Video: Syndicate: Inside the life of a Ransomware Operator | Duration: 6956s | Summary: Syndicate: Inside the life of a Ransomware Operator | Chapters: Introduction and Welcome (5.84s), Speaker's Personal Introduction (71.57s), Underground Digital Economy (141.51s), Soviet Economic Collapse (277.91s), Modern Cybercrime Allure (435.975s), Cybercrime Recruitment Pipeline (574.97s), Strain Theory Explained (773.28s), Cybercrime's Alluring Trap (1059.07s), Paranoia and Coping (1415.635s), Cybercrime Evolution Tactics (2061.235s), Ransomware as Service (2194.525s), Biorobots in Cybercrime (2468.665s), Ransomware Group Recruitment (2852.825s), Money Laundering Challenges (3194.37s), Ransomware Payment Challenges (3410.595s), Ransomware Group Dynamics (3685.465s), Syndicate Level Operations (4093.87s), Advanced Cybercrime Operations (4566.51s), AI in Cybercrime (5028.94s), Ransomware Syndicate Structure (5485.25s), Q&A and Conclusion (6576.905s)
Transcript for "Syndicate: Inside the life of a Ransomware Operator": Hello, everyone. Hello. Hello. Hey. Awesome. So I see people are here from Germany, from India. I got people from Malta. Shout out to Alberta, Canada, Paris, Denver, Montreal. Hi from Toronto. We got lots of people here today. So I wanna get the jump right into this. This is gonna be, hopefully, really interesting talk and, a really an exploration of how threat actors like, what threat actors go through and on a psychological model, also on, like, a day to day of their lives because they're human and they do have the same hopes and fears as we do. So their moral compass and their ethics can be skewed, very skewed. But let's have a look at what we can see here and how they live. So a little bit about myself. I'm a senior threat intelligence researcher and certified dark web investigator at Flare. You don't know who I am, that QR code will bring you directly to my inst sorry, my LinkedIn. And then from there, we can basically start connecting and discuss this more if you want. I'm a huge cat mom. I love photography and especially the photography on, like, patterns and different types of textures and how shapes work together. That's the type of photography I love and also landscape. I also am a huge astronomy nerd, especially, like, talking about theoretical, like, astrophysics. So talking about, like, dark matter and things like that, I'm a huge fan of that. Love listening to techno. And on my spare time, whenever I have that, I love to run. I love to play badminton during the summer, and I also play tennis. So this is really a psychological profile in three acts. So we're gonna go and explore how these individuals in different tiers, in different ways, basically, live their lives and how they can operate. So it's really an economy at scale. It's worth billions of dollars, And but not everyone at every tier is making money. And a lot of there's a lot of pain, and there's a lot of fear, and there's a lot of struggle at all of this at all the levels. So let's start with act one. And to start the whole story, I wanna take you back to, a fabric and understand the underlying, reasons why we're here today, or some of the reasons why we're here today. For for example, there's there's this concept of the underground economy. There's second economy. The, the left hand, the the as we say, in Russian, or, this was a concept that was really, really strong and, and prevalent, during the collapse of the Soviet, like, the Soviet era. And what we wanna look at is basically again, this is not something that is exclusive to Russian speaking countries or Russian speaking threat actors. This second economy is prevalent everywhere. Every country has this type of economy. But I wanna basically put a spotlight on the the Soviet version of this because it does shape and it does introduce an interesting concept of, like, how we got here today and why we're looking at, like, how things basically started back then, like, the late eighties and early nineties. And, essentially, basically, we're seeing a mirror of the same economy today, but just in the digital realm. So, like, was during the collapse of the Soviet Union, there was a lot of shortages. Now and Russia was really, really a tough spot to be in because, they had no money. They were completely bankrupt. And then, basically, you if you wanted, like, the whole joke of if you wanted a loaf of bread, you had to line up. Like, that was very much a reality back in the day. And I've for this talk, I've spoken to a lot of individuals who grew up in that era, and the the stories that they were telling me was really, really touching. And so, essentially, like, if you wanted anything, right, you weren't going to depend on the, surrounding of the, like, you the government or you the social safety net that a lot of us are accustomed to, like, wasn't a thing. Right? So you had to really depend on your, on your brothers, on your sisters figuratively and literally. You had to really be part of this secondhand economy. Right? If you needed a something, for example, for your factory. Right? Like, for your for your farming equipment or something like that. You and you needed a part. You wouldn't go through the official means. You would basically go to your friend who worked in the factories to get that part. It wasn't something that like, if you if you needed x something extra, if you wanted something extra, everything was done mostly through that market. Right? So this second economy was was basically how everything thrived. And this concept of credits and this because individuals were able to basically ask and have this, like, social credit that essentially allowed them to accumulate different things because, like, the money wasn't worth anything, and it wasn't necessarily a bartering system. So there was this this idea and concept of, like, IOUs and this, like, reputation that was growing within certain individuals that allows certain individuals to be able to to enforce and to basically provide more and get more and basically dictate how things were shaping. So we were looking at everything like, everything is is is really interesting at this point. So it brings us to today. And this today, we're looking at some a completely different generation with the same ideals. Right? So, for example, the skits of today or the kids are growing up in an environment where they are exposed to, basically, a filter list cybercrime environment. They can get exposed to hackers on or the hacking content or scamming content or fraud content, basically, through a whole different variety of, of, of platforms like TikTok, Instagram, Snapchat. Basically, all the social media platforms allow young individuals to see this type of content. Right? And to, and but not only is this the technical content that they're seeing, they're also seeing what could be the life that it could bring. Right? And they're seeing the the the money. They're seeing the they're seeing the not necessarily just the the the clout that it could bring them. Right? So they're seeing all of this, and they're seeing how much respect some individuals and and some status that it brings them online in this fake world that a lot of these individuals are creating outside of this fake world because it's like those fake gurus that sell a lifestyle, and that is the product that you're buy you're thinking you're buying a course, but you're actually to learn how to become like them, but that whole platform, that whole thing is like, no. You actually have to become a fake guru to sell fake courses to basically influence people. So it's it's very much the same. And a lot of these, like, are cloud chasers, and they're basically looking at leveraging their status of, of harming people, of hurting people to, build up on this on this clout. Now where do the skids like, so okay. So let's say they, see some individual on, on TikTok. Right? And then they're like, okay. So I see the money. I see the watches. I see the drugs. I see the the the girls. I see all of that stuff. It's the it's the bit it's also very much adjacent to the manosphere. And so they see all of this info this this, this lifestyle, and then they're like, okay. So with that, what do I need to do? So they get they get introduced to basically a Discord channel or a signal channel or a telegram channel. And then from there, they're taught about, the concept of downloading Stealer logs or looking or the introduction of, like, learning some scripts, which is definite the definition of, script kitties. Right? So it's like because a script kitty is a script kid or it's someone who isn't necessarily very good at hacking, but is can basically just copy paste a script, execute the script, and and, basically, that is hacking. It is sort of a form of hacking, but it is one of the lower tiers of hacking. Right? It's not like a top tier pentester. And we'll get to the affiliates and to the syndicate level, in a bit. But we're starting off with the lowest level because right now, we're seeing a and we're gonna get to this in a bit where we're seeing a shortage, right, in the in the good affiliates, in the top tier affiliates. And because the the old generation, the old guard, right, from the Conti days, from the Lockbit days, a lot of them have made their money, and a lot of them now have base essentially retired or taking a pause for now to enjoy their money and enjoy their lives. So now we're seeing a lot of, like, younger folks get into this world, right, and get trapped in this world because not only are they learning to hack, right, they're also falling into the vicious cycle of extortion themselves. Right? So this is where they're exposed psychologically to the fear that extorting someone can bring. Right? They're not only exposed to the technical, like I said, of downloading all this stuff, but their their their brains are literally getting rewired because they are learning to hurt people. Right? And this really goes into how this is, not only just an economy and just a, a way. It is also, it is also very much a lifestyle. So a lot of this is happening from a bedroom, right, or from a classroom or from a computer lab or from a cell phone. Right? And, like, the different levels it's not just necessarily ransomware that we're speaking about at this level because this is where the general fraud ecosystem is getting introduced. So we're looking at they're learning phishing. They're learning cryptoscams. They're learning sextortion, and they're learning all of these things at this point. Right? And these are all essentially tools of the trade. And the reason why