
September 20, 2025 74 mins

Unveiling the Ransomware Ecosystem with Tammy Harper

In this compelling episode, Jim is joined by Tammy Harper from Flair.io to re-air one of their most popular and insightful episodes. Dive into the intricate world of ransomware as Tammy, a seasoned threat intelligence researcher, provides an in-depth introduction to the ransomware ecosystem. Explore the basics and nuances of ransomware, from its origins to its modern-day complexities. Tammy discusses not only the operational structures and notable ransomware groups like Conti, LockBit, and Scattered Spider, but also the impact and evolution of ransomware as a service. She also elaborates on ransomware negotiation tactics and how initial access brokers operate. This episode is packed with invaluable information for anyone looking to understand the cybercrime underground economy. Don’t forget to leave your questions in the comments, and they might be addressed in future episodes!

00:00 Introduction and Episode Re-Run Announcement
00:29 Guest Introduction: Tammy Harper from Flair.io
00:41 Exploring the Dark Web and Ransomware
02:21 Tammy Harper's Background and Expertise
03:40 Understanding the Ransomware Ecosystem
04:02 Ransomware Business Models and Initial Access Brokers
07:08 Double and Triple Extortion Tactics
11:23 History of Ransomware: From AIDS Trojan to WannaCry
13:02 The Rise of Ransomware as a Service (RaaS)
19:41 Conti: The Ransomware Giant
26:17 Conti's Tools of the Trade: Emotet, IcedID, and TrickBot
32:05 The Conti Leaks and Their Impact
34:04 LockBit and the Ransomware Cartel
37:07 National Hazard Agency: A Subgroup of LockBit
38:17 Release of Volume Two and Its Impact
39:08 Details of the Training Manual
40:52 Ransomware Negotiations
41:28 Ransom Chat Project
42:27 Conti vs. LockBit Negotiation Tactics
43:30 Professionalism in Ransomware Operations
47:07 Ransomware Chat Simulation
48:03 RansomLook Project
49:11 Current Ransomware Landscape
50:32 Infiltration and Research Methods
51:47 Profiles of Emerging Ransomware Groups
01:05:21 Initial Access Market
01:10:26 Future of Ransomware and Law Enforcement Efforts
01:13:14 Conclusion and Final Thoughts


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hi, it's Jim. This episode originally ran during the summer, but it's been one of our most popular episodes, so I thought I'd run it again this weekend. If you're listening to it for the first time, I think you're gonna enjoy it. And even as a replay, I still think it's hellishly interesting and there's a lot of nuances and details you might pick up.

(00:21):
David Shipley will be back with the regular news on Monday and I'll be back in the news chair on Wednesday. Have a great weekend.

So welcome to Cybersecurity Today. My guest today is Tammy Harper from Flair.io. You might have heard her on, she's become a regular panelist on our Month in Review.

(00:41):
And part of that discussion that we had was, as we looked through the dark web and ransomware and all of those threats that we had, really people don't have a chance to explore and find some of the basics of this and really get and see it, and probably for good reason.

(01:04):
As I've pointed out, I really don't want you on your computer in my IT department exploring the dark web. I don't even want you doing it on your home computer. There are ways to do it. There are people who are trained at doing this; they take the appropriate precautions and it's part of their job. So what we've done today is invited Tammy in to give us an introduction

(01:24):
to the ransomware ecosystem, something she knows really well. This is one topic that we're going to do. I framed it with my favorite, for the old people out there: Take a Walk on the Wild Side, for people who are Lou Reed fans. And if you're not a Lou Reed fan, Google it. So welcome, Tammy.

Thank you so much for having me back. I've been looking forward to this.

So we're gonna go through. I'm gonna let you make this presentation.

(01:46):
I'm gonna jump in and ask questions. As I've said before, I'm not afraid to ask dumb questions 'cause I just like to find stuff out. So I'll let you walk us through this, and as we go through it, we're gonna break this up into areas where we can ask questions. If you're listening to this and you have questions, please put them in the comments, in the various places, and we'll give you a little bit at

(02:08):
the end, but add those comments and we'll come back and I'll make sure that Tammy answers those questions. We'll add them to an episode at a later date. So consider yourself involved, and welcome, Tammy. Take it away.

Thank you very much. So this is a presentation that I did for the Flair Academy, but this is something, and I made a new version just for your show.

(02:28):
This is a very, very interesting topic, and the ransomware ecosystem is everywhere and it's a multi-billion dollar industry. So a little bit about myself. I'm a senior threat intelligence researcher and certified dark web investigator at Flair. My job is basically, as a researcher, I am a walking encyclopedia when

(02:50):
it comes towards ransomware, cybercrime, the underground economy, so how-to, crypto, anything like that. So it's my job to really stay on the bleeding edge of all that is what the threat actors are doing, all that is happening in the world in terms of cybercrime. And as a certified dark web investigator, I've learned the tools and the trade to

(03:12):
conduct investigations on the dark web. So I know how to protect myself and to do things properly and to ensure the evidence is forensically viable. On a little bit more of a personal level, I'm a cat mom. I love photography. I am an astronomy nerd and I'm a huge techno head, so I love listening to techno music.

(03:32):
That QR code there, it goes to my LinkedIn page. This is my only social media page, and that's where I post all of my research. So you can follow me there. So I was thinking about starting with a bit with some terminology just to get a base foundation of what we're dealing with here and what we're gonna be covering. So, in the term of ransomware ecosystem, what is

(03:54):
this, what are we talking about? So this is a business platform. This is a business model, and it really has a bunch of different things that happen. So ransomware as a service is built as an MLM. So it's a bit like a pyramid scheme where you have someone who offers the platform; they'll take usually an 80/20 cut of the total ransom.

(04:14):
So let's say a ransom is a hundred thousand dollars. The affiliate will get 80%, usually the bigger chunk, so $80,000, and then 20% will go towards the developers, the maintainers, the admin of the group, right, the provider of the platform. So then the affiliate has that $80,000. So what they have to do is then they have to launder that, but then

(04:34):
they also have to pay off whoever they were dealing with, which is sometimes initial access brokers. So initial access brokers are these individuals that have a hyper-specialization in providing access to corporate environments and enterprises or networks. And so they go around exploiting zero-days on your VPNs, your edge

(04:58):
devices, and essentially establishing persistence or a backdoor and selling that access to a ransomware affiliate, saying like, Hey, I've got access to this company, it is based in the States. I've looked up their domain. It looks like they make about a hundred million dollars of revenue a year. And I have domain-level admin access, and the EDR or the antivirus

(05:20):
in that environment is SentinelOne or Microsoft Defender, right? So basically, you would pay this individual like 5,000, 10,000 depending on the ease of access and how juicy and how profitable that return on investment could be; it's all speculation. And so you could pay up to $5,000 for an access like that.

(05:40):
And so then that's your cut. So then like 75 goes, like, you're now at 75 and it goes down.

Can I stop you there?

Of course.

And if you're gonna answer this later, let me know. But I always talk about, we talk about initial access brokers, but there's so many passwords and usernames that are just out there. What is special about what they do?

(06:01):
So initial access brokers are the ones that are gonna get into usually the bigger, more juicy environments that don't have credentials leaked everywhere, right? So leaked credentials is a massive issue. It happens all the time. Like Snowflake was one that was potentially linked to leaked credentials. But also we're seeing ransomware operators,

(06:23):
because everybody has access to leaked credentials, right? So there's a chance that these leaked credentials have already been used, that they have already been changed. So what these initial access brokers do, they can almost guarantee that the access is fresh and it has never been sold to anyone, and that only one hand will get them. The one hand is a concept that is said a lot on the

(06:44):
dark web. It means basically only one person is gonna get access to this. This is an exclusive sale. Sometimes you'll see, I'm doing two hands or three hands, so that's like three sales, three individuals or three teams will have access to it. So there's a difference, and initial access brokers usually have better access.

