to protect themselves and what most business owners and leaders actually do.
In their efforts against ransomware, it's an important threat vector. It costs companies, corporations, and infrastructure owners billions of dollars every year. We all see the news. Depending on which report you read, the average ransomware attack will cost somewhere between $380,000 and $1.8 million, and that's for a small business of just a few hundred employees.
Regardless of the cost that that check gets written for, the reputational damage and the loss in production and lost profits and damage to the customer's trust is exponentially much higher. It is interesting to note [00:04:00] that, based on a survey of over 3,000 business owners and executive leaders in organizations, the cost of ransomware was nearly five times what they actually thought it was.
Like I said, we couldn't have been more wrong. But what is it? What is ransomware? It's just code. It's a set of letters, characters, and numbers strung together, making some computers block access to some files, right? I mean, really? Isn't that all that it is? How is that not eliminated by now? How much harm can that really cause?
Well, the truth is that ransomware is a weapon. And this malicious code causes serious harm, and like a knife, which can be used safely to cut a fine filet or used maliciously to cut someone's throat and kill, it's the mind of the ransomware gangs [00:05:00] and the ill intent behind it that is really the driver.
And that's the cause of the harm, and it's real harm. When companies lose significant funds, when production is stopped, when clients leave for competitors, when money that was earmarked for growth, marketing, and expansion must be used to pay lawyers, consultants, and cryptocurrency ransoms, people's homes go up for sale.
Kids don't go to college. Divorces happen. Personal bankruptcies happen. Careers are destroyed. Dreams are dashed. It's very real, and it hits the heart of people's dinner tables. Professional ransomware gangs are responsible for these dangers, these gangs, and they are truly gangs. We're gonna explain it in just a second.
They produce and disseminate the malware, but they also organize the whole scheme. [00:06:00] They recruit the talent. They hire and test and engage with digital mercenaries that execute the attacks. They launder the money. They create and market the use of their products. But how? Like, we need to understand how. It's the critical information, like protecting our home on Wednesday nights in the location where the actual break-ins are happening.
If we know what their MO is, then we'll have clearer awareness. Like, for example, they attack on Wednesday evenings at a certain time through our side windows. We need to cut our shrubbery. So let's take a quick look at some of the most notorious ransomware gangs, where they're from, how they're structured.
And while there's no way to capture all of the criminals involved in ransomware, there are some well-known, Al Capone-like [00:07:00] gangs that are key to understand, because most of the other side ones and smaller ones simply copy their approaches. Today, ransomware is well organized and like crime families.
It's very well segmented and departmentalized. And it's very, very well organized. Can't say that enough. And when we say that there's money in cyber crime, we're not talking new car money or new house money. It's more like buy-a-jet or second-island, like oligarch-type money. Some of the MOs used by the cybercrime ransomware gangs include either, one, attacking victims directly, meaning using their own access to the victim's network, okay?
Their own tools, handling the negotiation, exchanging the data for the cryptocurrency, laundering the money, all [00:08:00] themselves. Or, what seems to be happening more often than not, especially at scale, for the enterprise targets that we've all read about in the news, the MO that's used is the running of the popular ransomware as a service, RaaS.
That is what it's called, and that ransomware as a service model enables affiliates to extort specific organizations. So let's explore how initial access brokers, right, and ransomware as a service models work, and review some of the top ransomware crime gangs. Ransomware as a service and initial access brokers work like this.
Initial access brokers can be tus, former disgruntled employees. They could be recruited by these ransomware gangs, [00:09:00] but these are people, individuals that don't wanna get involved in the executing of the ransomware attack. They have access, they have credentials or a back door, and they either don't know what to do with it or they don't want to do anything further with it, and they wanna make a quick buck.