they're doing this now there has to be a reason. Right? There's always we are always looking for that reason of why are people going and doing this. Right? Like so one of the reasons and this is basically a a concept that was coined by Merton in 1936. And this is a concept called the strain theory. And the strain theory, basically, at its most fundamental reason, is someone snapping and someone going breaking bad, essentially. And some of the main reasons why, like, this is it has basically five pillars. There's conformity. There's innovation. There's ritualism. There's also retreatism, and there's rebellion. Now I wanna talk to you about, like, these concept of why someone can essentially, like, commit these crimes. And and this really applies to the younger generation and really to to anyone. But why are you going down this path of essentially, like, breaking bad and or are you going down this path of exploring cybercrime? Now conformity is when you're looking at, for example, the world around you. Right? There's this box that everyone one is in. You're looking at, like, everybody in your surrounding and your society is doing things a certain way. You're forced to conform to something. You're feeling trapped. Right? So you want to basically, like, buck the trend or you wanna get away from this conformity. Right? This pressure to conform can lead you to basically going against the grain. There's also the the the the, idea of innovation. Right? So innovation doesn't always necessarily mean that you're gonna be doing it the right way. Right? So there's people who want to innovate, but then there the the sole fact of innovation is is it is it, like, right? Is it wrong? Like, there's a lot of of interesting concepts of of, like the lack of innovation can push someone to to basically do something that basically, like so for example, when you have a business model or you want to basically create a RAS, like, in a like, RAS is innovation. Right? And it is constantly being innovated. Now I'm gonna skip ritualism just for now, but I wanna basically talk about ritual retreatism because that is one of the biggest ones I I think is one of the biggest important concepts here. And retreatism is essentially the the concept that if you cannot leave or you cannot, basically, get out of your current situation, of your, like, bad or shitty situation, if you have to be forced to conform the lack of innovation, you will rebel because you have to be able to retreat. So, essentially, this is why we call vacations going to a retreat. Right? You are going you are able to escape your your issues, and, basically, you are able to go and you're basically able to go and and and go somewhere else and distance yourself and disconnect from your hardships. So the idea that is that all of these things are are happening makes you rebel. Right? And if you are able to rebel now that's why we have a lot of laws against, like, being able to protest and being able to do things is to like, at least able to vent and to get some stuff out and to but if you're not able to rebel, right, that will lead you to just the fact that you're not able to rebel if anything is like, the fact that you're going against that is rebellion, then that is considered crime. Then it so there's a lot of reasons why people can go towards this strain. Like, they're feeling the strain of of having to conform, having to not no innovation and and ritualism. Now ritualism basically is the concept that everybody has these little rituals that we do every day. Right? And if we can't, like we're not allowed to do these rituals, right, or these little rituals are harming us, then we will go against the the buck. And we're going to essentially, like, start looking at ways of going against the grain. Now this is the what's looking we're looking at now. Kids today, when they're looking at all of their their lives, sometimes they're okay. Economically, they they're they're young, and they wanna make money. Right? Because they want independence. They don't want they they want the status. They want the the, they want to innovate. Right? They they are seeking that inter entrepreneurial aspect of of trying to, create something. Right? They want to rebel. Most of us had a rebellious, like, teenage year. Right? And these are the ways that because it's so accessible, it's it's also, like, very exotic. It's taboo. Individuals gravitate to this, like, world, the CD on the belly of the of the underground world so that they can start exploring it. The problem with that is it is a vicious area, and it's vicious. And it will people will fall into this and, unfortunately, will get caught up into some with some very, very bad people. And a lot of them don't even graduate to the higher tiers. Right? Because this is literally a meat grinder at this point. And this whole world of and and these are the basically, they think that they're gonna become they're gonna become predators, but they become the prey at this level. So when they're going in at this way, at this level, right, they want to basically become like, they want the wealth. They want the clout. They want the status, but it really isn't meant for them sometimes. And they end up losing out on this on this level. So I sort of alluded to this a little bit earlier. But, basically, now that they're in this level, right, they're in the seedy under your belly of the of the, of the ransomware operators or just the frauds in the cybercrime world. Like, this is where they learn the techniques from their peers. Not only are they learning the techniques, they're learning also to rationalize the crimes. Right? And so this rationalization is basically helping them to cope. It's the same concept that when you go to prison, you come out a better criminal. Right? Because you're you're gonna be exposed to more criminals. They're you're gonna be exposed to, basically, individuals who will pass on their their ability to to to understand this. Now this whole concept is basically known as the apprenticeship of of crime, and this is a concept that was coined by Sutherland in 1939. And, basically, it allows people to deal and to cope with the the crimes that they're committing. Now from Sutherland, the actual theory is called differential association theory. But, basically, the core idea of this is that it you learn your criminal behavior. Right? It's learned through interactions. And this is the crime that we're learning is learned online nowadays. It's learned also in the classrooms. It's learned in, basically, anywhere where people can, basically exchange information now, we can exchange the we can exchange, criminal ideas. But the mechanisms of this is is really what's like, back in the day when when this was, like, this coin, like, the concept of the Internet wasn't a thing. And, like, we now today, we have the online anonymity or pseudo anonymity on top of this. Right? And the ability that you can don't need to get, that you won't get touched, right, is is a is a big indicator of of of fake protection saying that I can do this. Right? It's an allure. It's a veil that you're saying, oh, I can do this. So this ties into another theory, and this is called the neutralization theory. And, essentially, this is all about denial. Right? So the kids are basically taught that they this doesn't hurt anybody because it's data. Right? But if it does hurt people, right, they deserved it. And, basically, the the people that are doing this as well is, like, I can the reason why I'm doing this is because I'm doing the I'm stealing from companies. Right? Or I'm I'm, I'm not necessarily hurting people. They have insurance. I'm I'm stealing their data, and I'm hurting the company, and the company is bad. Right? And, they did it to us. They're corrupt. Everything so this is basically the neutralization theory. So when you apply all of these theories together, you get this concept of a completely dissociated individual who believes these things. And, basically, you have to, find a way to counteract these beliefs online. But the way online, what what people are showing is it is so easy to radicalize individuals into this mindset of, like, get into cybercrime that they're showing all of this thing the like, the money. They're showing the cars. They're showing the watches. They're showing the the Bitcoin wallets. Like, most of it, like, as we're gonna see today, is is is only a select few that can do pull this off. Right? It's always a select few. Right? There's only a select few of people. It's always there's always a 1% versus a whole bunch versus the 99%. And most of us is are the 99%. And so when we're looking at this, it it's it's really fascinating to see how, like, kids can get swept up in this because they don't understand. They don't have the history, and they basically fall prey to this. Now I really wanna talk about the paranoia of all of this because you when you sign up into go into this world. Right? You think you're signing up for a I'm going to be able to stay anonymous and basically make money or, like, if you have these these tendencies towards, like, psychopathy or, like like like, socio sociopathy, like, you can basically, like, say, I'm not I'm gonna be able to do something that I want to do in these, like, narcissism tendencies. So you're basically going into this, and then the paranoia starts to to to seep in. Because everything you do online, it leaves a trace. Right? We all know this. Like, we're we're there's a good mix of us in here that have a forensic background or have, like, some form of of a pen testing background. And when we are, like, doing anything, we we can basically, any connection or any handshake leaves a log. Right? So the thing is is, like, when you're first starting off as a skid, right, you don't have the best operational security. You're learning. You're learning how to do this. So you are there's there's you're this is where everyone is vulnerable. Right? And your past, it doesn't necessarily need to be within the the the that week, that month, that year. Like, something that you did two, three years ago, the Internet doesn't forget, and then it can come and bite come back and bite you. So what's fascinating to me is how individuals cope with this. And it's not just necessarily the the the the paranoia of, of, like, other, like, threat actors coming after you and trying to dox you. We we've seen this very much within the community, especially the DockSpin community, especially, like, the breached forms community, especially, the the scattered spider and the comms community. Like, the it is it is a