The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Ransomware hackers have a new worst enemy: themselves

Analysis by
October 12, 2022 at 7:58 a.m. EDT

Good morning! Scroll down to the bottom of this newsletter for a video depicting our feline overlords.

Below: U.S. regulators fine a cryptocurrency exchange over compliance issues including ransomware and dark web payments, and a judge says a former NSA employee should be detained before he goes on trial for trying to sell Russia classified documents. First:

Sometimes, ransomware hackers rat out their gangs

In a string of recent incidents, members of notorious ransomware gangs have leaked sensitive information. The incidents pose a major question for hacking groups: Who can you trust if you can’t trust your colleagues?

Take the case of the ransomware gang REvil in 2019. At the time, the group had hacked hundreds of dental offices and more than a dozen local governments in Texas. But when security researchers at cybersecurity firm McAfee (now known as Trellix) wrote about a REvil-affiliated hacker discussing their earnings, the researchers got an anonymous email from an insider annoyed at the group’s management.

The insider ultimately shared information on the group’s tactics, procedures and operations, Trellix head of threat intelligence and principal engineer John Fokker wrote in a blog post last month. He said the firm shared the data with law enforcement, which was “ecstatic” and said that the information was helpful for their investigations of REvil. 

  • Fokker declined to tell CyberScoop’s AJ Vicens which law enforcement agencies they worked with. But U.S. and European police have announced raids, charges and the seizure of cryptocurrency from REvil-linked hackers, Vicens reported.
  • The person initially asked for a financial reward, but Trellix doesn’t pay cybercriminals for information, Fokker wrote. The U.S. government, however, last year offered up to $10 million for information leading to the arrests of REvil leaders.

It's not shocking that someone willing to engage in criminal hacking activity might also be willing to turn on his compatriots if it might bring some advantage. The REvil insider is far from the only hacker who has posted or shared sensitive information on their colleagues out of apparent spite or resignation.

Last year, an apparently upset affiliate of the Conti ransomware gang — which months earlier hacked Ireland’s health-care system — leaked an internal training manual given to the group’s affiliates. 

And after the group quickly supported Russia’s invasion of Ukraine, an anonymous Twitter account leaked a trove of internal chats from within the group, giving outside observers unprecedented access into the inner workings of the group.

  • The person behind that hack told CNN that they were a Ukrainian researcher who had long had access to systems used by the group.
  • Around the same time, another Twitter account leaked internal messages from the Trickbot group, which has links to Conti. The researcher behind that leak also identified themself as Ukrainian, the Wall Street Journal reported.

Apparent insiders have also shared internal tools used by the Lockbit and Babuk ransomware gangs.

The leaks come amid a confluence of factors, experts say. Some of the large ransomware groups quickly made lots of money and didn’t treat their affiliates or contractors well, Recorded Future senior security architect Allan Liska told me. Ransomware groups have also made unpopular statements about geopolitical events and face pressure from U.S. and other law enforcement agencies, Liska said.

“You have all of these things happening all at once,” Liska said. “So it can be really dangerous to be a ransomware operator.”

Ransomware gangs also don’t have experienced managers, Liska said. “They're not like senior executives or seasoned operators or things like that,” he said. “These are people in their 20s and 30s that are running them and clearly have no concept of how to manage a large organization like this. Everyone [thinks] it's easy to be a manager. It really isn't.”

Ransomware groups are also vulnerable to infiltration, Emsisoft threat analyst Brett Callow said. “I'd be surprised if law enforcement hadn't infiltrated a number of groups,” he said. “I'd be equally surprised if cybersecurity researchers hadn't.”

Ransomware hackers can also give away key information without knowing it. This year, prosecutors announced charges against Venezuela-based cardiologist Moises Luis Zagala Gonzalez for allegedly distributing ransomware tools. Prosecutors were able to confirm that he was a previously anonymous cybercriminal after discovering that the email accounts and payment services he used were linked to his real-life contact information.

In another case, researchers found an Iranian ransomware hacker’s name listed as the creator of a ransom note.

Some ransomware operators think that they’re untouchable and don’t have to take precautions to keep themselves completely anonymous, Liska said.