Initial access brokers, right? The people that have that initial access into major companies and organizations and government entities all over the world. People that have that access sell it on the dark web, and it usually goes for two to $3,000. That's it. One-time payment, and they're good to go. So when they sell it on the dark web, we find that the affiliates, the people that get hired by the core ransomware groups, will actually pay for that, and [00:10:00] then they will use that access to do some reconnaissance research and then to launch their attacks.
So we've been fortunate enough to meet and gain some new expert analysis and insight from an international leading researcher, Jon DiMaggio. He's the Chief Security Officer at Analyst1. Jon's also written one of cybersecurity's most respected bestselling books and several other practical
technical manuals throughout the last couple of years. One of the best known books is The Art of Cyberwarfare. If you haven't yet connected with Jon on LinkedIn or read his books, you're missing out. It's the gold standard on research and best practices. Jon joined us in the Cybercrime Junkies studio and provided us with some brilliant perspective on our investigation.
He explains that there's this core criminal [00:11:00] group, right? When we think of a ransomware type, REvil, LockBit, Darknet, all of these different names that you read about in the news, these are forms of the code. But it's also the core group that owns that code, and they then hire affiliates, and those affiliates go and buy their access to the targets, the victims,
victim organizations, and go and execute on it, and they have a profit sharing. It's usually a very generous profit sharing, like a 70/30, where the core group only gets around 30, but they're able to do it at scale. They're able to have many, many affiliates working for them. These core groups create the code and they orchestrate it all.
If you've ever seen the movie The Godfather, they're like Don Corleone in The Godfather, sitting behind his desk at his [00:12:00] daughter's wedding, right? Where various people come and ask favors, like to kill my no-good brother-in-law. These core ransomware gang leaders are smart and they want scale.
Remember, this is new jet and new island money that they're after. So, here's what Jon DiMaggio explains about the initial access brokers and the core group. Let's take a listen.
So now let's touch on one of the main cyber crime ransomware gangs. The former kings of ransomware were Russian-based REvil. They were a ransomware organization, also known as Sodinokibi, [00:13:00] and they came onto the scene in a big way as one of the pioneers and creators of the ransomware as a service model.
They came to be seen commonly in the industry in early 2019 and continued on up until the beginning of 2022. And they rose out of the ashes of several members who had worked under the name GandCrab. After GandCrab kind of stopped, all of a sudden took all of its infrastructure offline, some of the same members and similar infrastructure popped up under the name REvil, and it's a play, it seems, on Resident Evil,
the popular video game. It's alleged that they had ties to the Russian Federal Service Agency, the FSB, basically the Russian version of the FBI. Though this is doubtful, and it's been debated, since the FSB ultimately took them down in a very visible debacle that was [00:14:00] spread across international media.
REvil at their prime was one of the best known and most merciless ransomware outfits. Pure evil online, with very strong technical prowess. They're one of the first groups to go elephant hunting. When we say elephant hunting, think of it like this: ransomware, if someone was to launch ransomware on one of our individual computers, they would
do so, and it would be locked down, and it would be locked down through a phishing email, through putting in a jump drive that we shouldn't have done, through clicking on an ad we shouldn't have clicked on, all of the ways that malware affects us. But we wouldn't be able to access our own data, and then we would have to pay a ransom by a certain period of time.
Otherwise, the ransom goes up. And that might be a few hundred dollars, right, for us to [00:15:00] get our own data back. But REvil was one of the first ones to develop a very powerful code and a very mean-spirited model, and they would sell that code and engage it with these affiliates to execute on it. And we'll get into how they did it.
But they really lowered the moral bar of cyber crime. And when we say elephant hunting, they're going after large organizations, some of the biggest in the world. And the reason they're doing that is they don't wanna spend their time going after a few hundred dollars from one of us or two of us. They wanna encrypt thousands of computers and servers and infrastructure across major organizations, 'cause then the ransomware demands go into the millions.
When you hear about the rise and fall of REvil, you'll find that they essentially acted like [00:16:00] John Gotti in cyber crime. I mean, John Gotti's big downfall was he bragged too much. He talked too much. One of the key golden rules of organized crime is to keep your mouth shut. And John Gotti drew a lot of attention to himself, as did REvil, and that, many feel, was one of the big Achilles heels that they had.