a meat grinder in there. And so the they also have to contend with the fact that law enforcement is after them. And if they've done enough to be on law enforcement's radar, we have to look at the fact that this is they are going to be, like, distrustful of everyone. Right? So they believed that they were going into this world where they're gonna be able to make have this support network, this alternate safety net. Right? But, unfortunately, that safety net wasn't real. And now they've got to contend with basically piranhas on both sides, and they're left alone. And this basically how do you how do these individuals live with this level of paranoia? So I want to look at a specific individual named, Sevi. And Sevi basically was the one that reached out to VX Underground and basically said, hey. I'm part of the the new chapter of the scattered lapses shiny hunters group, and I'm communicating with them. I'm part like, I am one of their PR individuals, essentially, like, professionally speaking. And I wanna show you something. This is contains flashing lights, so just heads up. But this is just basically, like, the queen of the calm. Right? So, basically, when we're looking at these the this individual, Sevi, like, she put herself out there and how she copes with all this paranoia and the stress of being the front and the face of such a high profile group is essentially by drinking, and Sevi drinks a lot. And Sevi has basically said that she's she's an alcoholic. She struggles with it. She's said that she wants to quit drinking. But this is essentially like and this is the stress and and the factors that that are being placed on someone. Right? So a lot of these individuals turn to drugs to to deal with the stress and the hardships and, like, the loneliness of this. Because if you can't even be friends with your the peers that are in your environment, like, how like, it's very lonely. Right? And a lot of people want to and this affects the the this affects your parasocial relationships, especially, but this also affects all of your relationships on the outside, in the real world, where people are not like, you're trying to make friends with people, but you don't know if they're law enforcement. You don't know if they're they're out to get you. You the like, the level of this trust in everything, it it cannot be understated for this. So let's now talk about what comes after this. Like, once you've passed the the meat grinder of this stage, of the first stage, right, of the world of skids, and you've actually, like you were able to learn enough skills. You were able to learn how coping mechanisms, psychological coping mechanisms. And you have you've made some very, very few trust you have some very, very few trusted people. Right? You can now start to operate. Again, the dangers of getting backstabbed are not gone. They're still very much there. But let's see what happens. And before we start act two, I just want to jump on this, and I just wanna look at to see if we have any questions. Let's just see a quick QA. Training in the chat. So this is a fantastic question, and this question is from Robert Chikowski. Apologies if I mispronounced your last name. Basically, it says, is there a correlation with ADHD, abuse, being poor, and access to technology? I think that's a fascinating question because there very much is. Like, we it's also education. Right? And, like, we see it's it's also like like, if you have access to the infrastructure around you to and you have access to the technology around you to do this, you want to look at basically all of the data that's around you. And a lot of the times when we're we're on these these chat rooms with these individuals and we're looking at it, like, it is a common thread for them to discuss their mental disorders, like autism and ADHD. And it very much does, like, apply. Like, because you have some individuals who hyperfocus and, basically, accumulate this, like, encyclopedic knowledge on on specific things, and they have this ability to basically create projects really quickly, but then after that, they move on to something else. Now when they create these, like, leak sites or these communities or these forms and then they move on to something, like, it leaves them vulnerable because a lot of these were built quickly. They were vibe coded, and then it basically, like, all collapses. Right? So we see these, like, ups and downs in these forms sometimes. These individuals who aren't very like, who wants to be part of that community, who wants to be at the top of that community, but just don't have the technical skills to get there. Now AI is helping us, like, helping, like, bridge that gap. The problem is is that it's not, like, necessarily very good. Right? So we're we're seeing a lot of these, like, forms pop up, pop up go down. Infrastructure is very shaky. Like but at the at the end of the day, these individuals are, are just naive. Right? And they're getting played by people who are taking advantage of them. Right? Because it is very much like a pyramid scheme where you constantly need new bodies to come in so that you can basically fund your your own extortions and your own crime. So let's let's move on to see if there's any other questions. Why is this window so slow so tiny? That is weird. Apologies. I have, like, this much space to read a quick question right now. Actually, one second. Angela, can you remove that pin? Because I cannot see there we go. Thank you so much. So Hamza says, always remember to route the connection via proxies and routers just as we learned playing uplink and unlink and in all the films shows to be unknown. So, yes, the concept that's a technical skill. Right? You learn that. Right? But when you're first starting off, you don't necessarily know about Tor or I like, I two p. Or now we're seeing these more sophisticated ransomware groups using ICP and how to basically use the blockchain to decentralize their, their operations and their infrastructure. So and we could get definitely gonna get to that a bit later. But the it's fascinating that this is all something that you're taught. So, like, when you're first logging in, you're gonna be logging in maybe with a VPN. Right? Maybe you're gonna you're just gonna go clear web with, like maybe you're gonna think that incognito is gonna be protecting you. Right? But the the thing is is, like, you get a dopamine rush. Right? But the thing about dopamine rushes is that you always have to surpass yourself. Right? It's like drugs. You have to, like, do more every time you get desensitized. You become you you you have this, like, tolerance that you build. And then this tolerance basically makes you do more things, more extreme things so that you can, get that same rush. Now let's keep going, to the next slide. So right now, what we're looking at is we're looking at the affiliate. Right? We're looking at the affiliate's level, the next level. Right? Now that you've got you've gotten your your tools, I wanna show you even though you think you've gone to the next stage and you're no you're, like, potentially immune to getting caught up into something, I I wanna throw this concept, right, about the biorobot to you. And this is not a new concept. Right? This is something that has that keeps happening. And this is from the eighties, the nineties. All of this happens. And I wanna show you a clip from Adam Curtis, and the movie is called well, it's it's really a TV show. And it's called Russia from 1985 to 1999. It's called trauma zone. Phenomenal, phenomenal documentary. And I wanna show you just a short clip of this, basically, and to to think about affiliates and how they are essentially biorobots. So we can basically watch this clip. So that's the now let's talk about that. Let's unpack that because that is quite something. Ransomware as a service is designed it has different many different levels, but it's designed like a SaaS, software as a service. It's essentially a way to allow individuals to take software or and a whole bunch of different tools most of the time now and basically conduct their own attacks with them. Now as we know, a lot of the top tier groups, like the top groups, aren't necessarily completely immune to, basically, state sponsored ideas and alignments and, like, basically, language. A fantastic researcher known as Anastasia Shasheng basically says that a lot of these groups are following the language of these these threat actors. Right? The the language of their home country. And this is reflected in how they're conducting their attacks of who they're allowed to target. Right? If they're allowed and how can they target certain industries and which countries can they target. Like, certain industries, basically, they'll say we don't encrypt. We only steal. And some sometimes they'll say we don't attack any countries. A lot of this is usually a BRICS, the BRICS nation, which is, like essentially, it has been revised, but it started off as, like, Brazil, Russia, India, China, and South Africa. But a lot of these, like, country and then you have other CIS, which is the common Commonwealth of Independent States, which is, like, essentially the ex Soviet bloc. So, basically, like, don't target where you live, and you don't wanna necessarily upset the people around you. But but now I wanna talk about the biorobots because you have basically this warfare. This is literally warfare. And when we we have this these tools that these individuals are creating to basically shut down entire companies and if you look in 2021, right, there was sorry. Not 2021, but you had DarkSide. Right? DarkSide was able to launch one of the most sophisticated attacks that crippled all of colonial pipelines and basically took out all of the fuel supply in on the East Coast Of The United States. Right? And so the thing is is, like, you are in need of people, affiliates. They're known as affiliates or partners. Right? But to to basically work on your behalf because the tools of this warfare can only go so far. Right? And what we're looking at is, basically, they're they they need people to bridge the gap to to finish, the attacks. So we the tools can self propagate. The tools can do a lot of damage by themselves, but they need people to push the buttons to basically get the to pivot, to exfiltrate. So affiliates really are the biorobots. And this is not something that's new, like, as we saw. It's it's a concept of, basically, the machines couldn't do it, so we need people to do it. And this is a concept that really applies to today with all the talk of AI and all the talk of