
Seriously Risky Business Newsletter

June 05, 2025

Law Enforcement Is Finally Making Progress on Ransomware

Written by Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by runZero.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A beautiful endgame

For the first time in history it feels like law enforcement may actually be doing some damage to the ransomware ecosystem. Over the last few months Operation Endgame, a multinational joint law enforcement operation, has been tearing through the criminal underground like a bull in a china shop.

Last week Dutch police announced that, in collaboration with US and Finnish authorities, they had taken down AVCheck, a testing service used by cybercriminals. Per Risky Bulletin, which has further coverage:

The service has been around for over a decade and allowed malware developers to test their code against major antivirus engines and malware scanners.
It ran the engines and scanners in isolated cloud environments that cut off telemetry and prevented them from phoning back home to the security firms with warnings when malware was detected.
Threat actors bought subscriptions on AVCheck, uploaded their payloads, fine-tuned the malware code until it wouldn't trigger any detections, and then deployed it in real attacks, knowing it wouldn't be spotted until it was too late.

Earlier in May, another action targeted initial access malware, malware that is used to get unauthorised access to systems in order to deploy ransomware or steal data. This takedown affected seven different malware strains including DanaBot (which we discussed here), Qakbot and Trickbot.

That same month authorities took down Lumma Stealer (aka LummaC2). Lumma is an infostealer, a type of malware that infects systems and extracts login and authorisation credentials from various apps and sends them to attacker-controlled servers. Risky Bulletin described what made Lumma popular amongst the criminal set: 

For a few bucks, you would get the Lumma malware itself, but also your personalized control panel where victims would send their data. Customers who bought Lumma also had the option to take all the credentials they collected and sell them on a private marketplace operated by the Lumma creators themselves.
This made threat actors flock to Lumma ever since it was released in February 2023 and allowed it to effectively monopolize the infostealer market.
Lumma had a simple point-and-click process that even the dumbest of threat actors could handle and a marketplace where they could monetize their stolen caches.

So, in just one month Endgame has carried out significant actions that disrupt the services cybercriminals use to find credentials, to test malware so they can be sure it won't be detected, and to get access to networks. It's not just doing this by onesies and twosies, either. In each category it is knocking off the major player completely or landing hits on a range of participants in the field.

It's great to see ransomware being tackled holistically.

In addition to disruptions and takedowns, Endgame is naming and identifying suspects and highlighting arrests that have followed takedown operations. 

Endgame is also trying to send messages in more creative ways. Its website hosts professionally-produced short videos tailored for the criminal audience, complete with Russian subtitles and catchy jingles. This one (Consequences, aka episode 4 from season 2, lol) mocks DanaBot administrators, in full anime style, for infecting their own computers.

Another video, 'Yin and Yang', is a direct appeal for criminals to go straight. This complements the 'SYS initiative' from Prodaft, a threat intelligence company and one of Endgame's private sector partners. The company offers to buy access to criminal forums. Part of its pitch is that respondents can report things that don't align with their values and "it's never too late to change".

It's not all good news though. 

Malware operators can be very resilient. Even after severe disruption, they often bounce back. Bumblebee and Trickbot, for example, were among the malware targeted in the last month. Both were also hit in Endgame's first operation in May last year, so it is good to see that it is engaging in an ongoing suppression strategy. 

But as long as Russia remains a safe haven for cybercriminals, it is unlikely that a large number of them will be brought to justice. Although Endgame's creative videos and attempts to appeal to criminals' virtues are interesting, anime and pop punk jingles are distant second-bests to actually arresting suspects. 

Endgame won't eliminate ransomware. But with luck, the days of endless free kicks for the bad guys are over.

Spyware and the Syrian Regime's Fall

New Lines Magazine this week suggests a mobile spyware app installed on the personal devices of Syrian army soldiers was a key contributor to the Assad regime's sudden collapse months later, in late 2024. The article describes a veritable tour de force for a spyware app targeting military personnel. But we are not convinced that correlation equals causation.

The app, known as STFD-686, was installed by victims lured by the promise of financial aid. The aid was purportedly from the Syria Trust for Development, a humanitarian organisation run by Bashar al-Assad's wife, Asma al-Assad. 

