Wednesday, April 10, 2024

Typosquatting with Mikhail

The Infrastructure Boss


by Dominic Alvieri
April 10th, 2024




What does a former Boris Yeltsin-era First Deputy Defense Minister and Chief of the General Staff of the Russian Federation have to do with cybercrime and ransomware today?

Since early 2023 I have been tracking a cybercrime infrastructure that now accounts for over 800 phishing websites impersonating banks, software companies and cryptocurrency projects, deploying malware and dropping crypto stealers.

All of the 800+ phishing sites have two things in common. They are all registered with NiceNIC.NET and the WHOIS registrant organization is "Mihail Kolesnikov." 

Several registrant locations are used, including Belize and Belgrade. A few websites were also registered under the correct spelling, Mikhail, with the vast majority registered as "Mihail."
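The registrant pivot described above, as an added example that is not part of the original post or the author's own tooling: a Python script that parses constructed WHOIS excerpts (fictional domains), folds the Mihail/Mikhail transliteration variants onto one key, and clusters domains by registrar plus normalized registrant organization. The sample records, the field names and the variant table are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed WHOIS excerpts for illustration only; none of these domains are real registrations.
SAMPLE_WHOIS = [
    """Domain Name: examp1e-bank-login.com
Registrar: NiceNIC.NET
Registrant Organization: Mihail Kolesnikov
Registrant Country: BZ""",
    """Domain Name: secure-wallet-update.net
Registrar: NiceNIC.NET
Registrant Organization: Mikhail Kolesnikov
Registrant Country: RS""",
    """Domain Name: cryptoexchange-support.org
Registrar: NiceNIC.NET
Registrant Organization: MIHAIL  KOLESNIKOV
Registrant Country: BZ""",
    """Domain Name: unrelated-shop.com
Registrar: Example Registrar, Inc.
Registrant Organization: Acme Holdings Ltd
Registrant Country: US""",
]

# "Field: value" lines as most WHOIS servers print them.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", re.MULTILINE)

# Latin transliterations of the Cyrillic name Михаил, folded to one canonical token.
# This table is an assumption for the example; extend it as you see variants in the wild.
SPELLING_VARIANTS = {"mihail": "mikhail", "michail": "mikhail", "mikhael": "mikhail"}


def parse_whois(text):
    """Turn 'Field: value' lines into a dict keyed by the lower-cased field name."""
    return {k.strip().lower(): v for k, v in FIELD_RE.findall(text)}


def normalize_org(org):
    """Lower-case, collapse whitespace, and fold spelling variants so
    'Mihail Kolesnikov', 'MIHAIL  KOLESNIKOV' and 'Mikhail Kolesnikov' compare equal."""
    tokens = re.sub(r"\s+", " ", org.strip().lower()).split(" ")
    return " ".join(SPELLING_VARIANTS.get(t, t) for t in tokens)


def cluster_by_registrant(whois_texts):
    """Group domains by (registrar, normalized registrant organization)."""
    clusters = defaultdict(list)
    for text in whois_texts:
        rec = parse_whois(text)
        key = (rec.get("registrar", ""), normalize_org(rec.get("registrant organization", "")))
        clusters[key].append(rec["domain name"])
    return dict(clusters)


def hunt(whois_texts, target_org):
    """Sorted list of domains whose registrant organization matches target_org
    under the same normalization, regardless of which spelling the registrant used."""
    wanted = normalize_org(target_org)
    return sorted(
        parse_whois(t)["domain name"]
        for t in whois_texts
        if normalize_org(parse_whois(t).get("registrant organization", "")) == wanted
    )


if __name__ == "__main__":
    for key, domains in cluster_by_registrant(SAMPLE_WHOIS).items():
        print(key, domains)
    print(hunt(SAMPLE_WHOIS, "Mihail Kolesnikov"))
```

The registrant organization field is self-reported and costs nothing to spoof, so treat a cluster like this as a hunting lead to be corroborated with nameservers, registration dates, hosting and the malware served, not as attribution on its own.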

Hunters International is the latest ransomware and data extortion group to show up on this infrastructure.


Hunters International


Several of the websites were deploying Bumblebee malware along with various stealers: RedLine, and new versions of the Rilide and Fletchen stealers.

A quick look: Fletchen stealer offers the same wide array of malicious features as other stealers, including credential theft, Wi-Fi login details, browser history and cookie retrieval, along with several crypto clipper options.

Fletchen stealer is written in Rust, with simple panel access that is easy to navigate, but script kiddies beware: you need technical ability to crypt the stealer.exe file yourself.








Hunters International registered their clearnet leak site with the registrant organization "Mihail Kolesnikov" in January 2024.



WHOIS data from Hunters International


All of the malicious websites have been registered since 2022, and registrations continue under the typosquatted (misspelled) registrant organization "Mihail Kolesnikov."



Typosquatting Mikhail.




Clippers watch the clipboard for a copied wallet address and replace it with an attacker-controlled address of the same coin type. Fletchen stealer (pictured below) currently targets Bitcoin, Ethereum, Litecoin, USDC, USDT, even Dogecoin, and other cryptocurrencies.

Extension manifest permissions excerpt (the opening "permissions": [ line is implied by the closing bracket and reconstructed here; the entries are as captured):

  "permissions": [
    "history",
    "webRequests",
    "tabs",
    "clipboardWrite",
    "clipboardRead",
    "management",
    "<all_urls>"
  ],

Fletchen Stealer

Former Rilide C2 domain /silent-scale.com
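To make the clipper behaviour described above concrete, here is an added example, not Fletchen's code and not anything from the original post: format-only patterns for the coin families the post names, the substitution logic a clipper applies to a copied address, and two defender-side checks, a clipboard-monitor rule that flags a same-family address rewritten within a short window, and a final compare before a transaction is sent. All addresses, wallets and timestamps are constructed and fictional; the patterns check format only, not checksums.

```python
import re

# Format-only patterns for the coin families named in the post (no checksum validation).
# Assumption: USDT/USDC are treated as ERC-20 transfers, which use Ethereum-style addresses.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "doge": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
}

# Constructed, format-valid but fictional attacker wallets, one per family.
ATTACKER_WALLETS = {
    "btc": "1" + "ZzYyXxWw" * 4 + "V",
    "eth": "0x" + "cd34" * 10,
    "ltc": "L" + "ZzYyXxWw" * 4 + "V",
    "doge": "D8" + "ZzYyXxWw" * 4,
}


def classify(text):
    """Return the coin family a clipboard string looks like, or None if it is not an address."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def clipper_swap(clipboard_text, wallets=ATTACKER_WALLETS):
    """The clipper's core logic, shown for understanding only: leave the clipboard alone
    unless it holds a wallet address, then substitute an attacker address of the same family
    so the victim pastes something that still looks right for the coin they are sending."""
    family = classify(clipboard_text)
    if family is None or family not in wallets:
        return clipboard_text, None
    return wallets[family], family


def detect_clipboard_rewrite(events, window_ms=500):
    """Defender side. events is a list of (timestamp_ms, clipboard_content) snapshots.
    Flag when an address is replaced by a different address of the same family within
    window_ms: a human does not re-copy a new wallet address that fast, a clipper does."""
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        fam_before, fam_after = classify(before), classify(after)
        if (fam_before is not None and fam_before == fam_after
                and before.strip() != after.strip()
                and 0 <= t1 - t0 <= window_ms):
            alerts.append({"family": fam_after, "original": before.strip(),
                           "replacement": after.strip(), "delta_ms": t1 - t0})
    return alerts


def verify_before_send(copied, pasted):
    """Last line of defense before broadcasting a transaction: the address in the send
    form must be exactly the one the user copied, not merely one of the same format."""
    return copied.strip() == pasted.strip()


if __name__ == "__main__":
    victim_btc = "1" + "AaBbCcDd" * 4 + "E"      # constructed victim address
    swapped, family = clipper_swap(victim_btc)
    print(family, swapped)
    clipboard_log = [(1000, victim_btc), (1120, swapped), (5000, "meeting notes")]
    print(detect_clipboard_rewrite(clipboard_log))
    print(verify_before_send(victim_btc, swapped))
```

The detection rule is deliberately narrow: two different addresses of the same family appearing back to back within half a second is a strong clipper signature with very few benign causes, whereas alerting on every crypto-address copy would be noise. The send-time compare is the check a wallet UI or a cautious user should make regardless.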

A full report will be out in the next month or so detailing the Chinese registrations and Russian C2s associated with all of these "Mihail Kolesnikov" websites and malware.


The Cyber Show, by Dominic Alvieri



Dominic Alvieri
X @AlvieriD



Monday, February 19, 2024

The Part Timers

The Part Time Ransomware Groups.


by Dominic Alvieri
February 18th, 2024



It seems like everyone is attacking critical infrastructure these days. There are several nation states and 12 currently active ransomware groups that have attacked critical infrastructure around the world. Here are 7 of the 12 active ransomware groups:

ALPHV BlackCat
Black Basta
Hunters International
LockBit
Play Ransomware
RansomHouse
Rhysida Ransomware

Can you name any of the other 5?

Remember the dentist/part time ransomware operator?


There may be another dentist deploying ransomware. Or maybe even a slick lawyer. The rash of bad actors attacking critical infrastructure has to be dealt with immediately. 

Who are these part-time ransomware operators, and why should we make examples of them? I am tracking several of these groups and can safely say it wouldn't take long to take down at least 2 of the 5 groups I mention below. I predict that at least one of the groups listed below should be comfortably viewing life from behind some cold steel bars sometime this year.

Attacking critical infrastructure should be heavily penalized and actors jailed for so long that it should never cross the pea brain of any ransomware idiot. 

What is a part time operator?


A part-time ransomware operator attacks and posts fewer than about 8 victims per month, by my definition and for the purposes of this analysis. The part-time operator more than likely has another job or profession in addition to breaching companies.

Cuba Ransomware would be a perfect example but is exempt from this discussion due to its backing, which it is fairly safe to say stems from the Russian government and has nothing at all to do with Cuba.




Who are the part time ransomware operators?


Qilin Ransomware

Infrastructure breached - Electric utility


Qilin started quietly on the ransomware scene in 2023 but has ramped up and is set to graduate to full-time operator. Business is good for Qilin, who breached and evidently negotiated with Electric Power of Serbia, posting and removing the utility several times before finally leaking them.

Qilin appears to have quit his day job and is about to deploy ransomware full time: 17 posts year to date through the first 6 weeks of 2024.


Qilin Ransomware.





Lorenz

Infrastructure breached - Hospital




Strictly business includes critical infrastructure.

Lorenz is a classic part-time operator. A dentist? Probably not. Lorenz has more technical skill than some of the other part-timers. I could write a whole other article about Lorenz, but for the purposes of this topic let me just say that Lorenz has also breached critical infrastructure in Cogdell Memorial Hospital.

Daixin Team


Infrastructure breached - Hospitals, health networks & water districts


Daixin is the worst of the part-timers. Daixin is not a dentist, not by far. I would define the group as the state-sponsored, nastier version of Cuba; I say this with a moderate degree of certainty based on some of their TTPs. Daixin has the most experience and is probably the most likely group on this list to continue to cause havoc.

A majority of the Daixin Team attacks have been against critical infrastructure.

Here is a visual snapshot of Daixin critical infrastructure attacks:




Fitzgibbon Hospital cyber attack.


OakBend Medical Center cyber attack.


Meow Leaks (seriously)

Infrastructure breached - Hospital


Meow Leaks breached Vanderbilt University Medical Center early in 2023, before creating their leak site later in the year. It is difficult to take a group calling itself Meow seriously, but they have attacked critical infrastructure, and eventually I will take a deeper look at the group.


Vanderbilt Health cyber attack.


Money Message

Infrastructure breached - Hospital


Anna Jaques Hospital cyber attack.

The Money Message group came on the scene in 2023 and joins the not-so-famous list by breaching Anna Jaques Hospital. MM also breached a major dental company in 2023, so this may not be the first or last venture toward critical-level companies.

Money Message is trying to stay quiet behind the scenes, but they are now on the radar.

Something has to be done.

Examples have to be made of these bad actors; otherwise every pimple-faced ransomware wannabe may start attacking critical infrastructure. That will not end well.



The Cyber Show 

Dominic Alvieri

X - @AlvieriD 

Wednesday, January 17, 2024

Where Are They Now?

The Conti Boys


By Dominic Alvieri
1/14/2024


Where Are They Now?


Ransomware groups have come and gone, but few have continued to resonate across the criminal ransomware spectrum like the former members of Conti Ransomware. We all know the name, so let's cut to the chase.

Where are members of Conti? Start with the list below.

The list below does not include leaked-source-code offshoots like Monti or any others. All of the following groups can be attributed to former Conti members.

In alphabetical order:

Akira Ransomware, Black Basta, Black Byte, Black Suit (Royal Ransomware),  Karakurt Team, Three AM



Royal on the run.

Royal on The Run


Royal Ransomware was arguably on the run after its attack on the City of Dallas, Texas, and has rebranded as Black Suit. Royal Black Suit, if you like. Black Suit is active again.



Karakurt on an extended vacation.


100 Days Without Fam


By all accounts Karakurt has been inactive for over 100 days now. No posts. No attacks. No nothing.

So what happened? No speculations please.



Karakurt Team in high level discussions.






Black Byte Bitten


The Black Byte leak site was only active for a few hours over the past 2 months, producing nothing more than a black-and-white logo change. That's it. I don't expect Black Byte to rebrand. Time will tell, as it always does.




Akira Ransomware


Akira, Akira. Not my favorite. Why don't we call him angry Conti. Angry Conti has set up his own thing, including a cool retro site. Just a reminder that this cool retro site is trying to peg your system and steal your credentials as you browse their leak site. Phish your visitors: great evil business model.




Black Basta


If there was ever a racist Conti, this is it. More hateful. Targeted. The question is whether Black Basta will retool or rebrand after the "Basta Busta" decryptor was released. LockBit proved that you can continue without rebranding. Black Cat ransomware is also challenging what you would think to be the norm.





Black Basta was named by one of the most racist white guys ever. 





There are arguments to be made to include a few other names and strains. I feel like I missed a name or two.

Don't mount a locker or hack illegally.



The Cyber Show.


Dominic Alvieri X- @AlvieriD

Saturday, December 30, 2023

2023 Record Ransomware Group Totals and Who to Watch in 2024

New Groups to Look Out for in 2024


By Dominic Alvieri
December 31st, 2023

2023 Ransomware group totals


By all accounts it has been another record year for ransomware across the board: hospitals, schools, large cities and small towns. With one day left in 2023, here is the unofficial top 5 of ransomware groups by victims posted in 2023, by my count. These are only the posted victims that we know of.

Both LockBit and Black Cat have posted new victims while I have been typing this blog so these numbers are fairly accurate:

LockBit 1031
ALPHV BlackCat 432
Clop Ransomware 388
Play Ransomware 314
BianLian 255

-- Other notable rising posters in the top 10 include Akira and Medusa Team.


Where are they now?



Hive Ransomware


Hive Ransomware was one of the 3 ransomware group disruptions in 2023; the Hive takedown produced no arrests.

Hive Ransomware was the first ransomware group disruption, in January of 2023. New self-proclaimed ransomware and data extortion group Hunters International is using such a close match to a Hive strain that the group even posted a rebuttal on their leak site blog denying the accusation.


Hunters International


ALPHV Black Cat holiday seizure, c/o Brian Krebs article.

Hunters have already emailed extortion threats to hospital cancer patients in December of 2023. 

Enough said.

BlackByte


BlackByte


BlackByte has been offline for over 2 months now, with only a brief showing of their new white-colored logo before they disappeared again. BlackByte has been creating custom tools like their ExByte data exfiltrator and branded logos like the ones pictured above.

If BlackByte is not running from the law, they should be back menacing companies.

Royal Ransomware


Royal ransomware on the run.


Royal Black Suit


In a wildly unpopular blog that I rewrote several times and have been unable to publish here for some reason: Royal Ransomware is on the run and has rebranded to Black Suit. Comparing their binaries, they match, and Royal has taken down their old leak site for the better part of the end of the year.

Royal has also recently taken down their victim portal and has started to post more frequently on their Black Suit leak site, hence the name I have given them, Royal Black Suit.

Vice Society




One of my favorite logos and most hated groups has been Vice Society. Vice has not posted for over 3 months now, with their main leak site down for a majority of that duration. Vice Society pulled down all of their backup leak sites right before the ALPHV BlackCat Ransomware leak site seizure.

There have been some rumors and talk of Vice Society rebranding, and they do resemble a new group, which I will cover in more detail early in 2024.

NoEscape



NoEscape, formerly Avaddon, has pulled an exit scam.


Groups to Watch for in 2024



In no particular order, here are some of the new groups that have created a stir and that defenders should be aware of. More detailed profiles along with TTPs will be out early in 2024.

Akira Ransomware, Hunters International, Cactus & Rhysida.

Sunday, November 5, 2023

Clop Ransomware is Not Acting Like CL0P

Clop is back again, or are they?


Clop Ransomware isn't acting like CL0P

By Dominic Alvieri
11/3/2023

Will the Real Clop Please Stand Up


The group behind the hack of the year is back, or are they? After an odd 6-week hiatus in the middle of the hack of the year, CL0P Ransomware is back posting companies on their leak site and full torrent leaks on their torrent leak site. Is this the real Clop?



Clop Ransomware is the group of the year.


The once cocky and sh*tposting Clop I thought I knew has changed dramatically. The only story is "we want money for our work." Once quick to call out the BBC in reference to a post, now this Clop doesn't seem to know the difference between a leak via Tor and a torrent.

On Saturday, November 4th, Clop Ransomware posted an updated post on Sweet Lake Land and Oil Co, publishing full files via torrent. Today, Sunday the 5th of November, they have changed the updated post to say the files were published via Tor. Again. Evidently this Clop doesn't know the difference between a leak via Tor and a torrent.






CL0P Ransomware has not published any torrents on their torrent leak site since the last company published via torrent, which was a healthcare-related company late in October.

The Clop Ransomware torrent leak site was taken down on November 1st.

This is heavily speculative, but it is almost like the real operator was arrested on an unrelated charge and is now trying to explain to a friend or relative how and what to post. Either that, or Clop has been seized and I am ruining the attempted honeypot. Either of the two speculative scenarios above would explain the extreme tactical and functional errors taking place. Unless you think Clop had a slight change of heart and is kinder, gentler and a lot less technically capable.

I have sent CL0P an email for a response, but to no avail. I do not believe this is the same Clop Ransomware currently posting. The next few weeks will tell whether there is a new zero-day they are exploiting and they are too busy to know the difference between Tor and a torrent, or whether something else is going on.

Stay safe, online and off.


The Cyber Show by Dominic Alvieri.


The Cyber Show

@AlvieriD
alvierid@infosec.exchange
  



Sunday, August 13, 2023

Ransomware Groups May Soon Get Their Hands on Your Fingerprints.

You have to give us your fingerprint


By Dominic Alvieri
Aug. 13th, 2023



Give me your fingerprint or you are fired.


"You have no choice, the company is switching over."


Imagine being forced to give your biometric fingerprint to a third party. Now imagine your employer mandating this and you having no choice in the matter. Well, imagine no more.

Meet the Kronos biometric fingerprint time clock. Can you guarantee that my biometrics are safe? Where is the security answer, please?

I am so opposed to this and I can't do a thing about it. Being forced does not constitute consent.

For the record I object again. 




Which finger?


Point in fact: Kronos settled a lawsuit in 2022 stemming from their data breach in 2021.

Millions of workers are being forced to hand over their fingerprints. There is no consent. You are required to abide by company rules and companies are switching over to fingerprint readers because Kronos is switching over to biometric time clocks. 

Period. You have no choice. Once again I am so against this.






Fairly soon ransomware groups may be able to get their hands on your fingerprints.

I cannot state this point any clearer, you have NO choice except to clock in with your finger. 

I am strongly opposed to the forced relinquishment and collection of biometric data.

Stay safe.





Dominic Alvieri

@AlvieriD

The Cyber Show 

Tuesday, June 13, 2023

The Mushroom Policy

Is Obstructing Security Obstructing Justice?


by Dominic Alvieri
June 13th, 2023

Mushroom Policy. 


What does a mushroom have to do with cybersecurity?

Let's put a name to what has been going on in the corporate world regarding ransomware attack communications. Yes, I said ransomware. The Schneier blog just put out an excellent short post on some of the legal tactics behind some of the recent delays for incident responders and security efforts.

How does one grow mushrooms? 

If you know how to nurture mushrooms, you're wanted in corporate public relations departments around the globe. In most cases, to grow mushrooms you keep them in the dark and feed them a lot of crap. Literally, that's all you have to do. Very much like the lawyer-fed communication orders given to PR rooms to disseminate lately.

"to grow mushrooms you keep them in the dark and feed them a lot of crap."


In many cases I don't believe every company would come forward if samples, flashes or the exfiltrated data itself didn't leak out. Many companies wouldn't say a word about it. After being confronted, several companies have come forward with vague, crafted statements months after the fact. Truth be told, sometimes it does take time to do a complete forensic investigation.

Don't mention or use the word ransomware; say "cyber incident." It sounds better. They didn't name names.

The Ostrich Policy

You could just bury your head in the sand and hope it goes away.


Employees of Highland Homes in Texas reached out in April saying that their bosses kept denying the ALPHV BlackCat posts claiming the group had breached the company. BlackCat finally dumped alleged company data a few weeks ago in late May.



Accountability

If you are going to make money off of my data, you have to protect it better. Stand up and be the good corporate citizen we always hear about.


Stay safe. 

Dominic Alvieri 
@AlvieriD