people getting losing their jobs and everything. Like, Will Thomas on his latest podcast had a really interesting quote, which is if artificial intelligence can replace your job, you should be scared. Of course. But at the same time, it's like we have pretty much been biorobots for a long time doing something that machines can do, and this is only gonna become more true. Right? And the concept of these affiliates, and it's reflects exactly into cybercrime, the concept of these biorobots and these affiliates basically being able to to thrive. So when we're looking at as a defenders, right, we're looking at not necessarily what can code do and what can, threat actors do and what like, how much automation can do. Right? Because, of course, we wanna defend against automation and what automation is capable of because automation is being is more sophisticated every day. We also wanna basically prepare and fight against the sophisticated and the intelligent, like, individual who's able to, really do something. We're not just defending against scripts. We're not just defending against individuals against automation. We're we have to defend against these individuals because these individuals are the ones that have the capabilities. But as I said earlier, feelings are getting far and far and and if fewer. And because of that, campaigns are being run on forums and things like that, RIP ramp. Can I get an RIP ramp in the chat? I wanna see that in the comment section. I will have to see that. Yes. Thank you. RIP ramp. RIP ramp. Yeah. RIP ramp. Yeah. Exactly. So RIP ramp and so, like, a lot of these, like, forums allowed for individuals to, promote their, their services, to recruit their services, to recruit affiliates, those very rare and, capable and, talented pen testers who could actually conduct these attacks. But, again, at the same time, like, it's getting harder and harder. Right? And companies are getting more have more and more sophisticated means of defending themselves. Their their, security is more mature, which is amazing. We're doing a good job. We are actually doing a dent in this. We're we're doing good. But the threat actors are always trying to figure out something new. Right? They're always trying to figure out a new way to get around all of this. And one of the ways that that these threat actors are are doing is, like now this is, a little dated in terms of, like, the this specific group, is not not around anymore. This is Van Helsing. But I wanted to show you that Van Helsing came up with an interesting idea to recruit more individuals to basically say, come work for me. Come join my RAS. And I wanna show you this. And this is really novel because we they were really one of the first ones to sort of do this. And at least, like, polished like this, they had a really good video. So I wanna show you this commercial. This is an actual advertisement by a ransomware group to say, come and join my group. So these groups are trying to recruit more people. And now this sort of allowed and sort of inspired more groups to follow suit. And, like, for example, this is Global who also just recently announced that they were shutting down, and they were selling their source code for $80,000, and that included the panel, the affiliate panel, the dashboard, the DLS, some some of the infrastructure, all of the source code for the for the lockers, which included, like, Linux lockers, NAS lockers, Windows lockers, ESXI lockers. So this is really, interesting. Let me show you this one. So Global was able to create these videos, and it was really trying to recruit more individuals. Again but you can also think about, like, how expensive it is to create this and also to host your own RAS. Like, it's not it's not cheap. Right? You you gotta pay developers. Or if you're a developer yourself, you gotta feed yourself. You gotta pay for the in any in infrastructure. Like, all of this is not cheap. Like, you have to pay for hosting. You have to pay for bandwidth. You have to pay for storage. You have to pay for all of these things. And but, essentially, as someone pointing out in the comments, this is this is a great point. Basically, these these are targeted to the skids, to the affiliates that want to join that are coming out of that skid tier, and they're basically learning to like, because there is very much a a, basically, a decline in the the the sophisticated and the good affiliates. There are more affiliates than ever. There are more threat actors than ever. Right? Don't get me wrong on that, but I'm talking about the good ones. Right? The ones that that are have the skills to be able to pull off an absolute takedown on an entire, like, Fortune 500, company, like, an enterprise, like, those are the individuals that I'm talking about. Those are the ones that are, becoming less and less. And a lot of the times, we see groups try to leverage big names by attacking, like, subsidiaries of a big name company in different countries or in different, like, localities and basically saying like, hey. Like, we breached this big company, but it was a small subsidiary in the on the other side of the world. So the the idea is that a lot of these companies now and we're doing good. As I said earlier, we are maturing. We're doing we're we're learning from these threat actors and how they're moving and and how they're operating. So, again, what I wanna look at is these are really the, recruitment, and this is how, basically, they're trying to get these individuals to come on board, right, and to, to conduct attacks using their software, right, their their malware, their ransomware. So when you're looking at, like, this this type of stuff, you're like you're looking at, for example, Anubis here. You're looking at Van Helsing, is the functin, and you're looking at Nova here. These these groups, like, offer very lucrative, like, splits. Like, Nova is 90 10. Basically, Anubis is, like, eighty five fifteen, and Van Helsing, right, was 80%, eighty twenty. Like, if you're, like, if you're hitting someone and you're hitting, like, a $100,000 or $200,000 and you get to take 80% of that, that's that's an incentive. Right? And now going back to the fact that going back to the strain theory that a lot of the other people that are are geared towards this, right, have a condition in their lives where this makes sense. Right? And the the the risk factor is is worth it. Right? The like, unless you have some form of disorder where you cannot factor in, like, risk properly and you're you have impulsivity, but the most people will assess their risk and say, like, hey. And but, also, they're they're sort of blinded by the beaconing of the Internet's anonymity. Right? And and that plays a role. And, also, people overshoot because conducting the attack isn't the hard part. Cashing out is the hard part. And if you cannot launder your money properly, right, I I showed a huge aspect of this with my previous talk called cryptos, and you should definitely take a look at that. Basically, it's showing threat actors who want to basically have to launder their money and take out their money from their ransom payment. They have to mix it. They have to tumble it in a bunch of different mixers. They have to convert it. They have to go cross chain, and they basically, they have to try to find a way to convert their crypto to fiat. And they have to find people that are willing to cross state lines or cross country lines to be able to deliver them the cash. Right? And not everybody is good at laundering money because laundering money is is a whole different world. It's you need the cooperation of, like, on the ground organized crime and local organized crime to be able to pull this off. Right? And not a lot of people have the ability to start up shell companies or to be able to, start up and and have the the facilitations and the connections, to be able in the real world to do that money laundering part. Like, a lot of the time, you end up having individuals, and we see this a lot with with, the younger crowd who sit on a bunch of crypto. Right? And this these are ill gotten, ill gotten crypto, and they just they they they're gambling it on gambling sites, or they're, basically buying, usernames and things like that. They're trying to wander it in different ways, but converting it to to actual fiat, right, is is extremely difficult. Right? It's not impossible. Lots of people do it, but it's it's it's one of the most challenging aspects of this whole operation. And so now going back to this this affiliate model, right, you have the ability now to to conduct an attack, and you can basically figure all of this out. But now what we're trying to look at is what happens next. Right? And what I wanna show you is this is a really interesting concept because, I'm gonna leave this Russian version. I have the English version coming up next, translated. But, for those who can actually read, Russian, here you go. But, essentially, like I said, this is a concept that's that's we're struggling with. And, like, the threat actors right now are the the like, Mike Melton, this is the operator of Chaos Ransomware Group. And Chaos Ransomware Group has some lineage tied to, like, the ex Conti teams loosely either through depending on which side of the of the branch family you look at, it could either be coming from black suit, from the royal family, or from the black Vasta family. There's been different, like, pieces there are different publications to suggest both. And but, basically, the idea is that when you're a new affiliate and you're going into these ransomware groups, right, and you're able to secure your first payment, right, and your first ransom, you'll take the lowest potential offer that you can get. Now I did a LinkedIn presentation about, like, a couple weeks ago showing a group called Warlock, and they were started off their ransom at 3 and a half Bitcoin, and the victim basically said, like, we cannot pay 3 and a half Bitcoin, 3.5 Bitcoin. We need you to negotiate with us. We need you to work with us. And they were able to work Warlock down, right, by offering, like, zero point two first and then working all the and then doing 0.4, but basically going all the way up to 0.5. So they took were able to reduce their whole payment from 3.5 to 0.5 Bitcoin. Right? And that is a significant drop. And, basically, chaos points to this as well. And here's the English version. So, essentially, chaos is saying that these new affiliates are put are taking the the payments to, they're too low. Right? The ransom payments are too low. They're taking 