“Maybe there is something we can do in terms of arrests or things like that, but absolutely they can be exposed,” Liska said. “And I think that does have some value to it.”

The keys

U.S. authorities fine crypto exchange over ransomware, dark web payments and sanctions violations

Virtual cryptocurrency exchange Bittrex will pay around $29 million to settle allegations that it broke U.S. money laundering and sanctions laws, CyberScoop’s Tonya Riley reports. U.S. officials said the enforcement actions against the exchange, which is based in Bellevue, Wash., are a warning to cryptocurrency firms that don’t have strong compliance programs.

“An investigation by Treasury’s Office of Foreign Assets Control and Financial Crimes Enforcement Network, or FinCEN, found that Bittrex repeatedly failed to identify thousands of prohibited transactions, including direct transactions with dark web marketplaces such as AlphaBay, Agora and Silk Road,” Tonya writes. “The company also failed to detect and investigate transactions connected to ransomware attacks against individuals and small businesses in the U.S.”

Former NSA employee accused of trying to sell documents to Russia is ordered detained before trial

Magistrate Judge S. Kato Crews said Jareh Dalke is a flight risk because of the charges he’s facing and apparent sympathies for Russia, the Associated Press’s Colleen Slevin reports. Dalke, a former National Security Agency information systems security designer, has been charged with six counts of trying to send classified defense documents to Russia. An undercover FBI agent was actually communicating with him, though.

  • Dalke is accused of sending documents about planned cryptographic updates, information on U.S. defenses and details about a foreign government’s military capabilities to the undercover agent.
  • The penalties for the charges vary, with the maximums including life in prison and the death penalty. Prosecutors have reportedly said they likely won't seek the death penalty if he's convicted.

Prosecutors say they don’t know if Dalke, who pleaded not guilty, took or memorized additional documents. They also argued that he’d be motivated to sell more secret documents if he were released.

Dozens of representatives will meet at the White House next week to discuss cybersecurity labeling

The Oct. 19 workshop comes ahead of the expected launch of the program next spring, CyberScoop’s Suzanne Smalley reports. The White House released a brief description of the program in a Tuesday fact sheet.

  • The administration will be “starting with some of the most common, and often most at-risk, technologies — routers and home cameras — to deliver the most impact, most quickly,” the document said.

“The White House hopes the program will reward companies that invest in cybersecurity while also helping consumers find safer products,” Smalley writes. It's using the Environmental Protection Agency and Department of Energy's Energy Star program as a model, a senior administration official told CyberScoop. The official told the outlet that the ratings could be based on the frequency of updates for software vulnerabilities or whether devices require passwords before connecting to the internet. 

Privacy patch

Tour Amazon’s dream home, where every appliance is also a spy (Geoffrey A. Fowler)

Global cyberspace

Hacks in Australia spur call for review of data retention laws (Bloomberg News)

Young people using TikTok is no problem, GCHQ chief says (The Guardian)

Greek spyware inquiry ends in stalemate (Politico Europe)

Cyber insecurity

Solana-based decentralized finance platform Mango hit by potential $100 million exploit (CoinDesk)

Daybook

  • The FS-ISAC holds its FinCyber Today summit in Scottsdale, Ariz., through today.
  • National security adviser Jake Sullivan speaks at an event hosted by the Center for a New American Security and Georgetown University’s Walsh School of Foreign Service today at 2 p.m.
  • Deputy national security adviser Anne Neuberger, Rep. John Katko (R-N.Y.) and Google Cloud global director of risk and compliance Jeanette Manfra discuss cybersecurity at a Washington Post Live event on Thursday at 9 a.m.
  • The Atlantic Council hosts an event on a new transatlantic data privacy framework on Monday at 10 a.m.
  • Emily Goldman, a strategist at U.S. Cyber Command, discusses cyberspace strategy at a Heritage Foundation event on Monday at noon.
  • The Carnegie Endowment for International Peace holds an event on Russian information warfare on Monday at 2 p.m.
  • CISA Director Jen Easterly, NSA Cybersecurity Director Rob Joyce and top Ukrainian cybersecurity official Viktor Zhora speak at Mandiant’s mWISE conference starting Tuesday.

Secure log off

Thanks for reading. See you tomorrow.