Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Groove Promises Maximum Profits for Ransomware Affiliates

Babuk Ransomware Spinoff Seeks Recruits for More Opportunistically Driven Cybercrime
Groove Promises Maximum Profits for Ransomware Affiliates
Overview of the RAMP cybercrime forum, which has announced the launch of Groove (Source: Advanced Intelligence)

If a ransomware operation says it's gone or otherwise appears to be defunct, can it ever be said to have truly died?

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The short answer, barring everyone in the operation involved getting arrested, would appear to be no. That's because the thriving ransomware ecosystem involves not only administrators and developers who run specific operations, but also affiliates who take the ransomware and infect victims, and then share in the proceeds.

When one ransomware operation goes quiet, affiliates seek new ones. Furthermore, some affiliates have become so highly skilled that they're chafing against what has traditionally been a very hierarchical ransomware-as-a-service business model, thus giving rise to new approaches and players.

So say security researchers from McAfee Enterprise’s Advanced Threat Research group, backed by threat-intelligence firm Intel 471 and ransomware incident response firm Coveware, in a new report that details how ransomware-wielding attackers continue to find innovative new ways of working together, as well as lambasting more rigid RaaS models. For example, a Conti affiliate recently leaked that ransomware operation's attack playbook, alleging he was underpaid.

As with all cybercrime, the impetus for most new moves and countermoves remains simple: for a criminal to amass the most money, in the least amount of time, using a variety of online-attack tactics at their disposal, while minimizing the risk of arrest or disruption.

Success Gets Emulated

The calculus underlying cybercrime trends changes constantly, based on what's working or not. After Maze pioneered stealing data before crypto-locking systems, other groups soon followed suit. The same goes for other advanced operators, such as GandCrab targeting managed service providers' customers, and successor REvil - aka Sodinokibi - making it even easier to do so. It and some other top-tier groups also brought in specialists, in part for big game hunting, meaning taking down larger targets in pursuit of larger ransoms. Less advanced groups soon followed suit.

All of that helps explain why ransomware profits have continued to surge. But starting in May, some attackers perhaps overreached: Russian-language groups Conti hit Ireland's health service, Babuk hit the Metropolitan Police Department of Washington, D.C., DarkSide crypto-locked U.S.-based Colonial Pipeline, causing a run on fuel, and REvil attacked meat processing giant JBS and remote management software firm Kaseya. In response, the Biden administration pledged to better disrupt the ransomware business model, including putting Russia on notice that if it failed to disrupt ransomware-wielding criminals operating from inside its borders, then the White House reserved the right to do so.

Seemingly in response, Avaddon announced it was ceasing operation, Babuk and DarkSide said they would no longer work with affiliates, and both REvil and DarkSide seemed to go dark.

But experts warn that it's easy for operations to rebrand, or hand their code off to someone else (see: Secrets and Lies: The Games Ransomware Attackers Play).

Indeed, security experts say that based on the malware and cryptocurrency wallets being used by newcomer BlackMatter, it appears to be an offshoot of DarkSide.

Advertisement on the Exploit cybercrime forum by the BlackMatter ransomware-as-a-service operation, seeking initial access broker partners, in exchange for payment or a percentage of any ransom that gets paid (Source: Recorded Future)

REvil, meanwhile, seemingly reappeared on Tuesday, as first spotted by Dmitry Smilnanets, a researcher at threat intelligence firm Recorded Future, who reported that its "Happy Blog" Tor-based data leak site was again live.

Some ransomware-wielding criminals, however, do look to be running scared. Bob McArdle, director of cybercrime research at security firm Trend Micro, says there's increasing chatter on cybercrime forums focusing on the feasibility of moving beyond ransomware to a "pure data leakage model" that doesn't bother encrypting systems and networks. "Because that's the bit that causes all sorts of consternation and governments coming back at you, because the pipeline is offline, or hospitals are offline," he says. Hence criminals have been saying: "'Can we just do the data leakage part?' We probably won't get paid as much because the urgency is not there. But there's a lot less hassle and overhead."

Into the Groove

Enter the Groove operation, which appears to have been created by former members of Babuk, and which says in a manifesto published Tuesday that it won't limit itself to crypto-locking malware, and that's it's seeking "pentesters" and other attackers with network-penetration experience, offering to give them a proper cut of all criminal proceeds.

"Groove is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years," reads the post, issued by "Orange," a forum admin. "Ransomware is no more than an additional source of income. We don't care who we work with and how. You've got money? We're in."

Orange's Crush

Groove is tied to a relatively new cybercrime forum known as RAMP, headed by an individual who used the moniker "TetyaSluha" before changing it to "Orange," in what might be a ransomware fan boy's tribute.

"REvil insiders will recognize the name Orange as one of their admins," write Max Kersten, John Fokker and Thibault Seret of McAfee Enterprise's Advanced Threat Research team, who co-authored the firm's new report with Intel 471.

REvil's Orange appears to have formerly been "Funnycrab," who was part of the GandCrab operation that went dark in mid-2019, with at least some operators and affiliates launching or joining REvil.

