The Qilin Ransomware Group vs The National Health Service

This episode of the podcast looks at the Qilin ransomware group’s attack on the UK’s National Health Service.

Or – more accurately – their ransomware attack against Synnovis, a third party pathology testing organization for a number of London hospitals.

Guests Louise Ferrett and Joe Honey go through the timeline of the attack – discussing the ransomware group’s history, whether to trust claims that the attack was politically motivated, and the reasoning behind leaking 400GB of stolen patient data.

Speakers

Aidan Murphy

Host

Louise Ferrett

Senior Threat Intelligence Analyst at Searchlight Cyber

Joe Honey

Threat Intelligence Engineer at Searchlight Cyber

This episode also looks at the state of ransomware half a year into 2024, including:

Where some of the biggest groups from last year have disappeared off to

With the top three ransomware groups of last year (LockBit, BlackCat, and Cl0p) either seriously diminished or officially retired.

New groups that security professionals should be aware of

Including RansomHub and APT73, as well as the culprit of focus in this episode: Qilin.

The diversification of the ransomware landscape

With our guests discussing the uptick in the number of groups, which speaks to a fragmentation of the ecosystem.

Transcript

Aidan Murphy: 

Hello, and welcome to another episode of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’m your host, as each month we take a look at a different aspect of the dark web, based on a story that’s been in the news. In this episode we’re going to look at one of the biggest stories of the month, the ransomware attack against the National Health Service in the UK, orchestrated by the ransomware group, Qilin, or “Qilin”, depending on how you want to say it. We’re going to take that as a starting point, and look at the ransomware landscape half a year into 2024. Which is, fair to say, in a very different place to where it was at the beginning of the year. Joining me to discuss the latest groups and trends in the ransomware world, we have two returning guests to The Dark Dive podcast. Joe Honey, threat intelligence engineer at Searchlight Cyber, and a voice that regular listeners will remember from our dark web forums episode. Hello, Joe. 

 

(TC: 00:00:55) 

Joe Honey: 

Hi, Aidan. 

 

(TC: 00:00:56) 

Aidan Murphy: 

And Louise Ferrett, senior threat intelligence analyst at Searchlight Cyber, and I believe the most frequent guest on the podcast to date. You could find Louise in the episodes on dark web marketplaces, our first ransomware groups episode, and our recent episode on the take-down of LockBit. Hello again, Louise. 

 

(TC: 00:01:11) 

Louise Ferrett: 

Hi, Aidan. 

 

(TC: 00:01:12) 

Aidan Murphy: 

Before we get into the attack itself, and as I’ve said, which was against the National Health Service, or the NHS, in the UK. I would like to start by looking at the group behind it. Personally I’d never heard of Qilin before this news story. Louise, could you tell us a little bit about the group? I think first maybe we should agree how we’re going to pronounce their name. So, I’m saying ‘Qilin’, because you told me that’s how it should be pronounced. I know a lot of other news outlets say ‘Qilin’, but I think we’ve agreed on ‘Qilin’. Is that right, Louise? 

 

(TC: 00:01:42) 

Louise Ferrett: 

Yes, that’s what I’ve been trying to do. I’ve actually been saying it ‘Qilin’, so a third option, the whole time. Up until yesterday, when we decided on pronunciation. But yes, ‘Qilin’. I think the name comes from, like, a Chinese mythological creature. They have been active since 2022, I believe. They’ve got over 100 victims listed on their dark web site. They are a pretty standard ransomware-as-a-service gang, suspected to be based in Russia. Have been observed trying to recruit pen testers, shall we say. So, people that can gain access to company systems on dark web forums, usually in Russian, and that’s the blurb on them. 

 

(TC: 00:02:33) 

Aidan Murphy: 

So, as you say, I guess a pretty standard ransomware group bio. Especially with the suspected to be based out of Russia, and with a typically obscure, but quite aggrandizing name. Just I guess to put it in context for people listening, so a ransomware group from 2022, with over 100 victims. I guess it’s safe to say, again, that’s relatively typical. We don’t-, 2022 is quite old for a ransomware group, I would say, and over 100 victims is pretty active. Is that right? 

 

(TC: 00:03:11) 

Louise Ferrett: 

Yes. So, as I’ve been working in this industry, it does seem like ransomware gangs are sticking around for less and less time. Everything’s, sort of, starting to move quicker. So, I would say in the current landscape, being around for two years is pretty good innings. They’re pretty, sort of, senior as far as the ransomware landscape goes. And over 100 victims? Yes. I mean, if you say, ‘This one group has attacked over 100 companies,’ it sounds pretty big, but I think we have-, or I do anyway, have a bit of a, kind of, skewed perception of what it means to be active. When you have groups like LockBit, for instance, who would sometimes post, like, 50 victims in one day. Or Cl0p, when they go on their sprees, and are just dumping hundreds and hundreds of victims in one go. But yes, I’d say they’re, you know, a fairly mid to high activity threat actor. 

