February 20, 2024
As we observed in a recent blog on ransomware franchising, ransomware groups often behave like legitimate companies. Large or small, each group needs a certain number of capable employees to cover all the functions of a ransomware operation. A group may comprise multiple members specializing in malware development, reconnaissance, payload delivery, encryption, negotiation, cashing out, strategy, and operations management. Just like their non-criminal counterparts, effective and successful ransomware groups seek to hire the best talent for the job. After all, there’s no point in having the quickest ransomware executable if your team can’t deliver it to a victim’s network. Unlike legitimate companies, however, ransomware groups can’t just turn to professional networking and recruitment platforms to find cybercriminal talent. So how do ransomware groups navigate recruitment in a world where secrecy and anonymity are key? In this blog, the first in a series on cybercriminal recruitment, we’ll take a look at the various ways groups mine the threat actor talent pool via their own websites and cybercriminal forums.
The most obvious way ransomware groups recruit is via their own public-facing data-leak sites (DLS), where they publish news of their victims and list their contact details. This is especially true for groups that practice double extortion (stealing sensitive data in addition to encrypting victims’ systems). Rather than a dedicated advert listing the conditions and benefits of joining, the group may have a simple “Contact Us” form on the site for applicants to provide their contact details and the cybercriminal equivalent of a cover letter. The thinking here is probably that a successful group doesn’t need to sell itself to encourage new people to join: It can attract talent through its reputation alone. Further interaction takes place at the group’s discretion. If the group likes the applicant, it’ll move them to the next stage (likely an anonymous interview). Unsuccessful applicants shouldn’t expect to get any “constructive criticism” as feedback. We’ll call you.
Alternatively, the DLS may not have any indication of how to join the group, and might only provide contact details for encrypted email services or instant messengers. Not listing a specific application process may serve as a pre-interview test, eliminating those greener applicants who need things spelled out for them. Experienced partners will know exactly what to do, and experience in the ransomware game is just as sought after as in any other industry.
These discreet methods are all well and good if the applicant is already interested in the group and simply wants to initiate contact. But there are good reasons for groups to be a bit more explicit. Firstly, more detail is important when trying to attract potential applicants who are just testing the water and looking to break into the scene. Secondly, groups need to stand out to attract experienced affiliates. The ransomware game is a seller’s market: It’s very competitive, with more than 100 groups active over the past year.
Some groups lay out the job description, working conditions and benefits, and company history. Market leader LockBit takes this approach. Its 2,376-word “Affiliate rules” page has been a mainstay of its site for years and has been frequently updated as the group has developed and improved its ransomware as a service (RaaS) affiliate program. At the time of writing, the page describes the LockBit ransomware executable, the group’s targeting methodology, its rules and prerequisites, and pay benefits for affiliates (currently a cool 80% of a collected ransom), then provides specific instructions for creating an application. This approach certainly isn’t unique to LockBit; the Petya and Metya ransomware group advertised its then-new RaaS program in a similar manner in 2016.
We’ve covered the various approaches groups take once a potential applicant has landed on their website and gotten the group’s contact details. But how do they attract website visitors in the first place? After all, their websites are normally hosted on a .onion URL that search engines don’t index, and Googling “ransomware jobs near me” probably isn’t going to give helpful results (I tried). This is where a group’s presence on a cybercriminal forum comes in. Many ransomware groups have a strong and explicit presence on these forums. The forum accounts’ profiles use the groups’ names as their aliases and the groups’ logos as their profile pictures. The representative may maintain pinned threads on these forums that contain a description of the group’s RaaS program and benefits for partners, along with contact information. These may be targeted at specific roles (e.g. “our team needs a new back-end developer”) or they may simply provide a brief description of the group without specifying the roles they’re looking to take on. However, as we mentioned in our blog on how forum life has adapted to the 2021 ransomware content ban, not all forums allow the same level of detail in a RaaS advertisement thread. On the high-profile Russian-language forums Exploit and XSS, for example, groups can only write that they are “looking for pentesters” and must refrain from mentioning the word “ransomware”. Yet on the ransomware-friendly forum RAMP, groups can give as much detail as they like. Take a look at how the AvosLocker ransomware group’s RaaS advert differs between XSS and RAMP.
