These ransomware operators emerged in early 2016 and changed the ransomware threat landscape drastically. They didn't focus on regular users and single devices; instead, they attacked various companies, focusing on a human-operated approach, moving laterally and encrypting as many devices as possible, including those with the most important data.

The targets were very different and included the healthcare industry, the education sector, and even whole cities. A notable example was the city of Atlanta, Georgia, which took place in March 2018. As the result, the city had to pay approximately $2.7 million to contractors to recover its infrastructure.

The group commonly exploited vulnerabilities in public-facing applications, for example, JBOSS systems, or just brute-forced RDP-servers to gain the initial foothold to the target network.

To elevate privileges, the threat actors used a number of common hacking tools and exploits, including the notorious Mimikatz, so they could obtain domain administrator credentials.

Having elevated credentials, SamSam operators just scanned the network to obtain information about available hosts, then copied a piece of ransomware to each of them and ran it with help of another very common dual-use tool – PsExec.

The attackers had a payment website in the dark web. A victim could find all the necessary information on file decryption in the ransom note generated by the ransomware, as shown in Figure 1.1:

Figure 1.1 – SamSam ransom note example

Being active from 2016 to 2018, the group earned approximately $6 million, according to Sophos (source: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf).

Who was behind the SamSam ransomware

On November 28, 2018, the FBI unsealed an indictment charging Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with deploying SamSam ransomware internationally:

Figure 1.2 – An excerpt from an FBI Wanted poster

Both subjects are from Iran. After the indictment was unsealed, the threat actors managed to finish their malicious activities, at least under the name SamSam.

These threat actors showed others that enterprise ransomware attacks may be very profitable, so more and more groups emerged. One example is the BitPaymer ransomware.

The BitPaymer ransomware is associated with Evil Corp – a cybercrime group believed to be of Russian origin. This ransomware strain introduced another trend in human-operated attacks – Big Game Hunting.

Everything started in August 2017, when BitPaymer operators successfully attacked a few hospitals from the NHS Lanarkshire board, demanding the astronomical ransom payment of $230,000 or 53 BTC.

To obtain the initial access to the target network, the group leveraged their long-standing tool – the Dridex trojan. The trojan allowed them to load PowerShell Empire – a popular post-exploitation framework – so the threat actor could move laterally through the network, and obtain elevated credentials, including with the use of Mimikatz, just like the SamSam operators.

To deploy the ransomware enterprise-wide, the threat actors leveraged a Group Policy modification, which allowed them to push a script on each host to run a piece of ransomware.

As the means of communication, the threat actors offered both emails and online chats; both could be found in the ransom note:

Figure 1.3 – BitPaymer ransom note example

In June 2019, a new ransomware was born from BitPaymer, called DoppelPaymer. It is believed that this specific ransomware was operated by a spin-off group from Evil Corp (source: https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/).

The mastermind behind the BitPaymer ransomware

On November 13, 2019, the FBI released an indictment charging Maksim Viktorovich Yakubets and Igor Olegovich Turashev with managing Dridex trojan operations:

Figure 1.4 – Excerpts from FBI Wanted posters

Maksim Viktorovich Yakubets is currently wanted for multiple counts of cybercriminal activity. According to various sources, it is stated that there is a $5 million reward for the apprehension of Maksim. Of course, Dridex was not the only trojan used in human-operated ransomware attacks. Another notable example is Trickbot, which is tightly connected to the Ryuk ransomware.

The Ryuk ransomware took Big Game Hunting to new heights. Associated with the Trickbot group, also known as Wizard Spider, this ransomware strain is still active today.

Throughout its history, the group has attacked various organizations and made at least $150 million, according to AdvIntel (source: https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders).

For quite some time, it was called triple threat, as typically such infections started from the Emotet trojan, which loaded Trickbot, which was used for downloading post-exploitation tools and final ransomware deployment. Usually, Trickbot was used to download a PowerShell Empire agent or a Cobalt Strike Beacon – another extremely popular post-exploitation framework.

Recently, the group changed the toolset and started to use a new trojan called Bazar. Interestingly enough, they started to use vishing (voice phishing) in their distribution scheme. The phishing emails don't contain any malicious files or links, just some information about a fake paid subscription and a phone number to call to cancel it. If a victim calls the number, the operator guides him or her to download a weaponized Microsoft Office file, open it, and enable the macros, so the computer is infected with Bazar. Just like with Trickbot, the trojan is used to download and execute a post-exploitation framework – most commonly, Cobalt Strike.