One of the other, better-known REvil administrators was "UNKN," formerly known as "Crab" with the GandCrab operation, according to the report published by McAfee Enterprise. (On July 27, security firm McAfee’s enterprise-focused business unit was sold to Symphony Technology Group, and this new company is now known as McAfee Enterprise.)

The RAMP name also appears to be a tribute, as it's the same acronym for Russian Anonymous Marketplace, an underground drugs market that Russian police shuttered in 2017. Orange claims the new version stands for "Ransom Anon Mark[et] Place."

When the RAMP forum first launched in July - again, apparently by one or more former Babuk team members - it was hosted on a server that previously ran Babuk's data leak site, and then Payload.bin, which was a site designed to host leaked data, for example, from the Vice Society group.

Subsequently, the RAMP forum was "moved to a dedicated Tor-based resource and relaunched with a new layout and a revamped administrative team, where Orange acted as the admin, with other known actors MRT, 999 and KAJIT serving as moderators," McAfee Enterprise says.

"We are curious to know if this Orange is the real Orange, or if it is just a tribute," Fokker, who's McAfee Enterprise's principal engineer and head of cyber investigations, tells Information Security Media Group.

Less Ransomware, More Drama?

RAMP was launched after Babuk fractured. Why Babuk split isn't clear, although hitting the Washington police department and a debate over whether to leak stolen data - it got leaked - may have been the impetus. Such a high-profile hit made Babuk very well known, and thus at greater risk of being unmasked and targeted by law enforcement agencies.

"This kind of heat is unwanted by most gangs, as any loose ends that are out there can come back to bite them," McAfee Enterprise says.

Later, Orange posted to RAMP the builder for Babuk, which is used to generate crypto-locking malware and a decryptor, says Victoria Kivilevich, a threat intelligence analyst at threat intelligence firm Kela.

Subsequently, the alleged source code for Babuk was released. "On Sept. 3, the threat actor with the handle 'dyadka0220' stated that they were the principal developer of Babuk ransomware and posted what they claimed was the Babuk ransomware source code. They claimed the reason they were sharing everything was due to being terminally ill with lung cancer," McAfee Enterprise says.

One way to read all of that would be elements of Babuk attempting to claim: We quit; don't come after us." But on Sept. 7, Groove issued a statement, titled "Ransomware Thoughts," claiming dyadka0220 isn't really ill, and noting that Babuk never developed its own ransomware, but rather contracted with someone else to do it for them, which is a claim Orange has made previously.

On Tuesday, meanwhile, "Groove released leaks of Fortinet VPN SSL credentials via their leak website," Yelisey Boguslavskiy and Anastasia Sentsova of threat intelligence firm Advanced Intelligence write in a new report. "The list contains 799 directories and 86,941 purportedly compromised VPN connections. The reason behind the leak is unclear."

A list of stolen Fortinet VPN SSL credentials posted to Groove on Tuesday includes 22,500 victims from 74 different countries, with 2,959 victims being U.S.-based.

Of course, it could be an attempt to raise Groove's profile and attract newcomers.

BlackMatter as Business Partner

Groove has apparently also pursued partnerships, including with DarkSide spinoff BlackMatter.

After Babuk split, "the server that Babuk used, which we will refer to as the 'wyyad' server due to the ending of the onion URL, rebranded in late August," McAfee Enterprise says. A site hosted on the wyyad server still lists victims of Babuk, as well as a Thai IT service provider that the BlackMatter operation claims as one of its victims, it says. In addition, the server also hosts a site, reachable via a different URL, that lists a single Groove victim, it says.

Given these and other clues, McAfee Enterprise says it believes "that the Groove gang is a former affiliate or subgroup of the Babuk gang, who are willing to collaborate with other parties, as long as there is financial gain for them. Thus, an affiliation with the BlackMatter gang is likely."

Another takeaway is that Groove appears to be testing a post-ransomware data extortion model.

Timing-wise, McAfee Enterprise notes that Groove is capitalizing on increasing dissatisfaction with RaaS operators among affiliates, as well as underground forums banning or restricting ransomware discussions, which has made it more difficult for affiliates and operators to connect.

A forum user receives a warning for attempting to trade ransomware. (Source: Digital Shadows)

But Orange launched RAMP with a promise to facilitate these sorts of conversations, which he now appears to be carrying through with Groove, "with the offer of new ways of working where an associate's worth was based entirely on their ability to earn money," McAfee Enterprise says.

Groove Sells More Opportunistic Model

"Time will tell if this approach enhances the reputation of the Groove gang to the level of the cybercriminals they seem to admire," it says. "One thing is clear though: With the manifestation of more self-reliant cybercrime groups, the power balance within the RaaS eco-climate will change from he who controls the ransomware to he who controls the victim's networks."

Historically, RaaS operations have been top-down affairs, structured like classic criminal pyramids - used by the Mafia and others - in which the leaders sit up top, recruit multiple tiers of affiliates, and see those affiliates pass most of their earnings to the top, Fokker says.

Now, however, "we anticipate seeing the power balance shift away from the RaaS developers and toward groups that have access to big networks, thus breaking what's been a pyramid structure, in favor of a more opportunistic model," he says. "Groove, with Orange, is an example of just that."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.