I mean, there are criminals who work both online and in the physical realm. There are some who get into crime because of socioeconomic issues and maybe 'cause of the culture in which they were raised. REvil was tied to hundreds of jaw-dropping, high-profile mass media attacks, and they reveled in the spotlight.
In a single month in 2021, they took credit for, bragged about openly, and were tied by researchers and law [00:17:00] enforcement to more than seven major attacks in that one month. Now, that's all according to data collected from extortion sites, government agencies, news reports, hacking forums, and other sources.
Like we said, they lowered the bar, the moral bar, in cyber crime. They did double and even triple extortion. Some of their major victims included, back in March of 2021, they attacked the electronics and hardware company Acer, and they compromised their servers. They demanded $50 million for a decryption key and threatened to increase the ransom to a hundred million if the company didn't meet the group's demands.
A month later, the group carried out yet another high-profile attack against an Apple computer supplier, Quanta Computer. It attempted to blackmail both Quanta and Apple, but neither company [00:18:00] paid the $50 million ransom. The REvil ransomware group continued its attacking spree and targeted JBS Foods,
Invenergy ca, and several other businesses. JBS Foods was forced to temporarily shut down its operations and paid an estimated $11 million in ransom through Bitcoin to resume operations. On May 30th, 2021, JBS S.A., which is a Brazilian-based meat processing company, suffered a cyber attack which completely disabled
its beef and pork slaughterhouses. The attack impacted all of the facilities throughout the United States, Canada, and Australia. The company supplies approximately a fifth of the globe's meat. So the whole world, about a fifth of it, over 20%, comes [00:19:00] from this one single company. It makes it the world's largest producer of beef, chicken, and pork. The attack was compared to the Colonial Pipeline cyber attack, which had occurred earlier the same month.
These were the first times that the supply chain had really been dismantled very publicly, and it was the largest-to-date impact on a single company focused on food production. All facilities belonging to JBS USA, which is JBS's American subsidiary, including those focused on pork and poultry, faced disruption due to the attack.
All of their beef facilities in the US were also rendered inoperative. It impacted slaughterhouses throughout Utah, Texas, Wisconsin, and Nebraska, and the beef industry in Australia had to stand [00:20:00] down 7,000 Australian employees as well. The US Department of Agriculture wasn't able to offer their wholesale beef and pork prices, and due to the predicted shortfalls in the meat production that was coming up and the price increases, the USDA had encouraged other companies to increase production.
The attack heightened awareness of several things. One, cybersecurity in the supply chain, because it was a matter of national security. Also, it raised the issue of consolidation in the meatpacking industry in the United States, meaning why was only one company in charge of so much, right? That raised a lot of concerns, and it made its way into being debated in Congress.
They wound up paying the hackers' $11 million ransom, and the ransom was paid in Bitcoin. The attack also brought attention to the negative [00:21:00] consequences of both poor cybersecurity hygiene as well as consolidation of the supply chain. But two things stand out when we think of REvil. I mean, the JBS
breach was bad, but there were two things that really led to the fall of REvil. And one of the major ones was that they had gone too far. This is what really led to their downfall, right? The first one was when they hit Kaseya. So Kaseya VSA is a remote monitoring and management platform. It's a tool platform that's used for remotely monitoring, managing, and controlling other companies'
computers, servers, switches, routers, things of that nature. It's the tool that allows managed service providers, IT companies that support [00:22:00] those other companies, and they use this common, popular tool called Kaseya VSA. Well, REvil attacked them. And by attacking them, they then got pushed out through all of the MSPs that had the remote control tools, all over thousands of clients throughout the United States, and that
really crossed a line and made its way all the way up to the White House, as well as international relations and negotiations between the United States and Moscow. The RMM agent, it's installed on the endpoints, on clients' workstations and servers, right? The purpose, like most software, is to kind of streamline IT operations by MSPs and to centralize the management and monitoring of those platforms.