Okay. No, great.

(07:04):
Thanks.

Yeah. So then we'll go a little bit further into it. But basically most of the models nowadays feature around double extortion. And double extortion is essentially, the first level of extortion is encryption, and then the second level is exfiltration. And now we're seeing triple extortion, quadruple extortion, and essentially those are levels,

(07:26):
anything above double extortion. So if you're doing like double extortion plus a DDoS attack, the DDoS would be a triple extortion. If you're doing like, going to be notifying regulatory bodies, that's a triple extortion. So these are the blogs that the threat actors use to shame their victims. And this is like probably one of the cornerstones of the whole business model.

(07:47):
And this is something that a lot of victims will get featured on. And this is one of the most public ways that people will interact with ransomware operators, is through the blog. Like LockBit had a famous one, REvil had a famous one. Most ransomware operations have a very famous one. And this is where you'll see all the victims, right? Now there are free tools out there that, essentially, free and open source

(08:09):
tools that monitor these leak sites. So for example, RansomLook is one of them. And so you can basically go on that open source project and see every single victim that gets published. Now, the builder is something that the ransomware operators will create that basically allows them to create the encryptor and the decryptor pair.

(08:29):
And this allows, so I would take the encryptor, encrypt the network, and I have the decryptor that is paired with the encryptor to decrypt it afterwards. Now you don't wanna lose that encryptor/decryptor because that's...

Okay, hang on. Two things. First, I'm gonna just jump back and just make a note for everybody. I'm gonna push you to give me links for any of these places. You've mentioned links.

(08:49):
So they'll be posted in the show notes or underneath in the show notes on YouTube. So relax.

Yeah, no worries. So the dedicated leak site is basically where the threat actors will shame the victims of their attacks. So, for example, ed had a very famous one and REvil had a very famous one where it was called Happy Blog.

(09:09):
And essentially what happens is that they're gonna post the name of the victims. They're gonna say like, we attacked you, we have your data. And there's usually like a countdown to continue the pressure of: you need to pay the ransom, or else we are going to leak all of your data, or we're gonna delete the decryptor and you won't be able to recover your data, so depending if it's a single or double extortion.

(09:32):
A lot of this is done on this public-facing forum of shaming you publicly into capitulating with our demands. It's a very unique aspect to ransomware. With the pseudo-anonymity of ransomware, you need to have that calling card and that ransom note, because it builds legitimacy, it builds notoriety, it builds a threat.

(09:54):
And if you don't follow through on your actions and on your threats, then people won't take you seriously.

And you can see them, no, they're on the dark web. So these are done on the dark web, Tor, and mostly through onions.

Yeah, onion websites. And we can give a quick, I'm sure most people know that, but we'll give a quick explanation of what that really means throughout the presentation, I'm sure.

But how does everybody know about it then?

(10:16):
Because everybody seems to know when somebody hits one of these sites and they've been hacked. How do you find that out?

So it's usually through these. I work on a very famous and popular dark web monitoring service called RansomLook. And what that does is it basically scrapes all of these dedicated leak sites. We're currently tracking like 473 across 2000 unique onions.

(10:40):
What we do with that is we put them onto, the notification goes on the ransomlook.io website, and everybody can see which companies are getting hit, in a live sense, like RansomLook updates every 15 minutes. So it's basically, and the research portion of it is me, 'cause there's no Google of the dark web. You have to infiltrate these groups.

(11:00):
You have to be part of the community to see the latest groups that are popping up, and so that we can import these onions into RansomLook, so that you can basically have the latest information. So we're always looking for the newest and latest groups.

Wow. Cool.

Yeah. It's really, really something. I wanna talk about the history of ransomware.

(11:23):
And so ransomware is really not a new concept. Locking a system and encrypting data has not really been a new concept. In 1989 you had the AIDS Trojan. This was the first documented ransomware attack and was created by Joseph Popp. He was a biologist working for the World Health Organization, and he distributed this malware
(11:43):
on floppy disks to attendees of the AIDS conference in New York. Essentially what that did is that this was to bring attention to the AIDS crisis that was happening at the time. And basically this would lock your system up. And so this was like hacktivism. Now we can see the evolution of this. In 2005 and 2006, you had GPCode, you had Archiveus, you had quoin.

(12:06):
So these were examples of early file-encrypting malware, but they really lacked strong encryption. So they used like RC4, they used some very rudimentary encryption mechanisms, so they were quickly reverse-engineered. Things were, they changed your desktop, they encrypted your files. So this has been around since like 2005.

But then I remember mailing off for our first floppy disk.

(12:28):
We had to get it delivered by courier, a floppy disk with apparently the remedy for a virus that we had on our systems. It was, yeah, yeah, yeah. Amazing.

It's, I remember when growing up I had live CDs of Linux distros, and so I would basically boot up into Knoppix or Ubuntu and basically try

(12:50):
to install from there and use that. So that was definitely something that was crazy. And then, for example, 2013, 2015, we saw the early rise of RaaS, like ransomware as a service. So things started to shape up now and people started to say like, Hey, how can we monetize this a little bit more? Because back then it was, I'm gonna send,

(13:11):
to my victim, one victim, I'm gonna send my entire ransomware payload, and hopefully they click on it and then it would encrypt their device. It was effective, but it was not efficient, is what I meant to say. But then in 2016 you started to see people considering this a little bit more and refining the process a little bit more. And the affiliate model really started to pop up in around 2016.

(13:32):
And so this is where, for example, Satan RaaS came out and essentially allowed people to download their encryptors and to organize their payments and their ransom negotiations on a panel on the dark web, on onions. And so this was all being controlled from a web panel. And this was all the way back in 2016, and we're still seeing that today.

(13:53):
And in 2017, Cerber, which we still see source code of today in variants today, really started to shape up. And this is where we saw Cerber was distributed via exploit kits and spam and had basically ransom note innovation features. And Philadelphia RaaS, which was another one, basically was delivered

(14:14):
through malicious YouTube advertisements or links on YouTube. So you click on it and you would basically download something 'cause you saw that, oh, it's cracked software, for example. But it was ransomware. So then in 2017, we have to talk about the massive WannaCry attack that happened on the UK's NHS and how that changed the game,

(14:35):
because this was one of the first wormable ransomware, where it spread because of the EternalBlue exploit, and it just kept spreading and spreading and spreading. Luckily there was a kill switch in the source code, and essentially this was discovered and shut down when someone registered the domain for a kill switch.

(14:55):
It was like this random string of letters and numbers and ended in like a .com, for example. And once that was registered, the malware basically stopped spreading. In 2018, 2019, we saw like GandCrab and REvil pop up. So this is right before the pandemic, and this is where they started treating this as a business model, really. So you had like support and networks affiliated to it, and this, for example,

(15:19):
REvil was one of the first ones to offer like a 70% split on attacks, so really making sure that the affiliates were getting paid the most. This really motivated people to start using this, because if I get a ransom of a hundred thousand dollars, I'm making $70,000 now on this. So it really motivated people to start conducting attacks.

And did this, the sort of, the big growth of this was the

(15:44):
fact that these groups, I guess, are protected or hidden in some way so that they're able to launder the money or at least take care of payment? 'Cause that always seems to be the thing about ransomware. Until we had encryption, until we had some distancing and some safety, you can't, yeah, I can encrypt somebody's site, but what are they gonna do? Phone Jim and send the money to my bank account?

(16:06):
I mean that payment structure must have really enabled this. Is that how these groups started developing?

Yeah, so the ability to receive crypto payments is what really started to change everything. So Bitcoin payments, because the way I see crypto, crypto is just a vessel and a means of transferring value.

