Digital "Pharmacusa" I: Complexity of Underground Syndicates Behind 2019 Rise of Targeted Ransomware
Updated: Oct 8, 2021
Digital "Pharmacusa": AdvIntel Ransomware Series
In the 1st century BC, the small island of Pharmacusa (Farmakonisi) became the scene of one of the most infamous ransom extortions in history. According to Plutarch, the Roman commander Julius Caesar had to pay 50 Talents of Roman currency to Sicilian pirates to be released. Over the next 2,000 years, rulers offered to fill rooms with gold or flotillas with silver as ransom. Even today, entire cities and states can be held hostage while governments pay millions to rescue their infrastructure. If one needed to describe the 2019 threat landscape in only a few words, "ransomware" would certainly be one of them.
The sharp rise of this menace is reshaping the entire cyber domain, filling the headlines with news of attacks against high-profile public and corporate networks. The underground community has reacted by developing multidimensional structures of criminal alliances, shadow auctions, trusted groups, secretive relationships, and partnerships designed to maximize the revenue of the expanding ransomware market. These fragile unions bring together experts from across the darkweb, who join efforts to attack the most secure and lucrative targets.
Who are these Sicilian pirates and Pizarro conquistadors of the digital realm? Through this research series, AdvIntel offers a deep dive into the labyrinth of organizational, political, and financial relationships between ransomware syndicates. By examining the stories of hacker groups and talented DarkWeb criminals, we will show how the ransomware ecosystem is becoming more complex, interconnected, and organized, while these groups themselves evolve from individual network intruders into finely balanced mechanisms of advanced digital crime.
Access-as-a-Service: When Data Breach Meets Ransomware
Like most organizations, ransomware groups tend to pursue several strategic development approaches at the same time. They expand the scale of their operations to infect a larger number of networks. Simultaneously, they focus on large single targets such as corporations or government entities, since extorting even one of them can yield hundreds of thousands of dollars.
To pursue the quantity-based and quality-based strategies simultaneously, ransomware collectives surround themselves with an expanded network of third parties: underground vendors who disseminate the malware on their own or offer specialization in a particular type of attack. When it comes to highly secure targets, experts in network access and lateral movement are always ready to offer their talents for hire.
The Russian-speaking underground is home to many skilled network breach experts who orchestrate complex intrusion operations and obtain high-profile accesses. At the same time, monetizing these accesses can be a significant challenge, especially when monetization takes the form of a direct darkweb sale. Ransomware teams offer a convenient solution to this problem. In 2018 and 2019, many skilled hackers found their niche in the community by using their intrusion skills to support the new generation of ransomware groups.
Threat Actor: "-TMT-"
A peculiar case is presented by a hacker calling themselves "-TMT-". -TMT- joined the underground community in May 2019 by registering on one of the most influential Russian-language hacking forums. According to AdvIntel source intelligence, before joining the forum, -TMT- had operated covertly via secure messengers for at least a year.
Through June, July, and August, they were looking for customers to monetize corporate network compromises, without specifying the victim names and instead referring to the breaches as "fat accesses". At the same time, in private communication, -TMT- offered several accesses to compromised entities, as well as stolen credentials for administrative accounts on the victims' websites. Their breach prices ranged from $3,000 to $5,000 USD.
Based on the list of corporate and government victims, -TMT- is not targeting any specific jurisdiction or industry vertical. Most likely, this universality made them useful to ransomware teams, who aim to infect new networks across different regions. The most recent list of -TMT- victims includes the following:
1. A Latin American house products provider operating in Chile, Bolivia, and Peru: 1069 hosts, 105 servers compromised
2. A Taiwanese metal manufacturer: 388 hosts, 15 servers compromised
3. A Colombian financial services provider: 623 hosts compromised
4. An international maritime logistics services provider: 668 hosts compromised
5. A network of US universities and educational institutions: 875 hosts, 87 servers compromised
6. A Danish dairy producer: 1 host, 72 servers compromised
7. A Bolivian energy sector company: 270 hosts, 12 servers compromised
In late July 2019, -TMT- offered their most valuable access for $20,000 USD. They claimed to have access to an international developer of advanced digital imaging solutions. -TMT- emphasized that this was full access to the company's administrative panels, server hosts, and corporate VPN networks, and not simply a compromised Remote Desktop Protocol (RDP) account. According to them, the access is protected by a set of measures: they exploited a vulnerability on the corporate servers and are now capable of operating in the network environment via the Cobalt Strike post-exploitation framework, without exposing themselves to the risks of using compromised RDPs.
-TMT- was able to provide extensive evidence of their breaches. AdvIntel has informed US law enforcement about the incident.
The hacker claims to have successfully extracted admin credentials and to be able to navigate the network safely and elevate their privileges as needed. They highlighted access to the financial division server, which contains valuable corporate information. The actor allegedly has full access to the company's domain controllers as well. As an alternative to purchasing the full access, -TMT- offers to upload malicious files or malware into the system as a service, or to open a single server access session.
Tactics, Techniques & Procedures (TTPs)
-TMT- primarily focuses on breaches of corporate networks. For these purposes, they use compromised RDP access and credential-stealing malware as initial attack vectors.
Specifically, the actor leverages Cobalt Strike Beacon to access secured environments. Beacon is Cobalt Strike's default payload and is used as the initial payload. Beacon's shell command allows executing cmd.exe commands on the compromised host. -TMT- starts a session and, through Beacon, obtains the ability to manipulate the compromised network environment via server commands. According to the actor, they start multiple sessions to ensure the stability of their access to the network and all of its hosts. -TMT- pivots from Beacon sessions to elevate privileges within the compromised environment, specifically by using stolen credentials. Most often, credential theft is performed by running Mimikatz through the Beacon session.
Additionally, they leverage compromised RDPs to obtain additional visibility and network manipulation capability. -TMT- claims to rely on a bulletproof server based in Lebanon for their operations.
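The TTPs described above leave a recognizable footprint on the host: Beacon's shell command spawns cmd.exe from the beacon host process, Mimikatz-style credential theft opens LSASS with read access, and compromised RDP accounts produce interactive network logons from unexpected addresses. The following is an added example, not code from the AdvIntel report, showing toy detection logic for those three signals run over constructed Sysmon/Security-style log lines; the allowlists and corporate IP prefixes are assumptions to be tuned per environment.

```python
"""Added example (not from the AdvIntel report): toy detections for the -TMT- TTPs
described above, run over constructed key=value log lines (not real telemetry)."""
import re
from typing import Dict, List, Tuple

# Constructed sample events: two process creations (Sysmon EID 1), two LSASS
# process-access events (Sysmon EID 10), two RDP logons (Security EID 4624, type 10).
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami /all" ParentImage=C:\\Windows\\System32\\rundll32.exe
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c dir" ParentImage=C:\\Windows\\explorer.exe
EventID=10 SourceImage=C:\\Windows\\System32\\rundll32.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff
EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
EventID=4624 LogonType=10 IpAddress=10.0.5.20 TargetUserName=alice
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# rundll32.exe is Beacon's well-known default spawn-to host; the others are common injection hosts.
SHELL_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Processes that legitimately open LSASS with broad rights (assumed allowlist; tune per estate).
LSASS_OK = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "msmpeng.exe"}
CORP_PREFIXES = ("10.", "192.168.")   # assumed corporate ranges for RDP sources
PROCESS_VM_READ = 0x0010               # right needed to read LSASS memory (Mimikatz-style dumping)

def parse(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(log: str) -> List[Tuple[str, str]]:
    """Return (rule_name, line) for every line matching one of the three signals."""
    hits = []
    for line in log.splitlines():
        e = parse(line)
        eid = e.get("EventID")
        if eid == "1" and base(e.get("Image", "")) == "cmd.exe" \
                and " /c " in e.get("CommandLine", "") \
                and base(e.get("ParentImage", "")) in SHELL_HOSTS:
            hits.append(("beacon_shell", line))        # Beacon 'shell' -> cmd.exe /c
        elif eid == "10" and base(e.get("TargetImage", "")) == "lsass.exe" \
                and int(e.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ \
                and base(e.get("SourceImage", "")) not in LSASS_OK:
            hits.append(("lsass_access", line))        # credential theft from LSASS
        elif eid == "4624" and e.get("LogonType") == "10" \
                and not e.get("IpAddress", "").startswith(CORP_PREFIXES):
            hits.append(("rdp_external", line))        # RDP logon from outside corp ranges
    return hits

if __name__ == "__main__":
    for rule, line in detect(SAMPLE_LOG):
        print(rule, "<-", line)
```

On the constructed sample, only the rundll32-spawned shell, the rundll32 read of LSASS, and the RDP logon from 203.0.113.7 fire; the explorer-launched shell, csrss access and internal logon are left alone.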
-TMT- Ransomware Connection
In private communication, -TMT- was open about their strategy, which is based on supporting ransomware collectives in uploading malware into larger secured networks.
They propose either to open a single session and upload ransomware and other payloads, or to provide continuous access to the network, which can be used to spread malware further, for instance against the victim's clients.
According to -TMT-, they have been practicing this model with collectives that emerged after GandCrab's departure from the business. Considering that both -TMT- and another prolific network breach actor under the alias "truniger" focus heavily on abusing exploitation frameworks such as Cobalt Strike and Metasploit, it is likely that the two actors are developing a partnership to increase their offensive capabilities.
According to AdvIntel sensitive source intelligence, since August 2019, -TMT- among other ransomware collectives has been working with the REvil developers supporting their crypto locker uploads. According to the sources, the actor has a long-established connection with a high-profile REvil affiliate "Lalartu" (the name, as noted by Mathew J. Schwartz, is a reference to vampiric Sumerian spirits).
The connection originally arose from a specialization both actors shared: admin panel compromises. In 2019, both Lalartu and -TMT- started to offer their services to ransomware collectives. When this strategy proved efficient, they started to approach high-profile syndicates with their services. By June 2019, this was the "truniger" collective for -TMT- and the REvil group for Lalartu. Eventually, Lalartu facilitated the connection between -TMT- and REvil, as -TMT-'s attack skills were in high demand by the group.
Most likely, joining REvil was the main reason why the two actors left the Exploit forum almost simultaneously. The data breach community has constantly voiced concerns about the inefficiency of direct breach monetization via underground forums. Indeed, many high-profile breaches were burned by inexperienced buyers or law enforcement during the initial examination of the admin panel access. These concerns were only exacerbated by rumors of a potential compromise of an Exploit leadership account by Russian law enforcement.
Offering breached panels, domain controllers, and other valuable access to ransomware groups resolved many of these concerns, which led skilled forum members such as -TMT- and Lalartu to migrate away from the forums and join efforts via secure messengers.
The -TMT- case illustrates how individual hackers can extend their capabilities by working for ransomware teams. Previously, for individual network intruders, monetizing corporate network access could be as hard as obtaining that access in the first place. By offering network compromises for sale on the darkweb, each hacker faced mistrust and the risk of being scammed or losing the access.
With the recent rise of new ransomware teams that rely heavily on external support from for-hire specialists, these actors have gained a solid foundation to monetize illicitly obtained access securely.
This alliance between network intruders, Metasploit/Cobalt Strike specialists, and ransomware developers is only one of many partnerships that have recently emerged across the darkweb, and it will be covered in the following AdvIntel ransomware reports.