Why a Ransomware Group Is Pretending to Be a Real Company

Kate Linebaugh: Over the past couple of years, there has been a huge wave of ransomware hacking attacks. Businesses across the United States in different parts of the economy have been affected.

News Announcer 1: A cyberattack has forced one of the country’s largest fuel pipeline operators to shut down. The ransomware attack hit Colonial Pipeline yesterday.

News Announcer 2: Ransomware hackers reportedly target computer company Acer demanding $50 million.

News Announcer 3: The world’s largest meat producer on Tuesday called off shifts at its meat factories in the United States and Canada after JBS said it was the victim of a crippling cyberattack over the weekend.

Kate Linebaugh: These hacks are happening more often and the amount of ransoms is increasing.

Bob McMillan: It’s boom time for ransomware operators. It is gradually becoming the number one problem in cybersecurity. The Treasury Department claims that ransomware brings in around $100 million per month in the United States.

Kate Linebaugh: This is our colleague Bob McMillan, who covers cybersecurity. He says one of the biggest criminal operations is a hacking group known as Fin7. And recently, new details have emerged about how this group works, especially how Fin7 tried to attract tech pros to come and work for them. Fin7 recruited out in the open and in fact, much of the operation of this criminal enterprise looks a lot like a regular tech firm.

Bob McMillan: They all use the same systems that we use here in Silicon Valley. It’s just amazing to me how much of a dark reflection they are of the legitimate tech industry.

Kate Linebaugh: Welcome to The Journal, our show about money, business, and power. I am Kate Linebaugh. It’s Thursday, October 28th. Coming to the show, with the rise of ransomware, a leading hacking group is recruiting tech workers in plain sight. The Fin7 hacking group has been around for years.

Bob McMillan: Well, Fin7 started out by breaking into businesses, stealing payment card information, and then selling it, and they made a lot of money doing it. They have been linked with more than $3 billion in financial losses, according to the Justice Department. But it was a business that started to fade a few years ago, as the industry sort of tackled the issue of stolen and sold credit cards and made some changes.

Kate Linebaugh: To fight credit card fraud, banks have introduced new technology. They ditched the old swipe and sign cards and rolled out new cards with chips, which are more secure. This has made credit card fraud much less lucrative for groups like Fin7. So Bob says that last year Fin7 did what a lot of companies are doing.

Bob McMillan: They pivoted. They rebranded themselves as the ransomware operator.

Kate Linebaugh: Ransomware, the big new trend in the hacking world. How a ransomware attack works is for hackers to gain access to a computer system and lock it down. If the users want to get back to their computers, they have to pay a ransom. That’s why they call it ransomware. At first, the ransomware groups demanded small amounts of money, but over time the ransoms grew larger and larger.

Bob McMillan: Everyone was making a lot of money. It was truly the future of cybercrime. The amount of money you could ask for a ransomware hack five or six years ago might be a few hundred dollars, maybe a few thousand dollars, but the numbers keep increasing. It was hundreds of thousands of dollars, then millions of dollars, then tens of millions of dollars. The benefits were therefore astronomical.

Kate Linebaugh: So who are the biggest ransomware groups?

Kate Linebaugh: Because Fin7 is a criminal enterprise, it can be difficult to get a clear picture of how it works. But based on court documents, federal prosecutors, researchers, and Bob’s reports, here’s what we know.

Bob McMillan: They started to develop their own version of ransomware. And at first, it was just something they used themselves, but in November 2020 they started to market it. They started producing it as software as a service.

Kate Linebaugh: Do you like business software?

Bob McMillan: Well, no business, it’s criminal software, different category.

Kate Linebaugh: Fin7 had decided to take their ransomware and start offering it to other hackers. They packaged it under a brand called DarkSide.

Bob McMillan: Basically they started saying, “Hey, this DarkSide software that we’ve made all this money with can also be yours. And all you have to do is go to our user-friendly DarkSide portal and credentials and we’ll give you access. And you can start your whole ransomware campaign. You can decide whether you want to infect Linux or Windows machines. You can decide how much Bitcoin you want to charge people, or maybe you want to charge them Monero, another digital currency.” It’s basically like this web interface to eliminate crime.

Bob McMillan: An online service like this is scalable. We’re already seeing companies get great ratings for building software as a service scalable in Silicon Valley, and they’re basically doing the same thing, but in the criminal underworld.

Kate Linebaugh: Providing DarkSide software to other criminal groups has been a breakthrough for Fin7.

Bob McMillan: To me, it reminds me a bit like the tech industry, when we went from PCs to cellphones. It’s like, “Oh, it’s a paradigm shift. Only the agile will survive this sort of thing. You have to change your business model and embrace the new ways.” And that’s exactly what Fin7 did.

Kate Linebaugh: The license transfer from Fin7 worked. Other criminal groups were seizing DarkSide for their own attacks. U.S. officials have said DarkSide was behind this year’s attack on Colonial Pipeline. And to keep up with all of this new business, Fin7 needed more people, the same kinds of people that legitimate tech companies hire.

Bob McMillan: They must have a technology platform. They must have operational computer servers. They must have people responsible for software development. They must have the geeks who are building the ransomware. They must have cybersecurity experts, people capable of hacking businesses, and for them to put ransomware on the networks. They even have media relations people because part of what they do is build a brand. When you get hit with ransomware, you want it to be a trusted brand of ransomware so you know that if you give them $11 million, they’re actually going to give you a key to decrypt all of your ransomware. They have to have some sort of management staff to take care of all of this.

Come hack for us. Or can they? This is the next one. With the boom in Fin7’s operations, the group needed more staff. Criminal hacking groups like Fin7 typically recruit through the dark web.