(16:26):
It's not necessarily a bad thing. Crypto is not a scam in itself or anything like that. It's not malicious in itself. It's not negative. It's just a means of transferring value. And so when you had the ability to transfer, in a pseudo-anonymous way, money from the average Joe or from the average company to somewhere in, like,

(16:47):
Eastern Bloc, ex-Soviet countries, and then they had the ability to go to an exchange and cash out, this changed the game, because now you're not going through the regulated financial systems, but you're basically going through the blockchain, which allows anybody to really monetize this. So that was a huge, huge reason why we started to see this evolution,

(17:09):
and just also the refinement, people putting thought into this more now. When the pandemic happened, this exploded. Everything exploded. And this is where we saw, for example, in 2020 we saw Maze, which is a ransomware, Maze ransomware, and Maze really pioneered the double extortion. 'Cause at that point everyone was just encrypting the data. But Maze basically said, we're going to encrypt and steal the data.

(17:32):
So you have to pay to basically, pay us to not leak your data and pay us to decrypt your data. So this was a big money maker for Maze. And essentially after that, it just started to steamroll from there. You saw in 2022 LockBit really started to make headwinds, from their 2.0 to their 3.0 variations. They became the biggest group out there, basically delivering a hundred,

(17:56):
like hundreds of victims a week. They were extremely, extremely effective. Conti, in 2022, shut down, and we're gonna talk a lot about Conti in a bit, but Conti shut down because they sided with Russia. And this is when, in 2022, this is when Russia started attacking Ukraine. And in 2023, this is when we saw BlackCat or ALPHV, and also Play and

(18:18):
other RaaS fragmentation start to happen. So we started seeing more and more groups popping up in 2023. And in 2024, this is where law enforcement started to fight back more and we started to see more takedowns. And specifically we saw LockBit get taken down by Operation Cronos. LockBit had been around since 2019.

(18:38):
They'd been around for almost five years at that time. Basically they went for a doxing of the administrator, and that's how they were able to disrupt LockBit. Because seizing infrastructure is one thing, but if you can discredit the administrator, nobody wants to conduct business with you if you're completely out in the open anymore. So where does that bring us today? That essentially now RaaS, or ransomware as

(19:02):
a service, is completely decentralized. It's no longer just like the old guard, the ex-Conti, the ex-REvil guys working on the latest and greatest. Now anybody can be part of it, especially with AI. Like you can basically leverage AI or leverage the leaked source code. Like LockBit has leaked source code, Van ing has leaked source code, to create your

(19:22):
own full-blown operation. Also now you see a lot of cross-pollination with infostealers, brokers, access markets. Like all these forums now are supplying the ransomware ecosystem. They're all working in tandem together. So let's take a deeper dive into what these groups look like. And we have to talk about Conti.

(19:44):
Absolutely. Because Conti is what really started everything, and how everything is based off of Conti nowadays. So Conti started around December of 2019, all the way until mid-2022. They were also purely Russian-speaking, and their predecessor was Ryuk, which was just a ransomware. Conti is considered the spiritual front runner of Ryuk.

(20:07):
They really operated as a corporate structure. What's fascinating is that, 'cause Conti has suffered a devastating leak at the end in 2022. And essentially what happened was that someone, a researcher from Ukraine, leaked all of their internal communications. And this showed that they were really structured like a business.

(20:31):
So they had HR, they had payroll, they had recruitments, they had tech support. They had managers. It was really, really well structured. And they're responsible for over a thousand attacks globally.

A friend of mine got hit through that time, and his comment was, a CIO from another organization, his comment was, I wish my help desk was as efficient.

(20:53):
Yeah, I'm not surprised.

I don't think people realize just how well set up they were. I mean, we all got the leak and we heard about it, but I don't think we realized just how effective this organization was.

Yeah, absolutely. And they made over $150 million in crypto. And that's what we were able to trace and what we know of,

(21:14):
and some of their famous victims is like Ireland's HSE or even the Costa Rican government, plus hundreds and hundreds of US organizations. So they were hitting everyone, especially European and American institutions. So as I mentioned, Conti was basically attacked, well, not attacked, but an insider leaked a bunch of documents. They were making so much money

(21:36):
that they were able to pay salaries, monthly salaries for core members. And so this ranged like up to $2,000 USD per month, and in some of these countries that some of these users were based, this is a lot of money, right? And a lot of individuals were joining this because this is one of the ways to make the most money.

(21:57):
Right? I know it's a crime that they were committing. But in these parts of the world, sometimes this is the only choice you have. And they know it's illegal. They know it's a crime, but sometimes you don't have a choice. And so this was the best that there was. And so they were offering to pay a lot of money to these individuals so they could work with them.

(22:18):
We think when we don't pay attention to other economies in the world and if we devastate these other small countries, that it has no impact on us. One thing it does is it drives people to desperate situations to feed their families. And this is just one area of crime that becomes part of that. And I think that's something that we all have to be aware of, that

(22:41):
we're part, there's no borders anymore. You can't insulate yourself.

Absolutely. It's exactly what happens here. And we see this in even more recent leaks, the Black Basta leak, where they had hired this Pakistani individual. And he was working for $20 a day, sorry, $20 a week. And he's trying to feed his family, and his wife was pregnant.

(23:04):
So what I wanna also, if you are on the YouTube stream here, I'm showing right now basically a layout of what the Conti group looked like, because it spans, over the years it spans so much and everything came out of it. You had a bunch of different types of ransomware operations that came out, and when Conti shuttered its doors, it split up into three teams:

(23:28):
Conti Team One, Conti Team Two, and Conti Team Three, which are still in operation to date. This goes all the way to, for example, Chaos ransomware. This is the latest group that is still in, you can trace back the lineage to Conti. But how did this, this is like the business model that we were just talking about, but let's dive into now how they were able to technically

(23:51):
succeed in this environment.

If you're watching this on YouTube, you can see it. If you're listening to this as part of the podcast, you can't see it, but we will post some links so that you can get copies of these. But essentially what you've shown here is Conti gave birth to almost everybody that is hitting us. If there's a common name on your slide here, they've split off into all of

(24:12):
these different groups, fractured out to really start most of the other groups that we have. Is that, did I get that correctly?

Exactly, exactly. They started, like, we're gonna get to it in a bit, but they basically spun off into Royal, Zeon, Quantum, BlackSuit, and then part of it into Black Basta and now Chaos.

(24:32):
These are all like huge, huge names. Black Basta, if you're in Canada, was the group that hit the Toronto Public Library. And so they're very, very much still active and hitting everyone today. For example, Wazawaka, Mikhail Matveev, he is a mercenary, he worked with everyone. He worked with LockBit, he worked with ALPHV, he worked with Conti.

(24:54):
Like these are all, they're all sharing affiliates, they're all sharing tools. They're all sharing like tactics and techniques and procedures. They all know each other, right? Some of them hate each other, but they all know of each other. They're all connected.

And is it too early to ask how they operate? You know who some of them are? We know who some of them are.

(25:16):
How do they stay safe?

So a lot of the times they are located in non-extradition countries, mainly Russia. So you can't essentially go to, like, they can't leave Russia essentially anymore. And if they do, they have to go to other countries that don't have extradition to the United States or to the European Union. Because I was traveling in Germany and I was heading to Canada.

(25:40):
And when I was going through passport control, they had wanted posters of a bunch of different people, like drugs, human trafficking, and of course they had a bunch of Conti guys. Like they had wanted posters up for Conti guys. It was so funny because I was like, Hey, I know this guy, I know of this guy. And they were like, do you know him? And I was like, well, not know him.

Watch what you're saying there.

(26:01):
So especially in today's world, right? So I had to clear up a little bit of a misunderstanding there. But yes, 'cause I wanted to take a picture of the wanted poster and they basically allowed me to do that, but I was like, Hey, I know this person. Wrong choice of words, but yes, phrasing very important. So I just wanna get back into it and talk about, like, Emotet, Emotet and

(26:22):
IcedID, because these are the tools of the trade that allowed Conti to, 'cause they designed these tools, and it allowed them to, first of all, gain access to the network and then also to conduct a post-exploitation framework to continue and persist on conducting their attacks once they were inside of the network. So the first one that we talk about is Emotet.

