Though it happens rarely, it's always a good day when a ransomware group is taken down by law enforcement.
Singapore-based Group-IB celebrated its 20th anniversary in the cybersecurity industry this year, and during this time its researchers have broken into an array of ransomware groups and their affiliates.
Before the authorities got their hands on Hive at the start of this year, Group-IB's researchers were inside as early as 2021, tricking their affiliates into accepting them, learning how they operated, and ultimately gathering the kind of information usually reserved for insiders only.
Group-IB's threat intelligence team spoke to The Register about how they're able to consistently break into cybercriminals' ranks and the vast work that goes into each operation.
The initial infiltration, Group-IB says, can be broken down into four key stages, all connected by the common theme of gathering as much information about the ransomware-as-a-service group as possible.
All of this sets up the researchers for the later stages of the intrusion. A deep understanding of how the criminals operate proves especially useful during the interview if the target group has a particularly stringent vetting process, though this isn't always the case.
Some groups will spend time assessing each candidate for their RaaS program, including their technical expertise and grasp of specific terms, while others will simply grant access to an affiliate program seemingly with little to no thought.
It's generally understood, by the good guys and the bad, that the cybercrime underworld is teeming with researchers trying to unearth secrets from ransomware groups, and as a result it's becoming a vastly more difficult feat to infiltrate them.
Getting to the interview stage is the next step in the intrusion, and it is where the quality of the research into the group will determine the success of the operation.
RaaS managers will quiz potential affiliates on the ransomware landscape generally, and how other groups operate, discussing unconventional tactics, techniques, and procedures, the researchers say.
They'll also ask about the candidate's own experience in attacking organizations - light work for researchers whose job it is to analyze exactly how attacks unfold day in, day out.
Just like any other employer, RaaS groups will also do their due diligence as regards a candidate's character, as well as their capability.
The team isn't willing to discuss with us the specifics of how to make an account seem genuine, for fear of jeopardizing future intrusion attempts.
Unlike Brad Pitt's Basterds in Tarantino's masterpiece of a Nazi tavern scene, the researchers understand that native speakers can flush out a foreigner with ease.
Predictably, a candidate will also be expected to demonstrate their technical understanding of how to carry out an attack, including their knowledge of the different tools they use.
During previous infiltrations, the Group-IB team has published various revelations about the world's top ransomware gangs.
The farnetwork case revealed the group's payment structure and policy around initial intrusions into victims' networks.
The Qilin operation also revealed a lucrative payment structure, as well as an inside look at how affiliates build their custom ransomware payload using the group's builder.
Researchers who can't ever fully earn the trust of criminals by becoming one of them will never secure the long-term access to a RaaS group that's required to understand how it operates on a deep level.
They really do go after anyone, they say - any group of interest to their customers and that the industry needs to understand more deeply is a target for the team's infiltrators.
This Cyber News was published on go.theregister.com. Publication date: Fri, 22 Dec 2023 16:13:24 +0000