It includes everything from asset tracking, software [00:23:00] monitoring, et cetera. But the Kaseya ransomware attack impacted over 50 managed service providers. In an upcoming episode, we're actually going to interview Robert Cioffi, and he was one of the owners of one of those MSPs, and he's going to tell a very human
inside story about what it was like to have 100% of all of your clients ransomed all at once, and it all happens in about an hour. So when you hear his story, you'll hear the pain, the anguish, the fear, and the inspirational story of how people rallied together to overcome this. But it'll really set the tone and explain why REvil's methodologies of, you know, [00:24:00]
initial ransom, double ransom, triple ransom. When we say that, what they would do is they would encrypt the data on endpoints and on servers. Then they would say, if you don't engage with us and don't pay on time, we're going to start to leak some of this data and humiliate you. It will be public. They have a leak site,
right. And they'll be able to do that. I think they called it, there's the Happy Blog, right. And they would leak all of the data, right. So companies would lose, and customers would lose, all of their intellectual property, their private, confidential information. There'd be compliance violations.
It was horrible, right? And then sometimes they would even do a triple extortion, where if you didn't engage with them and didn't click on the link that they provide to go into the dark web chats with them and negotiate and arrange for [00:25:00] payments so that you can get some of this data back, they'll often even DDoS your sites and DDoS your platforms.
They will take them down, knock them offline, until you actually would engage in negotiations. It was pure evil online. It was a pure offensive attack. And when they did this to Kaseya, it really changed the world, and they crossed a line that ultimately led to their demise, that along with another factor.
The other factor was the fact that they had double-crossed their own affiliates. See, when REvil would engage with their affiliates, right, they would provide the code, the affiliates would go and execute, getting access through initial access brokers, going in and launching the ransomware. Then the [00:26:00] affiliates would go and negotiate with the victims, collect the money, and the money would be distributed between the affiliates and REvil.
And sometimes there were disputes about, well, how much is owed? How much was really collected, et cetera. And on the dark web, believe it or not, there are actually tribunals and arbitration hearings and negotiations where a group will actually air their dirty laundry, and independent people, independent criminals, criminal hackers, will go and decide those disputes, rendering a judgment, and everybody was bound by it.
Well, through those, and through the research that Jon DiMaggio and others had done, it came to light in those tribunals that REvil had actually been double-crossing a lot [00:27:00] of their own affiliates. What they were doing is, when an affiliate was about to negotiate and receive millions of dollars of payment from an organization, REvil was monitoring that conversation, and they stepped in and they would tell the affiliate, oh, we spoke to the
organization. They've turned everything over to law enforcement. They're not gonna pay. And they would take over the conversation. So the affiliate didn't have access to actually speak with the organization anymore. They thought they were, but they were really speaking with REvil. And REvil would do that, get the affiliate to go away, and then settle the ransom directly with the victim organization.
So when the double cross started to become well known, REvil started [00:28:00] to really lose its own street cred within the dark web. So that, along with the Kaseya attack, 'cause the Kaseya attack brought a lot of unwanted attention to the group, and it's mostly because it affected over 1,500 businesses worldwide, and a lot of diplomatic pressure occurred, and the US met with Moscow.
And as a result of that, Russian authorities actually arrested several key group members in January 2022 and seized assets worth millions of dollars. We're gonna show you a quick video of that takedown because it made international news, so check this out.
So you can see the [00:29:00] true Russian style of the breaking down of the doors and the massive takedowns. But what a lot of people have found is that that disruption was arguably just a temporary appeasement politically, or perhaps it was a distraction, since the very following month after that takedown, in February 2022, Russia invaded
Ukraine. But regardless, that distraction was short-lived, 'cause the REvil ransomware gang was back up and running ever since April 2022. However, they have surely not been the same. So some of the people that had been taken down were gone, because they haven't been as successful. They haven't been as taunting of their victims.