(26:45):
So Emotet was delivered by spam, and this was like a Trojan. And essentially what it was is that it deployed TrickBot, Emotet. And from there, Conti was able to connect to Emotet and conduct their attacks. Emotet was very, spread like a worm. It basically spread through Outlook, and it used polymorphic code to

(27:08):
evade antiviruses, and it was able to constantly change itself so that signature-based detection was completely useless against it. You had to look at heuristics and, like, kill chain analysis to really figure out if this was Emotet. And Emotet has been disrupted many times by law enforcement, and in 2023, and it sort of had a little bit of a revival and it's

(27:30):
still kicking around a little bit. Then we have IcedID or BokBot. And so this is what Emotet dropped, and this was really, or you could also just drop IcedID on itself. And this was mainly a banking Trojan, a loader. And essentially what it was is that it was way more surgical than Emotet. It helped, once you were inside of the network, it helped you pivot

(27:52):
into Active Directory environments. So you were able to directly go to the domain controller and conduct your attacks. It had privilege escalation and lateral movement. It had a whole bunch of really, really fancy features. This was given to mid-tier and above affiliates that were part of Conti because this was such a good tool. This was part of the toolkit that Conti would give to its

(28:13):
affiliates to conduct these attacks. The first one's a distribution method. The second one is the attacker, or it could also be used as a distribution method if you needed to. This was the main one, IcedID was the main one, but if IcedID got picked up, you could basically wrap it in Emotet. And because Emotet was more evasive, you could hopefully get the Emotet

(28:36):
in and then it would drop IcedID. They had a lot of different tools. And then of course TrickBot. Now TrickBot was essentially this post-exfiltration tool. This acted a lot like Cobalt Strike. Essentially, this was able to dump credentials. It was able to map networks. Once you get into this network, you need tools to work, right?

(28:57):
TrickBot allowed them to come in with a little bit of a tool belt. It allowed them to dump, Mimikatz, and to dump hashes, to pivot, to basically start working directly from TrickBot. Nowadays we see most people use like Cobalt Strike, but this is before Cobalt Strike was a thing. And we saw everyone was using TrickBot back then.

(29:18):
But this is a set of tools that allows you to do the things that, because I'm always amazed at how people can move laterally through networks.
They can do these things.
It's not, I'm not the world's greatest network technician.
I'm not, but I'm no idiot.
But I'm just amazed at how fast people can move through networks, how they can negotiate their way around, and are they using these tool sets to do that?

(29:41):
Well, nowadays they're using Brute Ratel or Cobalt Strike or the evolution of these.
But this is basically, yeah, this is the foundation kit that would've gone out initially.
Exactly.
This is what we're seeing now, everyone's using this or they're using custom tools.
Like, there's a new tool by a group called Global that just came out, and it's called, I wrote a piece about it on my LinkedIn page.

(30:02):
It's called Kylo Ren, from Star Wars.
And essentially this is like a reinvented version of TrickBot, because they don't want to use Cobalt Strike.
So they're basically saying, like, hey, we're gonna build our own.
So a lot of groups now are trying to go back to its roots and building these modular Trojans and post-exploitation tools,
because everyone knows now that there's Cobalt Strike, TrickBot.

(30:24):
So essentially the whole framework was: initial access brokers deployed EMOTET and ICEDID via phishing.
The malware installs the loader, for example EMOTET.
And then the affiliates would do reconnaissance, move laterally.
They would deploy Mimikatz, Cobalt Strike.
And from there they would essentially dump the credentials, brute force them,

(30:45):
or do some form of Kerberoasting, and then gain access to the domain controller.
And then they would pass it off to the main Conti core team.
And from there, Conti would deploy the ransomware and exfiltrate the data.
So in five steps, everything was done.
And this would usually last, back then in 2019 to 2022, this would probably take about a month or two.

(31:07):
But nowadays everything is so much faster.
We're seeing now people essentially conducting attacks in a week.
So it's very, very fast now.
Sorry, I keep interrupting you, but yeah, no worries.
Just always fascinated by this is, at one time, people would hang around, we'd hear that they'd hang around in networks forever.
And do their reconnaissance.
Are you saying that things have sped up now, or is there

(31:31):
a difference in terms of attacks?
So nowadays they're not hanging around networks forever,
because EDRs have gotten better and they don't wanna risk getting kicked out.
So now attacks are getting conducted way, way, way faster.
We see people essentially get into a network in a week, and by the

(31:52):
end of the week they're done.
They've exfiltrated and they are, 'cause the tools and the process, everything has been refined so much.
Right.
So they're basically getting in, getting out.
Yeah.
So I'm going to talk a little bit about the Conti leaks.
So Conti really started to see the cracks in the RaaS empire.

(32:13):
And so this happened in February of 2022.
Conti publicly declared support for Russia after the Ukrainian invasion in 2022.
And then Ukrainian-aligned insiders leaked all of Conti's internal Jabber chats.
This is where we were, like I said before, we were able to see that they were organized as a company and how much people were making.

(32:37):
And then in May of 2022, Conti announced their shutdown.
And in June of 2022, the final known Conti ransomware payload was deployed to attack the Costa Rica government.
Conti's leak was substantial.
It was 60,000 internal Jabber chats.
It really showed everything, their names, their aliases, their handles,

(32:58):
their emails, and also where they operated from, because a lot of it was, hey, I'm going to the office.
And then they were basically describing their environment, which allowed people to figure out who was who.
So it really was what spawned all the teams to go out, and now we can see

(33:18):
where the evolution came from.
So essentially now from there, from Conti, we had Black Basta, we had Karakurt, Royal and Black Suit, Quantum.
Everyone's coming out of this now, and, like, groups all had their specialties.
Like Karakurt was really focused on extortion only, like exfiltration, Black Basta as well.

(33:40):
But they also had their own payload.
They maintain, like, these two really maintained a low profile and really had a very high victim volume count.
And then you had, like, Royal and Black Suit, like, they were more polished, they were very aggressive, and went for high victim counts.
But nowadays, because this is all the ex-Conti guys, new players

(34:02):
were coming into the arena.
And so one of them is called LockBit, which we briefly discussed a little earlier.
And so they were the red princes, and they were not necessarily affiliated with Conti.
But they were definitely known by Conti.
And it's also important to say that during this time, there was a codename, Wizard Spider.

(34:24):
This is a codename given by CrowdStrike.
That this group, like LockBit, was trying to organize a cartel, they basically got approached by Ransom Cartel back in the day.
This was a group trying to organize, like, Conti together, LockBit together, REvil together.
And they were trying to basically say, like, hey, like the Sinaloa cartel

(34:44):
in Mexico, saying, like, hey, we can organize something together and we can all work to benefit each other.
This Ransom Cartel did not last very long.
LockBit was seen as a problem child and essentially did not want to collaborate with them anymore.
It was very, very short-lived.
It only lasted a couple of months, but they were still able to pull off some attacks together.

(35:05):
So in looking at what it looked like,
LockBit had connections to a bunch of what Conti was connected to, right?
They were connected to the Conti teams, Storm-0506, and the financially motivated groups like FIN7, which is also related to lop goldish, is one of the malvertisement campaigns that they were really behind too.

(35:26):
So these groups are very, very well known.
So LockBit was around from 2019 to 2024.
Again, Russian speaking, they began as ABCD ransomware.
And one of the things that really made them stand apart from the rest of the competition at the time was that it had one of the fastest lockers and a really strong affiliate support and slick marketing.