10. They're taking 20. They're taking 50 k. And the thing is is, like, this impacts the group because a lot of the negotiation firms and the insurance companies talk. Right? They're they're all very much interlinked together. They all of course, they do. Like, these ins incident response firms, basically, are pros at dealing with this. And they know that, essentially, if you can mark down chaos down to a certain number, they can basically label this whole and say, like, hey. Like, I dealt with you in the past, or I know I can bring you down. And so the the that brings a lot of pressure on these threat actors. Right? So chaos here is saying that they they don't allow affiliates to take less than $200,000 for their ransom. Right? And this is not a new problem. LockBit had the exact same problem all the way back in 2023. Right? When you're an affiliate model and your goal is to to like, you're you're trying to make money off of this and your whole like, there's a risk factor. Right? Will you be taking $10.20, $3,050,000 dollars, which could be a a life changing amount of money an affiliate living in conditions, right, strenuous conditions, this could be what they want. But for you as a as a chaos as a a ransomware operator, like, it it's really not enough for you. Right? And these big ransomware groups like, we're looking at, like, for example, Lockbit. Lockbit was documented to have made almost a $100,000,000. Right? So, like, at least that's what they were that's what they had in their as a cut from their their side of the operation. And so the this puts a lot of pressure on everybody, right, to ask for more to and but companies are and these firms that are very smart can knock you down quite a bit. So this is really good news. So the thing is is that even at this stage, you have paranoia. Right? Even at this stage, you are trying to figure out, am I part of a honeypot? Am I part of a like, even if you are the operator, are my affiliates the honeypot? Like, are they are are they researchers? We see this all the time, right, where individuals are saying, like, oh, we absolute like, we we like, when we're trying to do infiltration and things like that into groups, there these operators are very wary of researchers. They're very wary of law enforcement or or feds as they call them. And we're so we're looking at basically this this reality, right, of, like and, also, there's whole concept of who controls the wallet. And this is an a concept that, for example, Cryo has been really good at, but we'll get to that in a bit. But, essentially, like, when you organize your payment for that $80.20 split or whatever, that ransom payment, the victim will make a payment into a wallet, and then the wall who controls that initial wallet? Right? Because there's the risk that as an affiliate that the ransomware group can basically exit scam, right, and just pull out and and run away with the money. So a lot of the times, you'll see sometimes where affiliates will be able to put in their wallet upfront and or they'll basically say, this is the wallet, and this is my wallet. But most of the time, it's it's the the ransomware group will control the initial payment, and then they'll give the the affiliate their cut. Now some groups, again, as a way to attract more talent, they're saying we can also do an initial, like, mixing of the coins before we pay you, which can be an attractive prospect. We've seen we've seen that with some of the groups. And the the thing is is that you can trust that or some other groups, but then you you lose a bit of money. But at the same time, it's convenience. And or do you take like, try to take all the money up front? So before we get to act three, I wanna go and take a quick look at the chat here and see if there's any questions. Okay. So this is a really interesting question. This comes from Cody Koepin. Do you think a lot of this comes from social social techno norms being so new? And are there no rituals or true virtues to be passed down to the young on how to act on the Internet? That is a fantastic question. Thank you very much for sending that. So I think the Internet, right, when it first started, right, it was meant and this is, like, you can go all the way back to what the EEF was trying to do, the Electronic Frontier groups were trying to do. And, like, this this was very much the the wave of the anarchist mindset of, like, there are no rules. This is gonna be, like, a completely different, way of operation. We we don't have to listen to to to to the man. Right? The you can watch a a another fantastic documentary by Adam Curtis on this called can't get you out of my head, and that is a five part documentary, and it does dip dig into this. There's also hypernormalization by Adam Curtis, which touches on this as well and basically explains, like, that. But I wanna just discuss that that concept of, like, heritage, right, on the Internet where there is not really a heritage. Every generation has their memes. Every generation has their their their platforms and their content. And, like, we have our protocols. We have our way of doing things, and everything gets built on top of each other. Right? But the like, I find it a fascinating concept of like, there's the concept of, like, what can you pass down to people as as when we are working towards, like, a way of, like, owning less things, right, where, like, if things become more subscription based, like, do you pass down subscriptions, which feels a little dystopian? Or people are passing down, like, steam libraries. People are passing down, like, their their accounts now as a form of heritage. But I I think it's a it's a fascinating concept because, like, the the Internet doesn't forget, but a lot of the Internet is forgotten, if that's a interesting fact. And so I I look at that, and I'm like, like, how can we build on the lessons that we have learned and that we we so we can share with other generations to to not do this? Like, there's of course, there's there's the basics of like, even the language is different. Like, when when we I was growing up, I and I was in the chat rooms. I was it was all about, like, ASL, ASL, ASL. But, like, now that is not necessarily a thing to do anymore. Right? So it it's it's it's a fascinating concept. Thank you. Thank you very much, Cody, for that question. So I wanna address one more question before we go on to the next section, and this is comes from Gerald Oger. Sorry. So this is it says the question is, from first segment, so feel free to ignore, I wonder why the first level can't level up to the next tier. Is it through lack of development or the top tier actors don't allow them to access the development opportunities? Now so look at it from a professional aspect. How, like, how many people can you realistically mentor throughout your life? Right? And you can write like, third actors are publishing, information. Like, look at Bastard Lord or aka Fisheye, for example. They have a they published a very well known how to on attacking as a ransomware affiliate and a ransomware operator, attacking companies through these manuals, these these, like, basically, these these ransomware manuals. And there's volume one and volume two. If you want a copy, let me know, and you can do so on Discord on the Flare Academy channel. And let me know, and I'll drop some copies there. But these basically, these PDFs are are dated. Right? Because it's a medium that doesn't update, and you have to maintain this this this constant information to be updated. Because, like, when Vassar Lord wrote the manuals, they were good for 2021 and and then he wrote the next version in 2023, January 2023. And those are interesting, and they were basically like a follow-up to each other. But that's a lot of effort. Right? And the this is something that has to be funded, and this is knowledge that has to be transferred. And there is there are groups. So, like, for example, there's a website forum that Killen was part of. Right? And Killen was on this like, was funding this forum. It's not RAMP. It was another one. And they were funding this forum through advertisements, through helping with moderation, and and things like that. And they were actively teaching younger the younger generation on how to do certain things, like how to set up secured messaging and how to secure, like, set up secure servers and how to deploy panels and things like that. Like, they were actively teaching. The thing is is also, like, it's a return on investment. Like, how much time and effort do you wanna put into mentoring that these individuals in in a younger generation so that you can actually start, like, making money. Right? You can only do so much for free before you need to to reconsider your business model. All of this is a business model. Right? And you're leveraging people on a commission only basis. Right? And you're so you're you're no one's making money unless some ransom is pay is paid. Right? So it it's and then only, like, the really big groups, like, for example, like, Blackbasta and Conti, like, at the their peak, peak, peak, they they the the people in there had a salary. Right? The top level people had a salary. But, like, this is only because they were they were able to receive payments. And we'll we'll look at the syndicate level next. Act three is all about the syndicate level. So it it that's a really good question. Thank you. I'm just gonna look one more. We have time, so I just wanna look at another question here. Okay. So Wells Fargo has an interesting question here. It's what is the point of threat groups to repost old data or reuse the same data that is breached every time to try to advertise all the time? That is an interesting question. I call that repacking or reposting, the same thing. So when you're so think of it there's two there's two reasons. There's from a data hoarder digital archiver mentality, And then there's also the, I'm building a reputation, and I have data. And a lot of the times when you repost something, like, it it it can show, like, do people really know what they have access to? Because, like, do do does the person that know that is putting that data up, do they know that that's already been reposted or that's been leaked? Like, it could be that they've they came across it, and they're like, oh, this I believe this is new, and I'll post it. Or they were scammed into buying a piece of data that was previously breached. Right? Because scammers will scam each other, and fosters and thieves will will all there's no honor amongst thieves in at this level. And so they they