To deploy Ryuk, the threat actors leveraged multiple techniques, including the previously mentioned PsExec and Group Policy modification.

First, they provided emails to allow the victims to contact them, but soon started to use Tor onion services:

Figure 1.5 – Instructions embedded into the ransom note

Ryuk ransomware operators are still active, and, according to AdvIntel and HYAS, have earned more than $150 million (source: https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders).

Who was behind the Ryuk ransomware?

On June 4, 2021, the FBI released an indictment charging Alla Witte, aka Max, for being involved in a transnational organization responsible for creating and deploying the Trickbot trojan and ransomware.

Some other Ryuk-related threat actors were the Emotet botnet operators. They were arrested in January 2021 as the result of a collaborative operation between law enforcement in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. As a result, the authorities took full control of the botnet's infrastructure.

One of the most notable things was what exactly the Emotet operators' workplace looked like:

Figure 1.6 – Emotet operators' workplace

More insights are available in the following video: https://www.youtube.com/watch?v=_BLOmClsSpc.

Despite the fact that threat actors are being arrested, more and more cybercriminals want to join the big game. So, another phenomenon has emerged – ransomware-as-a-service.

2019 was the year of the rise of ransomware-as-a-service programs, and it is still the main trend today. Multiple ransomware developers started to offer their products to various threat actors in exchange for a percentage of the ransom received.

REvil, LockBit, Ragnar Locker, Nefilim – these are just some of the ransomware families distributed under the ransomware-as-a-service model. Although multiple threat actors may use the same ransomware strain, their tactics, techniques, and procedures may be very diverse.

At the same time, nowadays most ransomware-as-a-service programs affiliates share the same approach – they exfiltrate data before actual ransomware deployment. The trendsetters for this technique were the Maze ransomware affiliates back in 2019, but nowadays almost all threat actors involved in such attacks have their own Data Leak Site (DLS).

Here is an example of a DLS used by DoppelPaymer ransomware affiliates:

Figure 1.7 – DoppelPaymer's DLS

Usually, affiliates do not perform the whole attack life cycle, but rather use other threat actors' services. For example, threat actors may cooperate with initial access brokers, who provide them with access to compromised corporate networks. In some cases, they may pay additional pentesters for privilege escalation or defense evasion, so they can deploy ransomware enterprise-wide and nothing can stop them.

Depending on the role, the threat actors involved in the project may receive various percentages from the obtained ransom payment. Usually, ransomware developers, who run the program, receive around 20%, affiliates receive around 50%, initial access brokers 10%, and the rest goes to additionally hired threat actors, for example pentesters or negotiators.

Ransomware-as-a-service is extremely common nowadays. According to Group-IB's report Ransomware Uncovered 2020/2021 (https://www.group-ib.com/resources/threat-research/ransomware-2021.html), 64% of all ransomware attacks were performed in 2020 by RaaS affiliates.

Who was behind ransomware-as-a-service programs?

One of the NetWalker ransomware affiliates, Sebastien Vachon-Desjardins, who is a Canadian national, was charged in January 2021, and is alleged to have raked in more than $27.6 million overall from his ransomware activities.

Another example is a couple of Egregor ransomware affiliates, who were arrested in Ukraine with help of French authorities, who traced ransom payments to them.

Another example is the Cl0p ransomware affiliates, who helped threat actors with money laundering, and were also arrested in Ukraine in June 2021. There's a video available from this operation at https://youtu.be/PqGaZgepNTE.

As you can see, ransomware-as-a-service programs allowed many cybercriminals to join the big game with ease, even if they lacked skills and capabilities. Of course, this fact played an important role in making human-operated ransomware attacks the cyberpandemic.

In this chapter, you've walked through the history of modern human-operated ransomware attacks and learned a bit about threat actors' tactics, techniques, and procedures, their business model, and even some people who were behind such attacks.

In the next chapter, we will dive into the modern human-operated ransomware threat landscape, focusing on the attack life cycle, from obtaining the initial access to actual ransomware deployment.