 

(TC: 00:04:16) 

Aidan Murphy: 

I guess that might be why I hadn’t heard of them before then. So, we’re talking about-, they’re going to love this description, if they’re listening. A mid table ransomware group, and like you say, not someone who’s entered into our, kind of, top rankings over the last couple of years. Joe, is there anything else that stands out for you, about Qilin, that you think is relevant? 

 

(TC: 00:04:35) 

Joe Honey: 

Yes, we did-, I mean, not so much about Qilin, we just wanted to pick up on something Lou said just a moment ago. Even though, sort of, Qilin have-, Qilin, however we’re pronouncing it, have only been around for two years or so, it doesn’t necessarily mean though that all of the affiliates, all of the threat actors in this group, only have two years of experience. So, Qilin, they’re a ransomware-as-a-service group. They have affiliates, they have pen testers. Essentially contractors, in business terms, and these affiliates, they’re not necessarily the most loyal of people, as far as I’m aware. So, they will change whichever groups that they support. Some perhaps even use different strains of ransomware, to try and maximize their own personal earnings. So, even though, sort of, Qilin have only been around for two years, some of the ransomware affiliates may have been doing this for two, three, five, ten times that. So, you know, I think with ransomware groups in particular, you can judge based on the length of service they’ve been alive, but you do need to be aware that actually some of these guys may have very, very experienced pen testers working on their behalf. And ultimately need to be taken seriously, whether they’ve been around for 30 days, or 30 years. 

 

(TC: 00:05:39) 

Aidan Murphy: 

Yes, it’s a really good point I think, and I think something that is often underestimated about how affiliates, in particular, move between these different groups. If people would like to find out more about how ransomware-as-a-service operations function, I would urge you to go back and listen to the original ransomware groups podcast we did as part of series one. Because we go into some depth in there, exactly as Joe was describing here, about how things are more fluid between the groups. Some people often appreciate one, and in terms of the developers, many developers go from one group to another, but exactly as Joe was saying, the affiliates may be using one ransomware strain one day, and another the next. Has Qilin had any noteworthy victims before the National Health Service, or any specific victimology, a type of organization they target, Louise? 

 

(TC: 00:06:34) 

Louise Ferrett: 

So, I was going to mention this actually, as another reason why they might have, kind of, flown under the radar up until now. They don’t seem to have a particular victimology, like, a particular industry or geographical location that they’re particularly keen on attacking. I think like most ransomware activity, it is skewed in favor of US companies. Whether that’s down to just the sheer number of companies that exist in the US, or a more, kind of, quasi-political angle, I guess. Which might come up again later. No big victims, off the top of my head. I would say they don’t go for really, really small companies. There’s, sort of, quite a lot of healthcare, a lot of software and IT service companies. A lot of consumer goods and services companies as well. 

 

(TC: 00:07:36) 

Aidan Murphy: 

So, that makes sense. There wasn’t a victim of the, I guess, notoriety of the UK’s National Health Service before this. 

 

(TC: 00:07:44) 

Louise Ferrett: 

But I should make a point, actually. You have said it was the UK’s National Health Service that was the victim a few times now. The actual victim wasn’t the NHS itself. 

 

(TC: 00:07:56) 

Aidan Murphy: 

That is a very important point, and I was just going to come to. So, yes. Okay, let’s talk about the attack itself. So, it is important, as Louise was just about to do, to highlight that the attack wasn’t directly against the National Health Service, or the London hospitals that were impacted, which we’ll come to in a second, but actually against a company called Synnovis. I wonder, Joe, maybe if you can give us a little bit of an overview of what happened in the attack, and maybe we can take it from there? 

 

(TC: 00:08:24) 

Joe Honey: 

This is very much a supply chain attack. So, whilst the National Health Service and, you know, huge amounts of hospitals, and healthcare providers across London had been impacted by this, it wasn’t the National Health Service itself that was attacked. So, it was a company called Synnovis. So, Synnovis are a very large organisation, they specialise in, sort of, laboratory testing-type services. One of the main parts that was in the news about this was around blood testing. So, anyone who is going into a London hospital, needed to have certain blood tests run, you know, even just as simple as trying to find out what blood they would need in the event of an emergency. All of those samples were taken, they were handed to Synnovis, a third-party company. Synnovis would do the tests, and then communicate those results electronically back to whichever NHS personal service, sort of, requested it. There isn’t huge amounts of detail so far that we can see, in terms of how this happened. So, what we know for sure is that late June time, it was around the 20th, if I remember right, they experienced massive IT downtime, and this eventually came out to be ransomware that was caused by Qilin. So, obviously this caused instant problems. Testing services failed, people couldn’t communicate with each other, they couldn’t necessarily communicate with suppliers, and essentially, kind of, medical services inside London effectively ground to a halt completely, certainly for a couple of days. Luckily, we did manage to get on top of that, kind of, fairly quickly. Well, I say, ‘We,’ the royal ‘we’. They spun up extra capacity with other labs elsewhere, outside of London. Other companies were brought in, and other methods of communicating were happening, but it still caused, you know, a massive impact. Some of the numbers I’ve seen vary, but over 1000 operations were canceled, transplants were stopped, or moved. 
Although, luckily, I think they did manage to move those organs to other recipients. So, they weren’t wasted, but for the people waiting on those it was a very big impact. Yes, even down to some planned Caesarean sections being canceled, because they couldn’t get the blood supplies and such there, in case there was a problem. 