could they probably don't know what they have. And if they do know, they probably are trying to also, not necessarily re extort the victim. Right? It's it's really more about, like, hey. I have this dataset. I am putting it up there because the there's no it's like a repost or a repack. If you look at the piracy world, like, when something is no longer available, people will request it, and then people can bring it back online and seed it. Or this I'm talking about, like, the private for torn trackers in the private, like or the the Usenet community where you basically, like, can repost something if you ask for it, and you can pay through you can in exchange for not necessarily crypto, but sometimes it is crypto, but it's also, like, sort of forum credits or other things. And so the the idea that, like, when you're putting up all of this information there, you're you're not necessarily trying to reextort the victim. Right? Most of the time, you're you're just re sharing this information and, like, a completist or an archivist in terms of, like, putting that data up there to the community. You're supplying the community and not necessarily trying to to harm the victim. I think I think if that's the idea, that's at least how I understand of it. But, yeah, that's a great question. Perfect. So the question is, well, a follow-up question from Wells Fargo is, do they have that much available storage? Now as I mentioned, storage is expensive. Right? And if you look at, for example, right now, breach forums breachforums.bf, they are offering a CDN, and the shiny hunters DLS is hosting all of their leak data. So, like, all the victims right now that range in different sizes are, like, dot zip dot seven zips, and they are hosted like, the biggest one is right now is 30 gigabytes, and that is hosted on the breach form CDN. So when you click on it on the DLS, you can download it right away, but you can also just copy that link, put it into a into a download manager or wget script, and you can download it extremely fast. I was able to peak at, for example, 500 megabytes sorry, 50 megabytes per second, 50 Mbps, And that was that was impressive. And but, again, that costs money. Right? And the more they have to pay, the more expensive things get. And they will they they like, we all know what hosting costs or have an idea of what it costs, and they're not immune to this. Right? And the more we fund them, the more they they can operate. So and I know sometimes it's not an option to fund, and you have to pay. But, like, that's why it it is, like, funding cybercrime only facilitates it. Great question. Okay. So let's go and have a look at, act three now. So we're gonna talk about the syndicate level now. And some of you are like, oh, that's where the title comes from. So the syndicate level is very interesting because now we we get to see from the very, very top, and we're gonna look down now. And we're gonna see how things operate. This a lot of these top groups, once they have and I alluded to this. Once the top groups are basically they've made enough money, they can operate, and they can run offices. They very much operate like a corporation, and they very much operate like an a like a business. They have HR. They have managers. They have people that are in charge of negotiations. They have public relations. They have developers. They have maintainers. They have pen testers, red teamers. They have, though, everything. They have everything. Right? And it's extremely well structured. Right? So what's fascinating here is at the very, very top, right, you are running this this criminal enterprise. Right? You have the paranoia from all of the upper the lower levels. Right? And I also wanna say that, like, going up and growing up, the the world has like, it's it's it's an interesting concept to say, but the world has very much different Internets. Right? We have, like, the Western American Internets where a lot of us are familiar with it because that's a where a lot of the big, like, platforms are are coming from. But, like, China has its own completely different in, like, Internet. Right? And, like, Russia has its own or Russian speaking Internet is completely different. Right? So the it's hard to as someone from an outsider, like, going from Western to the Russian sphere or the Russian speaking Internets and then or going to the Chinese speaking Internet, like, that is a challenge. Right? And now there's the concept of with current political the current political situation, we might very well see, and we're already starting to see because of GDPR. We that was basically the start, European Internet. Right? So we might end up this whole thing with, like, four Internets. Right? Or may then maybe, like, 4.5. But it's basically, that's gonna be a a a really interesting concept of, like, these different types of Internets with different types of rules and how all of these these these criminals are they gonna, like, operate within their own bubbles, or are they gonna and then on top of that, you layer the concept of, like, CIS, and you layer on top of the concepts of, like, bricks and, like, how all of these, like, geopolitics interact with basically the the the the socioeconomic levels of the Internet. And so that's gonna be something that I I wanna explore, and we can definitely take a look at. So oh, Kim Jay has a fantastic question here. What's your opinion on CLOB's current campaign? Is there info that you're using GladNet as the initial access vector, or are they posting their the victims from Oracle EBS? So right now, they like, I I believe they've moved on from their Oracle EBS from my last like, the the they finished their campaign. So one way that you that historically has been sort of accurate for Clop is in, like, monitoring their campaign is when they create archive pages. So when they created archive 11, I believe it was, that was the I I want to say that was the end of the Oracle EBS. And now they've migrated to their next campaign. I've heard rumblings of it being GladNet, but there's also different campaigns that they've they've they've started. And so and this is basically an interesting one because Klump has been on a tear recently. And what's interesting is that, typically, between these massive campaigns that they do, they've been able to take breaks. Right? So, like, move it, go anywhere, Clio, and, they they were able to especially move it because that was their most profitable. It was estimated that they made millions of dollars off of that, that campaign in 2023. But now with, like, OEBS and the other one, they they're and this one, Clearnet, so there's three right now back to back. They are basically changing their script, and they're attacking they're publishing a lot of victims. Now just the Oracle EBS data, which I was able to study, that was about a 100 close to a 100 terabytes of data. And if you're thinking of it, like, how do they how does someone leak a 100 terabytes of data, right, with first of all, securely. Right? And by securely, I mean, being able to offer it in a a way that they they don't get arrested. Right? But so but at the same time, it's all about your the the ability to establish your threat. So if you cannot leak data effectively, you don't have a threat. So CLOP has been one of the the the best at doing this, and they are the most effective, I believe, at leaking data. Their their their data has always been quick to to obtain. It's efficient, and it's effective. Like, before they were doing before these campaigns, they were offering, everything through Tor, and, you can use it, like, a download manager to just download all the parts, and it was quick. Now they're offering everything through BitTorrent, and everything is split up over three servers. And these servers are all hosted in Bulgaria. And these basically are, these massive, like, servers that are hosting, like, all of their their most recent campaigns or three recent campaigns. So, these servers, what what I was able to do is I was able to look at the IPs and find out the the host provider and look at the plans of that hosting provider and look at what type of, like, cost. And each server is about $400 a month. Right? So, like, right now, with three servers of, let's say, a 100 terabytes and is, like that's at least a 100 $1,200 USD per month, right, in in terms of hosting. The like so you you gotta recoup those costs, but they've made millions on Move It, right, allegedly. If you follow some of, like, the chain analysis research that was published back then at in 2023. So it's like, they can do this. They have the infrastructure, and they have the threat. And so it is it is a a very CLOP is very interesting. Like, that is a successful, like, quote, unquote, successful group that is able to to create their threat and basically to to to leverage that. Thank you, Ken, for that. Let's go back. So when you're at the top of your top of the game and you're creating these the these infrastructure and everything trickles down from you so, like, let's look at Lockbit, for example. Lockbit had a leak, right, in terms of their source code or essentially their builder that allowed individuals to create the cryptographically paired encryptor and decryptor, and that allowed people to start their whole operation. For example, for those of you who don't really remember or didn't know, that is how DragonForce started. DragonForce started with a copy of the LeakLock BitLock builder, and they were originally posting the data on on the original breach forums during the Pompompurin era. And that was essentially like, they didn't have a DLS. They basically had a a a unique file server or you unique page, like an onion page for each of their victim. Right? And that basically, that's how they were they were posting that link. They were using ReachForums as their DLS until they basically came out with their own DLS. And then they once they had enough money, they were able to pivot from using the LeakLoggedBlack Builder into using their own code now that they've completely like, they they don't they they haven't used it for years. Right? But they're they're using all their own stuff now. But this is the like, that that was really the the fascination of, like, a group, like, evolving over time as they got more funding and they were able to extort more individuals and get more ransom payments. And, like, you can see, like, the snowball effect that it has. Right? That like, because, like and the the concept of this and, like, how we're fighting cybercrime and especially ransomware, and it's an an interesting