From data leaks to group fallouts, the trials and tribulations of ransomware collectives generate a lot of buzz in traditional media outlets and cybersecurity news platforms alike. Many of the ransomware-related scandals result from different groups making opposing claims, affiliates accusing operators of deception, or leaders making promises that ultimately prove to be worthless. For instance, recently we’ve had groups denying links to other gangs (despite strong evidence from security researchers), groups misidentifying their victims, and allegedly extinct groups rising from the ashes. Ransomware groups are as trustworthy as they are ethical, which makes it difficult for researchers to sort fact from fiction. We must treat every new development within the ransomware landscape with a healthy dose of skepticism, and use the experience we’ve gleaned from many years of tracking these groups to assess the likely credibility of new claims. In this blog, we’ll take a look at some examples of when ransomware groups have confused watchers and blurred the boundaries between truth and lies, and think about how we can best tackle the issue of untrustworthiness in our analysis of these collectives.
Ah yes, LockBit — everyone’s favorite ransomware group. This group first appeared in September 2019 under the name “ABCD ransomware” and progressed into LockBit 2.0 in June 2021. The first half of 2022 has seen multiple interesting developments in this collective’s trajectory. Some are pretty clear-cut and undebatable. For example, in late June 2022, LockBit officially released LockBit 3.0, an improved version of its malware that will allegedly help it become the “world’s fastest and most stable ransomware”. Around the same time, the group created several new mirror websites to ensure that LockBit’s operations remain online as much as possible. The new sites also introduced the option of paying ransoms in the cryptocurrency Zcash, which cybercriminals favor because its shielded transactions can be verified on-chain without revealing the sender, receiver, or amount. So far, so good on LockBit’s claims.
The change that really got the security industry talking was the group’s unveiling of a bug bounty program. This scheme offers rewards starting from USD 1,000 for security exploits, personally identifiable information (PII), or information on high-value targets. Immediately after the announcement, members of cybercriminal forums began questioning the program’s legitimacy. They debated whether LockBit would be true to its word and actually pay out for submitted findings. Others wondered whether participants in the bug bounty scheme might risk punishment under Russian law for developing plans and creating conditions for the commission of crimes by organized criminal groups, or whether a participant might be sued by the “victims” they share information about. On one forum, LockBit’s representative set out the case for the group’s trustworthiness, favorably comparing the group’s scheme to the bug bounty programs offered by large technology companies, which pay only “5-10k for critical vulnerabilities”.
It remains to be seen whether LockBit will cough up as a result of a submitted disclosure; as security researchers, we are still in “wait and see” mode. Threat actors themselves appear to be retaining their doubts: In a 04 Jul 2022 cybercriminal forum thread, a user jokingly asked whether LockBit will pay the security research firm Malvuln for finding a “Buffer Overflow” vulnerability on the LockBit 3.0 data-leak site. LockBit has failed to respond thus far, but one forum user compared the ransomware collective’s operations to the Aesop fable “The Boy Who Cried Wolf” (see Figure 1), indicating frustration and a lack of trust in the underground community. LockBit has a long history of playing fast and loose with its promises: The group has frequently promised to release data when a timer counts down to zero, only to reset the clock once the counter reaches the end.
Looking back at LockBit’s track record provides plenty of justification for our unwillingness to immediately believe LockBit’s promises. Take the June 2022 controversy involving LockBit, Evil Corp, and Mandiant. Speculation began to spread that Evil Corp—a financially motivated cybercriminal group active since 2007—and LockBit had been working together. The cybersecurity firm Mandiant published a blog that alleged Evil Corp was using LockBit’s ransomware in its attacks to evade the sanctions that the US Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed on Evil Corp, which make it legally risky for US-based victims to pay ransoms to the group. In response, LockBit created a new post on its data-leak website that threatened to release 356,841 files allegedly stolen from Mandiant (see Figure 2), along with a timer counting down to the file publication time. When the timer hit zero, many expected to see actual Mandiant data. Instead, LockBit released .txt files containing a statement responding to Mandiant’s blog. The statement dismissed allegations about links to Evil Corp, claiming that some of the tools these two groups use are available on publicly accessible websites and platforms, such as GitHub. It argued that overlap in publicly available tooling cannot by itself establish that the same group conducted an attack.
This trick was not without consequences: Cybercriminal forum users responded to the stunt by criticizing LockBit for not delivering on its promises, posting false data, and not releasing information when the time was up. Members emphasized that this was a common problem with LockBit, posting memes about LockBit failing to deliver on its promises (see Figure 3).
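The timer behavior described above (deadlines that are reset, quietly withdrawn, or “honored” with a text file instead of data) is something a leak-site monitoring pipeline can measure rather than just recount. The following is an added example, not code from the original post or from Digital Shadows/ReliaQuest: it replays repeated scrapes of victim entries, counts how often a displayed deadline is pushed later without a release, and produces a per-group follow-through rate. The group and victim names, the scrape timestamps, and the one-hour `GRACE` tolerance are all constructed assumptions for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Observation:
    """One scrape of one victim entry on a data-leak site."""
    group: str
    victim: str
    seen_at: datetime                # when the scraper fetched the page
    deadline: datetime | None        # countdown target shown on the post, None if no timer
    files_linked: bool               # True only if the post links actual stolen files


# Tolerance for scraper lag and minor clock skew before a deadline counts as missed
# or a later deadline counts as a reset (assumed value; tune to your scrape cadence).
GRACE = timedelta(hours=1)


def assess_victim(observations: list[Observation]) -> dict:
    """Replay one victim's observations in time order.

    Returns the latest status ("pending", "published", "missed" or "withdrawn")
    and how many times the displayed deadline was pushed later without a release.
    """
    resets = 0
    status = "pending"
    last_deadline: datetime | None = None
    for o in sorted(observations, key=lambda x: x.seen_at):
        if o.files_linked:
            status = "published"        # the promise was kept; stop replaying
            break
        if o.deadline is None:
            # Timer gone but nothing released: the post was quietly pulled
            status = "withdrawn" if last_deadline is not None else "pending"
            continue
        if last_deadline is not None and o.deadline > last_deadline + GRACE:
            resets += 1                 # the clock was reset after it had been set
        last_deadline = o.deadline
        status = "missed" if o.seen_at > last_deadline + GRACE else "pending"
    return {"status": status, "resets": resets}


def group_report(observations: list[Observation]) -> dict[str, dict]:
    """Aggregate per-victim outcomes into a per-group follow-through rate."""
    by_victim: dict[tuple[str, str], list[Observation]] = defaultdict(list)
    for o in observations:
        by_victim[(o.group, o.victim)].append(o)
    report: dict[str, dict] = {}
    for (group, _victim), obs in by_victim.items():
        g = report.setdefault(group, {"victims": 0, "published": 0, "missed": 0, "resets": 0})
        result = assess_victim(obs)
        g["victims"] += 1
        g["resets"] += result["resets"]
        if result["status"] in ("published", "missed"):
            g[result["status"]] += 1
    for g in report.values():
        g["follow_through_rate"] = g["published"] / g["victims"]
    return report


# Constructed sample scrapes (hypothetical groups and victims, not real leak-site data).
T0 = datetime(2022, 7, 1, 12, 0)
H = timedelta(hours=1)
SAMPLE = [
    # group_a / victim-1: deadline pushed back twice, then simply missed
    Observation("group_a", "victim-1", T0, T0 + 48 * H, False),
    Observation("group_a", "victim-1", T0 + 49 * H, T0 + 120 * H, False),
    Observation("group_a", "victim-1", T0 + 121 * H, T0 + 200 * H, False),
    Observation("group_a", "victim-1", T0 + 202 * H, T0 + 200 * H, False),
    # group_a / victim-2: files released on schedule
    Observation("group_a", "victim-2", T0, T0 + 24 * H, False),
    Observation("group_a", "victim-2", T0 + 25 * H, None, True),
    # group_a / victim-3: timer removed, nothing released
    Observation("group_a", "victim-3", T0, T0 + 24 * H, False),
    Observation("group_a", "victim-3", T0 + 30 * H, None, False),
    # group_b / victim-4: scrape lands just after the deadline but inside GRACE, then release
    Observation("group_b", "victim-4", T0, T0 + 24 * H, False),
    Observation("group_b", "victim-4", T0 + 24 * H + timedelta(minutes=30), T0 + 24 * H, False),
    Observation("group_b", "victim-4", T0 + 26 * H, None, True),
    # group_b / victim-5: still counting down
    Observation("group_b", "victim-5", T0, T0 + 72 * H, False),
    Observation("group_b", "victim-5", T0 + 70 * H, T0 + 72 * H, False),
]

if __name__ == "__main__":
    for group, stats in group_report(SAMPLE).items():
        print(group, stats)
```

Two design points matter in practice. First, `files_linked` should be set only when the scraper finds real archives or file listings, not a countdown that reached zero, otherwise a statement `.txt` dropped at deadline (as in the Mandiant case) would be counted as a kept promise. Second, the `GRACE` window prevents a scrape that lands a few minutes after the deadline from being scored as a missed release; a group whose resets cluster just after each deadline, as opposed to well before it, is the pattern worth flagging to analysts.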
Another ransomware group that is no stranger to controversy is Conti, an experienced and successful collective that first appeared in late 2019. In May 2022, Conti announced on cybercriminal forums that it would be halting its operations and closing its affiliate program. Many observers thought this had been on the cards for some time: There were rumors of internal rifts after Conti released a statement supporting Russia in the Ukraine war, and at the end of February 2022 a Ukrainian cybersecurity researcher published over 60,000 messages allegedly taken from the backend of a Jabber server that Conti used for internal communications. Yet the prominence of the group—which conducted the second highest number of attacks in Q2 2022 out of all the ransomware groups we monitor (see Figure 4)—prompted predictions that the group’s shutdown was not entirely as it seemed. Some forecast that Conti had not really shut up shop, and that the group would soon reappear under a new name.
Even before the Conti shutdown, cybersecurity researchers had started speculating about a tie between Conti and the ransomware groups Hive and AlphV because of similarities in the collectives’ attacks and targets. After the May 2022 closure announcement, observers wondered whether Conti’s operators intended to create smaller, autonomous groups, which could allow members to continue conducting attacks with less chance of detection than a mammoth, infamous collective. Such a scheme might also allow the groups to combine a ransomware-as-a-service model with new malware capabilities, maximizing agility and effectiveness while avoiding attack patterns that are easily mitigated.
Another theory holds that former members of Conti and the REvil (aka Sodinokibi) ransomware group—the notorious collective responsible for the July 2021 attack against technology firm Kaseya—now run the ransomware group Black Basta. This relative newcomer to the ransomware scene accounted for the fourth highest number of attacks in Q2 2022 of all the groups we monitor (see Figure 4). Proponents of this hypothesis point to similarities between the groups’ data-leak sites, payment systems, and affiliate behavior. Users on cybercriminal forums, including an official LockBit representative, also weighed in on the debate. The LockBit representative characterized the developments as the creation of different Conti divisions, rather than a rebranding into Black Basta. The true nature of the groups’ association may become clear over time; we have seen multiple examples in the past of ransomware groups changing their names in order to continue operating. For their part, Conti denied the allegations during the “For Peru” Black Basta campaign.
It’s hard to think of many developments relating to ransomware groups that haven’t been murkily mired in confusion and doubt. One of the few that springs to mind is the ransomware collective AstroLocker’s declaration that it would halt its ransomware operations and pivot instead to carrying out cryptojacking attacks. Following this announcement, the group released the decryptor for its malware, which is about as much “proof” as we’re ever going to get that a ransomware gang will stick to its word. Perhaps this quagmire of uncertainty is all by design; it may be in ransomware groups’ interests for researchers, law enforcement, and potential victims to never quite know what the gangs are up to and how they will behave during and following negotiations. The ransomware collectives can exploit the unpredictability, keep us on our toes, and prevent us from fully obeying the security commandment “Know Thine Enemy”.
That said, following ransomware groups closely and trying to discern trends and patterns that can help us identify the most likely scenarios is our best chance of successfully defending against this threat. Digital Shadows (now ReliaQuest) monitors ransomware groups on a daily basis, tracking their victims, announcements, behavior, and related chatter. If you’d like to take advantage of this intelligence, as well as countless other insights into the dark web and cybercriminal underworld, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.