Cybercriminal forum threads also allow for current or former affiliates to provide reviews of working with the groups. A positive review from a credible user almost certainly boosts a group’s profile. A negative review will almost certainly cause interested parties to distrust it. Even worse, a disgruntled affiliate could accuse the group of not paying its affiliates and initiate a claim against the group’s representative in the forum’s arbitration section. If the group loses the case, as we saw with the now-defunct group DarkSide, it would be a major blow to the group’s reputation and it would lose most, or all, of its forum deposit, depending on how much money it owed to affiliates.
Some groups are so well-known on forums that they may not even need a dedicated advertisement thread. LockBit chooses to simply maintain a forum presence and rely on its reputation alone; aspiring affiliates likely send the representative a forum private message. While LockBit doesn’t have an official forum advertisement for its RaaS program, it does conduct some interesting marketing. In September 2022 it promised to pay USD 1,000 to any cybercriminal forum users who got a tattoo of the LockBit group logo. Surprisingly, at least three users did. Talk about brand awareness… Only big, established groups can take this style of approach; smaller and newer groups must recruit more explicitly and build a reputation within the cybercriminal community first.
The forum representatives of LockBit, Alphv, and AvosLocker are clearly linked to their groups, either by using the group name or logo in their profile. But it appears that some groups may have taken a more anonymous approach to sharing their DLS address by asking “does anyone know the URL for X group” in a thread called “ransomware data leak sites” on one cybercriminal forum. Other forum users suspect that these individuals actually belong to the groups in question. Maybe the group’s representatives are trying a sort of undercover marketing campaign to generate a buzz about their group and get the cybercriminal community searching for their DLS.
Regardless of whether these adverts appear on forums or a group’s DLS, these types of advertisements and marketing come from ransomware operators and are primarily aimed at ransomware affiliates. An affiliate may be one highly skilled individual operating as a “one man band”. They can cover everything from initial access, delivery, encryption, and exfiltration, but just need a trusted ransomware executable to operate. However, many affiliates are actually teams comprising multiple members with specific roles. As the affiliate gets more successful, they’ll take on new team members to get through more attacks. So how do these affiliate teams recruit?
Like operators, they turn to cybercriminal forums. It appears that the component most sought after by affiliate teams is initial access to corporate networks. Traditionally, this is simply purchased ad hoc, with affiliates opportunistically picking from the initial access offerings listed by brokers on the most prominent cybercriminal forums. However, we’ve noticed in the past year or so that teams seem to be looking for “in-house” initial access providers, essentially getting rid of the brokerage aspect and dealing with the provider directly. In this way, they have more control over the companies they target. They can direct the provider to target a specific company of their choice, rather than having to rely on winning an auction process for an access listing that pops up on a forum. Affiliates may choose to pay their access providers a flat fee per access or a percentage of the profits generated from ransoming the victim.
Alternatively, instead of creating a job advertisement on a forum, affiliates can turn to the ready-made solutions offered by the service providers themselves. Forums’ Freelance and Work sections abound with threads in which users offer up their skills. There are certainly some niche services being offered… Recently, we saw one user advertising business and financial analysis services in which they provide an analysis dossier assessing how much a victim would actually be able to pay based on its reported revenues and exposed copies of departmental budgets. This enables ransomware groups to waste less time targeting companies who can’t afford to pay a ransom, and gives them more knowledge to leverage during the negotiation phase.
Another interesting listing saw a user offering up their linguistic services to American and Chinese affiliate teams wishing to work with high-profile Russian-speaking ransomware groups that explicitly state they only work with Russian speakers. The user would work as a sort of in-house liaison officer so that the affiliate would be allowed to work with the operator.
By tracking which services and roles ransomware groups are trying to recruit, Digital Shadows (now ReliaQuest) keeps track of ransomware market growth, trends, and capabilities. If a group goes on a hiring spree, we could expect it to increase the rate or scale of its attacks. Digital Shadows (now ReliaQuest) monitors ransomware groups and cybercriminal forums on a daily basis, tracking their victims, announcements, behavior, and related chatter. If you’d like to take advantage of this intelligence, as well as countless other insights into the dark web and cybercriminal underworld, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly updated threat intelligence library providing insight on this and other cybercriminal trends that might impact your organization and help security teams stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.