It's not clear who was behind the app. The article merely says "the Assad regime's enemies benefited from the app in some way — although exactly how is difficult to confirm, and it is difficult to surmise who was behind it". 

After installing the app, victims were redirected to an external website with a questionnaire. Per New Lines:

…users were asked to submit a series of seemingly innocent details: full name, wife's name, number of children, place and date of birth. But the questions quickly escalated into riskier territory: the user's phone number, military rank and exact service location down to the corps, division, brigade and battalion.
Determining officers' ranks made it possible for the app’s operators to identify those in sensitive positions, such as battalion commanders and communications officers, while knowing their exact place of service allowed for the construction of live maps of force deployments. It gave the operators behind the app and the website the ability to chart both strongholds and gaps in the Syrian army's defensive lines.

The app also installed SpyMax spyware which can collect conversations, text messages and screen recordings.

It's pretty easy to see how the app's data collection combined with real-time espionage could provide a significant advantage to opposition forces. 

The financial aid supposedly on offer was pretty good too. The promised USD$40 per month was higher than the officers' salaries, according to New Lines. The Telegram channel distributing the malware claimed it made 1,500 payments in July. In the context of a war, USD$40 per install seems like great value.

At the same time, the article points out the Syrian army was "a shadow of its former self" after a decade of war and that economic collapse had turned soldiers' and officers' salaries into a "cruel joke": 

Officers and soldiers no longer focused on military duties; they scrambled for any opportunity that might sustain them. They traded anything and everything just to stay alive, without exaggeration.
Imagine an army where officers sold the remains of stale bread rations meant for their men. Where senior officers bought solar panels and rented out charging services to soldiers desperate to light their shelters or charge their phones.

It seems to us that poor pay, poor morale and the absence of security protocols could have led to STFD-686 being widely installed and therefore could have led to an intelligence bonanza for opposition forces.

Of course, we don't know who was behind this operation and how well they leveraged any intelligence into real-world advantage. Turning tactical intelligence into military victory takes more than just phishing pages and spyware. 

In our view, the conditions that possibly turbocharged the STFD-686 spyware operation are exactly the ones that could lead to a sudden military collapse anyway. 

GRU Unit 29155: Part-Time Hackers, Full-Time Assholes

The Insider has a wonderful deep-dive into how the sabotage and assassination group of Russia's military intelligence came to be involved in cyber operations.

The group, the GRU's Unit 29155, is probably best known for the attempted murder of Sergei Skripal and his daughter Yulia in Salisbury using the Novichok nerve agent. It has also been linked to assassination and sabotage incidents across Europe.

The Unit's OPSEC is terrible, at least when it comes to its hackers. The Insider says its reporting relied on "a trove of leaked emails, social media posts, phone records, and, crucially, unprotected server logs and left-behind burner emails and disused VK and Twitter accounts".

According to The Insider's report, Unit 29155 began its foray into cyber operations more than a decade ago. In 2014 its head recruited former cybercriminal Tim Stigal. Over time its hacking team has grown through the recruitment of other criminals or by scouting Capture the Flag hackathons. 

Some of the operations strike us as bizarre. In 2021 the team ran a graffiti campaign across Ukraine:

As a result, "Zelehuylo" – "Zelensky is a dick" – and other variations thereof were daubed on buildings in multiple Ukrainian cities throughout the summer of 2021. This folder kept geolocated "proof of delivery" photographs and chats with remotely-recruited assets in Ukraine who were paid the equivalent of between $1 and $5 for the graffiti, depending on the importance and risk involved in marking a certain location. The assets were also required to report their walking routes and "number of steps walked" per day.

The article says that cryptocurrency addresses associated with the campaign show hundreds of thousands of dollars were spent at the time.

Today, the same recruitment techniques developed during the graffiti campaign are used for far more sinister purposes:

GRU operatives remotely locate and use Telegram to recruit saboteurs from countries including the United Kingdom, Poland, the Baltics, and Germany, offering them cryptocurrency for setting fire to strategic sites such as military installations or defense plants, or to softer targets like warehouses, shopping malls, or bus depots. More ambitious plots, which have so far been thwarted by Western counterintelligence and law enforcement, include smuggling incendiary devices encased in sex toys and cosmetics aboard DHL cargo planes bound for North America.  

