Post-GandCrab, Cybercriminals Scouring the Dark Web for the Next Top Ransomware

A detailed look at underground forums shows that cybercriminals aren’t sure where to look on the heels of the GandCrab ransomware group shutting its doors – and low-level actors are taking advantage of that by developing their own strains.

Ransomware continues to be a top threat. Friday’s attack on 23 Texas local governments and agencies, and two in June on the Florida cities of Lake City and Riviera Beach that ended with decisions to pay off the hackers, are perfect examples of just how lucrative this type of malware is.

Behind the scenes, cybercriminals aren’t having as easy a time selecting tools as it may seem. According to new research, after the notorious GandCrab ransomware gang shuttered operations in June, many have been left adrift.

The recent Recorded Future study found that about 50 percent of ransomware-related posts on the underground were from buyers expressing interest but saying they don’t know where to go, while on the vendors’ end, low-level actors are experimenting with developing and sharing their own ransomware strains.

“Effectively we’ve reached a point in which there’s a general interest in ransomware that’s very large in underground forums, but criminals in this case still don’t know where to look, and especially since GandCrab has retired… there’s not really a vendor that has reached that level of popularity yet,” Winnona DeSombre with Recorded Future told Threatpost in a video interview.

Looking ahead, “I would say that the thing that concerns me most is what vendor will emerge as the new primary ransomware vendor,” DeSombre said. “Given how popular [GandCrab] was, I imagine that there will be multiple vendors trying to emerge that will compete in a similar manner.”

See below for a lightly-edited transcript of the video.

Lindsey O’Donnell: Hi, everyone. I’m Lindsey O’Donnell with Threatpost and I’m here today at Black Hat USA 2019, here with Winnona DeSombre with Recorded Future. Winnona, how are you doing?

Winnona DeSombre: Good Lindsey, how are you?

LO: I’m good, just arrived here at Black Hat, so excited to see what’s to come. So to start can you give an introduction to yourself?

WD: Yeah, for sure, my name is Winnona. I’m a threat intelligence researcher at Recorded Future. I focus a lot on East Asian hacking communities and also malware and data-driven research.

LO: Great. So one thing I wanted to talk about today was malware trends and different variants that you’re seeing that are becoming more popular. I definitely see that as something that will be discussed a lot here at Black Hat this year. And I know that Recorded Future just came out with a malware report on how different malware variants were referenced in underground forums, and you took the lead on that. What were some of the biggest takeaways there? What really stuck out to you about that report?

WD: Yeah, for sure. So one of the biggest takeaways definitely revolved around the references for ransomware. And so effectively, we figured out that while ransomware was the most popular malware category mentioned over the course of the year, a lot of the actual specific posts surrounding those references, so like forum-vendor requests or discussions between different buyers and sellers, were related to any ransomware. So about 50 percent of these posts were either buyers saying, “Hey, I don’t really know where to go, but I’m interested in ransomware.” And on the vendor side, people experimenting with creating their own ransomware. So effectively, we’ve reached a point in which there’s a general interest in ransomware, that’s very large on underground forums. But criminals in this case, still don’t know where to look. And especially since GandCrab has retired, they retired in June. There’s not really a vendor that has reached that level of popularity yet.

LO: Right. Yeah, that’s really interesting, too, because I feel as though the popularity of ransomware – there were discussions of it decreasing in the past. And you know, this year, there was kind of a resurgence of ransomware, targeting state and local governments. Did you guys see that at all in your report?

WD: Yeah. So we actually wrote a separate report on ransomware, targeting state and local governments, there’s definitely been a resurgence from 2017 to 2018. And even on the 2019 scale, it’s actually supposed to either hit or exceed that if we’re to extrapolate the data. But I will also say – fun fact – that even when you have these number of local and state governments that are being hit, it’s not necessarily targeted. So you have criminals that end up infecting a machine that belongs to a local or state government, and then realizing “Oh, this is actually a government owned system,” and then encrypting the important data there.

LO: Yeah, I’ve heard that it’s kind of almost like a spray tactic. And then they just happen to get lucky. And it just happens to hit Atlanta or wherever. Yeah. But that’s really interesting. And so in looking at the report, were there any types of malware variants that really stuck out to you? Or did it really depend based on the different forums that you guys looked at? What did you see there?

WD: Yeah, so there were definitely different variants in different families of malware that were more or less popular, depending on the language of the forum. So for example, mobile malware would be more prevalent on Chinese forums, followed by English forums, and then Russian forums. I will say that overall, in each of the top 10, for all of the languages analyzed, there were some similarities, though. So for example, you see really old malware at least showing up once on the top 10. So by really old, I mean about three years old or even older than that, even some open source variants, which suggests that these open source lower-level pieces of malware are still successfully infecting victim hosts somewhere. There were also things like regular penetration testing tools, so Metasploit, HashCat, things like that were also being traded or referenced on underground forums. So any tool that was popularized by a red team may also be in the hands of a criminal.

LO: So yeah, that brings up an interesting question too – when you guys were looking at underground forums, was there a number of forums that you guys looked at? I mean, was it in the hundreds? Were there any you specifically were trying to target?

WD: Yeah, so I would say that within the scope of research, because this was 4 million posts, it was quite a number of forums. And I would say that it’s not just the Dark Web forums that we focused on, we also focused on Open Web forums, as well as third-party chat applications and things where we knew criminals were operating on – or forums in which we knew criminals were operating on – because even though many people like to think that criminal monitoring is solely on the Dark Web or whatnot, it’s really wherever criminals can communicate with each other online.

LO: Right? Yeah. I mean, I even read an interesting thing the other month about social media, and how a lot of people are using social media to talk about malware and malicious activities.

WD: Precisely, although there’s a difference between talking about it and actually selling it.

LO: For sure. I had a question too about the malware in terms of, are you seeing more newer types of malware or more traditional malware that are either adding more modular function or switching up their tactics?

WD: I would say that it’s really last about the malware itself, and how it’s being advertised – if it’s updated regularly, frankly, individuals who are trying to purchase malware want to know that it’s being updated or whether or not it’s really worth their while to purchase. So what they look for is good vendors, things they’ve seen in the news. Also, really anything that they’ve seen as having good reviews on underground criminal forums or whatnot.

LO: That’s really interesting. I guess my final question would be looking ahead at 2019 and beyond, what are the top malware related trends that you see coming to a head?

WD: I would say that the thing that concerns me most is what vendor will emerge as the new primary ransomware vendor. The GandCrab affiliate program on the underground criminal forums was so popular that if these cybercriminals weren’t able to find GandCrab by their own means, they would actually post about it in a variety of languages, asking where they could find it. And given how popular that was, I imagine that there will be multiple vendors trying to emerge that will compete in a similar manner.

LO: Well, something definitely to be looking out for. And I’m curious too how sessions at Black Hat will really touch upon this. Thank you so much for talking to us.

WD: Thank you for having me.