And they just aren't the major player and the kings of ransomware that they were at that time. So another major player [00:30:00] that can be found in the rise and fall of the ransomware crime groups was called Conti. And Conti is another infamous ransomware gang, which really started making headlines back in 2018.
And it used the double extortion method, meaning the group withholds the decryption keys and then threatens to leak the sensitive data if the ransom is not paid. It even ran a leak website called Conti News, and that's where they would publish the stolen data. What makes Conti a little different from other ransomware groups is the lack of ethical limitations on its targets.
It conducted several attacks in the education and healthcare sectors and would demand millions of dollars in ransom from organizations that clearly couldn't afford it. They had a long history of targeting critical and public infrastructure like healthcare, energy, IT, and agriculture. And [00:31:00] in December 2021, the group reported that it had compromised Indonesia's central bank and stole sensitive data, which wound up being like 13, 14 gigs of highly, highly sensitive data.
And then in February 2022, Conti attacked an international terminal operator, SEA-Invest. That company operated 24 seaports across Europe and Africa, and they specialized in handling bulk items like dry bulk, fruit and food, liquid bulk, oil and gas, and containers. But that attack was massive, and it affected all 24 ports and caused massive disruptions.
Conti even compromised the Broward County Public Schools in April of that year and demanded $40 million from the school district. The group leaked the stolen documents on its blog after the [00:32:00] district engaged with the FBI and refused to pay that ransom. The group would advertise job postings. They would attempt to, you know, test security products of cybersecurity companies, and they even offered bonuses and appraisals like a contemporary business.
And then in May 2022, Conti was suddenly taken offline, and all of its internal infrastructure, including panels and hosts and a news blog like the leak site, all of that was taken down. At that time, Conti was in the middle of an intense ransomware deadlock negotiation with the government of Costa Rica.
And the president of Costa Rica at the time had actually declared a national emergency in the country because of the Conti ransomware attack. According to NHS Digital, the only guaranteed way to recover [00:33:00] was to restore all affected files from their most recent backup, but they weren't able to.
So during the Russian invasion of Ukraine, here's kind of what led to the Conti fall. After the February 2022 invasion of Ukraine, the Conti group announced its support of Russia and threatened to deploy retaliatory measures and cyber attacks if cyber attacks weren't launched by fellow Russians against Ukraine. As a result, somebody internally,
an unknown source who was seemingly loyal to Ukraine, took issue with this, and over 60,000 messages from internal chat logs within the Conti organization were leaked by that anonymous person, who indicated their [00:34:00] support for Ukraine when leaking it, along with Conti's source code and tons of other files, personal information from the group itself.
Those leaks came to be known as the Conti Leaks, and it contained tons and tons of data that was absolutely embarrassing and damaging financially to the group. A member known as Patrick repeated several false claims made by Putin about Ukraine, and Patrick lives in Australia but might be a Russian citizen.
That was one of the findings in the leaked documents. By May of 2022, the US offered a reward of up to $15 million for any information on the group: $10 million for the identity or location of its leaders, $5 million for information leading to the arrest of anyone [00:35:00] conspiring with Conti. It's the first time the US federal government had actually put a bounty on the heads of a ransomware gang.
And Conti, I mean, they were one of the most prolific ransomware gangs in recent history. But in light of all of that political pressure, they disbanded in July 2022. Now, a lot of the members are still around. They've either gone off on their own or they've joined other groups, for example, Black Basta.
Black Basta is one of the other leading groups that is making a lot of recent news, and some of those same members were the former Conti members.
So Black Basta began appearing in April 2022, so right along the time when the political pressure was on Conti. That month, [00:36:00] April and May of 2022, Black Basta began to be formed, and a lot of people believed that several members of the Conti group came over to Black Basta. And it's a ransomware as a service group.