fight because, like, you could do your best as an individual, a victim. Right? And you can have the most meaningful conversations with your legal team of, like, we're not going to fund this. We're not going to pay this ransom because and we can we have the means of recovering. Right? But, like, you have no control and, like, even, like, authorities and and government officials do not have the the ability to control what all the other players do on different jurisdictions. Right? So, like, when the, like, the the US government says they they're highly considering, like, banning ransomware payments or, like, Australia who doesn't who basically came out publicly and saying that they're not gonna be paying ransom payments anymore after they their health care sector got targeted. The again, it doesn't it has to be a collective shutoff of the tap. It can't be like, if there's enough trickles, it will still snowball. Right? So it's a fascinating concept that that I I keep looking at. Ray says it's getting more difficult to support these guys since they are now incorporating AI to look for zero day vulnerabilities and to automate their attacks to make time for an infection much shorter. Yeah. AI speeds everything up. It's it's a really it's a big challenge because but, again, quality is not you can't right now, at least, we're not associating quality with AI. What we're associating with AI is speed. Right? And some and, like, AI is really just the average, like, the the the median average of things. Like, the definition of the content that comes out of of like, the reason why AI is not good or the code from AI is not good and stuff like that, because it's it's literally, statistically, the the the median of something. Right? This is the most probable thing that will that will happen because it's a statistical and probabilistic model, at least the AIs that we're using the LLMs, to basically say, like, this is most likely what you want and give you that output. And by definition, that is an average. Right? So it and it is average. So, I'm not too worried about that. The there's it's not great. And that's why we, as as people, should look at AI in that in that sense and have some some confidence in knowing that, like, we at least we can be we can be better than AI, at least at this point. And we know AI is only gonna get better. That's the thing. As more data gets aggregated into AI, that that ability to move that average towards the better and better and better position and better outcomes is is only gonna happen. But, like, how right now, we're still using, like, the the GPT, which is the the procedural text model, and that's been around since 2017. It it's not necessarily revolutionary right now. All we're doing is we're feeding more data to it, and we're spending more on infrastructure, data centers, and and energy to to basically process bigger, bigger, bigger chunks of data. So the the so we're not necessarily gonna like, we're still able to craft goods, better stuff. Right? So I think that's what we have to find solace in, and it's basically the ability that we can be we can still make things that are much better and not settle for the average that the AI is doing. But, for example, what I wanna get back to Ray, and that's a great point, is that, like, it's speed right now. They're able to put out code and find things that are low hanging fruit and good enough code to attack us. And, I think it's it's a it's a wake up call for us to also just, like, level up, skill up, and, to start learning things and and become students again. And not necessarily, like, we have a competitor in the in the on the Internet now. It's AI, and it's out there. It's always learning. And I don't wanna necessarily, like, lead everyone to burnout, but we have to find solace that we are going to be better. And we have the ability to be better is basically what I'm getting at. Alright. So what I wanna talk about now is a specific individual. And I also wanna shout out to one of my colleagues, Oleg, for this. Oleg has been instrumental in sharing his data and his research on this. So huge shout out to Oleg on this, but thank you very much. And so I wanna look and explore a specific individual, specifically Tramp. Now recently, BKA has officially named an individual as Tramp, and that is Oleg. I can't pronounce his last name right now. It's it's escaping me. I apologize. But, essentially, Oleg, not my colleague. This is a as an in another individual, has been able to basically create an empire on this this whole RAS model. Right? And this individual has been connected to Conti. And then when Conti broke up in 2022 because of the at the time Conti was sided with Russia during the initial war with Ukraine, the Ukrainians that were part of of Conti did not like that. So individuals from the Conti leaked all the source code. We all know that story. And, essentially, Oleg was part of that. Tramp was part of that and of of of Conti and started off his own team. There was essentially, there was Conti team one, Conti team two, Conti team three, and then from there, we had a whole bunch of different lineages come out. If you depending on the research that you read, we can see there's loose affiliations and loose lineages of, like, Akira going, going back to their royal and, Zion Quantum and, Black Basta, for example, all have their lineage towards their Caracut as well. And they all had their own flavors, and they all had their own, like, interesting concepts of, like, diff approaches to the business model and how they were approaching things. Like, Caracut was only focused on trying to do extortion. And a lot of groups now are battling the biggest age old concept of do we encrypt? Like, is it what's worth more ROI? Is it like, look at Clop right now. Clop is doing purely exfiltration. They're no longer locking systems. They're we can't necessarily call Clop a ransomware group at this point anymore because their all their past their previous campaigns bar one or two victims in the here or there, have been a part of these massive file server exfiltration campaigns. So they develop and they they put their resources in finding a phone file servers that have vulnerabilities that they can exploit and basically funding these exploits. And, basically, that's their campaign now. We're looking at different groups now that pour their money into their lockers. Right? Because the whole concept of, like, if you have a really good locker that can that can reliably encrypt and decrypt, that you offload the cost of hosting the data onto the victim, so they have to keep all of that data. And, basically, a lot of people would love to just do single extortion, which is the locker, because you don't have to deal with data. You don't have to pay for data. You just have to do you just have to give back the locker. Right? So in a perfect world, that would be great. But a lot of the times, the the ransomware that that is gets pushed out there, like, have issues. We just saw in a recent article that was basically published by saying that Sakari was having issues and it was because it couldn't handle large files. And we've seen this with other ransomware operations before, even before the age of AI where, like, a lot of the the the files the the decryption would happen on, like, these massive, like, hypervisor files, like the VM flats and the stuff like that. Like, they would just fail because the files were too big. And, like, again, like, when you're in the middle of an attack and you're doing incident response and you see ransomware actively encrypting your environment, like, you have to you have to come to the realization and you have to make a decision and an executive decision of are you going to stop the encryption, or are you gonna let the encryption go? I wanna see what the the chat says. Do you do you think you stop the encryption, or do you let the the attack finish? Because I wanna know what you think. Yeah. Depends on how far along it is. If you stop it, would you be able to decrypt it? Because the encryption didn't finish. So you have a partially encrypted file. Interesting. Yeah. TJ Williams. I was on the stop train until you said that. Yeah. Exactly. So a lot of the times, like, you you should let the encryption finish. Right? Because you wanna basically be able to to to finish, to be able to successfully decrypt. Right? Because if you stop something and it was, like let's say the file the the because a lot of different ransomware has different ways of encrypting data. So they have, like, partial fast, which is sometimes just the header, and partial, it will be, like, an intermediate encryption of, like at a at a specific byte order. Or sometimes you'll have different ransomware that will just, like, do a full encryption. And if it's doing if it's programmed and the the the threat actor said, wanna do a full encryption and it goes halfway through the file, like, you'll never be able to recover that file. Like, that is basically a a wiper at that point. So is it and then this the thing is, like, if these are encrypting your your databases, your MySQL databases, and they weren't shut down, right, you're you're just corrupting data at that point. So it's it's really, really difficult. It's a and it's a it's a a decision that you have to make. So let's go back to to our conversation here. And, again, shout out to Oleg Lipko on this. This has been invaluable work. And, basically, I want to we're gonna zoom in on on on these areas, but this is the syndicate overview of a company overview or literally a business org chart of Blackbuster. And this is how these threat actors are operating. Right? And they have strict roles. They have they have managers. They have the people that are are looking over them, and they're able to essentially conduct their business. Right? And from there, we have people who go under multiple different pseudonyms, and they're able to, they have offices, and they're basically able to conduct their business. So right now, like, let's take a look at this specific, scene right here. You have the, internal team, which was the team that was responsible for pen testing. They were able to do the ransomware deployment, and they were support. Now they had a different nomenclature and a different syntax for how they were named, and everything here is hosted on a matrix server. This was the matrix leak that happened last year. So from there, we can see that, like, you have, like, a threat actors named n n, zed zed, f f, t t, and JJ, DD. And from there, we have the initial access brokers. Now these are the