Wednesday, July 3, 2024

Are You Trollin Me?

 Did Black Suit Ransomware just try to troll me?


Black Spade.

by Dominic Alvieri
July 3rd, 2024


The story goes a little something like this...


/Conti_Royal_BlackSuit/
                       |_BlackSpade/


That random mixed-letter-and-number social media account chimes in. To make a long story short, several people, both known and unknown to me, recently mentioned the same thing: "...a guy from Black Suit started his own group and is responsible for a major incident. The group is called Black Spade."

Who is Black Spade?




The Royal (Ransomware) Flush


Black Spade would be the continuation of the group formed by a former Conti member who created Royal Ransomware, rebranded it to Black Suit, and is now either planning a spinoff or another rebrand under this new, alleged Black Spade name.

Black Suit was attributed to the recent damaging CDK cyber incident. A CDK spokesperson originally said "it will take months to fully restore our network," and now they will be up and running by July 4th. Now that the incident appears to be over, I think it is important to bring this to light. Bad actors, with or without ransomware, will lie, cheat and steal to get the money they feel entitled to. They will even try to bribe or fool a researcher, reporter or analyst into making false statements during a ransom negotiation to influence the outcome. Millions of dollars are at stake.

Is there a Black Spade? The Major Plot Twist


I really had the feeling I was being trolled. A pro-level troll. Royal payback, if you will. Contacted during a major incident, with a major plot twist in the middle of alleged negotiations. I have never heard of such a thing. It is also rare for a group to willingly give out their new spinoff and/or rebrand name beforehand. It defeats the purpose.

So is there a Black Spade? Not yet. The new Black Spade claims came a day or two before CDK's sudden positive change in tone about the cybersecurity incident. Once again, CDK was never posted by Black Suit, and they should be fully operational by Independence Day, July 4th, which is tomorrow.

Once again, two individuals mentioned the same name on the same day with bold new claims: the new group called "Black Spade" was a former or current Black Suit member with a major victim. I asked for something concrete, an IoC, a new strain, anything that could back the claim. With a claim like that you have to produce a ransom note, a data sample, a leak post or some other evidence.




I had a feeling I was communicating with Royal, who is probably still a little sore at me from the old Twitter days, when Royal was known online as @LockerRoyal before being suspended.

I need some proof of compromise, a ransom note or something 


For those of you who do not follow threat actors as closely as I do, here is a little backdrop. Black Suit recently set a record (for them) by posting 9 new victims in a day, plus a re-leaked school district that had been posted before, as their 10th post for the day. Black Suit has never posted 10 victims in a week, or anywhere near that frequently on a monthly basis. It did look like Black Suit was cleaning house and possibly preparing to rebrand and/or exit.

Skeptical, I told both the security researcher and the person I now presume to be the threat actor that I would put a feeler post out in a few hours mentioning the new threat group, but that I needed something solid before going any further. It's not a new ransomware group without a new strain, so it isn't Black Spade Ransomware, but it sounded somewhat feasible and a possible threat.



My post above


Careful not to create a major stir, I toned down the threat, eliminating the possibility that this new group was a LockBit or ALPHV BlackCat rebrand, just in case the post was used for leverage against potential victims during a ransom negotiation. The timestamp is underlined.

Their post roughly an hour later...


Roughly an hour after my post, Black Suit posted Kadokawa. Kadokawa was the 11th post and 10th new victim for Black Suit within 2 days, which is a first. The usual Black Suit post rate is well below that number.



The Ransomware News bot (VX Underground) post, with timestamp underlined.

The Black Suit Kadokawa post



It may have just been a wild coincidence with the poker reference but it didn't feel like it.

The Ace of Spades


"...we prefer not to show all the aces we have prepared within the sleeve."


No points for the poor Russian-to-English translation above, but I did catch the reference. It may have been nothing, probably just another cybersecurity coincidence.





"...we are only interested in money." - Black Suit Ransomware


The Ugly Side of Cyber - Negotiations


CDK has never been posted by Black Suit or any other group to date. The original ransom request was believed to be $10 million, with online rumors ballooning it to as high as $80 million. The truth is probably somewhere in between and closer to the lower figure. Ransomware groups and threat actors routinely ask for far more than they are willing to settle for. They overinflate their claims and use whatever other means are needed.

Just like that, one of the two deleted their account, and the next day fortunes turned for the encrypted.

CDK should be back fully operational by the time you read this. Once again, CDK was never posted by Black Suit, but CDK did confirm the cyber incident and named Black Suit as the actor. Kadokawa was leaked by Black Suit.

Is Black Spade for real? Is Black Spade coming? I'm not sure, but if that name does come up, make sure to do your due diligence.

Stay safe online and off.



Dominic Alvieri
@AlvieriD

Wednesday, June 12, 2024

How I Hacked Your Mother

Did you know I can hack you from several yard sale items?


by Dominic Alvieri
June 12th, 2024


How I Hacked Your Mother, by Dominic Alvieri



Can You Help Me With My Smart Dryer?

Kids did I ever tell you how I prevented your mom from getting hacked?

Cybersecurity articles are either far too technical or far too simple, containing no concrete, actionable information the average person can use.

In the simplest terms, any device that has been connected to the internet leaves a digital trail, and that trail (credentials, network details, account data) stays stored in the device's memory. It doesn't just magically disappear; you have to remove it.


It can, if you don't wipe your old IoT device's memory.

A Simple Question Asked and Not Answered

Whenever you dispose of any IoT device, what must you do with the device's memory?

36 out of 36 random people I asked this question failed to answer it correctly. You must wipe your old device's memory clean before selling or disposing of the device. Not one of the 36 knew that.


The Cyber Show

***Important Disclaimer***

A proper forensic investigation should be done on a copy, not the original, to avoid any chance of corruption or tampering. The device is usually acquired as an image, which is then added as a data source for analysis, depending on the tool you are using. Hash the image (SHA-256, for example) at acquisition and again before analysis so you can show it was not altered. Please do your own research on how to properly conduct a forensic investigation, but working on a verified copy is a key principle to strictly adhere to.

Secondly, just to be safe, I am leaving out the brand names of the devices researched. Remember that any device that connects to the internet will leave a digital trail. The credentials don't just disappear.


Smartphone, Tablet, Camera, Printer...

I was driving around the other day, looking for a few things, and saw a yard sale sign.


The Yard Sale Hack

How is Your Smart Washer Connecting to the Internet?



It didn't take long to see an old Android smartphone and a printer for sale. I asked the owner if she knew that I could find all types of credentials and data left behind if she didn't clean the memory on her devices. She didn't know how to respond. I explained the research I was doing. She said she had deleted all the photos on the phone, so she was OK. (Yikes!) I explained how to properly dispose of any IoT device. She agreed to the sale and the research. I returned the devices a few days later and revealed my findings.


Digital Forensics


I've been hacking and breaking things for a long time, but I also track and trace cyber criminals and cryptocurrencies and forensically go over all types of devices. Autopsy is one of my favorite tools, but I use several depending on what type of device (desktop hard drive, smartphone, printer, etc.) I am going over and what I am looking for. I used several tools and add-ons for this project, so I won't bore you.

Different devices have different types of memory. The hard drive in your computer is obviously different from the memory and storage in your smartphone. That is a blog for another day.

It's All in the Credentials


In short, the printer had her Wi-Fi credentials in plain text, and the smartphone had a treasure trove of information that could be used against her. I agreed not to expose any personal details beyond the minimal ones we agreed upon, so sorry, no redacted screenshots.



Sample of Autopsy

How I Prevented Your Mother From Getting Hacked


What is the Best Thing to do When Disposing of an IoT device?


The best single piece of advice when getting rid of old IoT devices is to wipe your old IoT device's memory clean. Every single IoT device. It is just that simple. You can also remove and destroy the storage media, which works but isn't very practical with smartphones.

How?


Again, in simple terms, depending on the type of storage media there is professional software like Eraser and other commercial tools available. For all other devices, such as printers, assistants and other non-smartphone devices, there will be instructions, usually in their settings, and a factory reset is the bare minimum. On a modern smartphone the factory reset does the job because the storage is encrypted and the reset discards the key, so make sure encryption is turned on before you reset. On other devices a factory reset may only clear settings without overwriting stored data, which is why the manual matters.

Check your device's manual and carefully go over its instructions.
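To make the forensic point concrete, here is an added example in Python. It is my own illustration, not code from the original post or from Autopsy, Eraser or any other tool named above. It scans a raw storage image for two common plaintext Wi-Fi credential formats, the wpa_supplicant.conf style that Linux-based printers and appliances often use and the Android WifiConfigStore.xml style, hashes the image so the copy being analysed can be shown to be unaltered, then overwrites the image with zeros and verifies that nothing is recoverable. The image bytes, the SSIDs and the passphrases are constructed sample data. The assumption is that the device's storage has already been dumped to a file; overwriting a file on flash does not guarantee the underlying cells are cleared, which is exactly why a device's own encrypted reset or secure-erase is the right tool when it has one.

```python
"""Added example (not from the original post): triage a raw storage image for
plaintext Wi-Fi credentials, hash it, overwrite it, and verify the wipe."""
import hashlib
import html
import os
import re
import tempfile
from pathlib import Path

# Constructed sample "image": filler bytes with two credential formats embedded,
# standing in for a dumped printer or phone partition. Not a real device dump.
SAMPLE_IMAGE = (
    b"\x00" * 128
    + b"\xff" * 64
    + b'network={\n\tssid="HomeNet"\n\tpsk="correct horse battery"\n}\n'
    + b"\x00" * 256
    + b'<string name="SSID">&quot;GuestNet&quot;</string>\n'
    + b'<string name="PreSharedKey">&quot;guest1234&quot;</string>\n'
    + b"\xff" * 128
)

# wpa_supplicant.conf style block used by many Linux-based IoT devices.
WPA_BLOCK = re.compile(rb"network=\{(.*?)\}", re.S)
WPA_FIELD = re.compile(rb'(ssid|psk)="([^"\n]*)"')
# Android WifiConfigStore.xml style: an SSID entry followed by its PreSharedKey.
ANDROID_XML = re.compile(
    rb'<string name="SSID">(.*?)</string>.*?<string name="PreSharedKey">(.*?)</string>',
    re.S,
)


def find_wifi_credentials(data: bytes) -> list[dict]:
    """Return plaintext Wi-Fi credentials found anywhere in a raw image."""
    found = []
    for block in WPA_BLOCK.finditer(data):
        fields = {k.decode(): v.decode(errors="replace")
                  for k, v in WPA_FIELD.findall(block.group(1))}
        if "ssid" in fields:
            found.append({"format": "wpa_supplicant", "ssid": fields["ssid"],
                          "psk": fields.get("psk")})
    for m in ANDROID_XML.finditer(data):
        ssid = html.unescape(m.group(1).decode(errors="replace")).strip('"')
        psk = html.unescape(m.group(2).decode(errors="replace")).strip('"')
        found.append({"format": "android_xml", "ssid": ssid, "psk": psk})
    return found


def sha256_file(path: Path) -> str:
    """Hash the image so the copy you analyse can be shown to be unaltered."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def overwrite_file(path: Path, chunk: int = 1 << 20) -> None:
    """Overwrite every byte of the file with zeros, in place, and flush to disk.

    Caveat: on flash (SSD, eMMC) wear levelling can leave old cells intact, so
    this demonstrates the principle; prefer the device's own encrypted reset or
    secure-erase where one exists."""
    remaining = path.stat().st_size
    with open(path, "r+b") as f:
        while remaining:
            n = min(chunk, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def verify_wiped(path: Path) -> bool:
    """True only if every byte is zero and no credentials can be recovered."""
    data = path.read_bytes()
    return not data.strip(b"\x00") and not find_wifi_credentials(data)


def run_demo() -> dict:
    """Image -> hash -> triage -> overwrite -> verify; returns the results."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d) / "printer_flash.bin"
        image.write_bytes(SAMPLE_IMAGE)
        digest = sha256_file(image)
        before = find_wifi_credentials(image.read_bytes())
        overwrite_file(image)
        return {
            "image_sha256": digest,
            "creds_before": before,
            "creds_after": find_wifi_credentials(image.read_bytes()),
            "wiped": verify_wiped(image),
        }


if __name__ == "__main__":
    r = run_demo()
    print("sha256 before wipe:", r["image_sha256"])
    for c in r["creds_before"]:
        print(f"found {c['format']}: ssid={c['ssid']!r} psk={c['psk']!r}")
    print("after wipe:", r["creds_after"], "wiped:", r["wiped"])
```

Run it as-is to see both credential formats recovered from the sample image and then gone after the overwrite. Against a real dump, point `find_wifi_credentials` at the bytes of the acquired image (never the original device), and treat a non-empty result as proof the owner's "I deleted the photos" was not a wipe.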

Stay safe online and off. 

Wednesday, April 10, 2024

Typosquatting with Mikhail

The Infrastructure Boss


by Dominic Alvieri
April 10th, 2024




What does a former Boris Yeltsin era Defense Minister for the Russian Federation have to do with cybercrime and ransomware today?

Since early 2023 I have been tracking a cybercrime infrastructure that now accounts for over 800 phishing websites impersonating banks, software companies and cryptocurrency services, deploying malware and dropping crypto stealers.

All of the 800+ phishing sites have two things in common: they are all registered through NiceNIC.NET, and the WHOIS registrant organization is "Mihail Kolesnikov."

Several registrant locations are used, including Belize and Belgrade. A few websites were also registered under the correct spelling, Mikhail, with the vast majority registered as "Mihail."
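As an added example (my own illustration, not code from the original post or from any real tool), the Python below clusters WHOIS records by registrar plus a normalised registrant organisation, so that transliteration and word-order variants such as "Mihail Kolesnikov", "Mikhail Kolesnikov" and "Kolesnikov Mihail" land in one cluster. It generalises the single-string match described above by using a similarity threshold instead of an exact compare. The registrar and registrant strings are the ones named in this post; every domain in the sample records uses the reserved .example TLD and is invented, as are the dates and countries.

```python
"""Added example: pivot on WHOIS registrar + registrant organisation.
Sample records are constructed; domains use the reserved .example TLD."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed WHOIS extracts. Registrar and registrant strings are the ones the
# post describes; domains, dates and countries are invented.
SAMPLE_WHOIS = [
    {"domain": "secure-bank-login.example", "registrar": "NiceNIC.NET",
     "registrant_org": "Mihail Kolesnikov", "country": "BZ", "created": "2023-02-11"},
    {"domain": "wallet-app-update.example", "registrar": "NiceNIC.NET",
     "registrant_org": "Mihail Kolesnikov", "country": "RS", "created": "2023-06-30"},
    {"domain": "remote-desktop-download.example", "registrar": "NiceNIC.NET",
     "registrant_org": "Mikhail Kolesnikov", "country": "BZ", "created": "2023-09-14"},
    {"domain": "charting-desktop-setup.example", "registrar": "NiceNIC.NET",
     "registrant_org": "Kolesnikov Mihail", "country": "BZ", "created": "2024-01-05"},
    {"domain": "globaltrade-shop.example", "registrar": "NiceNIC.NET",
     "registrant_org": "Global Trade LLC", "country": "CN", "created": "2022-11-20"},
    {"domain": "acme-retail.example", "registrar": "Other Registrar Inc",
     "registrant_org": "Mihail Kolesnikov", "country": "US", "created": "2021-03-03"},
]


def normalise_org(name: str) -> str:
    """Casefold, strip accents and punctuation, sort tokens (order-insensitive)."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z ]+", " ", text.casefold())
    return " ".join(sorted(text.split()))


def cluster_records(records: list, threshold: float = 0.9) -> dict:
    """Group records by (registrar, canonical org), merging near-duplicate orgs.

    The threshold absorbs one-letter transliteration slips like Mihail/Mikhail
    while keeping unrelated registrants at the same registrar apart."""
    clusters: dict[tuple, list] = {}
    for rec in records:
        norm = normalise_org(rec["registrant_org"])
        key = next(
            (k for k in clusters
             if k[0] == rec["registrar"]
             and SequenceMatcher(None, k[1], norm).ratio() >= threshold),
            None,
        )
        if key is None:
            key = (rec["registrar"], norm)
            clusters[key] = []
        clusters[key].append(rec)
    return clusters


def summarise(clusters: dict) -> list:
    """One row per cluster, largest first: the pivot table an analyst wants."""
    rows = []
    for (registrar, canon), recs in clusters.items():
        rows.append({
            "registrar": registrar,
            "canonical_org": canon,
            "count": len(recs),
            "variants": sorted({r["registrant_org"] for r in recs}),
            "countries": sorted({r["country"] for r in recs}),
            "first_seen": min(r["created"] for r in recs),
            "last_seen": max(r["created"] for r in recs),
            "domains": sorted(r["domain"] for r in recs),
        })
    return sorted(rows, key=lambda r: (-r["count"], r["registrar"]))


if __name__ == "__main__":
    for row in summarise(cluster_records(SAMPLE_WHOIS)):
        print(f'{row["count"]:>3}  {row["registrar"]:<20} '
              f'{row["variants"]}  {row["countries"]}  '
              f'{row["first_seen"]}..{row["last_seen"]}')
```

The key deliberately includes the registrar, because the post's pivot is registrar plus registrant; drop `k[0] == rec["registrar"]` from the match to widen it to the registrant alone. Note the obvious limit: registrars that redact WHOIS contact fields leave nothing to cluster on, so this pivot only works where the registrant string is exposed, as it was here.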

Hunters International is the latest ransomware and data extortion group to show up on this infrastructure.


Hunters International


Several of the websites were deploying Bumblebee malware along with various stealers: RedLine, and new versions of the Rilide and Fletchen stealers.

A quick look: Fletchen stealer offers the same wide array of malicious capabilities as other stealers, including credential theft, Wi-Fi login details, browser history and cookie retrieval, along with several crypto clipper options.

Fletchen stealer is written in Rust with simple panel access and is easy to navigate, but script kiddies beware: you need technical ability to encrypt the stealer.exe file.








Hunters International registered their clearnet leak site with the registrant organization of Mihail Kolesnikov in January of this year.



WHOIS data from Hunters International


All of the malicious websites have been registered since 2022 and continue under the typosquatted registrant organization of Mihail Kolesnikov. 



Typosquatting Mikhail.




Clippers watch the clipboard for a wallet address and replace it with a corresponding attacker-controlled address of the same currency. Fletchen stealer (pictured below) currently targets Bitcoin, Ethereum, Litecoin, USDC, USDT, even Dogecoin, and other cryptocurrencies.

"history",
"webRequests",
"tabs",
"clipboardWrite",
"clipboardRead",
"management",
"<all_urls>"
],

Fletchen Stealer

Former Rilide C2 domain /silent-scale.com

A full report will be out in a month or so detailing the Chinese registrations and Russian C2s associated with all of these "Mihail Kolesnikov" websites and malware.


The Cyber Show, by Dominic Alvieri



Dominic Alvieri
X @AlvieriD



Monday, February 19, 2024

The Part Timers

The Part Time Ransomware Groups.


by Dominic Alvieri
February 18th, 2024



It seems like everyone is attacking critical infrastructure these days. There are several nation-states and 12 currently active ransomware groups that have attacked critical infrastructure around the world. Here are 7 of the 12 active ransomware groups:

ALPHV BlackCat
Black Basta
Hunters International
LockBit
Play Ransomware
RansomHouse
Rhysida Ransomware

Can you name any of the other 5?

Remember the dentist/part time ransomware operator?


There may be another dentist deploying ransomware. Or maybe even a slick lawyer. The rash of bad actors attacking critical infrastructure has to be dealt with immediately. 

Who are these part time ransomware operators, and why should we make examples out of them? I track several of these groups, and I can safely say it wouldn't take long to take down at least 2 of the 5 groups I mention below. I predict that at least one of the groups listed below will be comfortably viewing life from behind some cold steel bars sometime this year.

Attacking critical infrastructure should be heavily penalized and actors jailed for so long that it should never cross the pea brain of any ransomware idiot. 

What is a part time operator?


A part time ransomware operator, by my definition and for the purposes of this analysis and article, attacks and posts fewer than about 8 victims per month. The part time operator more than likely has another job and/or profession in addition to breaching companies.

Cuba Ransomware would be a perfect example but is exempt from this discussion because of its backing, which it is fairly safe to say stems from the Russian government and has nothing at all to do with Cuba.




Who are the part time ransomware operators?


Qilin Ransomware

Infrastructure breached - Electric utility


Qilin started quietly on the ransomware scene in 2023 but has ramped up and is set to graduate to a full time operator. Business is good for Qilin, who breached and evidently negotiated with Electric Power of Serbia, posting and removing the utility several times before finally leaking them.

Qilin appears to have quit his day job and is about to deploy ransomware full time: 17 posts year to date through the first 6 weeks of 2024.


Qilin Ransomware.





Lorenz

Infrastructure breached - Hospital




Strictly business includes critical infrastructure.

Lorenz is a classic part time operator. A dentist? Probably not. Lorenz has more technical skill than some of the other part timers. I could write a whole other article about Lorenz, but let me just say for the purposes of this topic that Lorenz has also breached critical infrastructure at Cogdell Memorial Hospital.

Daixin Team


Infrastructure breached - Hospitals, health networks & water districts


Daixin is the worst of the part timers. Daixin is not a dentist, not by far. I would define the group as the state-sponsored, nastier version of Cuba. I say this with a moderate degree of certainty based on some of their TTPs. Daixin has the most experience and is probably the most likely to continue to cause havoc of any group on this list.

A majority of the Daixin Team attacks have been against critical infrastructure.

Here is a visual snapshot of Daixin critical infrastructure attacks:




Fitzgibbon Hospital cyber attack.


OakBend Medical Center cyber attack.


Meow Leaks (seriously)

Infrastructure breached - Hospital


Meow Leaks breached Vanderbilt University Medical Center and Hospital early in 2023 before they created their leak site later in the year. It is difficult to take a group calling themselves Meow seriously but they have attacked critical infrastructure and eventually I will take a deeper look at the group.


Vanderbilt Health cyber attack.


Money Message

Infrastructure breached - Hospital


Anna Jaques Hospital cyber attack.

The Money Message group came on the scene in 2023 and joins the not-so-famous list by breaching Anna Jaques Hospital. MM also breached a major dental company in 2023, so this may not be their first or last venture toward critical infrastructure companies.

Money Message is trying to stay quiet behind the scenes, but they are now on the radar.

Something has to be done.

Examples have to be made of these bad actors; otherwise every pimple-faced ransomware wannabe may start attempting to attack critical infrastructure. That will not end well.



The Cyber Show 

Dominic Alvieri

X - @AlvieriD 

Wednesday, January 17, 2024

Where Are They Now?

 The Conti Boys


By Dominic Alvieri
1/14/2024


Where Are They Now?


Ransomware groups have come and gone, but few have continued to resonate across the criminal ransomware spectrum like the former members of Conti Ransomware. We all know the name, so let's cut to the chase.

Where are members of Conti? Start with the list below.

The list below does not include leaked source code offshoots like Monti or any others. All of the following groups can be attributed to former Conti. 

In alphabetical order:

Akira Ransomware, Black Basta, Black Byte, Black Suit (Royal Ransomware),  Karakurt Team, Three AM



Royal on the run.

Royal on The Run


Royal Ransomware was arguably on the run after their attack on the City of Dallas, Texas, and has rebranded as Black Suit. Royal Black Suit, if you like. Black Suit is active again.



Karakurt on an extended vacation.


100 Days Without Fam


By all accounts Karakurt has been inactive for over 100 days now. No posts. No attacks. No nothing.

So what happened? No speculations please.



Karakurt Team in high level discussions.






Black Byte Bitten


The Black Byte leak site was only active for a few hours over the past 2 months, producing nothing but a black-and-white logo change. That's it. I don't expect Black Byte to rebrand. Time will tell, as it always does.




Akira Ransomware


Akira, Akira. Not my favorite. Why don't we call him angry Conti. Angry Conti has set up his own thing, including a cool retro site. Just a reminder that this cool retro site is trying to peg your system and steal your credentials as you browse their leak site. Phish your visitors. Great evil business model.




Black Basta


If there was ever a racist Conti, this is it. More hateful. Targeted. The question is whether Black Basta will retool or rebrand after the "Basta Busta" decryptor was released. LockBit proved that you can continue without rebranding. BlackCat ransomware is also challenging what you would think to be the norm.





Black Basta was named by one of the most racist white guys ever. 





There are arguments to be made for including a few other names and strains. I feel like I missed a name or two.

Don't mount a locker or hack illegally.



The Cyber Show.


Dominic Alvieri X- @AlvieriD

Saturday, December 30, 2023

2023 Record Ransomware Group Totals and Who to Watch in 2024

New Groups to Look Out for in 2024


By Dominic Alvieri
December 31st, 2023

2023 Ransomware group totals


By all accounts it has been another record year for ransomware across the board: hospitals, schools, large cities and small towns. With one day left in 2023, here are the unofficial top 5 ransomware groups by victims posted in 2023, by my count. These are only the posted victims that we know of.

Both LockBit and BlackCat have posted new victims while I have been typing this blog, so these numbers are fairly accurate:

LockBit 1031
ALPHV BlackCat 432
Clop Ransomware 388
Play Ransomware 314
BianLian 255

Other notable risers in the top 10 include Akira and Medusa Team.


Where are they now?



Hive Ransomware


Hunters International
Hive Ransomware was one of the 3 ransomware group disruptions in 2023. There were no arrests.

ALPHV Black Cat holiday seizure c/o Brian Krebs article.


Hive Ransomware was the first ransomware group disruption, in January of 2023. New self-proclaimed ransomware and data extortion group Hunters International is using a strain that closely matches Hive's, so much so that the group even posted a rebuttal on their leak site blog denying the accusation.

Hunters have already emailed extortion threats to hospital cancer patients in December of 2023. 

Enough said.

BlackByte


BlackByte


BlackByte has been offline for over 2 months now, with only a brief showing of their new white-colored logo before they disappeared again. BlackByte has been creating custom tools like their ExByte data exfiltrator and branded logos like the ones pictured above.

If BlackByte is not running from the law they should be back menacing companies.

Royal Ransomware


Royal ransomware on the run.


Royal Black Suit


In a wildly unpopular blog post that I rewrote several times and for some reason have been unable to publish here, I made the case that Royal Ransomware is on the run and has rebranded to Black Suit. Comparing their binaries, they match, and Royal has taken down its old leak site for the better part of the end of the year.

Royal has recently also taken down their victim portal and has started to post more frequently on their Black Suit leak site. Hence the name I have given them: Royal Black Suit.

Vice Society




One of my favorite logos and most hated groups has been Vice Society. Vice has not posted for over 3 months now, with their main leak site down for a majority of that time. Vice Society pulled down all of their backup leak sites right before the ALPHV BlackCat Ransomware leak site seizure.

There have been some rumors and talk of Vice Society rebranding, and they do resemble a new group, which I will cover in more detail early in 2024.

NoEscape



NoEscape, formerly Avaddon, has pulled an exit scam.


Groups to Watch for in 2024



In no particular order, here are some of the new groups that have created a stir and that defenders should be aware of. More detailed profiles along with TTPs will be out early in 2024.

Akira Ransomware, Hunters International, Cactus & Rhysida.
