A shadow court system for hackers shows how professional ransomware gangs have become.
Cyber-criminals who have worked as affiliates with ransomware group Dark Side, responsible for the Colonial Pipeline attack, are having a tough time getting paid for their work now that the group has had its operations interrupted; so, they’re turning to admins of the group’s Dark Web criminal forum to sort things out in what researchers call a “shady version of the People’s Court.”
Ransomware-as-a-Service (RaaS)
Ransomware-as-a-service (RaaS) providers like Dark Side strike arrangements with various other cyber-criminals to provide malware for their campaigns in exchange for a percentage of the take & business is booming. Ransomware attacks have spiked by 350% since 2018.
“It should come as no surprise that RaaS groups literally treat their operations as a business – interviewing potential team members, establishing a work agreement & providing the tools to get the job done,” John Hammond, a Senior Security Researcher with Huntress, explained.
Lucrative
“Cyber-crime groups have to be selective & handpick members of their cohorts – they take their work seriously, & obviously it can be a lucrative gig.”
Huntress has been monitoring these cyber-criminals & watching them settle disputes among themselves. Specifically, Huntress has observed a growing number of complaints being submitted claiming Dark Side is in breach of the terms of its affiliate program. The claims are being settled among admins in a well-defined “hackers’ courtroom” & payments made by admins out of a Dark Side deposit they control.
The hackers’ court even refers to “plaintiffs” &“defendants,” Hammond added.
Hackers’ Court
“Cyber-crime has matured so much there is a strange ‘People’s Court’ to dispute claims & wrongdoings in the underground syndicate,” Hammond explained.
“If a scammer has been scammed, or a business agreement has turned sour, even a hacker can file a claim & have their time in front of a jury. There is no honour among thieves — but there is a “dark side” code of conduct. At least they have some ethical principles albeit a bit twisted guiding them.”
These darknet forums have provided RaaS providers with the infrastructure necessary to run mature, professional operations & sell their stolen data to the highest bidder. Ransomware tactics are becoming more potent, too.
Triple Extortion
Besides double extortion, where victims are threatened with losing access to their sensitive data, & also with having that data posted publicly, these ransomware gangs have decided to worsen matters with triple extortion. That means not only is the victim’s data encrypted & potentially publicly disclosed, but the ransomware operators go after the victim’s customers & partners, demanding payments from them as well.
All of these leaks, in addition to recruitment, stolen data sales etc., are run on these Dark Web forums & overseen by a strict administration structure.
Colonial Pipeline Attack
Huntress images, including the Dark Side forum access page, which references “the latest news” which likely refers to the Colonial Pipeline attack:
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined govt. & look for other our motives. Our goal is to make money, & not creating problems for society.”
They added a note at the bottom that “From today we introduce moderation & check each company that our partners want to encrypt to avoid social consequences in the future.”
Just Business – Among Criminals
“Reading public messages from the Dark Side or other RaaS networks can send a chill down your spine, but it demonstrates how cyber-crime has truly become an underground industry,” Hammond explained.
“Bad actors may cripple organisations, damage national security or disrupt critical services, but they see this at face value: Nothing more than a job that gets them paid.”
While these ransomware gangs have shown ‘no mercy’ to their victims — attacking hospitals, schools & disrupting the lives of everyday people — they have enough business sense to know they need basic mechanisms for recruitment & settling disputes. In many cases, doing a better job than their legitimate cyber-security counterparts.
Infosec Industry
“Every operation that happens in the infosec industry, from marketing & sales to customer service, has a ‘dark side’ counterpart,” Hammond stated. “A ‘customer’ comes forward with a ransomware complaint? There are staff members & support queues for that.
Want a good deal on getting your stolen information back? Just contact the ‘Sales Dept.’ — they can help. That 5-star service experience is something that many legitimate service providers are striving toward to this day.”
https://www.cybernewsgroup.co.uk/virtual-conference-june-2021/