external affiliates. Right? And they're also could be the ones that do, like, some pentesting and things like that. But these users like, Blackbuster was a closed group. Right? And they were basically the ones that were you had to be invited into it. You had to know the people that were into it. They weren't necessarily, like, advertising super openly on forums. They were present on forums, but they weren't necessarily, like, creating those recruitment adverts that we're we're used to seeing from other ransomware operations like Anubis and the ones that we saw earlier. But now that we see that they have, like, the separation of, like, their dealings with, like, initial access brokers and they're dealing with other their internal team, we can see that, basically, there's also these other sorry. There's these other, tier of affiliates that actually don't know they were working for a RAS, and we're gonna see that. There was actually some dialers, and we're gonna take a look at Arslan. Arslan was this individual. He was allegedly from Pakistan, and he was working for roughly $20 a week. And he was dialing all the victims that to make sure that and this these were dial dialers that he was doing through Microsoft Teams, and he was also doing it through Skype. He was also doing it through different means, like the old school telephone to make sure that, I apologize. Okay. Much better. Basically, going through all of these, dialings and these victims like a Rolodex too and a spreadsheet to see who if the information was accurate and to see who the the the victims were able to they were able to target. So going back to to this idea, this is our plans spreadsheet. Now in the datasets that Blackbuster was able to leak, we saw this information. Right? And all of these links, even though they were dated from 2024, they were still active. Right? And we still saw how people would recently log in, and Arslan was still actively trying to participate. And there was a funny, really funny message where was basically through a message on these spreadsheets was saying, hey. Hi. I'm available for more work. Please contact me. But they were basically, like, these threat actors are not, like, it was it's a challenge. Right? They're trying to to they believe they're working for a, a legitimate company. Right? And sometimes you have these threat actors who are, like, the not these threat actors, but these individuals are a little bit smarter or able to to realize earlier. I think it would be a better fairer assessment to say that they're working for for a criminal enterprise. And they basically use because there was another individual who was more technically sound and more technically advanced and was able to do the actual testing of the credentials, and they realized fairly quickly that they were working for a RAS. And so there's different levels to this. Right? But I want to finish off this talk with Evil Corp. And Evil Corp is really a family business. Now a lot of this data comes from the NCA, and a lot of this comes from the operation Kronos part two that they did. So I wanna take a look at this. And a lot of these individuals are sanctioned, and I want to ask the group, the chat, when you're making a payment and when you're trying to facilitate a payment, how important is it to check I'm just gonna name drop it like this. How important is it to check OFAC, o f a c? Yeah. Exactly. So these and you wanna know if you're about to make a payment to a sanctioned entity. Right? Because that could put you into a whole bunch of trouble. So a lot of these individuals are sanctioned. And, for example, Igor, this individual right here in the middle of the of the of the of the image here. When I was in Munich and I was going through passport control, and I saw a wanted poster, right, of them. And they're still actively to this day, like, being chased down by law enforcement. Right? They cannot go to Europe. They cannot go at least with the this identity. Right? And we've seen some individuals go through radical changes like plastic surgery and things like that and fake identities, fake passports. But it it's it's a fascinating world at this point where they cannot even, like, move through they have to stay in their country at this point. Right? Because they're absolutely wanted everywhere. So let's take a quick look at this and dive into the syndicate level affiliates and how they live their lives. And this is, Maxim right here, and he is basically the one that attacked Australia, and that's why he's sanctioned in Australia for that medical. And this has a lot like, Evil Corp has a lot of, like, overlap with, like, Tripod and IceBot and sorry. IceID and QuackBot and all these things. So there's there's a lot of developers, malware developers, but, like, there's a lot of merging with different, like, Conti brands and different, like, groups here. But, essentially, we can start to see this here. Don't worry. The tiger does not get hurt. At least in the video. So I want to end this talk today with a specific question. And that question is, basically, what happens when threat actors stop believing in this structure? And I I am fascinated with what I what what you all think of this. Like, what happens when and we're starting to see this with crypto, with, like, cry cryo, sorry, where they're moving away from this world of trying to establish trust, and they're using cryptography and zero trust now. And it's a fascinating evolution. But I wanna know what what else do you think. What happens with two threat actors when they stop believing in this power structure of, like, going through, like, leveling up through these different stages and learning and grinding your way, or is this just, like, a rites of passage thing, or is this just, like, how, like, people are human and this is this is how they live their lives? I wanna know more. I wanna know what you y'all think of this. And let's have a look at some questions here. So with the proliferation of scammers and honeypots in cybercrime, how does an entry level threat intelligence analyst identify a true starting point to monitor the real threat actors? So if you're getting into threat intelligence, the the way I see threat intelligence, right, it's a multidisciplinary, like, career where the more you know about different things, I believe the more successful you'll be. And you you would definitely wanna know, like, how to read, the MITRE framework. You definitely wanna know how to look at IOCs. You definitely wanna know all of that stuff. And but, also, you wanna look at the socio like like, sit like, the the reasons why people the psychology. You wanna look at the geopolitics of things, what's allowing people to do this, what frameworks and circumstances people do things like this. This also is extremely important. And there's like, threat intelligence is all a big thing. And what I would recommend to you is basically do like, pick a subject that fascinates you and you're extremely passionate about because your passion will drive you. Right? And find that that topic. For me, it's ransomware. It could be DDoS. It could be cybercrime. It could be extortion. It could be a whole bunch of different things and, like, start learning it up on it. There's a lot of lore that happened in the yesteryears of before you started your career. Read up on the past. When I tell people to who wanna get into ransomware and learn threat intelligence from the ransomware aspect, the first thing I tell them to do is learn about WannaCry and learn how that basically started. Learn about the old ransomware and then migrate to reading about Logbit. And then I that you have the background because you'll spend potentially a couple of months learning all about that stuff, and that's gonna give you a decent foundation on a whole bunch of different topics, or it could take you even longer depending on how deep you go and and how much research you wanna do. But, like, that is how you would essentially start. And if you're just starting as a junior analyst, I I I would say read up on the lore of the groups that happened prior because all the groups today, like, come from like, are standing on the shoulders of these other groups. And they've their their refinement of their their tactics and their techniques and their procedures are only possible because other groups have tried the different things and have failed, have caught caught, so have been seized. So that's how you learn. Do they have a blue team for threat actors? April m says so that's an interesting one because the LockBid had a bounty program for the longest time. And even though that failed to defend against the PHP vulnerability that basically had their whole infrastructure seized through operation Kronos because of the NCA. That is yes. They they they don't necessarily have blue teams. I would I would I wouldn't be surprised if they do have dedicated people that are looking at at that, especially with the more, like, state funded stuff, but they definitely have bug bounties. For example, breach forms had a bug bounty, and Blockbitt had a bug bounty, like, public bug bounties. Other groups have also, like, private at least discussed bug bounties and rewards for that stuff on a at a private level. But yes. Do you think ransomware would still have been a problem if cryptocurrency? So, like, if cryptocurrencies did not exist, yes. Ransomware would still be an issue. Ransomware was an issue before cryptocurrency. We had in the eighties, there was ransomware was distributed by Diskette. And so one of the first examples we have of that was basically this mal this ransomware called AIDS, which was distributed at the World Health Organization in New York and at a conference, and you had to make the payment via PO Box. That was an actual thing. That actually happened. You can read up on it. It's it's a fascinating story, and, basically, you, it was meant to bring awareness to the AIDS, crisis that was happening in the early nineties, late eighties. Perfect. Let's go to Chad. Awesome. So what I'm gonna do is I'm gonna go over to the Discord in about five minutes, and I will continue our conversation there. And if you wanna interact and ask me questions, I'm gonna be in the voice chat there and on the Flare Academy Discord. So thank you very much for attending here, and I'll answer more of the questions there as well. So if you I didn't get the chance to answer your question, I'm sorry. But you can come and see me, on the Flare Academy Discord, and I'd be more than happy to answer your question there. So I will see you all in a bit. Bye.