(35:48):
And by slick marketing, I mean they were paying affiliates, not affiliates, but they were paying forum users or just users a thousand US dollars to tattoo themselves with their LockBit logo on their bodies.
So this really, and they were also doing writing contests and, oh, and they had, like, a bug bounty program.
They attacked Boeing, Royal Mail, the city of Oakland, SickKids in Canada,

(36:09):
the California Department of Finance, like, you name it, they were attacking, they were the biggest ones at the time.
And they were really known for using the same thing, ICEDID, everybody shared tools in the space, right.
Why reinvent the wheel when you can just, if you all know each other.
And so they really conducted these types of attacks.
One thing that's really interesting is LockBit really tried to

(36:32):
explore with triple extortion.
So they would encrypt the data, steal the data, they would DDoS people, call, the affiliates sometimes would call the companies to harass them into paying it.
And this is something that's becoming more and more popular, even Qilin right now.
Essentially setting up call centers to look through the data and attack these victims now.
So this is something that's fascinating.

(36:55):
Now we have something, because LockBit was so popular,
and there were some affiliates that started to basically be creating these smaller subgroups within LockBit.
One of them was called the National Hazard Agency, or NHA.
This was a group that was spearheaded and commanded, if you wanna say, by a user called Bassterlord, or FishEye. Bassterlord grew up in Luhansk,

(37:21):
Ukraine, during wartime poverty.
Worked as a freelance designer and later was recruited into cybercrime, and started National Hazard Agency.
He wanted to help his mother, who was very sick at the time, and this was his motivation, to pay for her healthcare.
And so he had somewhat noble intentions, but he was still committing crimes to get this done.

(37:43):
And it really shows, like you mentioned, Jim, this is people's lives.
And sometimes if they're desperate, they will do desperate things.
Bassterlord has since retired, and was able to walk away with a couple million dollars.
So it's a fascinating story with these individuals.
Bassterlord has a really big environment.
He was very, very active for a few years.

(38:03):
He was part of REvil.
He worked with Avaddon.
And in 2021 he published the first ransomware manual.
This is basically a manual of how to conduct attacks.
And this manual sold for thousands of dollars.
And in December of 2022, he released a volume two.
And volume two, when it first came out, it was going up for $10,000 and

(38:28):
it basically was, you gotta spend money to make money, and was how to deploy the latest zero days, and how it was an entire training manual on how to conduct these attacks.
And this was the manual that was given to LockBit affiliates.
And because he was part of LockBit in March of 2023, this became part of the repertoire and training material for LockBit.

(38:51):
Like the onboarding material for LockBit.
So a lot of these individuals work really hard on these things.
I have a copy of these manuals, and if you really want one, reach out to me on LinkedIn and I will happily give you a copy of it, for research purposes.
Of course.
And it covered everything.
It covered masscan, FortiGate scanners, EternalBlue, Zerologon

(39:13):
abuse, how to deploy Mimikatz.
This is better than some SANS course in some aspects.
This is a lot of work.
I mean, he put a lot of time and work into this.
And everything was written in Russian too.
Wow.
Yeah.
And have you seen these, so obviously, I mean, are these used in training now, for defender training?
Are they, I hope so.

(39:35):
I am writing a ten-piece on this now, and it's gonna be really, really interesting to see how people react to this, because a lot of the information, especially in volume one, is dated.
It goes up to, like, 2021.
But the second volume covers stuff from 2022, 2023,
and we all know that there's a massive lag in patching systems.

(39:58):
And, like, some systems, like 2023 was only two years ago, 2022 was only three years ago.
And I know there are still systems out there that are vulnerable to the exact playbook of both of these volumes, volume one and volume two.
So these are still very, very dangerous even today because of the lag in

(40:19):
patching and in upgrading infrastructure, like, these things still work.
Amazing.
Yeah.
And we've seen people go ripping through, you know, on-site Microsoft email systems, SharePoint, old systems that are just out there and sitting

(40:40):
available for hacking, that have not been updated.
I could probably point you to a couple places where I know people probably haven't updated the systems in years.
Exactly.
It's still 100% vulnerable to all of this.
We can talk a little bit about how actually the ransomware negotiations happen. I just wanted to do a quick recap for everybody, 'cause there's

(41:00):
been a lot of information. You've talked about the start of ransomware.
You've talked about the groups. You've talked about Conti, that was fractured into the many groups that we have today.
The evolution of the techniques, how sophisticated these are now, and that's really, I think, where we've come from so far.
And now you're gonna talk about ransom negotiations. I think that's great.

(41:21):
Let's talk about that.
Yeah, absolutely.
So ransom negotiations is really cool, actually.
So there's this project called Ransom Chat, and it allows you to essentially go read the actual negotiation chats of a bunch of different ransomware operations there.

(41:42):
So you can see the victims talking to the attackers.
But you also have to understand that not every single victim is just, like, the CEO or, like, the head tech support, or, like, the SOC talking to these. This is, sometimes these are lawyers, sometimes these are trained negotiators.
Sometimes it's law enforcement talking to LockBit, but you'll never know.

(42:05):
Right.
But it's fascinating to know that it could be anyone from the victim's side talking to these attackers.
So, reading it, I really see, like, how much they charge, the pressure tactics that they employ.
So this is a fantastic project that you can actually, it's free.
You can just go ahead and basically read the whole chat logs.

(42:27):
And so there's a lot of differences between how Conti, for example, and LockBit conducted their negotiations.
And because they're two completely separate groups, you can definitely see, like, and you mentioned this a little earlier in our conversation, Jim, was just how methodical and how professional Conti was.
And then you can see how immature and how brazen and unstable

(42:52):
LockBit was. So we can definitely see the two different sides.
And doing stories on them.
You caught posts and you can hear the language that they use and the way they talk from their posts.
Really, really different personalities.
Great observation.
So for example, Conti would be like, we always keep the terms of the contract, and in a similar segment of the negotiation LockBit would be, you think I'm a fool?

(43:17):
I have your files.
I know how much money you have.
So very manipulative, aggressive, try to badger and beat down the victims into submission.
And Conti was all about framing it as a business transaction.
Is this where the breakdown started to happen?
Because I know at one point the feeling that we would have as CIOs from the

(43:38):
professionalism you saw was that, and I'd heard this many times, pay the ransom.
They're going to give you the key back.
Why?
Because they want to make sure that you're a satisfied customer.
It sounds sick, but it was, you know, that they were gonna keep their reputation, and that was how they guaranteed they'd get payment.

(43:58):
And that broke down at one point.
Like, LockBit always operated like that, right?
Conti was just very professional.
They were above and beyond.
And they, again, they were equally as dangerous and equally as sick as LockBit was.
But they just had a better business acumen, if you wanna go that

(44:20):
way, and how to conduct business.
Another example is, Conti said high but also negotiable ransoms.
Like, they would say, okay, give me $500,000, but we are also ready to accept 256,000.
And LockBit was, like, extremely high and be like, don't, like, they would ask for 15 million, for example.

(44:40):
But they're like, don't offer me, like, one, two, 3 million.
It's ridiculous for your company size.
There was a very big difference, like LockBit uses prices to dominate and humiliate.
But Conti was always showing controlled concession.
And was trying to use discounts to portray being reasonable and ready to negotiate.
If you've done this in business for a while, you've read a

(45:01):
number of books on negotiations.
One of the beautiful ones is Never Split the Difference.
Sounds like these guys had taken MBA courses in contract negotiation.
Different flavors, but, you know, that whole thing of stake a high price and then they'll be happier with the lower one.
These guys are smart negotiators.
Wow.
Yeah.
And here's a final example.

(45:22):
So Conti imposes business day countdowns.
So they would be like, two business days left before we start uploading your private data.
But LockBit, on the other hand, used the timer, and they didn't care if the data would go up on a Sunday or on a Saturday or on a holiday, for example.
They would just reference the timer and see, see the timer.
Nobody's going to wait for you.