And they're comprised of former members of the Conti group. And also the research has shown that there are also some former members of the REvil ransomware gang. And the reason they say that is because they share similar tactics. Some of the techniques used are similar, as well as the code in the ransomware code itself.
And they proceed to boast just like Conti and REvil did. They advertise, they do recruiting of affiliates. They draw attention to themselves. They claim that their ransomware code and platform and infrastructure are much better than their competitors'. And they [00:37:00] post about highly skilled and experienced group members.
They have been increasingly gaining access to organizations, usually exploiting unpatched security vulnerabilities or publicly available source code, right? They usually rely on the double extortion technique, right, where they threaten to publicly leak the stolen data unless the ransom is paid, just like REvil and Conti before them.
They also deploy DDoS attacks to convince victims to engage in the negotiations and pay the ransom, just like REvil used to. And in some cases, Black Basta has even demanded millions of dollars from their victims in order to keep the stolen data private. So some of the ransomware attacks that Black Basta has been involved in have really dramatically increased at the end of 2022.
At where we sit today, [00:38:00] they hit over 50 organizations. So if you do a Google search on Black Basta, you'll see all of the recent attacks. So many of them, a really high percentage, are tied to Black Basta code and the Black Basta ransomware group. They hit over 50 organizations in the third quarter of 2022 alone.
And the sectors mostly impacted by these ransomware attacks included consumer and industrial products, professional services and consulting, tech and media, life sciences, and healthcare. So they, again, have the bar low, and they are going after every organization in every vertical and among the different countries.
The US is clearly the biggest target, getting 62% of all of their reported attacks. Another key ransomware cybercrime group is called Hive. They sprung up in [00:39:00] early 2022 and they quickly earned a name for themselves as one of the most active ransomware groups. The number of attacks from this gang alone jumped 188% from February to March, according to NCC Group's March Cyber Threat Pulse report. The ransomware variant was also one of the top four most observed during the third quarter of the year. So what types of companies does Hive target? Traditionally focused on industrials, Hive also targets academic and educational services, as well as sciences and healthcare companies, along with energy, resources and agriculture businesses. Last quarter in 2022, the Hive ransomware hit 15 countries, with the United States and the United Kingdom as the two top targets respectively. The group is known to be fast, allegedly [00:40:00] encrypting anywhere from hundreds of megabytes to more than four gigabytes of data per minute.
Let me rephrase that. The group, the code that they've created, is notoriously fast. It encrypts hundreds of megabytes to four gigs of data per minute. Every minute that the ransomware is launched, it is encrypting up to four gigs of data. That's really fast compared to other ransomware strains. And to help carry out its attacks, Hive hires penetration testers, initial access brokers and threat actors. In August 2022, an alleged operator of the Hive ransomware group reported using phishing emails as the initial attack vector. That leads us to one of the [00:41:00] other leading ones, and that's Darkside. A lot of people have heard of Darkside.
The Darkside ransomware group follows the ransomware-as-a-service model and targets big businesses to extort large amounts of money. It does so by gaining access to the company's network, usually through phishing emails or brute force attacks. It encrypts all of the files on the network, just like the other ransomware groups.
But there are several theories regarding the origins of Darkside. Some analysts think that it's from Eastern Europe, somewhere in Ukraine or Russia. Others believe the group actually franchises in multiple countries, including Iran and Poland. Darkside's hacking group is believed to have hit Toshiba.
But they're also the ones that the FBI tied to the Colonial Pipeline attack, which is one of the more famous ones, along with JBS, the [00:42:00] meatpacking group. It's thought that they've been able to hack and extort around 90 companies in the US alone. And the group is a ransomware-as-a-service group, right?
They themselves claim to be apolitical, but that's kind of the downfall of what happened there. So what has occurred is most researchers haven't found them to be directly state-sponsored, right? Meaning operated by the Russian intelligence service. But some of the ransomware groups have either been tied to that or at least been ratified by it.
