Dark Web Insider Archives - Flare | Cyber Threat Intel | Digital Risk Protection
https://flare.io/learn/resources/blog/tag/dark-web-insider/
Tue, 25 Mar 2025 19:09:41 +0000

Deciphering Black Basta’s Infrastructure from the Chat Leak
https://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-leak/
Thu, 06 Mar 2025 14:47:16 +0000

This article originally appeared on Cybercrime Diaries.

On February 20, 2025, the cybersecurity community received an unexpected stroke of luck as internal strife seemingly spread within the infamous Black Basta ransomware group. On that day, an unknown individual using the alias ExploitWhispers released a file on Telegram, allegedly containing the group’s internal chat logs. The file was a JSON dataset comprising 196,045 messages from a Matrix/Element chat, primarily in Russian, spanning from September 18, 2023, to September 28, 2024.

While the true identity of the leaker and their actual motives remain unknown, ExploitWhispers accused Black Basta of crossing a red line by targeting Russian banks. A preliminary analysis suggests that most, if not all, of the leaked data appears legitimate. However, the possibility of data manipulation cannot be entirely ruled out.

Black Basta is a ransomware-as-a-service (RaaS) group that emerged in April 2022 and has since attacked over 500 organizations worldwide across various sectors, including healthcare, manufacturing, and utilities. Notable victims include Ascension, Dish Network, Maple Leaf Foods, BT Group, and Rheinmetall. According to estimates published by The Record in November 2023, the group had received over 100 million dollars in ransom payments by that date. However, since January 2025 no new victims have been reported and the group’s leak site is presently down, suggesting that an internal conflict could have shaken up the group.

Figure 1: Ransomware victims per country for Black Basta (Source: Ransomware.live)

Back in 2022, this RaaS was founded by Conti Team 3, also known as Tramp’s team, which remained in control of the group during the period covered by the leak. In the leaked chat, Tramp appears under the aliases gg and aa. An investigation by LeMagIT, supported by external sources, confirmed that the likely real identity of this threat actor is Oleg Nefedov, a Russian citizen originally from Yoshkar-Ola.

While extensive research has already been published, providing insights into who Nefedov is and which vulnerabilities the group exploited, this short blog focuses on Black Basta’s internal organization. Additionally, this will offer a glimpse into how and where the group hosted and obfuscated its leak site and C2 servers.

Key Observations from the Leak and Available Information

  • The true identity of the group’s leader, Tramp (aka gg), is possibly Oleg Nefedov, a 35-year-old Russian citizen from Yoshkar-Ola, who is officially known as a successful entrepreneur, but claims to be protected by powerful friends allowing him to pursue his malicious endeavors. 
  • Black Basta operates as a highly structured and hierarchical organization, with at least two offices, likely located in Moscow or its outskirts.
    • Group members have several different specializations focusing on areas such as infrastructure management, initial access, malware and C2 obfuscation, development, and negotiations.
    • A key distinction existed between threat actors who were employees of the group—working under Tramp’s direct and strict supervision in office settings—and more independent operatives, known as pentesters or affiliates, working online.
    • These independent affiliates were often Tramp’s former associates from other illicit operations, such as Conti RaaS or banking trojans. They operate within their own teams, using distinct tools, methods, and internal hierarchies. This division sometimes leads to tensions between them and Black Basta’s core management.
    • The group periodically changes Matrix servers for OPSEC reasons. In September 2024, Tramp decided to migrate to a new server. This can also be explained by Tramp’s brief arrest, which almost resulted in extradition from Armenia during a vacation trip in June 2024.
  • Black Basta members are active on major Russian-language cybercrime forums such as XSS, Exploit, and RAMP, where they purchase services from other threat actors. These services include crypting (payload obfuscation), hosting, spam campaigns, exploits, and initial access to compromised networks.
  • The group’s leak site, admin panel, and C2 servers were primarily hosted on legitimate providers such as Hetzner, but these were acquired through third-party resellers that specialized in server rentals and accepted cryptocurrency payments.
    • Infrastructure obfuscation appeared to be a more viable strategy than relying on bulletproof hosting. However, bulletproof hosting services, such as Gerry, were used for deploying abuse-resistant C2 servers for Cobalt Strike and for fast-flux capabilities, which helped conceal the real IP addresses of domains.
  • Overall, the leak of this chat underscored once again that a substantial part of cybercriminal activity takes place outside forums or public chats, with the latter being just the tip of the iceberg.

Black Basta’s Organization and Internal Hierarchy

A statistical analysis of the leaked data provided valuable insight into the group’s hierarchy. The most active user—by far—was the leader, Tramp, also known as “gg” (@usernamegg in the Figure 2 below). He was responsible for coordinating other members, developing new methods for obtaining initial access, participating in attacks, handling negotiations, and maintaining strict control over his employees. He enforced this control by personally visiting both offices where they operated.

Lapa is the second most active user. He can be described as a senior “pentester” who seemingly knew Tramp before joining the chat in September 2023. The majority of messages from this user related to access to victims’ corporate networks. There are also active external pentesters such as “w.”

Figure 2: Black Basta members by number of messages (Source: Flare)

The periods of activity and the nature of the messages themselves indicate that the group had specifically defined and organized vacation periods, such as January and June 2024, when almost all activity stopped.

Figure 3: Messages per Week on Black Basta (Source: Flare)

Another notable observation was the distinct structure of the usernames present in the chat. Usernames composed of the word “username” followed by two letters—such as “gg” (aka Tramp), “ww”, “tt”, or “ss”—and hosted on the bestflowers247.online Matrix server appeared to belong to Black Basta’s core members (example: @usernamegg:bestflowers247.online). These threat actors were directly managed by Tramp, who also provided them with their Matrix accounts.

This structure clearly distinguished them from other members of the chat, who used their own Matrix servers, had different username formats, and operated more independently. These independent actors, who can in fact be considered affiliates, often referred to their own teams and to other threat actors who were not part of the chat.

This differentiation is also highlighted in the graph below, where it can be seen that core members remained active for a much longer period than external ones. However, some noticeable discrepancies suggest that the data might be incomplete or that certain core members were simply dismissed in June 2024.

For instance, no disputes or conflicts were recorded for core members such as “ww”, “mm”, “zz”, or “cc”, yet their messages abruptly stopped in June 2024. This points to two possibilities: the dataset is incomplete, or these members moved to another communication channel.

Figure 4: Black Basta members and their first and last messages (Source: Flare)
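The tallies behind Figures 2 to 4 (messages per sender, messages per week, first and last message) and the core-versus-affiliate split by username pattern are simple enough to reproduce over any Matrix chat export. The script below is an added example and not Flare’s code: the page says the leak was a JSON dataset of Matrix/Element messages but does not give its field names, so the records here are constructed samples with assumed keys `sender`, `timestamp` (ISO 8601) and `body`, and the affiliate homeserver name is invented. The core-member rule is the one the text describes: a localpart of `username` plus two letters on the `bestflowers247.online` homeserver.

```python
"""Per-sender activity and core/affiliate classification over a Matrix chat export.
Added example, not Flare's code; records and the affiliate homeserver are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime

CORE_HOMESERVER = "bestflowers247.online"          # from the page
MXID_RE = re.compile(r"^@(?P<local>[^:]+):(?P<server>.+)$")   # Matrix ID: @localpart:server
CORE_LOCAL_RE = re.compile(r"^username[a-z]{2}$")   # "username" + two letters, e.g. usernamegg

# Constructed sample chat (assumed schema: sender, timestamp, body). Not from the leak.
SAMPLE_CHAT_JSON = json.dumps([
    {"sender": "@usernamegg:bestflowers247.online", "timestamp": "2023-09-18T10:00:00", "body": "..."},
    {"sender": "@usernamegg:bestflowers247.online", "timestamp": "2024-09-20T08:30:00", "body": "..."},
    {"sender": "@usernamegg:bestflowers247.online", "timestamp": "2024-03-01T12:00:00", "body": "..."},
    {"sender": "@usernameww:bestflowers247.online", "timestamp": "2023-10-02T09:00:00", "body": "..."},
    {"sender": "@usernameww:bestflowers247.online", "timestamp": "2024-06-10T17:45:00", "body": "..."},
    {"sender": "@lapa:example-affiliate.invalid", "timestamp": "2023-09-25T11:00:00", "body": "..."},
    {"sender": "@lapa:example-affiliate.invalid", "timestamp": "2024-01-15T14:00:00", "body": "..."},
    {"sender": "@lapa:example-affiliate.invalid", "timestamp": "2024-08-01T14:00:00", "body": "..."},
    {"sender": "@lapa:example-affiliate.invalid", "timestamp": "2024-09-01T14:00:00", "body": "..."},
])


def classify(sender: str) -> str:
    """'core' if the ID follows the @usernameXX:bestflowers247.online pattern, else 'affiliate'."""
    m = MXID_RE.match(sender)
    if not m:
        return "unknown"
    if m.group("server") == CORE_HOMESERVER and CORE_LOCAL_RE.match(m.group("local")):
        return "core"
    return "affiliate"


def activity_summary(chat_json: str) -> dict:
    """{sender: {role, messages, first, last, active_days}}, most active sender first (Figures 2 and 4)."""
    stats = {}
    for msg in json.loads(chat_json):
        ts = datetime.fromisoformat(msg["timestamp"])
        s = stats.setdefault(msg["sender"],
                             {"role": classify(msg["sender"]), "messages": 0, "first": ts, "last": ts})
        s["messages"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in stats.values():
        s["active_days"] = (s["last"] - s["first"]).days
    return dict(sorted(stats.items(), key=lambda kv: kv[1]["messages"], reverse=True))


def messages_per_week(chat_json: str) -> dict:
    """ISO week -> message count (the series behind Figure 3; empty weeks reveal inactivity)."""
    counts = defaultdict(int)
    for msg in json.loads(chat_json):
        year, week, _ = datetime.fromisoformat(msg["timestamp"]).isocalendar()
        counts[f"{year}-W{week:02d}"] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for sender, s in activity_summary(SAMPLE_CHAT_JSON).items():
        print(f"{sender:40} {s['role']:9} {s['messages']:3} msgs  "
              f"{s['first'].date()} -> {s['last'].date()} ({s['active_days']} days)")
    print(messages_per_week(SAMPLE_CHAT_JSON))
```

On the real dataset, a week series with holes (as in Figure 3) and a core member whose `last` timestamp stops in June 2024 while others continue (as in Figure 4) are the signals the text interprets as vacation periods and dismissals or a channel move.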

Analysis of the various exchanges between members in the chat led to deciphering their main roles and specializations within Black Basta. As shown in the graph below—and accessible through the provided link—the group could be divided into the following specialties:

  • Leadership and management: Led by gg, also known as Tramp.
  • Infrastructure management, servers, and hosting payments: Handled by yy, also known as bio.
  • Internal pentesters and support: A group working directly under Tramp’s command from two offices. These members were strictly monitored, often asking for his permission even to step away from their computers for a few minutes. Notable members included nn, ww, zz, and others.
  • External affiliates: More independent and experienced, often operating with their own teams. They were particularly active in obtaining initial access and conducting social engineering attacks. For instance, Kortez was frequently mentioned as the leader of another malicious group working alongside blood, adm, nickolas, and u123.
  • Coders and programmers: Mostly seasoned malware developers such as n3auxaxl, also known as mekor, and chuk. They were responsible for developing new malware, including the group’s Pikabot, which consisted of a downloader/installer, a loader, and a core backdoor component. Black Basta occasionally hired additional coders, though this appeared to be one of the hardest roles to fill.
  • Crypting and obfuscation specialists: Primarily a small group of two individuals. One notable figure was muaddib6, also known as Bentley, who may have been the infamous Russian threat actor Vitaly Kovalev.
  • Social engineering experts: Specialized in gaining initial access by targeting high-value companies. They used tactics such as impersonating IT support personnel, calling employees, and convincing them to install AnyDesk to deploy malware.
  • Brute-force and password de-hashing specialists: At least two threat actors focused specifically on these techniques.

Black Basta’s Internal Structure

Figure 5: Black Basta’s Internal Structure (Source: Flare)

Black Basta’s Infrastructure: Hosted in Germany and Obfuscated

Thanks to this preliminary work, which helped identify the main specialization of each threat actor active in the chat, it became easier to determine where to look for specific information, such as details about the group’s infrastructure.

According to the previous paragraphs and Figure 5, the threat actor yy, also known as bio, was responsible for Black Basta’s hosting, websites, and penetration testing servers.

As illustrated in Figure 6 below and in the graph available here, the group’s most critical servers were likely purchased from VPSKot, a company accepting cryptocurrency payments and reselling servers from legitimate hosting providers unaware of their real customers. One such provider was the German company Hetzner, where Black Basta hosted its Onion websites like the administrative panel, blog, and Element/Matrix chat service in September 2023.

Black Basta’s Key Servers in September 2023

Figure 6: Black Basta’s Key Servers (Source: Flare)

The examination of yy’s messages from November 2023 also gives an interesting glimpse into how Black Basta deployed Cobalt Strike on servers and obfuscated them behind proxies. Cobalt Strike is a post-exploitation framework commonly used by red teams and cybercriminals to establish command and control, move laterally within networks, and execute malicious payloads.

The group seemingly used bulletproof hosting (BPH), but only marginally, mainly preferring to acquire many servers from “grey” and offshore hosting companies in order to rotate their servers and obfuscate their sensitive infrastructure. One BPH that was still mentioned multiple times in the leak, referred to as “the Abkhaz hosting”, was a service advertised by the threat actor “gerry”, one of the most prominent illicit hosting providers presently active on Russian-language cybercrime forums.

Black Basta’s Cobalt Strike Servers and Proxies in November 2023

Figure 7: Black Basta’s Cobalt Strike servers and proxies (Source: Flare)

Final Thoughts on the Black Basta Leak: A Treasure Trove to Explore

This blog offers just a glimpse into the valuable information that can be extracted and analyzed from this leak. It contains numerous threat actor handles, illicit services from cybercrime forums, contact details, cryptocurrency addresses, and identified vulnerabilities. One particularly interesting investigative approach could be leveraging these indicators to track threat actor accounts across forums, potentially uncovering their real identities. For example, searching the Flare platform for the TOX IDs of threat actors mentioned in the leak identified several of their accounts on cybercrime forums.

Figure 8: Black Basta threat actors found in Flare (Source: Flare)

Figure 9: Examples of threat actors selling various services on Exploit that were mentioned in the leak

Dig Further into Cybercrime with Flare Academy

Interested in following more cybercrime research? Flare Academy’s training sessions are led by cybersecurity researchers; check out the upcoming sessions here.

We also offer the Flare Academy Discord Community, where you can connect with peers and access training resources from the Flare Academy training.

Can’t wait to see you there!


Sources

“Black Basta – Chat Viewer,” February 2025. https://ransomware-leaks.com/.

Garrity, Patrick. “Exposing CVEs from Black Bastas’ Chats.” VulnCheck, February 24, 2025. https://vulncheck.com/blog/black-basta-chats.

Ransomwarelive. “Black Basta – Ransomware.Live 👀,” March 5, 2025. https://www.ransomware.live.

Rieß-Marchive, Valéry. “Ransomware : de REvil à Black Basta, que sait-on de Tramp ?” LeMagIT, March 1, 2025. https://www.lemagit.fr/actualites/366619807/Ransomware-de-REvil-a-Black-Basta-que-sait-on-de-Tramp.

Townsend, Kevin. “Black Basta Leak Offers Glimpse Into Group’s Inner Workings.” SecurityWeek, March 3, 2025. https://www.securityweek.com/black-basta-leak-offers-glimpse-into-groups-inner-workings/.

PowerSchool Hack; Takedowns and Arrests and Leaks, Oh My!; and ITRC Breach Report Findings
https://flare.io/learn/resources/blog/powerschool-hack-takedowns-and-arrests-and-leaks-oh-my-and-itrc-breach-report-findings/
Wed, 05 Mar 2025 20:34:41 +0000

There have been quite a few hacks, takedowns, arrests and leaks, plus insights from the Identity Theft Resource Center (ITRC) 2024 Breach Report.

Dive into the most pressing recent stories on data leaks, cybercrime, and the dark web with security researcher Nick Ascoli on the podcast Leaky Weekly.

On this episode of Leaky Weekly, Nick covers:

  • PowerSchool hack
  • Cracked & Nulled takedowns and arrests
  • Otelier data leak
  • ITRC 2024 Breach Report findings
  • DeepSeek data leak

Tune in to the podcast on Spotify or Apple Podcasts, watch the video episode on YouTube, or keep reading this article for the highlights.

These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments next time.

PowerSchool Hack

PowerSchool, a popular student information system used by roughly 16,000 customers that serve 50 million students, was hacked using a stolen credential, exposing student data. Currently the leading narrative appears to be that stolen credentials for an account without 2FA enabled were available on the dark web and were used to log in to this portal.

Schools use this software to track information about students including their:

  • Name
  • Birthday
  • Address
  • Parents and legal guardians

Some districts also track:

  • Social security numbers
  • Health records
  • Disciplinary records

This represents the largest leak that impacts children under the age of 18 in the United States. 

PowerSchool paid the threat actor to delete the data, which is a common practice with extortion groups. The threat actors behind the Snowflake tenant campaign also extorted victim organizations this way.

On Paying Threat Actors to Delete Data…

Extortion groups’ campaigns have been getting more coverage in the news. Victim organizations may pay the fee for threat actors to delete their stolen data (and to not release it), but there is no guarantee of this happening.

In a prominent recent example, the threat actor Waifu extorted AT&T out of over $370,000 to delete the data, which he sent a video of himself doing. However, it was well-known that he was exchanging this data with other threat actors, including making the download link public at one point.

It is possible that extortion groups have only one copy of the data and delete it when asked, but it’s safer to assume that a few other people have this data, at the very least within the extortion group itself. 

With the PowerSchool hack, the threat actor has not released the data, at least not publicly: it has not made its way onto major hacking forums or cybercrime groups.

Cracked and Nulled Takedowns and Arrests

Europol and the U.S. Department of Justice announced that “Operation Talent” was responsible for the takedown of Cracked and Nulled, two major hacking forums.

The operation by the numbers (according to law enforcement):

  • Two arrests (in Spain)
  • Seven properties searched 
  • 17 servers and more than 50 electronic devices were taken into evidence
  • Roughly $310,000 in cash and crypto was found

Keep reading for an explanation of what sites were taken down and what they did.

Cracked 

Cracked is a hacking forum that has been around since 2018, a popular place for combolists, hacking tools, and people advertising services. Cracked had about four million users and was estimated to generate $4 million in revenue by itself, not counting the many transactions it facilitated.

Nulled

Nulled has been around a bit longer, since around 2016. It had about five million users and was estimated to generate an annual revenue of about $1 million.

The English-speaking and Russian-speaking cybercrime communities are the ones mostly covered in the U.S. and EU. They include about 100 cybercrime forums, of which only a handful have substantial user bases and traffic, and thus get stories covered in the news. Cracked and Nulled were both part of that handful.

Sellix and MySellix

Cracked, StarkRDP and RDP.sh used Sellix as a payment processor, and it’s well known that the original founder of Cracked was also the founder of Sellix.

Interestingly, one of Sellix’s domains that was not seized, Sellix.com, currently carries an official statement on Operation Talent, clarifying that Sellix was not aware of any specific illegal transactions through its platform in connection with Cracked. With that said, the founder of Cracked co-founded Sellix.

StarkRDP and RDP.sh

Both StarkRDP and RDP.sh were heavily advertised on Cracked and Nulled as a place to rent virtual servers. 

Otelier Data Leak

Otelier is a popular hotel management platform used by major global hotel chains at more than 10,000 hotels. A threat actor accessed Otelier’s AWS instance from July to October 2024, and attackers claimed to have stolen about eight terabytes of data from their S3. 

This leak continues the disturbing trend covered on this show of low-effort extortion that works: extortion groups steal credentials without ransomware, custom tools, or malware development. As IBM X-Force’s 2024 Threat Intelligence Report stated, “In this era, the focus has shifted to logging in rather than hacking in.”

Much like the PowerSchool hack, the root cause of the leak according to Otelier is a stolen employee credential. The vast majority of leaks are rooted in either stolen credentials on sale on the dark web or credentials taken from a stealer log.

DeepSeek Data Leak

DeepSeek accidentally exposed an internal ClickHouse database to the public. ClickHouse is a popular open source database software, and lots of organizations like eBay and Uber use it for ingesting large amounts of user activity logs from their platform activity to search for anomalies, analyze user behaviors, and train machine learning models over massive data sets. 

In this public and unauthenticated database was over a million lines of log streams containing:

  • Chat history
  • Secret keys
  • Backend details
  • And other highly sensitive information

There were several tables, and according to Wiz, the log streams were the most interesting. What they did was: 

Active and passive DNS enumeration to find subdomains. Then they queried for open ports other than the expected standard web ports, 80 and 443. Two open ports caught their eye: 8123 and 9000. They accessed the 8123 host, which was the HTTP interface for ClickHouse, and ran the SHOW TABLES command. They saw the log_stream table in the list, ran SELECT * FROM log_stream, and BOOM: they had raw logs from tons of DeepSeek services, including:

  • Their API backend
  • Chat backend that had chat logs
  • Platform backend
  • Usage checker
  • and probably more, but they don’t list them

Within these logs were columns such as:

  • Timestamp: the timestamp of the log; they found logs dating back to January 6th, 2025
  • span_name: which referenced internal DeepSeek API endpoints
  • _service: which indicated which DeepSeek service generated the log
  • strings.values: plaintext logs with chat history, API keys, backend details, and operational metadata
  • _source: which exposed the origin of the log requests, and also contained chat history, API keys, directory structure, and chatbot metadata logs
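What Wiz found is a server-side configuration failure: ClickHouse listening on every interface with its default user requiring no password and accepting connections from any network. The script below is an added example, not Wiz’s or DeepSeek’s code, that audits a ClickHouse `config.xml` and `users.xml` pair for exactly that combination. The two weak and two hardened XML documents are constructed samples laid out like ClickHouse’s own files (element names `listen_host`, `http_port`, `tcp_port`, `users/<name>/password`, `password_sha256_hex`, `networks/ip`); the SHA-256 value in the hardened file is a placeholder, and treating a missing `networks` element as unrestricted is a conservative assumption of this checker.

```python
"""Audit ClickHouse config.xml + users.xml for the exposure pattern above:
interfaces bound on all addresses + default user with no password + no network restriction.
Added example, not Wiz's or DeepSeek's code; the XML documents are constructed samples."""
import xml.etree.ElementTree as ET

WEAK_CONFIG_XML = """<clickhouse>
  <listen_host>0.0.0.0</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""

WEAK_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <profile>default</profile>
    </default>
  </users>
</clickhouse>"""

HARDENED_CONFIG_XML = """<clickhouse>
  <listen_host>127.0.0.1</listen_host>
  <http_port>8123</http_port>
  <tcp_port>9000</tcp_port>
</clickhouse>"""

# password_sha256_hex value is a placeholder, not a real hash
HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>PLACEHOLDER_SHA256_OF_STRONG_PASSWORD</password_sha256_hex>
      <networks><ip>10.0.0.0/8</ip></networks>
      <profile>default</profile>
    </default>
  </users>
</clickhouse>"""

WILDCARD_HOSTS = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}   # listen_host values meaning "every interface"
WILDCARD_NETS = {"::/0", "0.0.0.0/0"}                   # networks/ip values meaning "from anywhere"
SECRET_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")


def audit_clickhouse(config_xml: str, users_xml: str) -> list:
    """Return a list of finding strings; an empty list means the pattern was not found."""
    findings = []
    cfg = ET.fromstring(config_xml)
    listen = [e.text.strip() for e in cfg.findall("listen_host") if e.text]
    public_listen = any(h in WILDCARD_HOSTS for h in listen)
    http_port = (cfg.findtext("http_port") or "8123").strip()
    tcp_port = (cfg.findtext("tcp_port") or "9000").strip()
    if public_listen:
        findings.append(f"listen_host {listen} exposes the HTTP interface ({http_port}) "
                        f"and native interface ({tcp_port}) on all addresses")

    users = ET.fromstring(users_xml).find("users")
    for user in (users if users is not None else []):
        has_secret = any((user.findtext(tag) or "").strip() for tag in SECRET_TAGS)
        nets = [ip.text.strip() for ip in user.findall("networks/ip") if ip.text]
        # Assumption of this checker: no <networks> element is treated as unrestricted.
        open_net = not nets or any(n in WILDCARD_NETS for n in nets)
        if not has_secret:
            findings.append(f"user '{user.tag}' has no password")
        if open_net:
            findings.append(f"user '{user.tag}' accepts connections from any network "
                            f"({nets or 'no networks element'})")
        if public_listen and not has_secret and open_net:
            findings.append(f"CRITICAL: unauthenticated '{user.tag}' is reachable from outside; "
                            f"SHOW TABLES / SELECT work against every database")
    return findings


if __name__ == "__main__":
    print("weak:", *audit_clickhouse(WEAK_CONFIG_XML, WEAK_USERS_XML), sep="\n  ")
    print("hardened:", audit_clickhouse(HARDENED_CONFIG_XML, HARDENED_USERS_XML))
```

The three conditions are reported separately because each one alone is worth fixing; the CRITICAL line fires only when all three coincide, which is the state that lets an unauthenticated client enumerate tables the way the article describes.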

ITRC 2024 Breach Report Findings

The ITRC (Identity Theft Resource Center) has published its 2024 Breach Report, listing the top five compromises by victim count, measured by the notifications sent to victims:

  1. Ticketmaster Entertainment, LLC (560 million victim notices)
  2. Advance Auto Parts, Inc. (380 million notices)
  3. Change Healthcare (190 million notices)
  4. DemandScience by Pure Incubation (121.8 million notices)
  5. AT&T (110 million victim notices)

Something to note: three of these five breaches come from one campaign targeting Snowflake accounts that did not have two-factor authentication configured. (This is not Snowflake’s fault, as its customers are responsible for their own authentication settings.)

The Snowflake campaign impacted over 160 companies, with three of them evidently among the largest data breaches of the year, so that’s a wild scale.

Leaky Weekly and Flare Academy

Leaky Weekly is brought to you by Flare, the world’s easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes.

Flare now offers Flare Academy, which can elevate your cybersecurity career. Our (free!) training series are led by experts and cover critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications.

Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick!), and more.

The Underground’s Favorite Messenger: Telegram’s Reign Continues
https://flare.io/learn/resources/blog/the-undergrounds-favorite-messenger-telegrams-reign-continues/
Thu, 27 Feb 2025 11:45:02 +0000

The data and visualizations presented on this webpage are based on information collected from January 2024 to January 2025. These graphs are static and do not reflect real-time updates or recent developments. Any trends, insights, or conclusions should be interpreted with this timeframe in mind.

Executive Summary

  • Telegram remains the dominant messaging platform in the cybercriminal underground, despite recent events and concerns about security.
  • Increased cooperation between Telegram and law enforcement has prompted discussions about alternative platforms, with Signal showing the most significant growth.
  • Other messaging apps like Discord, TOX, Matrix, and Session play niche roles, often tied to specific cybercriminal activities or communities.
  • Many threat actors use multiple messaging apps to ensure accessibility and redundancy in their communications.
  • Flare’s data lake analysis shows a correlation between messaging app choice and cybercriminal user types; for example, Discord is often used by low-level or young threat actors, while TOX is favored by OPSEC-focused and ransomware cybercriminals.
  • The collection of contacts shared by threat actors on cybercriminal communities allowed Flare to automatically identify other handles that they may use on different forums by correlating the contacts.

Communicating in the Cybercriminal Underground - A Key Necessity for Threat Actors

Engaging in illegal activities within the cybercriminal ecosystem while maintaining anonymity and operational security presents a significant challenge for threat actors. Regardless of their level of technical expertise or the nature of their actions, one of malicious actors’ primary concerns is securing communications to avoid deanonymization and to avoid becoming targets of rival groups or law enforcement.

At the same time, being easily reachable is equally important, as cybercriminals must maintain efficient and reliable channels to coordinate operations, recruit new members, and conduct illicit transactions. As a result, the balance between security and accessibility varies depending on the type of activity and the threat actor’s level of OPSEC awareness, with some prioritizing ease of communication for quick coordination while others emphasize stricter security measures to minimize exposure.

Given these constraints, cybercriminals often resort to exchanging sensitive information outside of forums, relying on messaging platforms such as Telegram, Discord, Signal, Tox, Jabber, Matrix, or Session to evade forum administrators’ surveillance or to mitigate the fallout of potential database leaks [1].

For several years, Telegram has not only served as a communication tool widely praised by threat actors but has also evolved into a cybercriminal ecosystem of its own, emerging as a serious alternative to traditional cybercriminal forums. Telegram is free, and valued for its user-friendly interface, API, bot deployment capabilities, support for up to 200,000 members in a group, and the ability to share files up to 4GB in size. Nevertheless, concerns persist regarding its security. The platform does not enforce automatic encryption for all communications, and its encryption mechanism remains opaque, lacking independent expert review [2]. Rumors about the presence of its key developers in Russia have also raised alarms among the most security-conscious members of the cybercriminal community.

Eventually, the arrest of Telegram’s CEO and founder, Pavel Durov, in France on August 25, 2024 [3], followed by the platform’s announcement of increased cooperation with law enforcement on September 23, 2024 [4] – along with the practical enforcement of this policy through the disclosure of cybercriminals’ IP addresses and phone numbers in January 2025 [5] – sparked concern within the cybercriminal ecosystem (see Figure 1). Some threat actors started to discuss the idea of abandoning this platform or at least improving their OPSEC (see Figure 2).

Figure 1: Mentions of the arrest of Pavel Durov on major cybercriminal forums and Telegram channels between August and October 2024 (daily results). Source: Flare.io.

Figure 2: In October 2024, threat actors on the XSS forum voiced concerns about Telegram’s new cooperation policy with law enforcement and speculated about which messaging platform might replace it. Machine translated.

However, old habits die hard. The transition away from a tool that is convenient, well-integrated into existing workflows, and broadly used within the cybercriminal ecosystem is not straightforward. Telegram is far from the first messaging service to face turbulence in this sphere, yet history shows that such disruptions did not lead to an immediate or complete shift away from an established platform.

Indeed, in May 2023 a small tremor shook the Russian-language cybercriminal forum XSS, when the threat actor “nightly” announced that he was selling a remote code execution vulnerability and an exploit affecting the qTOX 1.17.6 messenger for 20 Bitcoins (around $550,000 at the time of the offer). The threat actor shared a proof-of-concept video (see Figure 3) in which he claimed to be able to retrieve a user’s IP upon acceptance of a new contact [6]. The vulnerability was allegedly sold in less than a day and caused considerable alarm among qTOX users on XSS – predominantly malicious actors involved in ransomware activities. The alleged sale of this exploit deeply worried the Russian-speaking cybercriminal community and even pushed the administrator of XSS to abandon qTOX as an official communication tool.

Figure 3: Demonstration of the RCE allegedly affecting qTOX, advertised by “nightly” on XSS in May 2023.

Both of these cases sparked heated discussions about the right communication tool in the cybercriminal ecosystem (see Figure 4). However, several months later, it appears that things have not changed much: qTOX continues to be a niche messenger popular among a minority of threat actors and was recently updated [7], while Telegram seemingly continues to dominate as the preferred platform for cybercriminals, especially those involved in infostealer operations, carding, refund fraud, and hacktivism.

Figure 4: A threat actor asks BreachForums’ community in November 2024 about their preferred messaging app and highlights the advantages and disadvantages of each platform.

    Given the significant developments affecting Telegram in 2024, we sought to examine the current state of cybercriminal communications. By analyzing Flare’s data lake, we aim to address the following questions:

    • Have threat actors migrated en masse to alternative platforms since August 2024?
    • Does the nature of a cybercriminal’s activity influence their choice of messaging platform?

    In the following sections, we will explore these questions in depth, supported by data-driven insights.

    I. Analysis of the Popularity of Messengers of the Underground: Making Sense of Raw Data

    To answer the aforementioned questions, we used Flare’s robust dataset. Flare has an extensive data lake of sources (i.e., markets, forums, Telegram channels) focused on cybercriminal activities such as data leaks, initial access, malware, infostealers, carding, fraud, ransomware and, marginally, drugs. We use a subset of data consisting of one year (2024) of activity. These details are important because the data lake from which you pull information can heavily influence the output, and we wanted to be as transparent as possible with our readers by explaining what our bias is.

    Let’s start by adopting a funnel approach, first looking at the raw data, then refining and analyzing it. In 2024, Flare observed that over 80 million IDs and links to six different messaging apps were shared by individuals active on cybercriminal forums and Telegram channels (see Figures 5 and 6). While this number may seem impressive, it does not accurately reflect the reality of the cybercriminal ecosystem or the popularity of a messaging application. It is, for instance, quite natural that Telegram links are predominant on Telegram itself, as they constitute links between different channels and groups on the platform. Moreover, this data contains many duplicates (i.e., links or IDs shared multiple times by the same or different threat actors).

    Figure 5: This is a precise yet conservative estimate of the number of published links/IDs for various messaging apps on cybercrime forums in 2024, meaning the actual number could be slightly higher. Source: Flare.io
    Figure 6: Pavel Durov was arrested on the 25th of August 2024; Telegram announced that it would increase cooperation with law enforcement on the 23rd of September 2024. No substantial impact can be observed. Source: Flare.io

    For instance, in 2024, 10 threat actors in Flare’s data were responsible for the vast majority of published Discord links (see Figure 7). Removing these top 10 actors from the dataset caused the number of shared Discord invite links in our database to drop from 2.8 million to just 91,000 over the past year. Moreover, numerous duplicates were present among these links. Interestingly, the absolute majority of Discord links was published on Telegram, highlighting a clear interest in this messaging app among Telegram users.

    Figure 7: Example of threat actors publishing several thousands of messages with Discord links on cybercrime Telegram channels and forums in 2024. Source: Flare.io

    II. Telegram Reign Continues: More Than a Messenger - The Social Network of Cybercrime

    To better assess the popularity of messaging apps, let’s refine the data by focusing only on unique links and messenger IDs shared on cybercrime forums. As shown in Figure 8 below, the number of unique links and Telegram usernames published on cybercrime forums in 2024 is incomparably higher than that of any other messaging app. Far behind, the second and third most popular apps, Discord and Session, have seemingly not benefited from Telegram’s setbacks or the concerns raised by its increased cooperation with law enforcement. As of January 2025, Telegram still reigns supreme, and its usage in the cybercriminal community has not substantially dropped.

    As shown in the interactive Figure 8, when selecting only Signal, this messenger appears to be the only one that gained traction following Pavel Durov’s arrest and Telegram’s policy changes. The rise in newly shared Signal invite links between September and December 2024 strongly suggests a correlation with the timing of these events. Nevertheless, the popularity of Signal remains marginal.

    Figure 8: Pavel Durov was arrested on the 25th of August 2024; Telegram announced that it would increase cooperation with law enforcement on the 23rd of September 2024. No substantial impact of these events can be observed except for Signal. Source: Flare.io

    III. Correlation Between the Type of Threat Actor’s Activity and Choice of Messaging App

    To answer our second question, regarding the influence of threat actors’ cybercriminal activities on their choice of a specific messaging app, Flare observed on which forums the majority of messaging app links and IDs were published and what the nature of the criminal activity of the threat actors publishing them was.

    • Discord invite links were primarily found on forums like Nulled and Cracked – both recently seized by law enforcement [8] – as well as VeryLeaks and DemonForums. They were mostly published by younger individuals often present in gaming-focused communities and sometimes involved in low-level cybercrime.
    • Matrix and Element protocol-based IDs were mainly found on drug-focused forums like RuTOR, RCclub, BigBro and marginally on the fraud-focused Russian-language forum Probiv. In Flare’s data lake, Matrix and Element were predominantly used by threat actors buying and selling drugs or those involved in fraud schemes.
    • TOX and Jabber IDs were predominantly shared on XSS, CrdPro, BreachForums, and Exploit forums, by cybercriminals often involved in the sale of corporate accesses, ransomware, or corporate databases (see an example in Figure 9).
    Figure 9: A threat actor announced in December 2024 on XSS that he is selling access to an American real-estate company with $25 million in revenue. TOX IDs are almost the only contacts left by initial access brokers on Russian-speaking communities. Machine translated from Russian.

    It is important to note that a substantial number of threat actors use multiple messaging apps simultaneously (see Figure 10). This is especially true for those offering services to other cybercriminals. Maintaining easy accessibility is essential for any commercial activity; therefore, threat actors selling services such as cryptocurrency exchange and money laundering, hosting, malware obfuscation, or development often provide multiple communication channels. The interactive Figure 11 below highlights this reality and allows you to explore the different combinations of messaging app links and IDs found in a single forum post in 2024. Telegram in combination with other messaging apps remains the most popular combination of all, highlighting once more the resilience of this communication tool.

    Figure 10: A threat actor advertising a cryptocurrency exchange and cashout service on Exploit can be contacted on Telegram, TOX, or Jabber.
    Figure 11: Source: Flare.io

    Final Thoughts and Potential Future Research

    The collection of this data has also allowed us to identify links between different messenger IDs and correlate them. As shown in Figures 12 and 13, it is possible to determine which threat actor uses which messaging app. The next step will be to include usernames, making it easier to study malicious actors and automate the discovery of their handles and communication channels—but that’s a story for another time. ;)

    Figure 12: Example of clusters of collected messenger links and IDs. Source Flare.io
    Figure 13: Example of a cluster of messenger IDs belonging to the same threat actor but found on different posts on forums and Telegram channels.
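    The funnel described in Sections I and II (raw mentions, then unique handles, then the effect of removing the heaviest posters), the per-post platform combinations of Figure 11 and the ID clusters of Figures 12 and 13 can all be reproduced on a handful of forum posts. The block below is an added example and not Flare’s own tooling: the recognisers for each messenger, the normalisation rules and the sample posts are constructed assumptions.

```python
"""Messenger handle extraction and the funnel analysis described above.

Added example, not Flare's tooling: the recognisers, normalisation rules
and sample POSTS are constructed assumptions for this demonstration."""
import re
from collections import Counter, defaultdict

# Assumed recognisers: TOX IDs are 76 hex chars, Session IDs 66 hex chars
# starting "05", Matrix IDs @user:homeserver. Jabber is omitted because a
# bare user@host cannot be told apart from an e-mail address.
PATTERNS = {
    "telegram": re.compile(r"(?:https?://)?t\.me/[A-Za-z0-9_+]+"
                           r"|(?<![\w@])@[A-Za-z][A-Za-z0-9_]{4,31}(?![:\w])"),
    "discord": re.compile(r"(?:https?://)?(?:discord\.gg|discord\.com/invite)/[A-Za-z0-9]+"),
    "signal": re.compile(r"(?:https?://)?signal\.group/#[A-Za-z0-9_\-]+"),
    "matrix": re.compile(r"@[A-Za-z0-9_.\-]+:[A-Za-z0-9.\-]+\.[A-Za-z]{2,}"),
    "session": re.compile(r"\b05[0-9a-fA-F]{64}\b"),
    "tox": re.compile(r"\b[0-9A-Fa-f]{76}\b"),
}

# Constructed sample IDs and posts (author, text); none are real handles.
TOX_ID = "0123456789ABCDEF" * 4 + "0123456789AB"
TOX_ID_2 = "FEDCBA9876543210" * 4 + "FEDCBA987654"
SESSION_ID = "05" + "ab" * 32
POSTS = [
    ("spammer1", "join https://discord.gg/AbC123 or discord.gg/AbC123, also https://discord.gg/Zz9Zz9"),
    ("spammer1", "discord.gg/AbC123 discord.gg/Q1w2e3"),
    ("iab_one", "Selling access to a company with 25M revenue. TOX: " + TOX_ID),
    ("exchanger", "Exchange and cashout service. TG @CashOutBoss | t.me/CashOutBoss | TOX " + TOX_ID_2),
    ("plug", "Write me on matrix @plug:matrix.org or session " + SESSION_ID),
    ("migrant", "Moved to Signal after the Durov news: https://signal.group/#CjQKabc123 ; old contact @OldHandle still works"),
    ("iab_one", "Also reachable via t.me/IabOneContact. TOX: " + TOX_ID),
]


def normalize(platform, value):
    """Collapse the spellings of one handle so duplicates can be counted."""
    value = re.sub(r"^https?://", "", value)
    if platform == "telegram":          # @name and t.me/name are one handle
        return value.rsplit("/", 1)[-1].lstrip("@").lower()
    if platform == "discord":           # invite codes are case-sensitive
        return value.rsplit("/", 1)[-1]
    if platform == "signal":
        return value.split("#", 1)[-1]
    return value.lower()


def extract(text):
    """All (platform, handle) mentions in a post, duplicates included."""
    return [(platform, normalize(platform, m.group(0)))
            for platform, rx in PATTERNS.items() for m in rx.finditer(text)]


def mention_stats(posts, exclude_authors=frozenset()):
    """Raw mentions and unique handles per platform; excluding the heaviest
    posters shows how much of the raw volume a handful of actors produce."""
    raw, uniq = Counter(), defaultdict(set)
    for author, text in posts:
        if author in exclude_authors:
            continue
        for platform, handle in extract(text):
            raw[platform] += 1
            uniq[platform].add(handle)
    return raw, {k: len(v) for k, v in uniq.items()}


def top_posters(posts, platform, n=10):
    """Authors responsible for the most mentions of one platform."""
    counts = Counter(author for author, text in posts
                     for pl, _ in extract(text) if pl == platform)
    return [author for author, _ in counts.most_common(n)]


def platform_combinations(posts):
    """How often each set of platforms appears together in a single post."""
    combos = Counter()
    for _, text in posts:
        platforms = {pl for pl, _ in extract(text)}
        if platforms:
            combos[tuple(sorted(platforms))] += 1
    return combos


def handle_clusters(posts):
    """Union-find: handles that co-occur in one post are linked, and links
    chain across posts, giving one cluster per probable actor."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for _, text in posts:
        handles = sorted(set(extract(text)))
        for h in handles:
            find(h)                         # register singletons too
        for a, b in zip(handles, handles[1:]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for h in parent:
        groups[find(h)].add(h)
    return sorted(groups.values(), key=len, reverse=True)
```

    On the sample posts, dropping the single heaviest Discord poster removes every Discord link, Telegram plus TOX is the most frequent combination, and the two XSS posts by the same access seller collapse into one cluster.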

    Dig Further into Cybercrime with Flare Academy

    Interested in following more cybercrime research? Flare Academy’s training sessions are led by cybersecurity researchers; check out the upcoming sessions here.

    We also offer the Flare Academy Discord Community, where you can connect with peers and access training resources from the Flare Academy training.

    Can’t wait to see you there!

    Sources

    [1] Abrams, Lawrence. “BreachForums v1 Database Leak Is an OPSEC Test for Hackers.” BleepingComputer, July 24, 2024. https://www.bleepingcomputer.com/news/security/breachforums-v1-database-leak-is-an-opsec-test-for-hackers/.

    [2] Green, Matthew. “Is Telegram Really an Encrypted Messaging App?” A Few Thoughts on Cryptographic Engineering (blog), August 25, 2024. https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/.

    [3] Melander, Ingrid, and Guy Faulconbridge. “Telegram Messaging App CEO Durov Arrested in France.” Reuters, August 25, 2024, sec. Europe. https://www.reuters.com/world/europe/telegram-messaging-app-ceo-pavel-durov-arrested-france-tf1-tv-says-2024-08-24/.

    [4] Gatlan, Sergiu. “Telegram Now Shares Users’ IP and Phone Number on Legal Requests.” BleepingComputer, September 23, 2024. https://www.bleepingcomputer.com/news/security/telegram-now-shares-users-ip-and-phone-number-on-legal-requests/.

    [5] Toulas, Bill. “Telegram Hands over Data on Thousands of Users to US Law Enforcement.” BleepingComputer, January 7, 2025. https://www.bleepingcomputer.com/news/legal/telegram-hands-over-data-on-thousands-of-users-to-us-law-enforcement/.

    [6] XSS.is (ex DaMaGeLaB). “Tox 1.17.6 / RCE,” May 25, 2023. https://xss.is/threads/88898/.

    [7] TokTok/qTox. “Release v1.18.0.” GitHub, January 1, 2025. https://github.com/TokTok/qTox/releases/tag/v1.18.0.

    [8] Gatlan, Sergiu. “Police Seizes Cracked and Nulled Hacking Forum Servers, Arrests Suspects.” BleepingComputer, January 30, 2025. https://www.bleepingcomputer.com/news/security/police-seizes-cracked-and-nulled-hacking-forum-servers-arrests-suspects/.

    The post The Underground’s Favorite Messenger: Telegram’s Reign Continues appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

    MOVEit Repackaged and Recycled https://flare.io/learn/resources/blog/moveit-repackaged-and-recycled/ Thu, 12 Dec 2024 16:30:12 +0000 https://flare.io/?p=16197

    The post MOVEit Repackaged and Recycled appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


    The largest repackage and re-post of an old leak

    In November 2024, a hacker known as “Nam3L3ss” allegedly released previously undisclosed data from the MOVEit breach in May 2023. This leak consisted of millions of records, including sensitive employee and big brand corporate information, significantly escalating the breach’s impact. Digging into this story reveals that Nam3L3ss claims to be a hacktivist freeing information from many previous breaches, not just MOVEit.

    MOVEit History

    MOVEit is a managed file transfer software product produced by Ipswitch, Inc., now a subsidiary of Progress Software. MOVEit encrypts files and uses FTP (file transfer protocol) to transfer data. On May 31, 2023, Progress disclosed a pre-authentication SQL injection vulnerability in MOVEit Transfer and MOVEit Cloud, later assigned CVE-2023-34362. This vulnerability turned out to be a 0-day that was being actively exploited in the wild.

    Attackers exploited this vulnerability on public-facing servers, allowing them to deploy a web shell called “LemurLoot,” disguised as legitimate ASP.NET files. This enabled the exfiltration of sensitive data from affected organizations.

    In May 2023, the ransomware group Cl0p exploited the 0-day vulnerability to gain access to MOVEit instances worldwide. Cl0p published a blog post about the breach, warning affected organizations that they had until June 14th to pay a ransom or risk having their data made public. Organizations disclosed in June 2023 included the Government of Nova Scotia, BBC, British Airways, and the United States Department of Energy amongst hundreds of others.

    Cl0p extorted victims over the course of June, July and August, posting batches of victims and leaking their data via BitTorrent. Then we didn’t hear from them.

    The Rise of Nam3L3ss

    Over a year later, Nam3L3ss claimed to have MOVEit-related data from prominent companies. These leaks had not previously been claimed by Cl0p and sparked theories as to the origin of the data. While these leaks appear new, they are in fact repackaged data from Cl0p’s breach. This is the largest repackaging of old information to ever happen.

    The repackaged data was extracted, for now, from four compromised companies’ files from the Cl0p MOVEit breach. Nam3L3ss strategically reorganized and repackaged data from companies impacted by the MOVEit breach, presenting it in a way that emphasized high-profile clients. For example, Company A, a contractor for Company B, had its compromised files containing a directory labeled “Company B.” Nam3L3ss extracted and leaked this directory separately, branding the leak as “Company B” to amplify its significance.

    This approach transformed a voluminous and unstructured leak into a targeted release, naming and organizing the leaks after the recognizable clients rather than the original contractors. This repackaging tactic, likely aimed at maximizing public attention, has the consequence of increasing pressure on the implicated companies.

    Nam3L3ss is a hacktivist claiming to liberate data. He posted a manifesto on BreachForums and operates a blog at nam3l3ss.bearblog[.]dev. Here’s an excerpt from his blog:

    Data I post is NOT a secret, everything I post the Criminal already have it!
    It's only the Politicians, Government Agencies, and sorry to say the Public in general who have their heads buried in the sand about just how much information is floating around the internet on them, and extremely Personal information!
    I am tired of Governments allowing Companies to SELL data on people and Data Brokers with terrible security or protections on their data.
    Who really owns the Data on you? IS it YOUR data or do Companies OWN your private data and have a right to SELL it to anyone they desire?
    Think about that for a minute, Companies treat YOU and your information as something they OWN! It does NOT belong to you they say, so they are FREE to SELL your data to whoever they want whenever they want and YOU have NO SAY!

    Nam3L3ss insists he is not affiliated with Cl0p ransomware

    Although he insists otherwise (see the forum post screenshot below for details), we have so far confirmed that all of the repackaged breaches we looked at came from the 2023 MOVEit breach.

    Here is the list of breaches he allegedly possesses:

    • Cl0p: 16.9TB
    • Medusa: 10.3TB
    • Snatch: 8.8TB
    • Ragnar_Locker: 871.9GB
    • Qilin: 765.5GB
    • EXConfidential: 746.9GB
    • Marketo: 735.9GB
    • Revil-Sodinokibi-Happy[.]Blog: 569.2GB
    • Lockbit: 343.2GB
    • Nefilim: 314.6GB
    • CL0P-TA505: 281.8GB
    • Lorenz: 254.3GB
    • Suncrypt: 239.0GB
    • Avaddon: 200.5GB
    • EVEREST: 198.3GB
    • DARKSiDE: 148.2GB
    • 00[.]Resort: 133.4GB
    • Blackmatter: 124.3GB
    • Anonymous: 123.8GB
    • Conti-Ryuk: 112.2GB
    • Phineas[.]Fisher: 98.7GB
    • cdn.databases[.]today: 80.6GB
    • PlayNews: 74.6GB
    • Cuba: 70.6GB
    • Ragnar: 63.5GB
    • Babuk: 61.6GB
    • Mount[.]Locker: 60.4GB
    • ContiNews: 33.4GB
    • Vice[.]Society: 16.8GB
    • AtomSilo: 16.3GB
    • 5c4qycmxc2xk4t6p64xyz6f4z7: 14.7GB
    • Pysa: 14.3GB
    • DoppelPaymer: 6.5GB
    • Lockbit2.0: 5.1GB
    • Lulzsec: 5.0GB
    • 0mega: 4.6GB
    • f[u]ck[.]delivery: 3.1GB
    • atlaszppqsv6mu7[.]onion: 1.5GB
    • nuclearleaks[.]com: 1.1GB
    • RansomEXX: 1.1GB
    • AvosLocker: 718.7MB
    • Grief: 601.0MB
    • [EXCONFIDENTIAL]: 594.1MB
    • Payload[.]bin: 405.5MB
    • nexeya[.]com: 89.1MB

    Repackaging Enabled by Supply Chains

    These four entities were contractors for larger corporations, providing services that integrate into their operations. While a company may invest heavily in its own security infrastructure, its overall security posture is only as strong as its weakest link. Supply chain monitoring is not just a precaution but a necessity to mitigate the risk of security failures from third-party contractors and suppliers.

    Flare customers can access a TLP:Amber article in our research center covering the breach victims as disclosed by Nam3L3ss as of December 6th 2024. 

    We would like to thank Estelle Ruellan, Olivier Bilodeau, Tammy Harper, and Mathieu Lavoie for their help on this article.

    Dark Web Investigations and Flare

    The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

    Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.

    Infostealer Malware: An Introduction https://flare.io/learn/resources/blog/infostealer-malware/ Wed, 13 Nov 2024 16:44:47 +0000 https://flare.io/?p=16064

    The post Infostealer Malware: An Introduction appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


    Infostealer malware represents one of the most underrated threats to corporate and consumer information security today. These sophisticated remote access Trojans (RATs) silently infect computers and systematically exfiltrate massive amounts of sensitive information from the host to threat actors’ command and control (C2) infrastructure. Their primary targets include:

    • Browser-saved credentials
    • Session cookies
    • Browser fingerprints
    • Other sensitive system data

    Once the information has been exfiltrated, it takes the form of a “stealer log,” a single discrete set of information about a user that includes a snapshot of their browser and key details about their computer. Threat actors then distribute these (either as free samples or in exchange for cryptocurrency), principally across Telegram and Russian Market, where they are then used by other criminal actors to commit financial fraud, steal cryptocurrency, or in some cases breach major companies.

    This article will dive deep into infostealer malware and provide readers with a comprehensive picture of the entire infostealer ecosystem, from malware-as-a-service distributors designing new variants of infostealers to how cybercriminals use logs to gain access to key services.

    What’s in an Info(stealer) Log?

    Each infostealer log represents a single user’s stolen data. Different infostealer variants pull different types of data (and malware developers in some cases compete on which data the variant they maintain steals!). For example, one variant may pull clipboard data from the user while another variant may not. There is a constant tension – the more data stolen by the infostealer variant the more likely it is to be detected and stopped by Windows Defender or an anti-virus platform.

    An infostealer log with separate .txt files for different types of stolen data

    Here’s what’s in the infostealer log above:

    • Autofills: This folder contains stolen data related to autofill functionality from web browsers, including names, addresses, and payment details. If compromised, this data can be used for identity theft or fraudulent transactions.
    • Cookies: This folder holds browser cookies, which store session data and login credentials for websites. Stolen cookies could allow attackers to bypass authentication mechanisms and hijack active sessions, leading to account takeovers.
    • Discord: This folder might store session tokens or credentials related to the Discord platform. Compromising these tokens could give attackers access to the victim’s Discord account, enabling them to steal sensitive communications or impersonate the user.
    • DomainDetects.txt: This text file logs domains detected or visited by the victim. It could be useful for understanding the victim’s browsing behavior or identifying phishing targets.
    • FBFastCheck: This is actually an advertisement for another subscription service the channel owner offers which enables users to quickly sort through stealer logs to identify the type of credentials they are after. 
    • ImportantAutofills.txt: This file stores more critical autofill information such as sensitive entries like payment cards, billing addresses, or personally identifiable information (PII) from browser autofill data.
    • InstalledBrowsers.txt: A list of browsers installed on the victim’s system. 
    • InstalledSoftware.txt: Contains a list of all software installed on the victim’s machine. 
    • Passwords.txt: This file is critical, as it contains cleartext passwords harvested from the victim’s browser. 
    • ProcessList.txt: This file logs running processes on the victim’s machine at the time of the infostealer infection. 
    • UserInformation.txt: This file contains detailed information about the victim’s account or system, such as usernames, computer names, or operating system details. It also contains information about the infection date and build of the malware.

    Origins: The Infostealer Malware-as-a-Service Ecosystem

    The Infostealer MaaS Business Model

    Modern infostealers operate within a sophisticated Malware-as-a-Service (MaaS) ecosystem. Key characteristics include:

    • Distribution Channels:
      • Cybercrime forums
      • Telegram channels (including specialized channels for RAT developers)

    Telegram post of a redline stealer for sale

    Pricing Structure

    • Standard Variants:
      • Monthly subscription model
      • Price range: $100-1000 USD
      • Payments accepted in cryptocurrency
      • Includes C2 infrastructure hosting
    • Specialized Variants:
      • macOS stealers command premium pricing
      • Currently the only major variant targeting Apple ecosystems
      • Higher prices reflect limited competition in Mac malware space

    MaaS vendors fulfill a critical role in the ecosystem. Malware development is difficult and time-consuming and requires substantial expertise – particularly to get around modern AV/EDR systems. By having specialized infostealer developers maintaining their own code and selling it as a service, they can leverage the economic principle of role specialization while making a significant profit, particularly for developers that build popular variants such as Redline.

    Infostealer Distribution: Common Attack Patterns

    After acquiring an infostealer variant, cybercriminals employ various distribution methods to infect victim systems. While multiple approaches exist, the most prevalent involves embedding malware within purported “cracked” software downloads.

    Below is the typical attack flow:

    1. Initial Setup
      • Threat actor purchases an infostealer variant through Telegram channels
      • Package typically includes C2 infrastructure
      • Some variants come with detailed infection pipeline documentation
    2. Distribution Infrastructure
      • Creates landing pages using either paste-type sites, stolen websites, or sites hosted on bulletproof hosting
      • Uploads malicious payload to file-sharing platforms (e.g., Mega.nz)
      • Uses password protection to bypass antivirus scanning during download
    3. Traffic Generation
      • Acquires compromised Google Ads accounts
      • Purchases compromised YouTube accounts
      • Use these platforms to advertise (real or fake) cracked software seeded with infostealer
    4. Data Exfiltration
      • Victims download and execute the malicious files
      • Infostealer harvests various data types:
        • Login credentials
        • Browser data
        • System information
      • Stolen data is transmitted to:
        • Dedicated C2 infrastructure
        • Telegram channels (in some configurations)

    While cracked software distribution is common, sophisticated threat actors may employ other techniques:

    • Targeted phishing campaigns
    • Watering hole attacks

    One particularly interesting campaign occurred in mid-2023 and targeted potential users of the AI platform Midjourney. This campaign leveraged several of the aforementioned features – malicious Google Ads likely being run from compromised accounts.

    A user would search for Midjourney and the first result was the now-defunct “ai.mid-journye.org”, which was advertised using Google Ads. Clicking on the advertisement would bring the user to a custom-built landing page.

    The landing page was fairly sophisticated and well designed to entice the user to download the Windows application. Note the highlighted red “it is possible that the computer’s security systems may falsely trigger” and the lack of a MacOS option.

    Info(stealer) Log Distribution 

    As of November 2024, stealer logs are primarily distributed in four main ways:

    • Public Telegram channels: These channels provide bulk infostealer logs packaged together (typically files with hundreds or thousands of bundled logs). Threat actors use public rooms as a way to build reputation and credibility, and in some cases to promote their private channels which require a paid monthly subscription.
    • Private Telegram channels: These channels require users to pay a monthly subscription fee and sometimes limit the number of users in a specific channel (to 5-20 individuals). Prices range from $100 to $500 a month and heavily depend on the reputation of the threat actor and the frequency that new logs are published to the channel.
    • Live Telegram channels: In a few instances, we’ve identified threat actors selling access to “live” logs in which Telegram serves as a backend where logs are sent directly upon a victim being infected. There is substantial time relevancy to logs – newer logs are more likely to contain unexpired session cookies and unchanged credentials – providing the threat actor maximal opportunity to gain unauthorized access to core services.
    • Russian Market: Russian Market is a marketplace operating as a dark web hidden service which allows infostealer distributors to bulk upload logs that are sold for $10 each. Russian Market also enables buyers to search through logs and identify those with specific credential sets they are interested in compromising prior to purchase.

    Stealer logs for purchase and download

    The Time Relevancy of Infostealer Logs

    Stealer logs are not all equally valuable. Brand new logs (such as those fed into a live Telegram channel) are substantially more valuable for a number of reasons, including:

    • Fresh logs are much more likely to include active session cookies which can be used to bypass MFA on web applications. To do this, threat actors use what is called an “anti-detect” browser. Stealer Logs store all of the information 
    • Threat actors disproportionately value “fresh” logs due to the fact that the session cookies are more likely to be valid. 
    • Utilizing new logs also makes it less likely that another threat actor has already gained access to financial resources, crypto wallets, and other data in the stealer log.

    Infostealer Log Use-Cases

    Infostealers have largely flown under the radar for corporate security teams, particularly those at smaller organizations or those with a less sophisticated security posture. Unfortunately they have not flown under the radar for threat actors looking for easy ways to compromise corporate IT environments. But, before we go into the business information security risks that infostealer malware and stealer logs pose, let’s talk about their more common use-cases; namely facilitating fraud and account takeover for monetary gain. 

    Threat actors are, for the most part, not looking to compromise corporate accounts, and that is not why the vast majority of them use stealer logs. Instead, a typical workflow might look something like this:

    1. Threat actors process downloaded logs through specialized “checker” applications that:

    • Validate session cookie authenticity
    • Filter logs based on customizable parameters
    • Flag high-value targets (e.g., active financial service sessions)
    • Prioritize logs containing authenticated access to valuable services

    The checker tool essentially serves as a triage system, allowing actors to quickly identify and prioritize the most potentially valuable compromised accounts from large batches of logs.

    A threat actor uses a checker to identify high-value logs

    2. The actor then uses an anti-detect browser to impersonate the victim’s session on specially selected financial services logs.

    Screenshot of an anti-detect browser from a tutorial video on how to impersonate sessions

    3. The actor gains access to the account and transfers money or otherwise buys cryptocurrency using the victim’s bank account.

    Infostealer Malware and Corporate Cybersecurity

    Infostealers (and stealer logs) are one of the most concerning trends for corporate cybersecurity teams today. Why? Millions of employees in the U.S. save credentials from their jobs onto their personal computers and subsequently get compromised by infostealer malware. 

    We’ve seen thousands of examples, including:

    • Credentials to VPN into surgery centers
    • Credentials to major corporate SSO applications
    • ADFS and VPN credentials
    • Corporate PR accounts, CRM accounts

    Threat actors (on average) don’t “target” infostealer malware campaigns at corporate employees, but by default if they infect tens of millions of computers, huge numbers of corporate credentials and session cookies are bound to show up. This is well known by ransomware groups and other criminal entities that target businesses. Both ransomware actors and initial access brokers directly leverage stealer logs and infostealer malware infections to gain access to corporate IT systems. 
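    The defender-side counterpart of what the article describes is to triage a surfaced log against the organisation’s own domains: which of the Passwords.txt entries belong to corporate systems or corporate e-mail accounts, and which cookies for those domains had not yet expired when the log was obtained (the time relevancy discussed earlier), so that resets and session revocations can be queued. The block below is an added example, not the article’s or Flare’s code; the Passwords.txt layout (URL/Username/Password blocks), the Netscape cookies.txt layout, the sample contents and the examplecorp.test domain are all assumptions.

```python
"""Defender-side triage of a stealer log for corporate exposure.

Added example, not Flare's tooling. File layouts are assumptions:
Passwords.txt as 'URL/Username/Password' blocks and Cookies in Netscape
cookies.txt format. The sample files and monitored domain are constructed."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample of a Passwords.txt file (not from a real log).
PASSWORDS_TXT = """URL: https://vpn.examplecorp.test/
Username: j.doe@examplecorp.test
Password: Winter2024!

URL: https://login.microsoftonline.com/
Username: j.doe@examplecorp.test
Password: Winter2024!

URL: https://shop.example.net/account
Username: jdoe1987
Password: hunter2
"""

# Constructed cookies file: domain, subdomains, path, secure, expiry, name, value
COOKIES_TXT = """# Netscape HTTP Cookie File
.examplecorp.test\tTRUE\t/\tTRUE\t1735689600\tSESSIONID\tabc123
sso.examplecorp.test\tFALSE\t/\tTRUE\t1700000000\tMSISAuth\tdef456
.shop.example.net\tTRUE\t/\tFALSE\t1767225600\tcart\tghi789
"""

MONITORED_DOMAINS = {"examplecorp.test"}          # assumed corporate domain
# Assumed date the log surfaced; in practice taken from UserInformation.txt.
AS_OF = datetime(2024, 11, 13, tzinfo=timezone.utc)


def _in_scope(host, monitored):
    """True when host is a monitored domain or one of its subdomains."""
    host = host.lower().lstrip(".")
    return any(host == d or host.endswith("." + d) for d in monitored)


def parse_passwords(text):
    """Split 'Key: value' lines into one dict per blank-line-separated block."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def exposed_credentials(passwords_txt, monitored):
    """Entries tied to a monitored domain by site or by account e-mail.
    The captured password is never returned, only the fact that one exists."""
    hits = []
    for rec in parse_passwords(passwords_txt):
        host = urlparse(rec.get("url", "")).hostname or ""
        user = rec.get("username", "")
        mail_domain = user.rsplit("@", 1)[-1] if "@" in user else ""
        if _in_scope(host, monitored) or (mail_domain and _in_scope(mail_domain, monitored)):
            hits.append({"site": host, "username": user,
                         "password_captured": bool(rec.get("password"))})
    return hits


def live_cookies(cookies_txt, monitored, as_of):
    """Cookies for monitored domains that had not expired at as_of: these are
    the sessions to revoke first. Cookie values are deliberately dropped."""
    live = []
    for line in cookies_txt.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7 or not parts[4].isdigit():
            continue  # malformed row; stealers sometimes emit partial lines
        domain, _, _, _, expiry, name, _ = parts
        expires = datetime.fromtimestamp(int(expiry), tz=timezone.utc)
        if _in_scope(domain, monitored) and expires > as_of:
            live.append({"domain": domain, "name": name, "expires": expires.isoformat()})
    return live


def triage(passwords_txt, cookies_txt, monitored, as_of):
    """Findings plus the response actions a security team would queue."""
    creds = exposed_credentials(passwords_txt, monitored)
    cookies = live_cookies(cookies_txt, monitored, as_of)
    actions = {f"force password reset and MFA re-enrolment: {c['username']}" for c in creds}
    actions |= {f"revoke sessions for cookie {c['name']} on {c['domain']}" for c in cookies}
    return {"credentials": creds, "live_cookies": cookies, "actions": sorted(actions)}
```

    The second entry is caught by the account e-mail rather than the site, which is how corporate SSO logins on third-party identity providers surface; the expired MSISAuth cookie is skipped while the still-valid SESSIONID is queued for revocation.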

    To learn more about threat actors and corporate stealer logs, take a look at our report Stealer Logs, Single Sign On, and the New Era of Corporate Cybercrime.

    Infostealer Malware & Initial Access Brokers

Infostealer malware is likely one of the most common ways that initial access brokers get into corporate networks. Initial access brokers (IABs) serve as a “white glove” service for ransomware groups and other criminal entities, gaining initial access to a victim’s corporate systems and then auctioning it off on Russian-language cybercrime forums.

    Forum post from initial access broker

    When there are millions of corporate credentials and session cookies floating around Telegram, it defeats much of the need for threat actors to launch more complicated attacks such as spear-phishing or exploiting vulnerabilities on publicly facing hosts.

    An initial access broker advertises logs for sale on the Russian language cybercrime forum XSS

    For example, an attack facilitated by an initial access broker might look something like this:

    1. IAB purchases an infostealer log from a dark web marketplace. The log contains credentials, session cookies, and other sensitive data from multiple victims.
    2. Among the entries, they identify a high-value target: credentials for a user with an email from a mid-sized financial services firm.
    3. Using a virtual private server (VPS) or proxy to match the target’s geographic location, the IAB attempts to log into the financial firm’s VPN with the stolen credentials.
    4. Login is successful, and they are granted access to the internal network.
    5. The IAB installs a covert remote access tool (RAT) to maintain control even if the VPN password changes.
    6. They create a hidden administrator account to re-enter if the initial access point is detected or closed.
    7. Using the RAT, the IAB maps the network, identifying key systems like file servers, databases, and sensitive applications.
    8. They collect more internal credentials, including administrative passwords, using tools like Mimikatz.
    9. The IAB gathers the details of the access they’ve achieved:
    • VPN login credentials
    • Privileged admin access to specific systems
    • Network map and location of sensitive financial records
10. They list this package on a dark web forum, advertising it as “Administrator-level access to mid-sized financial services firm” and setting a starting price.
11. The IAB provides guidance on navigating the network and any details to ensure a smooth handoff.
12. The ransomware group uses the access to deploy ransomware across the network, encrypting financial data and issuing a ransom demand to the firm.

    Stealer Logs & The Growing Cybercrime Ecosystem

It’s no secret that cybersecurity is adversarial; however, in the past decade the nature of offense has changed. The cybercrime economy is vast – stretching into hundreds of millions – and actors ranging from lone wolves to highly coordinated groups leverage it to profit.

    The complexity of the ecosystem is a source of its strength. Individual vendors each specializing in particular parts of the attack chain enable role specialization which can create scalability through the “cybercrime assembly line.” If an actor had to design their own infostealer variant, distribute it, harvest credentials, and leverage them it would be a far slower process.

    Monitoring for Stealer Logs with Flare

    The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

    Our customer Victor Pettersson, CISO at Sokigo, recently said, “Stealer logs have been the [sources] where we have seen the most actionable intelligence regarding leaked credentials.”

    Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.

Dark Web Forum Arrests, Columbus Ransomware Attack Updates, and American Background Info Data Leak
https://flare.io/learn/resources/blog/dark-web-forum-arrests-columbus-ransomware-attack-updates-and-american-background-info-data-leak/
Wed, 23 Oct 2024 16:26:41 +0000

    The post Dark Web Forum Arrests, Columbus Ransomware Attack Updates, and American Background Info Data Leak appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

    Keeping up with the world of cybercrime is important but can often feel overwhelming for security practitioners.

    Leaky Weekly is a podcast hosted by security researcher Nick Ascoli as he dives into the most pressing stories on data leaks, cybercrime, and the dark web in the last week or so.

    On this episode of Leaky Weekly, Nick covers:

• Recent dark web forum arrests related to LockBit and Bohemia
    • Updates on the City of Columbus attack costs
    • Potential data leaks from another American public record and background research company, MC2

    Tune in for current events on the podcast below or keep reading this article for the highlights.

    Dark Web Forum Arrests, Columbus Ransomware Attack Updates, and American Background Info Data Leak on Spotify

    Dark Web Forum Arrests 

    Global law enforcement agencies continue to pursue cybercriminals, tracing them across the dark web. 

    LockBit 

    Europol announced four new arrests connected to LockBit while the UK sanctioned 15 Russian citizens allegedly related to Evil Corp. A look at the history shows how intertwined LockBit and Evil Corp are:

    • 2014: Evil Corp forms then releases the Dridex banking malware that was also used as a rentable botnet and for deploying BitPaymer ransomware
    • 2019: Key Evil Corp members leave and move on to other malware projects
    • 2019: LockBit is developed and released
    • 2021-2023: LockBit becomes the most popular and prolific ransomware, pioneering the Ransomware-as-a-Service (RaaS) business model
    • 2022: Evil Corp member using the handle Beverly becomes a LockBit affiliate
• 2024: Operation Cronos completes a takedown of LockBit infrastructure, removing 34 servers from operation

    The additional Operation Cronos arrests include a suspected LockBit developer, and the National Crime Agency’s report “Evil Corp: Behind the Screens” provides further details about these connections. 

The UK’s sanctions make any payments to these parties illegal under the country’s Anti-Money Laundering Act, which makes ransomware payments to them illegal as well.

    Bohemia Market

    Dutch police arrested and seized assets related to the Bohemia market and its sister market Cannabia. While primarily a drug market, it supported additional dark web market products, like fake identification, forged checks, and malware. 

The Dutch police claim that this market processed approximately 82,000 transactions every month, noting that in its busiest month, September 2023, it processed about 12 million Euros.

    The asset seizure is the newest update. The Bohemia market’s old onion link is live again, displaying a law enforcement banner that contains a link to another onion site that lists individuals by their darknet market usernames. While the web page says these individuals have been arrested, a reviewed sample for the usernames failed to show news stories, law enforcement press releases, or articles referencing them.

    Law enforcement banner on Bohemia market lists arrested threat actors and their usernames

    City of Columbus Security Incident Update

    The last episode of Leaky Weekly discussed the security incident linked to the Rhysida ransomware group. The city then sued the independent security researcher for sharing information about the leaked dataset with the media. 

Since then, the city has requested an additional $3 million in funding to manage the investigation, including up to:

    • $2,401,052 for forensics and monitoring to understand the attack and determine the data posted to the dark web
    • $1,644,348 for the initial estimated costs of Experian credit and dark web monitoring, but these costs could change based on actual enrollments
    • $1,952,100 for legal fees related to incident response
    • $1,000,000 for continued systems, endpoint, and cyber threat monitoring
    • $300,000 for legal fees related to litigation
    • $2,500 for expenses like hard drives and tools

Even with these emergency funds, which currently total an estimated $7 million, the Director of the Department of Technology noted that 22% of access systems still need to be restored, likely increasing the total costs further.

    These updates provide some additional insight:

    • Costs: Expanding the budget from the initial $2.4 million to $7 million indicates that the complete costs may not be fully determined yet.
• Public relations: Suing the security researcher impacted the city’s reputation with the security community and the impacted individuals, especially since anyone with a Tor browser could easily access the exposed data.

    MC2 Data Leak

    MC2 Data, a company used for running public records and background searches, had a publicly accessible database lacking any authentication, exposing user information for the over 2 million people purchasing background checks. According to Cybernews, database access was secured prior to publishing the article. The database contained information like:

    • IP address
    • User agent
    • Encrypted password
    • Partial payment information

    Similar to the National Public Data (NPD) leak earlier this year, MC2 Data is a parent company that owns several background check subsidiaries, including:

    • privaterecords.net 
    • privatereports
    • peoplesearcher
    • PeopleSearchUSA

    Currently, this appears to be a security research team identifying and reporting an exposure then publishing an article after giving the company notice. While no cybercriminal organizations are reporting this data for sale or compromised, it was exposed from at least August 7 to September 25, 2024. Organizations should remember that cybercriminals sometimes exchange data within their groups, leaving the affected company, journalists, and general public unaware of the data leak. 

    Despite the data being public record, these leaks remain impactful. When compiled and stored in easily parsable JSON format, cybercriminals can easily use the information in a variety of ways, including:

    • Automated cybercrime campaigns
    • Bot dialing operations
• Phishing scams

    These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments in two weeks.

    Leaky Weekly and Flare Academy

    Leaky Weekly is brought to you by Flare, the world’s easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes.

    Flare now offers Flare Academy, which can elevate your cybersecurity career. Our (free!) training series are led by experts that cover critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications. 

    Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick!), and more. 

AWS Takeover Campaign, Ransomware Attack on Columbus, and City of Columbus Sues Ransomware Researcher Whistleblower
https://flare.io/learn/resources/blog/cybercrime-current-events-aws-takeover-campaign-ransomware-attack-on-columbus-and-city-of-columbus-sues-ransomware-researcher-whistleblower/
Wed, 25 Sep 2024 16:46:40 +0000

    The post AWS Takeover Campaign, Ransomware Attack on Columbus, and City of Columbus Sues Ransomware Researcher Whistleblower appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


    There’s so much to keep up with in the world of cybercrime…especially for security practitioners.

    Leaky Weekly is a cybercrime current events podcast hosted by security researcher Nick Ascoli as he dives into the most pressing stories on data leaks, cybercrime, and the dark web in the last week or so.

    On this episode of Leaky Weekly, Nick covers:

    • AWS takeover campaign
    • Ransomware attack on Columbus, Ohio
    • Regarding the same ransomware attack mentioned above, the city of Columbus sues a ransomware researcher whistleblower

    These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments in two weeks.

    Tune in for current events on the podcast below at Spotify, at Apple Podcasts, check out the video episode on YouTube below, or keep reading this article for the highlights.

    AWS Takeover Campaign

    A whole new category (not just a variant) of ransomware is here.

    Palo Alto’s new research team, Unit 42, uncovered an extortion campaign involving attackers exfiltrating data from AWS cloud storage containers, and leaving a ransom note. The threat actors scanned over 230 million unique targets for exposed .env files.

Unit 42 tracked 111,000 domains targeted by the campaign, and roughly 90,000 unique environment variables in .env files had hard-coded AWS access keys. These .env files are not supposed to be internet facing, especially if they contain secrets. They hold configuration variables used by an application, and in many cases a configuration variable is an API key, a database login, or an AWS access key.

    This is the lifecycle of the attack:

    1. The attacker scans the internet for exposed .env files.
    2. The attacker searches the contents of that file for an AWS access key.
3. Using the AWS access key, the threat actor identifies what it is by calling the AWS API endpoint GetCallerIdentity, which returns the user ID, the account number, and the ARN; the ARN tells them which account the key belongs to, which AWS service it is for, and what type of resource it is (a user, a role, a group, etc.).
4. The threat actor calls the ListUsers endpoint with the key, which returns a list of other IAM users in that AWS account that they may use later for lateral movement within the environment, and then the ListBuckets endpoint, which lists the existing S3 buckets they can also target for exfiltration and extortion.
5. If the key had permission, the attacker would create a new IAM resource for themselves in the target environment with unlimited access.
6. The attacker would then attempt to create a Lambda function to spin up EC2 virtual machines and cryptomine on them. If they misconfigured it, it would fail.
7. A second Lambda function that did not fail scanned for more targets, using a file pulled down from an S3 bucket in an AWS account the attacker had previously compromised. In that bucket, Unit 42 found 110,000 domains with exposed .env files the threat actor was targeting, along with a file listing roughly 230 million unique targets the threat actor was scanning for exposed environment files.
8. Finally, the threat actor would exfiltrate the data stored in the S3 bucket and upload a ransom note.
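A detection-side counterpart to the lifecycle above, added here as an example and not code from the post or from Unit 42: it groups CloudTrail-style records by access key and flags any key that performs the recon calls named in steps 3 and 4 (GetCallerIdentity, ListUsers, ListBuckets) and then a privilege-changing call within an hour. The records are constructed samples; the access key ids, account and addresses are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# API calls the campaign chained, as described in the post: discovery of what the
# leaked key is, then enumeration, then persistence or abuse. These are real
# CloudTrail eventName values.
RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
ESCALATION_CALLS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                    "PutUserPolicy", "CreateFunction", "RunInstances"}

# Constructed sample CloudTrail records (trimmed to the fields used here);
# key ids and IP addresses are placeholders, not real values.
SAMPLE_EVENTS = [
    {"eventTime": "2024-08-01T10:00:05Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-08-01T10:00:09Z", "eventName": "ListUsers",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-08-01T10:00:12Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-08-01T10:01:30Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-08-01T10:02:00Z", "eventName": "CreateFunction",
     "eventSource": "lambda.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}},
    # A legitimate deploy pipeline: one identity check, then only routine calls.
    {"eventTime": "2024-08-01T11:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000002"}},
    {"eventTime": "2024-08-01T11:00:04Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000002"}},
]


def _ts(event):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_recon_then_escalation(events, window=timedelta(hours=1), min_recon=2):
    """Return {accessKeyId: finding} for every key that made at least `min_recon`
    distinct recon calls and then a privilege-changing call within `window`
    of the first recon call. Keys that only check their identity are ignored."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        recon_seen, first_recon = set(), None
        for ev in evs:
            name = ev["eventName"]
            if name in RECON_CALLS:
                recon_seen.add(name)
                first_recon = first_recon or _ts(ev)
            elif (name in ESCALATION_CALLS and len(recon_seen) >= min_recon
                  and first_recon is not None and _ts(ev) - first_recon <= window):
                findings[key] = {
                    "recon": sorted(recon_seen),
                    "escalation": name,
                    "source_ip": ev["sourceIPAddress"],
                    "seconds_after_first_recon":
                        int((_ts(ev) - first_recon).total_seconds()),
                }
                break  # first escalation after recon is enough to alert on
    return findings


if __name__ == "__main__":
    for key, finding in find_recon_then_escalation(SAMPLE_EVENTS).items():
        print(f"ALERT {key}: {finding}")
```

In production the same logic would run over CloudTrail exports in S3 or a SIEM, and the alert for a key that was never meant to be used outside a deploy pipeline should also trigger its immediate deactivation.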

In this situation, the threat actor left an .env file exposed that contained a wide variety of credentials, which they had presumably harvested from their scanning campaign. About 90,000 unique environment variables were found to be access keys or IAM credentials specifically, about 7,000 were associated with cloud services, about 1,500 were associated with social media accounts, and other variables were associated with other services.

Unit 42 mentions in their report that the attack seems to have started with credentials for Mailgun, a service for automating the sending of emails. This probably began as an attack looking for Mailgun credentials in exposed .env files and slowly evolved into an extortion operation looking for all kinds of credentials. It self-replicated through AWS environments, acting like a worm.

    Here are two conclusions to draw:

• Cybercriminals know that a lot of organizations no longer keep data on hosts or on-prem apps. This is a hint at the campaigns threat actors are likely to engage in going forward, because the approach is easy and can be commodified. With ransomware affiliate programs and growing infostealer malware infrastructure, lower-barrier-to-entry ransomware gangs are shifting into highly commodified cybercrime operations.
• This continues the trend of ransomware without the “ware” portion, or at least without the encryption.

    Ransomware Attack on Columbus, Ohio

    The Rhysida ransomware group infected the city of Columbus, Ohio. The group then advertised 6.5 terabytes of stolen data, and made 45% of this available for download, claiming this data wasn’t already sold.

Often, a ransomware group will post small samples to their data leak site to prove that a compromise was real. They typically release the entirety of the files, or sell them, only after negotiations have failed or never started.

    But, Columbus’s Director of the Department of Technology not only claims they never received a ransom demand from the group, but also when they tried to reach out to the group, they didn’t get a response.

    Meanwhile, the group listed the entire 6.5 terabytes of data for sale for $2 million in Bitcoin, but didn’t sell all of it, since they listed 3.1 terabytes for free on their data leak site. They claimed that the 3.1 terabytes of data was not sold.

If it’s true that Rhysida never made contact with the city government of Columbus, that would be surprising from an ethical standpoint and not common. A ransomware operation’s typical goal is to extort a victim into paying the ransomware group to decrypt the files. In recent years, ransomware groups pursue double extortion by threatening to also auction off the files or release them to the general public if the ransom is not paid. In this situation, Rhysida supposedly did both of these things.

    City of Columbus Sues Ransomware Researcher Whistleblower

    This next story is also about Columbus, Ohio and is related to the aforementioned Rhysida hack. The city is suing the security researcher Connor Goodwolf for notifying them that they were hacked.

Goodwolf read that the mayor of Columbus claimed that the 3.1 terabytes of data posted by Rhysida were encrypted or corrupted. But when Goodwolf looked into this publicly accessible data that the ransomware group had posted, he discovered that it was neither encrypted nor corrupted, and that it contained sensitive information about the city’s residents.

    Goodwolf left a voicemail with the city claiming that he was aware someone in the Department of Technology lied, and asked them to call him back so he could walk them through the data that was actually exposed and not corrupted. He then informed them that he would notify the news to discuss the exposed data.

    Shortly after, the city attorney sued Goodwolf stating, “If there is information that needs to be brought forward, there is a way to disclose that information to law enforcement, and not going directly to the media, and this is why we had to file the TRO.”

    Goodwolf had left the voicemail with the city government the day before he told this story on the news, which indicates that he did disclose information to the concerned party ahead of revealing the information to the news.

    Goodwolf has at the very least succeeded in making the public aware of the full extent of the actual danger and breadth of the exposed data.

    Separate from the lawsuit against Goodwolf, the city is facing two class-action lawsuits. These were brought forward by local police and firefighters, including an undercover officer, who worried that his cover had been exposed by a specific set of police data present in the leak. They are suing specifically because the city did not inform them of their exposed information as soon as they should have.

    The complaint specifically states:

    “Defendant’s actions of downloading from the dark web and spreading this stolen, sensitive information at a local level has resulted in widespread concern throughout the Central Ohio region,”

    “Only individuals willing to navigate and interact with the criminal element on the dark web, who also have the computer expertise and tools necessary to download data from the dark web, would be able to do so.”

    However, this information is relatively accessible–there are YouTube videos from news organizations such as CNBC that show how to access the dark web.

    So at this point, it remains unclear if Columbus residents, or the implicated firefighters and police officers suing the city, would have ever learned that they were impacted by the leak if Goodwolf had not been on the news. 

    Leaky Weekly and Flare Academy

    Leaky Weekly is brought to you by Flare, the world’s easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes.

    Flare now offers Flare Academy, which can elevate your cybersecurity career. Our (free!) training series are led by experts that cover critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications. 

    Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick!), and more. 

Cybercrime Current Events: Background Check Organization Breach, a Repossessed Ransomware Blog, Feuding Forums, and Double Arrest of “J.P. Morgan”
https://flare.io/learn/resources/blog/cybercrime-current-events-background-check-organization-breach-a-repossessed-ransomware-blog-feuding-forums-and-double-arrest-of-j-p-morgancybercrime-current-events/
Thu, 22 Aug 2024 14:17:45 +0000

    The post Cybercrime Current Events: Background Check Organization Breach, a Repossessed Ransomware Blog, Feuding Forums, and Double Arrest of “J.P. Morgan” appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

Episode cover image: Leaky Weekly podcast, “Background Check Organization Breach, A Repossessed Ransomware Blog, Feuding Forums, and the Double Arrest of ‘J.P. Morgan’”

    There’s so much to keep up with in the world of cybercrime…especially for security practitioners.

    Leaky Weekly is a bi-weekly podcast hosted by security researcher Nick Ascoli as he dives into the most pressing stories on data leaks, cybercrime, and the dark web in the last week or so.

    On this episode of Leaky Weekly, Nick covers:

• National Public Data breach, and what “2.9 billion personal records leaked” actually means
    • FBI “repossessing” the Dispossessor ransomware operation
    • A threat actor posting information of Leakbase users to BreachForums
    • Two arrests of threat actors who both go by the name “J.P. Morgan”

    When a company is possibly the victim of a breach, that may not necessarily be the case for various reasons, such as if threat actors may not actually have the information they claim to. Security practitioners should be supportive of organizations/security teams addressing breaches and never shame them.

    Tune in for current events on the podcast below at Spotify, at Apple Podcasts, check out the video episode on YouTube below, or keep reading this article for the highlights.

    National Public Data Breach

    National Public Data (NPD) is a data aggregator that sells background checks, and a threat actor stole 2.9 billion personal records including personal information such as Social Security numbers and home addresses. 

    Threat actor on BreachForums posted the NPD leak for free

Your first reaction may be: does this mean personal records of 2.9 billion people across Canada, the U.K., and the U.S.? No. The combined population of those countries is about 450 million.

    So, 2.9 billion people were not affected, but millions of people are still impacted. Security consultant and founder of HaveIBeenPwned Troy Hunt found that one person may be represented multiple times due to repeat addresses. Many of the data points were:

    • from deceased people
    • repeats with small variations
    • incorrect 

    Troy Hunt’s research shows repeated addresses associated with his email

    This dataset has been listed before–a threat actor named USDoD posted this in April for $3.5 million, and this past week a different threat actor listed this for free. The threat actor clarified to security researcher Brian Krebs that they didn’t originate the dataset, and it had actually been making the rounds already in smaller cybercrime circles. 

    There was actually a class action lawsuit forming after the initial leak in April.

    People are just now starting to parse through and analyze the information, so it will take some time to fully understand how many people are officially implicated after accounting for inaccurate records, repeat information, and deceased people. 

Dispossessor Ransomware Operation Repossessed

    The FBI “repossessed” the Dispossessor ransomware operation and seized all of its domains. 

    The FBI repossessed the Dispossessor ransomware operation

    The site had hundreds of leaks, but the FBI noted in their press release that they found 43 victims of the gang. This means that a majority of the victims posted to the site were reposts from LockBit’s blog and other data leak sites.

    What does this mean? Dispossessor was initially an extortion group or even an aggregator, in that they had data listed on their servers, which they could claim was useful since it was no longer subject to the “availability” restrictions of LockBit.

    Allegedly, an angry LockBit developer leaked their encryptor, which Dispossessor picked up and started using. 

    One of the domains seized in the operation was RedHotCypher.com, and an eerily similar domain, RedHotCyber.com, is still online. The website hosts an interview transcript with Dispossessor that seems to be AI-generated.

    Fighting Forums

    A threat actor posted information on 78,540 members of the forum Leakbase to BreachForums. This information includes their username and some basic metadata.

    Threat actor posted LeakBase users’ information to BreachForums

    This is a common occurrence, as forums constantly hack each others’ member databases then post them. There doesn’t seem to be any public fight currently between Leakbase and BreachForums. 

    In our first story about the National Public Data breach, a subsection of the data was posted for sale by the threat actor USDoD on Leakbase.

    Double “J.P. Morgan” Arrest

    The National Crime Agency in the U.K. arrested two threat actors who both go by the name “J.P. Morgan.” The law enforcement agency identified them as culprits behind the Reveton Ransomware Group. 

    They not only operated the Reveton Ransomware Group, but also Ransomware Cartel, and the Angler Exploit Kit. 

    Collectively, these threat actors have extorted millions of dollars from a wide variety of victims. 

    Law enforcement arrested four other members of their group, specifically those who are suspected of being involved in the Angler Exploit Kit, and 15 of their employees. Their office that they operate in Ukraine was raided as well.

    Cisco’s 2015 mid-year report states that Angler accounted for 40% of user penetration in cyber attacks observed so far (at the time). A lot of early ransomware used Angler such as CryptoWall, Teslacrypt, Torrentlocker, and old banking trojans like Tinba. 

This is a major arrest in the realm of malware history. It is a developing story in that law enforcement has not publicly disclosed the identity of one of the two “J.P. Morgans.”

    Leaky Weekly and Flare Academy

    Leaky Weekly is brought to you by Flare, the world’s easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes.

    Flare now offers Flare Academy, which can elevate your cybersecurity career. Our (free!) training series are led by experts that cover critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications. 

    Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick!), and more. 

Launching Leaky Weekly with Flare, Cybercrime Current Events Podcast
https://flare.io/learn/resources/blog/leaky-weekly-pilot/
Thu, 08 Aug 2024 15:57:40 +0000

    The post Launching Leaky Weekly with Flare, Cybercrime Current Events Podcast appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.


    There’s so much to keep up with in the world of cybercrime…especially for security practitioners.

    Leaky Weekly is a cybercrime current events podcast hosted by security researcher Nick Ascoli as he dives into the most pressing stories on data leaks, cybercrime, and the dark web in the last week or so.

    On this episode of Leaky Weekly, Nick covers:

    • AT&T breach
    • Snowflake tenant breaches
    • SiegedSec
    • Disney hack

Important disclaimer: When a company is reported as the possible victim of a breach, that may not actually be the case, for various reasons, such as threat actors not really having the information they claim to have. Security practitioners should be supportive of organizations and security teams addressing breaches and never shame them.

    These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments in two weeks.

Tune in to the podcast on Spotify or Apple Podcasts, watch the video episode on YouTube, or keep reading this article for the highlights.

    AT&T Breach

    Billions of text and call records stolen 

A threat actor reached out to a security researcher to share a sample of the researcher’s own call records. After the researcher confirmed that those were their call records, the threat actor revealed that they had leveraged a Snowflake account that didn’t have MFA turned on and accessed the information in that tenant.

    This threat actor sent the information to a few people including a member of ShinyHunters, a threat actor group. 

The original security researcher informed Mandiant, which then notified AT&T. AT&T then made an SEC filing and claimed that the threat actor associated with the breach had been arrested.

The original threat actor had indeed been arrested, but in relation to a T-Mobile breach from a few years ago.

    AT&T attempted to contact ShinyHunters through the original security researcher:

    1. AT&T paid ShinyHunters five bitcoins to delete the data (with the security researcher also receiving a cut).
    2. ShinyHunters sent AT&T a video deleting the data (though it’s possible they may have other copies).
3. WIRED also got hold of this video.
    4. ShinyHunters told several news outlets that the original threat actor shared the data with multiple people, including a ShinyHunters member (so it’s possible there are multiple copies of this information out there). 

This is a developing story, and it’s unclear how many copies of this information may be floating around. There are many theories about how malicious actors could exploit this data, as it includes information such as cell tower pings that can geolocate where a call took place.

    Snowflake Tenant Breaches

Breaches of major Snowflake tenants by unauthorized third parties, such as Ticketmaster, Santander Bank, and more, have been in the news for the past few weeks.

    How these breaches have been playing out: threat actors (such as ShinyHunters) are abusing infostealer logs that contain login information to various Snowflake tenants.

    How do infostealers work?

Consider an independent contractor who had access to a Snowflake tenant. They may have been working on a personal device and downloaded a cracked version of design software. This design software could function normally but also bundle an infostealer in the installer. The infostealer malware can steal all of the logins saved in this person’s browser, session cookies, browsing history, and more. The stolen data can then get uploaded to a forum or illicit Telegram channel.

These breaches are not necessarily Snowflake’s fault; rather, they are issues of human error.

    Mandiant and Snowflake have published a report together that can be useful to understand the scope of this problem, and best practices in moving forward.

    SiegedSec

SiegedSec is a hacktivist group that targeted the Heritage Foundation, a conservative American think tank, and shared stolen information in their Telegram channel. However, they disbanded shortly after, stating that there was a lot of attention on them and they should lie low for some time.

Over the last few years, SiegedSec has selected a cause to rally behind and hit target companies relevant to that campaign. These target organizations include companies that have donated to a certain political cause or that stand in firm political opposition to the hacktivist group’s values.

    SiegedSec’s leader posted in their Telegram channel (screenshot below) that they disbanded due to, “[their] own mental health, the stress of mass publicity, and to avoid the eye of the FBI.” 

    This is a major shakeup in the hacktivist realm. 

    Screenshot of message from SiegedSec leader in their Telegram channel, announcing disbanding the group

    Disney Hack

    The hacktivist group NullBulge, which claims to protect artists’ rights, hacked into Disney’s internal Slack messages in a protest over AI-generated art. 

Two methods of access have been put forward:

    • An insider supposedly gave the group access to Disney’s internal Slack. However, this insider cut off NullBulge’s access, and the group responded by doxxing this individual. 
    • The WIRED article mentions infostealers may have been involved. 

    The leak revealed 1.1 terabytes of messages, unreleased projects, code, documentation, and more across 10,000 Slack channels. NullBulge posted this information on their blog. 

    Screenshot of NullBulge’s blog with stolen information from Disney’s Slack

Ransomware in Context: 2024, A Year of Tumultuous Change
https://flare.io/learn/resources/blog/ransomware-in-context-2024-a-year-of-tumultuous-change/
Wed, 27 Mar 2024 16:24:22 +0000


2024 has started off with dramatic shifts in the ransomware landscape. In December 2023, international law enforcement took down the BlackCat leaks site, leading to the group removing all ethical restrictions for their affiliates and declaring all organizations in Western Europe and the United States viable targets, including nuclear power plants and children’s hospitals.

Weeks later, a mysterious post appeared on the dark web forums RAMP, XSS, and Breach, claiming to be selling data from a ransomware attack perpetrated against the Russian company AN-SECURITY[.].ru using LockBit ransomware.

Even more recently, the LockBitSupp account was banned from one of the primary Russian-language cybercrime forums for scamming an initial access broker, which was soon followed by a law enforcement takedown of the LockBit blog.

    Each of these events is interesting in turn, but together they paint a broader picture of a ransomware ecosystem undergoing a period of turbulence and a radical shift. The Flare Research team delved into various forums across the dark web to investigate. This article is going to explore each event in turn, and focus on explanatory factors that provide the “why” for the rapid change in the ecosystem. First we’ll provide a brief summary of each event before providing conclusions at the end. 

    The December 2023 Alphv Takedown

BlackCat is one of the largest Ransomware as a Service (RaaS) groups in the ecosystem, second only to LockBit in the number of attacks perpetrated in 2023. BlackCat is a Russian RaaS group that operates on an affiliate model: the group provides the ransomware application, and other threat actors launch the attacks and split the profit from ransom payments.

In December 2023, the FBI, working with international law enforcement, successfully compromised BlackCat’s infrastructure. According to the U.S. Department of Justice press release on the takedown:

    The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems. To date, the FBI has worked with dozens of victims in the United States and internationally to implement this solution, saving multiple victims from ransom demands totaling approximately $68 million

    Weeks later BlackCat posted the message below announcing that affiliates would get up to 90% of ransom payments and that they were removing all targeting restrictions from affiliates. 

Screenshot of BlackCat’s site: a green banner reading “THIS WEBSITE HAS BEEN UNSEIZED” above a black-cat graphic and a letter in Russian. BlackCat announced that their website had been unseized and shared a new link to their site.

Prior to the takedown, BlackCat had certain targeting rules for their affiliates. For example, nuclear power plants and children’s hospitals had previously been off limits. The group responded to the takedown by declaring that affiliates could now target any organization, regardless of industry or criticality. Additionally, BlackCat increased the ransom split so that 90% of a ransom payment would go to the affiliate while BlackCat would keep only 10%.

    In Context

This series of events was highly interesting by itself. It showed that BlackCat was clearly concerned about its ability to retain affiliates after the embarrassment of having part of its infrastructure compromised. This highlights the absolute centrality of the role that affiliates play in today’s ransomware ecosystem, in which three groups make up more than half of all ransom attacks.

    The AN-Security Breach Saga

    In February of 2024 a mysterious forum post appeared on RAMP claiming to be selling data belonging to the Russian private security company AN-Security. 

Screenshot of the RAMP forum post selling access to AN-Security, titled “RUSSIA ~5TB, An-Security, https://an-security.ru”

In Russian-language cybercrime communities, attacking any target located in Russia or the Commonwealth of Independent States (Russian-aligned countries) is strictly prohibited. Russian federal police are unlikely to arrest threat actors targeting businesses in the U.S. or Western Europe, but will not tolerate the targeting of Russian companies or assets.

Screenshot of a RAMP forum moderator post stating “Work with CIS - Forbidden”, restating the rule against attacking targets located in Russia or the Commonwealth of Independent States (CIS, Russian-aligned countries)

The post was quickly locked and the user banned due to RAMP’s zero-tolerance policy on targeting organizations within CIS countries. However, the drama didn’t end there: the same poster reposted on several other forums.

    Within hours the LockBitSupp account posted that he was being set up. 

Screenshot of a forum post from LockBitSupp explaining their belief that they were set up

As far as we can tell, no law enforcement action in Russia or elsewhere has taken place as a result of this incident. However, the series of events is extremely interesting. The breach appears to be real, which means that:

    • A fairly sophisticated threat actor successfully compromised a major Russian company with ties to the Kremlin
• They then exfiltrated the data and listed it for a price far beyond the price range of other posts on the forums.
    • This seems to have been done with the possible goal of setting the LockBit group up to be targeted by Russian law enforcement. 

    In Context

It remains unclear which group targeted an-security[.]ru. It is quite possible that they attempted to set LockBit up, or that they had a different motive. If we are to accept LockBit’s explanation that it was the CL0P group that targeted them, things get even more interesting.

    This would imply that either CL0P had a grudge against LockBit, or that CL0P believed there was some level of possible financial gain from taking down Lockbit. CL0P doesn’t operate under a “traditional” affiliate model and instead operates with a tight knit closed group that identifies and exploits 0-days at a large scale. 

    LockBit’s Ban from XSS

One of the most salient, interesting, and underreported events from the past two months has been LockBit’s ban from the dark web forum XSS. XSS is a primary hub for initial access brokers (IABs), threat actors that break into corporate environments and then resell the access.

In February 2024, an initial access broker posted a thread accusing LockBit of scamming them, which included more than 14 pages of private chat logs between the access broker and LockBit as evidence of the scam. The dispute occurred because the access broker provided access prior to an agreement on payment, and then refused to accept LockBit’s offer after the fact.

Screenshot of threat actor michon’s post in XSS alleging that LockBit scammed them

    There were numerous fascinating exchanges in the private communication between the broker and LockBit. At a high level:

    • LockBit was purchasing initial access on behalf of affiliates.
    • The initial access broker prematurely provided access to LockBit with the promise of future negotiation over payment.
    • LockBit was segmenting the victims based on their technical and security maturity, giving complex environments with certain EDR providers to more sophisticated affiliates. 
    • Based on the conversation it appears that the access broker was utilizing infostealer malware to gain access to the environments and establish persistence.
• LockBit had serious concerns about whether the broker may have already sold the access several times, indicating the distrust within the ecosystem and the fact that groups likely rely on private suppliers of access.
    • The broker and LockBit had a falling out when LockBit wanted to pay a flat fee for the first organization, then share a 10% commission for the second breach, and increase by 1% up to 20% for subsequent successful attacks. 

In Context

Given the other dramatic events in the ransomware ecosystem, the leaked LockBit chat logs flew under the radar, but there were several surprising and interesting things within them. First, the fact that LockBit was buying access on behalf of affiliates was in and of itself highly interesting. It suggests that there is a high degree of competition, particularly for the most sophisticated affiliates capable of compromising highly complex environments.

    Additionally it provides interesting context on the IAB ecosystem and why IABs often list EDR solutions. Establishing access and persistence is one thing, but leveraging that access and being able to successfully execute an attack is considerably more challenging and depends on many factors.

    The LockBit Takedown

In March 2024, law enforcement took down the LockBit blog, immediately capturing a great deal of attention from both cybersecurity professionals and mainstream media. The law enforcement action (dubbed Operation Cronos) successfully compromised LockBit infrastructure. It resulted in five individuals being criminally charged, along with two arrests and the freezing of hundreds of cryptocurrency addresses.

Screenshot of LockBit’s front page after the takedown, showing a message from law enforcement agencies with their logos and the flags of the participating countries around the LockBit logo

    While this has not stopped LockBit, the takedown has severely damaged their reputation and likely resulted in many affiliates fleeing the group. The fact that international law enforcement was able to identify and issue arrest warrants for individual affiliates also very likely harmed LockBit’s ability to conduct business and recruit new affiliates. 

    BlackCat Exit Scam

    The final event worth noting from the past three months has been BlackCat exit scamming their own affiliate.

    A Brief Aside: What is an exit scam?

    An exit scam occurs when a threat actor breaks a bargain and effectively absconds with thousands, hundreds of thousands, or in some cases millions of dollars. Since cybercriminals can’t exactly go to the police there is very little recourse available to them. Exit scams are common for dark web marketplaces but less so for ransomware groups. In most cases for a sophisticated RaaS offering it is more economically efficient to maintain reputation. 

In February, the U.S. health insurance clearinghouse Change Healthcare was breached by a BlackCat affiliate. The affiliate threatened to release four terabytes of data stolen during the attack unless Change Healthcare paid a stunning $22,000,000 ransom.

Change Healthcare paid BlackCat, which then appears to have scammed the affiliate. Within days, a fabricated FBI takedown notice was posted on the BlackCat site. In response to the affiliate complaining that they weren’t paid their $20,000,000, a representative of the group posted on the Russian ransomware-focused dark web forum RAMP that law enforcement had infiltrated them.

    Ransomware Landscape: What Does it All Mean?

    The ransomware landscape is clearly undergoing a dramatic shift. The two largest groups, LockBit and BlackCat, have both been compromised by international law enforcement in the past 4 months and it looks increasingly likely that both may fragment. But what does this mean? We have a few thoughts. 

    How Does this Change Ransomware?

To answer this question there are a few important points to consider. First, LockBit and BlackCat were not responsible for the vast majority of attacks attributed to them; in almost all cases, affiliates were. The real question we should be asking is how much takedowns and arrests disrupt the affiliate ecosystem.

It’s important to understand that ransomware is a structural response to a confluence of economic, geopolitical, and social factors rather than an isolated phenomenon. There are thousands of threat actors engaged in the ransomware ecosystem, and in many cases these actors are making many times the prevailing wage in their countries. Law enforcement actions disrupted the infrastructure they were using, but barely impacted the actors themselves.

    What are the important points we’ve identified from the five events examined above?

• The ransomware ecosystem is incredibly competitive, with fierce inter-group competition, possibly even including some groups setting up rival groups to be targeted by law enforcement.
• Ransomware affiliates operating under RaaS providers account for the majority of attacks, so the affiliate ecosystem is key, and by extension so is the initial access broker ecosystem that supplies access.
    • As competition has increased, groups have increasingly taken measures to attract affiliates such as cutting margins or allowing affiliates to target any company or sector.
    • Law enforcement actions disrupt ransomware group infrastructure, but without indictments it is difficult to disrupt operations for long periods of time.
    • Indictments, even for individuals in non-extradition countries, still harm the ecosystem. Indicted individuals in countries such as Russia are restricted from traveling to countries that respect the rule of law. This may deter some affiliates. 
    • It’s likely that we are seeing a substantial transformation of the ransomware ecosystem as it transitions from one led by LockBit and BlackCat to a new equilibrium. 

    The Outlook for Ransomware

“Prediction is hard, especially about the future” – Niels Bohr

Ransomware could take many paths from here, but there are two that we find somewhat likely. One can best be labeled “fragmentation of the ecosystem,” a trend we’ve seen numerous times in dark web marketplaces, such as after the takedown of Dream Market, when actors spread out to many smaller niche sites. Another path might be for one or two dominant groups to emerge out of the more than 50 active ransomware groups.

    Fragmentation and Dispersal

In this scenario, the disruptions of BlackCat and LockBit result in an event we’ve seen several times in the cybercrime ecosystem: actors disperse to various groups or form their own. For example, when Ukraine was invaded and Conti announced their support for Russia, the group imploded and many administrators and prominent members chose to begin their own groups.

If this were to play out, ransomware would become more distributed, with fewer massive groups and more small, disjointed groups. In some ways this actually increases the risk level, as the large groups provided a structuring and shaping force, such as banning the targeting of certain critical infrastructure industries.

RaidForums is a significant example of the fragmentation that follows when a major marketplace or forum is taken down.

    RaidForums was one of the world’s largest hacking forums, with over 500,000 members. It served as a major hub for cybercriminals to buy and sell stolen data, including personal information, credit card details, and credentials. The forum was also known for its high-profile database leaks, often obtained through hacking or scraping.

    After a coordinated effort by law enforcement agencies from the United States, United Kingdom, Sweden, Portugal, and Romania, RaidForums was seized and taken offline. The forum’s founder and chief administrator, Diogo Santos Coelho, was arrested in the United Kingdom.

    The aftermath of the RaidForums takedown caused significant fragmentation in the cybercrime community with many users dispersing to smaller and lesser known sites. 

If we saw the same phenomenon play out with ransomware groups, we would expect many small RaaS operations to grow somewhat, and many new ones to form, without the clear dominant players that have existed for the past few years.

    New Groups Take their Place

It’s also quite possible to imagine a scenario in which smaller groups absorb the influx of affiliates fleeing LockBit and BlackCat. The ecosystem continues roughly as-is, but a few groups again rise to prominence. For a ransomware group, becoming a major player has both upsides and downsides.

Universal brand recognition and consistent mentions in the media make affiliate recruitment easier. At the same time, they make the group a major target for international law enforcement actions. If a few major groups were to continue to dominate the ecosystem, it could be that BlackCat and LockBit rebrand, effectively washing off the tarnish that the takedowns caused, or it could be totally unrelated groups that fill the vacuum these two players leave.

As a result of the recent takedowns and indictments, it is likely to be very challenging for groups to achieve the same level of prominence and success as LockBit and BlackCat. Affiliates may naturally shy away as groups become massive and invite increasing scrutiny from law enforcement entities.

    Where Does this Leave us?

    Ransomware will likely remain a substantial source of disruption and loss for the foreseeable future. The confluence of geopolitical risk, increasing reliance on complex information technology, and the adaptability of the cybercrime ecosystem makes it extraordinarily difficult to eliminate ransomware as a threat to organizations. As we have seen with the takedowns of major forums like RaidForums, the cybercrime ecosystem is resilient and quick to adapt to disruptions. 

The recent upheavals in the ransomware landscape, including the takedowns of LockBit and BlackCat, may lead to a period of fragmentation and restructuring. However, it is highly probable that the ransomware ecosystem will continue on in some new form, with the overall risk level either slightly diminished or slightly elevated depending on how the ecosystem evolves.

    Monitoring for (Supply Chain) Ransomware Exposures with Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically and constantly scans the clear and dark web and illicit Telegram channels to discover unknown events, automatically prioritize risks, and deliver actionable intelligence on third parties that you can use instantly to improve security.

    Learn more by signing up for our free trial.