(45:43):
They were, LockBit always tried to push the victims into panic, while Conti used, like, soft clocks, like, just a bit like a law firm on retainer.
Like, we're gonna give you two business days.
Yeah.
Are you allowed to have an opinion on this?
Should people get a professional negotiator?
So yeah.
I always say, well.
My professional opinion on this is, whatever your insurance company tells

(46:07):
you to do, that's what you should do.
Good point.
Because some, your insurance company will say, part of your package, you can get a negotiator, or you have to go through, or we can do it for you.
So just listen to your lawyers.
Yeah.
Good, good, good point on that.
Yeah.
And so there's a bunch of different options here and how they were able

(46:27):
to really pressure, and emotionally,
like, pressure your victims.
But it really boiled down to Conti being calm, structured.
It really tried to package everything as a service, and their reputation was everything.
And LockBit was all about media spectacle.
And you can see the difference because Conti was very much more like an invite-only group.

(46:49):
It was very much more controlled in terms of who could join the group.
But LockBit had over a hundred affiliates at one point, at their biggest.
And so it was very hard to keep the same language going.
And it was hard to keep consistency, right?
So you had a whole bunch of people doing negotiations.
So there's also this thing that you can do, and this is one of my

(47:10):
favorite things, is, there's actually a ransomware chat simulation.
So this is part of the Ransom Chats service that I just spoke about, a project a little earlier.
But you can basically run this as a Python script and you can actually plug in your ChatGPT API key, and it will basically load all the chats in terms of, like, a little file and you can basically, so it's

(47:31):
like, quickly trains the AI.
And then from there you can basically, like, practice negotiating with the different types of groups.
So you can practice negotiating with Conti if you wanna learn what it feels like.
This is a really cool little ransomware chat simulation.
We'll post a link to this.
I'm actually gonna do a bit of a demonstration with you at one point down the road of how that works.

(47:51):
That sounds fascinating.
We'll give you a link for that, but I think we're gonna do a little digging into that.
Absolutely.
It's really fascinating how negotiations work.
We can also talk about the modern arena and what that looks like now.
This is RansomLook.
RansomLook is an open source project aimed at assisting users tracking ransomware.
This is the service that was the open source project service

(48:12):
that I was talking about earlier.
Tracking a whole bunch of different groups, and across a whole bunch of different relays and onions.
And with this type of service, you can really see that, throughout the evolution now.
Even something like this chart here, if you're on YouTube you can see it, but it's basically showing that SafePay, in the past week, had, like, 20 victims posted.

(48:33):
But the thing is, if you look at it today, El Dorado is no longer there.
Interlock, Lynx is no longer there.
ERO is barely posting, Black Suit got seized.
Arcus Media, maybe one.
DevMan is not posting much anymore.
RansomHouse isn't posting, Kairos isn't really posting, Embargo is selling their source code.

(48:54):
And this is since April, right?
So just for those who can only hear us, we're looking at a chart, and it looks like a hockey stick.
There's a whole pile of groups that are doing not much in the way of posting frequency, and then a huge spike of larger groups.
Like, you've got Qilin, you've got SafePay, Sarcoma.
So.
Does that mean that they're the dominant ones today?

(49:14):
Yeah.
And the other ones, there's still some massive effort from some of the other ones.
So you've got some dominant players, some mid-level players, and then some ones that are maybe on the fringes.
Yeah, exactly.
So it's really something that these groups, Arkana Security got absorbed into Qilin, at the very left side of the chart.
A lot of these groups pop up, conduct a few attacks, and then it is severe.

(49:38):
It is fascinating how that works, because a lot of this still seems like the tech industry.
You got some dominant players that absorb people.
You've got some mid-level players, you got little ones that pop up and manage to get some attention.
It's a whole business ecosystem.
Exactly.
So one of my, as a researcher, I have this affinity for these groups.

(50:00):
So I can say my favorite group, or, I think what this group is cool.
I don't support these groups, but, we get it.
But it's hard not to.
I would, admire is not the right word.
It's not the right word, but these are the ones that are doing this are successful businesses.
Yes, exactly.
And we may not like them, but that's, you have to at least respect their

(50:22):
abilities, I guess, maybe though.
You can underestimate them is essentially what I'm getting at.
And you actually participate in some chats, or can you talk about that?
I never know what you can talk about.
So yeah, what I do, part of my job is infiltration, and so a lot of it is because infiltration is not meant to last very long, right?
I'm not, because I can't conduct actual crime, I can't conduct attacks.

(50:47):
All I can do as a private citizen and as a researcher is lie.
So I basically con my way into these groups, without breaking the law, and essentially try to gain access to their control panels or to their source code or to their builders, or to the hierarchy of their teams in their chats.
And export and screenshot as much as I can, because I know I'm gonna

(51:11):
get marked and I'm gonna get burnt very, very quickly.
And I have to, there's also a massive delay in terms of what I can publish publicly.
And a lot of this, 99% of the stuff that I work on is never published publicly, but a lot of the stuff that I get gets passed on to the proper parties.

(51:32):
That can be government, that can be law enforcement, that can be various different organizations, and essentially they take care of that.
It's also, like, yeah, like, it's trying to be as sly as possible without getting in trouble.
Wow.
And is this next group, Medusa, can you give us a little profile on that?
Is that the intent?
Yeah.
So Medusa is one of the groups that popped up on a Russian

(51:56):
speaking forum called RAMP.
And so they originally started, and it was a pretty big, they were trying to become a new RaaS, a new service.
They weren't connected to Conti, they weren't connected to LockBit.
When they first launched, they had one of their servers leaking their clear web IP, and essentially they were hosting out of the UK.
They've since patched that, and they've been around for a while.

(52:18):
This was around 2023, but they're often confused with another group called MedusaLocker.
Medusa specializes in spear phishing emails to obtain credentials and to deploy the malware.
And one of their best known TTPs is to use AnyDesk, Atera or ConnectWise for persistence and control.
So they love to live off the land of your existing remote connection tools,

(52:42):
to basically keep that in the network.
Another one that we briefly talked about is Qilin.
This group really originally did not like English.
So they really tried to emphasize Russian speaking partners, but in the few months since, they've really opened up to English speakers, especially Scattered Spider, which is not necessarily a

(53:05):
group, it's more like just a community.
And they really opened up to English speakers in that sense because they know that they can leverage these individuals to gain access to more infrastructure through their social engineering techniques.
So Qilin has been around for a while, but they have really reinvented themselves in the past year, especially since RansomHub

(53:29):
was dethroned as number one.
And so now they're probably number one right now.
And they're using the, because we've talked about this on Cybersecurity Today, of groups that are really effectively using North American or English speaking, I presume, teenagers.
Yep.
Who are doing some incredible spear phishing.

(53:50):
And again, I'm in the same boat as you.
I don't condone it.
But they're incredible in terms of how they can spear phish, how they can get credentials, how they can get past help desks.
Is that the same group?
Yeah, exactly.
The Scattered Spider.
So it's not necessarily a group, it's like a loose, loosely connected group.

(54:11):
Scattered Spider, it's in the name, it's scattered, it's thousands of individuals.
Right.
And it's really, like, a lot of them, like, this, the recruitment for Scattered Spider, like, happens on clear web social media platforms.
'Cause it is indeed, like you said, teenagers of English speaking countries like the UK, like European countries, Canada, the US, and essentially anyone

(54:32):
that can get past voice verification or talking to a help desk properly.
That will really get you far in these groups.
And a lot of it is about the lifestyle, right?
And they're seeing money, they're seeing girls, they're seeing guys, they're seeing cars, they're seeing drugs.
It's all about that live large and fast lifestyle, right?

(54:52):
So a lot of the teens get absorbed in this and mesmerized and infatuated with this lifestyle.
So they all wanna be part of it.
But yeah, it's a big problem.
And sorry if I'm jumping ahead for where you might be going to explain this already, but Qilin is exploiting part of that group as well now, you're saying?
Yeah, exactly.
So they basically partnered up with them, and so has DragonForce, which

(55:14):
we're gonna get to in a bit too.
But groups now are paying attention to Scattered Spider more because of how successful they've been.
Like AlphV, BlackCat, did that exact point in 2023 with the MGM Resorts attacks, and that was a Scattered Spider initial access.
Right.
And so, but it was AlphV BlackCat ransomware that ended up being deployed.

