How to be successful in the Ransomware game
"Money is paid based on the results of negotiations, and in negotiations - you need a trump card."
In the past few months, I’ve been exploring about 40GB of historical data pulled down from an active ransomware gang’s stash. Included are past victims, potential victims, batch files, tools, and so on.
It appears to be a moderately skilled gang that goes after low-hanging fruit, avoids attracting serious attention to itself, and probably makes a good living at it considering how many years it has been active.
Once a week (more or less), I’ll be sharing details that I found particularly interesting, starting with today’s post.
The following is an excerpt from a .txt file that has been machine-translated from the original Russian. It reads like an orientation for new members.
“The purpose of writing this is to make things easier for us all.
Locking is only the first stage, and is not yet a guarantee of results.
Money is paid based on the results of negotiations. And in negotiations, you need a trump card. It’s just that they don’t pay money to simply unlock cars.
It is very important (if possible) to gain control over domains, servers, websites, and/or their sources, etc. Certificates, some keys, etc. that are impossible or difficult to restore. This will show everyone that the company is in trouble. Laying out the site is a very big plus.
Now let’s move on to the most important thing - the data. How much and how quickly everyone earns depends on what you download and save.
WHAT DO WE TAKE
It’s better to take 300 MB of good stuff than 3 TB of garbage.
1. The most important thing is confidentiality. That is, there is no point in taking something that is public and that everyone can see anyway. For example, invoices (accounts), payments (unless you see something unusual or illegal), presentations, and other nonsense, there is absolutely no need to download.
What do you need? Something whose disclosure will cause PROBLEMS. First of all (and what is everywhere) PAYROLLS. Also tax forms: Form W2, Form 941, Form 1040, Form 4506-T, other options. - WE NEED DOCUMENTS THAT CONTAIN SSN (9-digit number), full names of people, addresses, emails!!!
All medical information is completely confidential, that is, medical records, tests, diagnoses, doctor’s notes.
2. We are looking for other confidential information, such as …..
The full document is available for download including the original in Russian and the English translation for paid subscribers. Just click the link below.
Next week’s article will feature a Chinese auto parts company (one of the top 100 globally) with offices in the U.S. that this gang compromised several years ago, after spending more than six months inside its network. As far as I can tell, this attack has not been made public, and I’m reaching out to the company for confirmation.