Meaning, as long as you don't hit Russian organizations, you can continue to proceed within our country. Darkside tended to avoid targets in certain geographic locations by checking their system language settings. So that's why they know kind of where they're from, because if it was a Russian-speaking [00:43:00] group or a certain language-speaking group, they wouldn't attack it.
They're one of the many for-profit ransomware groups that have proliferated and thrived in Russia. So Russia's either given them implicit sanction, right, or has ratified their acts. They also make huge ransomware demands and launched their ransomware at scale. But what's interesting is this group claims to have had a code of conduct.
Unlike the other ones, this group would advertise and talk about in their forums that they have a higher ethical standard, right? They claim to never target schools, never target hospitals, never target government institutions or any infrastructure that could negatively affect the public. So that's good, right?
However, in March 2021, Darkside carried out [00:44:00] the Colonial Pipeline attack and demanded 5 million in ransom. It was the largest cyber attack on oil infrastructure in US history. And it disrupted the supply of gasoline and jet fuel in 17 states, essentially within hours, in the United States. The FBI identified Darkside as the perpetrators of that attack, which happened on May 7th, 2021. They could tell it by the code that was used, and the pressure that was put down led them to voluntarily shut down 45% of the fuel to the East Coast of the United States following that attack. It was described as the worst cyber attack to date on US critical infrastructure.
They successfully extorted through that attack around 75 Bitcoin, which was around 5 million at the time, [00:45:00] from Colonial Pipeline itself. That led to a lot of other investigations because of their relationship to Russia at the time. But following the attack on Darkside and the US government's investigation into their ties to the Russian government itself, the core group of Moscow, right, central Russia's government, Darkside posted a statement on the forum and their blog saying, we are apolitical.
We do not participate in geopolitics. Our goal is to make money and not create problems for society, even though that's how they make their money. But following that attack, Darkside came under massive pressure by the US government and other allied nations. They tried to clear their name by blaming third-party affiliates, saying it wasn't us. Some of our affiliates went rogue. We tell everybody, if you're gonna use our code, don't go after critical infrastructure. They hit [00:46:00] them, what could we do? But the pressure mounted and mounted, and it got to the point where the group completely shut down all of its operations after the mounting pressure from the United States.
In fact, since June of 2021, Darkside has only published data from one ransomware attack, from one company, so they've essentially disappeared. Today, the most prolific ransomware group is LockBit, right? There was originally LockBit, then LockBit 2.0, and then LockBit 3.0, and it's an impactful ransomware group.
It accounts for over 40% of all ransomware attacks almost every single month. Currently, in 2022, it attacks organizations throughout the US. It attacks China, it attacks India and throughout Europe. Earlier this year, LockBit targeted the Thales [00:47:00] group, which is a French electronics multinational group, and threatened to leak sensitive data if the company didn't meet the group's ransomware demands. It also compromised the French Ministry of Justice and encrypted their files. The group now claims to have breached the Italian tax agency, Agenzia delle Entrate, and claims to have stolen a hundred gigs of data. But we've gone into a great description of LockBit by somebody that actually has spoken with them, has spoken with the US agencies investigating them, and knows them better than anybody. And that's Jon DiMaggio. We have an episode that we've already released, and it's called New Lessons from LockBit with Jon DiMaggio.
Please check that out, because some of the stories there about how LockBit does it, the [00:48:00] coding of the ransomware, is more powerful than any other group anybody has seen. They recruit their affiliates actively, they have tattoo competitions among affiliates. And it's just a very prolific and dangerous, dangerous gang.
I mean, today ransomware continues to be the single most dangerous threat. The money is good to the point of funding massive amounts of criminal organizations, right? This is new island money, this is jet money. And it's just something we all need to be aware of. We hope that you enjoyed this episode.
We appreciate you listening. And as always, thanks for being a cyber crime junkie. Check out our next episode, which will start right now. Thanks.