(55:36):
So these groups are very well connected.
I wanted to talk about RansomHub really quickly here.
Sure.
And RansomHub essentially was at the right time, at the right place to capitalize on the void.
This happened right in 2023, sorry, in 2024, sorry.
And right when LockBit and AlphV had been disrupted, especially BlackCat,

(56:00):
RansomHub positioned itself to be, hey, when AlphV BlackCat basically got seized, RansomHub was like, come join me instead, let's make, and a lot of the affiliates from BlackCat jumped over to RansomHub, and RansomHub had a very, very generous 90/10 split, which was a lot better than what AlphV

(56:21):
was giving a lot of the affiliates.
So RansomHub showed a lot of developments, like, they were updating their platform constantly over the course of the next few months.
They became number one for all of 2024.
They were originally based off of the Knight ransomware code base.
But they really focused on exploitation of public facing applications

(56:42):
like Confluence and VMware.
They did phishing for credentials.
They purchased initial access from brokers.
They did double extortion.
They did it all, right.
They were very, very, very well established for this.
And they moved into exfiltration as well.
They were one of the first ones that got into the exfiltrate and, as the only thing they did, is that, did I get that correct?

(57:06):
No.
So they did double extortion.
So they encrypted and also leaked the data.
They were just well positioned to take over, like, the LockBit groups, like, affiliates, and the affiliates that were,
because they had just been disrupted.
Those number one and number two groups got disrupted within a couple of months of each other.
So RansomHub was very opportunistic and had an amazing opportunity

(57:27):
to seize that number one spot of, come work for us, right?
And they filled that void very, very quickly.
It's a mystery of how they disappeared.
It is a bit of a known industry secret of what happened.
But essentially, they've just stopped responding to, and this is known a bit of, like, in some circles some would say this is an exit scam, but I'm

(57:48):
not saying that this is what happened to RansomHub, but essentially, yeah, they're no longer around.
The affiliates are, but RansomHub as a brand is no longer around.
And I wanted to talk, finally, about two last groups, DragonForce and Akira.
DragonForce was a very interesting group because essentially what they did was they were like, hey, we want, we wanna gun

(58:11):
for RansomHub's number one spot.
And when RansomHub, in early 2025, shuttered and was having issues, DragonForce basically tried to be opportunistic and said, hey, we're gonna spin up our own cartel.
And we want everybody to join.
Anybody can join and we're gonna white label ransomware as a service.

(58:31):
That was supposed to be the next evolution of it.
It hasn't really materialized, but essentially they're saying that if you want to create a ransomware as a service now, all you need to do is contact DragonForce.
You have to pass an interview.
You have to be vetted, of course, and you have to put a deposit.
This is not just, like, someone can just walk in and start a ransomware operation, but they're trying to make it as easy as possible.

(58:52):
And from there, they'll spin up the infrastructure for you.
They'll give you access to the code, like, code base to build builders.
And cryptors, decryptors and negotiation panels.
They'll do all of that for you for an 80/20 split.
So they'll take 20% of all the ransom payments that you make, and essentially to pay for your infrastructure.
Now, this can be very expensive, but you don't have to basically write a

(59:16):
single line of code and you can have your whole ransomware operation.
And it would be like Stargate by black, by, DragonForce type of thing, right?
It was, like, a white label, powered by DragonForce.
So they tried to do that.
It hasn't really taken off yet because the 20/80 is a pretty steep asking price to run infrastructure and run this type of service.

(59:37):
But I'm sure that once more people, because it's also really hard to run this type of infrastructure, especially if you're running on bulletproof hosters and servers across the world, you're trying to manage all that stuff.
It becomes something that people would wanna pay for, convenience, especially the criminals that wanna do this.
Yeah.
I, and well, they didn't, they made promises and didn't keep them.

(01:00:01):
They are part of the software industry.
Yeah.
And they, so they really tried to make the cartel happen, but they've been around for a while.
Like, they've been around since August of 2023.
And this was a ransomware group that started originally on Breach Forums.
Right.
And they were the ones that attacked the UK retail sector and the aviation sector in recent news.

(01:00:23):
So they've been very, very busy.
And so they have a bunch of different types of TTPs.
And they try really hard to exploit vulnerabilities in public facing applications like VPNs and RDP to gain access, and they do collaborate with Scattered Spider.
So this is a very, very busy group.
And they're very, very dangerous.

(01:00:45):
We can definitely talk about Scattered Spider.
I think we have to, 'cause it has become a big piece of what's happening out there.
And you've described, you've educated me on this, which is they're not really a group, right?
They're, yeah.
More of a coalition or whatever you wanna call it, a coalition.
And they have a bunch of different names.
Like, because, and this is the thing about the nomenclature and the naming standards of, like, threat intelligence in the cybersecurity world, is whoever names

(01:01:09):
a group, it's hard to... each company, big company, or threat intel firm will have their own name for something, like UNC3944, or Octo Tempest, like Roasted 0ktapus, Muddled Libra.
These are all different names for Scattered Spider, and Scattered Spider's been around since 2022.
And they're like, like we said, they're primarily English speaking individuals

(01:01:32):
aged like 19 to 22 from the US and the UK.
One famous one, for example, IntelBroker from Breach Forums, was part of this community.
And basically started his cybercrime career doing swatting and bomb threat calls at the age of 17.
And was picked up by the NCA at the time, and they said like, Hey, you're a good kid.

(01:01:55):
You're a smart kid.
Like, come intern with us.
Let's take you under our wing and you can actually turn your life around, hopefully.
But like the world is so different, and these individuals are so influential, and the type of people that they associate with aren't very nice, so they get caught up in a whole bunch of different things, right?
And there's some very powerful people that work in these environments.

(01:02:19):
A lot of these individuals end up getting caught up in drugs and a whole bunch of different things.
And it's just a lifestyle that they can't really escape from sometimes.
So yeah, their specialty is social engineering, and they really specialize in SIM swapping, and impersonation of IT help desk, and hijacking phone numbers.

(01:02:39):
So they're a very dangerous group and they've gotten past some incredibly, I think, incredible, incredible, maybe the wrong word.
Some organizations that are pretty sophisticated.
And these are in many cases North American, or at least English speaking.
They could be anywhere in the world, but they're also caught up in this lifestyle. Is there an escape for them?

(01:03:01):
Are they trapped in it?
What, what is it? Or they just stay there because of the thrills.
Yeah, because of the thrills, right.
A lot of it is the thrills.
A lot of it is this life is better than what they have in other ways.
But also they, in some ways they are very much trapped.
Right?
And there are some people that just can't leave.

(01:03:22):
It is, it's very much like organized crime.
It is organized crime.
Like getting out is no longer an option for some of them.
And we've seen some extensions of organized crime where people are brutally attacked in other ransomware and those types of attacks.
So it's not beyond the pale that people, they could be threatened as well.

(01:03:42):
Yeah, it's, it's a very dangerous group.
Wow.
They're very, very dangerous.
And I wanted to finish up with a group called Akira.
Now, Akira is a group that has connections to Conti, but it's not necessarily one that is considered part of the, the lineage.
And they've been around since March of 2023.

(01:04:04):
They transitioned their payloads from Go to Rust.
And this is something that a lot of ransomware groups are doing.
Like they're writing their payloads in Rust.
So this provides like enhanced stealth and cross-platform capabilities.
'Cause Rust can run on Linux, it can run on Windows, it can run on a bunch of different things.
And especially if you're targeting like ESXi infrastructure, this is what you wanna do.

(01:04:25):
They really focus on public facing applications: Fortinet VPNs, Veeam Backup and Replication.
And they will purchase a lot of stolen credentials from stealer logs.
Right.
And they love RDP.
And they've also been known to conduct attacks through phishing emails.
And I think Fortinet's been hammered over the past year.