The report provides a fascinating insight into the wild-west, anything-goes culture of Unit 29155. It is by turns laughable and terrifying.

Three Reasons to Be Cheerful This Week:

  1. The official APT cheat sheet: Microsoft and CrowdStrike have announced that they are working on a reference guide that links threat actor names across their respective taxonomies and have published a first cut (here and here). The guide is based on discussion between company analysts, so it is a step up from previous efforts conducted by researchers who read the tea leaves in public reports to divine links between names. Other security organisations including Google's Mandiant will also be contributing to the effort. Catalin Cimpanu at Risky Bulletin is skeptical and has more coverage.
  2. Cyber scam hosting network sanctioned: The US government has imposed sanctions against Philippines-based Funnull Technology and its administrator, Liu Lizhi. Funnull hosts scam websites that it sells to cybercriminals on IP addresses it buys from major cloud services, according to the US Treasury. It says Funnull is linked to "the majority" of cryptocurrency investment scam websites reported to the FBI and that US-based victims have reported over USD$200 million in losses. Further coverage at Krebs On Security.
  3. Firefox gets crypto-wallet theft protections: Mozilla announced a new mechanism to identify and stop scam extensions known as crypto wallet drainers. These drainers masquerade as legitimate crypto wallet extensions to convince victims to input private keys and credentials. Mozilla has detected hundreds of scam crypto wallets over the past few years and recommends that users only install a crypto wallet's official extension.

Sponsor Section

In this sponsored interview, Risky Business Media's brand new interviewer Casey Ellis chats with runZero founder and CEO HD Moore about why vuln scanning tech is awful and broken. He also talks about how they're trying to do something better by gluing their own discovery product to the nuclei open source vulnerability scanner.

NSEC Keynote: A Pirate's Guide to Snake Oil & Security - HD Moore
Watch HD's keynote at NSEC, where you are taken on a satirical voyage through the crowded world of vulnerability management.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).

In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at NSA's take on information warfare, all the way back from 1997.

Or watch it on YouTube!

From Risky Bulletin:

Windows Update will soon deliver individual app updates: Microsoft will open up the Windows Update mechanism to third-party apps and driver makers so they can deliver updates to users in a faster and more seamless manner.

The new feature is currently under testing and will ship in a future Windows 11 release.

Microsoft has asked developers this week to sign up and help test out the new software update orchestration platform before its official release.

The platform, which currently has no official name, will handle everything on their behalf. It will scan for new updates on the developer's servers, handle the update installation process, handle user notifications, force device restarts, handle errors and failures, and even impose installation deadlines.

[more on Risky Bulletin]

Public DB exposes Russia's nuclear bases: Over two million documents with extremely sensitive details on Russia's nuclear weapons bases have leaked online via an internet-exposed database. The documents contain extremely detailed blueprints and layout information on all of Russia's nuclear missile sites. They include details on recent repairs, new buildings, and even new bases. The leaky server was discovered by Danish journalists who spent months exfiltrating the data and analyzing it together with Der Spiegel. The leak was described as "absolutely incredible" and is the first time since the 70s that Western countries have accurate blueprints of Russian nuclear bases. [Additional coverage in Danwatch]

Meta and Yandex abuse localhost ports for tracking: Meta and Yandex have used a secret technique that abuses localhost ports to track mobile users as they navigate the web. Websites using the Meta Pixel and Yandex Metrica scripts open local ports on Android devices. Meta and Yandex apps running on the same device connect to these ports to receive information such as browsing metadata, cookies, and advertising IDs. Researchers have named the technique web-to-app ID sharing and say it bypasses privacy protections such as Incognito Mode, Android's permission controls, and clearing cookies. Meta stopped using the technique after it was disclosed by researchers. [Additional coverage in ArsTechnica]

© Risky Business Media 2007–2025. All rights reserved.
ABN 73 618 465 517