(01:04:45):
Are these the people who are primarily doing that work?
'Cause it's just, I don't wanna run a Fortinet story all the time because every week there's a new one.
Yeah.
And I don't, I'm not saying that as an attack on Fortinet, great company and all that sort of stuff, but they're just hit and hit.
Yeah, so this is one of the groups that's been attacking Fortinet.
Medusa was another one that attacks Fortinet quite a bit as well.
So these groups are constantly trying to find out the latest attacks on

(01:05:10):
all of the public facing applications.
Yeah.
Not just Fortinet.
No, it's not just Fortinet, but I guess the more market share you have, the more they hit you or something.
Yeah.
Wild.
So, yeah, there's, we can finish off with talking about the initial access market, and then basically this is the last slide here.
And just to give you, the people that are watching this on YouTube, as far, I

(01:05:32):
sort of described this at the beginning of what this looked like, but this is an advertisement for a $1 billion company.
And so essentially how it's gonna be, what, what's gonna be asked for is like, this is a $5,000 ad. This is a company that's based in the US. You have access to the domain admin, local user admin and root access on Unix.

(01:05:53):
And the access type is RDP via HTTPS, Unix reverse shell.
And you also have a Metasploit reverse shell.
And there's 500 computers, all Windows OS.
And the price is $5,000.
So what you would do is you would contact the seller and purchase this access.
And so this is an ad, and for those I can see it.

(01:06:14):
And for those who are listening, I think you've, you've given the elements of it, but this is like a complete made-to-order access to... and this is quite sophisticated.
Yep.
And one of the most popular, basically, example of a famous Initial Access Broker was called Broker, and essentially Broker would sell access on US, Canada, China,

(01:06:41):
UK, a bunch of different countries.
And it was very, very, very sophisticated.
Broker was essentially disrupted in 2023.
And the individual was connected to like an Irish, like an Irish connection.
So essentially what was really interesting was initial access

(01:07:01):
can also become like a business, like Broker was running it very much like a professional business.
They constantly had hundreds of different types of... this isn't just like stealer logs or compromised credentials that he was selling.
But this was stuff that his team would go out and basically guarantee that this was never seen before.
And these were really big companies, and a lot of it was targeted.

(01:07:23):
So, because he was exploiting vulnerabilities in public facing appliances.
So this was very much targeted, and became one of the bigger and more well-known initial access brokers on the market.
So just if you're, if you're going to these initial access brokers, and they...
Well, they post the credentials they have, and I don't wanna even ask this,

(01:07:47):
but can you order the things in from a particular industry, because people tend to move through verticals.
Are they, do they specialize in this?
How do I get the access for a particular vertical?
Is it just by looking around? Or, yeah, so it would be like, it goes by country.
Because, some individuals, like you don't wanna attack where you live, right?

(01:08:08):
So like.
Or where I can get extradited to.
But you also want to, you also want to attack countries that have the highest chance of paying out.
So countries that have very high privacy standards.
US, Canada, UK, like the European Union, those will have like a lot of protections, and they have like, the chances of you

(01:08:30):
getting a ransom payment are higher.
It's not guaranteed, but it's just higher.
And also like companies would tend to have the money to pay because of insurance.
Right.
But if you're like, you wouldn't wanna target like a company that does not make a lot of money, right?
Because then you're, you're just wasting your time.
So this is again, this is all targeted by country and, and it's, a lot of it is

(01:08:50):
they try to attack in terms of industries.
Like sometimes they'll, some groups will say, we don't attack hospitals, but some groups will say, yeah, we attack hospitals 'cause we've had a lot of success receiving ransom payment from hospitals, or the healthcare industry or the financial industry.
But sometimes groups do not want to attack.
They have a hard no on like, I'm not attacking those industries.

(01:09:13):
Wild.
Yeah.
And again, all this stuff is so fascinating. It's available everywhere.
Like you can go on Telegram.
And you can download these logs, right?
And these are massive data dumps of like zip files that contain like millions of leaked credentials, right?
And you can just quickly download them, like they're on

(01:09:34):
forums, they're on Telegram.
And you can basically try to create automated scripts that would just continuously test new access and credentials.
So this is like password spraying.
This is where this type of attack comes from.
And essentially this is where you would, like this is part of the fulfillment process of this.
Wow.
That is it.
That's amazing.
So that has been incredible.

(01:09:55):
I hope people have been able to pick through it.
If you're watching this on YouTube, like I said, you've been able to see the slides, and I'll post a link for that for anybody who's listening to the audio version of this as well.
So you go back to that, but I think you sort of walked us through this.
What I mean, and I guess the question really is, you follow this all the time.

(01:10:19):
What most fascinates you in terms of where this is all going?
What's the next thing that you're most watching for?
So I'm really paying attention to the stratification of ransomware.
What that means is a lot of these groups now, like the biggest issue that they're having is finding affiliates, like we're

(01:10:44):
the peak of 2023,
because ransomware really explo... it's still increasing, it's not over.
One of the biggest years was 2023 and 2024.
But like 2025 has not been a typical year for ransomware.
And so what's happening is that a lot of the groups are trying to

(01:11:04):
attract experienced attackers.
And how they're doing that is they're trying to create more in-house tools and diversify their offerings.
One specific group, BlackLock and Global.
Global is like super AI assisted.
Like when you're negotiating, there's AI assistance in there.
Now, Qilin is basically saying, Hey, we have lawyers on standby.

(01:11:27):
That if you need help during your negotiation, you can loop in a lawyer.
We have call centers that we're rolling out to harass the victims.
So they're trying to like incentivize, saying, Hey, we have all of these extra things that you can now use as part of the groups.
So I'm trying to see where that's gonna happen.
And we're starting to see, one of my predictions is that we're gonna start to

(01:11:48):
see more subgroups of bigger groups, and that's gonna definitely become a thing.
Like we saw that a little bit with NHA, the National Hazard Agency, but we're gonna start seeing more subgroups popping up of bigger groups.
Right.
And law enforcement has been disrupting them.
Yeah.
That they are under attack.
There are pressures not to pay ransoms.

(01:12:10):
Is any of that really working?
Is that starting to reduce the threat?
Yes, it absolutely is.
The disruptions are working.
Absolutely.
The biggest example is LockBit.
They seized LockBit infrastructure.
They weren't able to seize all of it, but they basically destroyed the reputation of LockBit.
And by doing so, nobody wants to publicly affiliate or

(01:12:32):
associate with LockBit anymore.
So LockBit is back in the shadows, rebranding.
It's not over.
They're just rebranding and gonna be recreating a new program.
And when they're ready, they're gonna launch it.
Hopefully, it takes off like previously, but the field now is so full of competition, and it's hard to attract talented attackers.

(01:12:53):
So a lot of these groups now are training the next generation, right.
So it's, it's, it's a really big challenge.
Amazing.
And again, I, we've talked about this being as an industry.
I've known it intellectually, but walking through this, I'm just...
This is a whole ecosystem that exists, something you spend a lot of time studying.

(01:13:14):
Tammy, thank you so much for, for walking us through this, and I will, I'm gonna make a, a commitment, if that's okay.
But if people have questions and they want to get those back to us, they can find you on social media or they can just go to our website at technewsday.ca or technewsday.com, get the contact us form, and pop in some questions.

(01:13:34):
And we'll design another question and answer show perhaps for a later time.
Perfect.
That'd be great.
My guest today has been Tammy Harper.
She's with flair.io.
This was an introduction to the ransomware ecosystem.
A great presentation.
Again, if you have questions, leave them for me.
Great to have you on the show.
For all of you out there, thank you so much for listening to this.

(01:13:55):
We hope that we've given you some information that you can at least expand how you see this and maybe just fascinate you.
If you're listening to this on the weekend, David Shipley will be in the news chair on Monday morning, and I'll be back next Wednesday.
Thanks a lot.
Talk to you soon.