 

So, you know, there was a massive impact to the UK. Both financially, in terms of the downtime, and the loss of healthcare. Huge amounts of, kind of, personal lives were potentially put at risk, and I think we’re still getting to the bottom of the financials. The actual financial cost of this attack is going to take months to, kind of, come through, based on the instant response, all the work that needs to be done for paying for the other services, all of the work that’s going to be done, hopefully in the future, hardening systems against this type of attack. 

 

(TC: 00:11:00) 

Aidan Murphy: 

Yes, that’s brilliant, Joe. That’s a great overview. I mean, and I think we may come onto this in a second, but this is just the initial impact of the attack really. Because then we start to get into the ransom itself, and the data that was stolen. But as you say, so yes, the impacted hospitals in London were London’s King’s College Hospital NHS Foundation Trust, and Guy’s and St Thomas’ NHS Foundation Trust as well. Which are, for international listeners, major hospitals, and the National Health Service in the UK has said that this, exactly as Joe described, had an impact on national blood supplies. Because obviously London is such a large part of the UK population. I think the latest figures are that 8000 patient procedures would have been disrupted, and I think that’s just a number that keeps growing. Because as I understand it, even now, over a month on from the initial attack, the impact is still being felt. So, that was the, I guess, initial development, and then we had the ransom demand of Synnovis. Maybe, Louise, you can pick up the story then what transpired, I guess, after this initial disruption? 

 

(TC: 00:12:13) 

Louise Ferrett: 

Yes, sure. So, I just want to jump back a little bit, to when the attack first happened. So, that was actually on Monday 3rd June, Synnovis put out the statement about their systems being down. So, that just shows you how long it’s actually taken for this to play out, and then the recovery, as you both said, is still ongoing. So, yes, Monday 3rd June, ransomware attack occurred. A few days later on the 5th June, Qilin was named as, sort of, the number one suspect, I believe by the former head of the National Cyber Security Centre. Then for a long time there was, sort of, a long period of not much happening, just reports of the disruption coming out. And then on the 19th June, so a few weeks later, interviews started coming out from Qilin representatives to, it was a few fairly big outlets. I think the BBC and Bloomberg were a couple of them, that these ransomware reps were talking to, and aggrandizing their attack. Obviously it was very impactful, it did cause a lot of problems, but they added some extra, sort of, flair to it, shall we say? Claiming-, 

 

(TC: 00:13:43) 

Aidan Murphy: 

Embellishments to the story. 

 

(TC: 00:13:45) 

Louise Ferrett: 

Yes, exactly. Embellishments is the right word. Claiming that they had used a zero-day. So, that’s basically an unknown vulnerability in some software, that’s zero days till exploitation. So, yes, they claimed they used a zero-day vulnerability to get access to Synnovis’ systems. They also claimed a political motive for the attack, which we should probably explain now. Very unusual for ransomware attacks. Not unheard of, there’s definitely some groups that will deploy ransomware as a, kind of, political statement, or as almost a wiper. So, they’re not really interested in even getting any money, they just want to cause disruption, but for these kind of ransomware-as-a-service gangs it’s odd. The primary motive is financial, they want to extort money out of the companies that they have attacked, but in this case Qilin gave a, sort of, confused reasoning. It was definitely related to the war in Ukraine, and I think the UK not donating enough, kind of, medical equipment, I believe. 

 

(TC: 00:15:03) 

Aidan Murphy: 

To Ukraine? 

 

(TC: 00:15:05) 

Louise Ferrett: 

Yes. It was-, up until this point everyone had, sort of, assumed that this group was based in Russia. They were now appearing to-, again, it was quite vague, but appearing to come out in support of Ukraine. Now, you can argue all day about whether this was, sort of, a bait and switch, or a way to make them appear more favorable in the eyes of the UK public. Because they also put some statements out with, sort of, a half-hearted apology to all the people that this disruption had affected, and saying, ‘We’re not the ones to blame. You should be blaming your leaders.’ All in all, yes, a big confused, but this, again, isn’t unheard of with ransomware gangs. They quite often will do, kind of, press opportunities, where it can be seen as a way to bolster their reputation, and make them more feared than their peers. 

 

(TC: 00:16:10) 

Aidan Murphy: 

Yes. I think as you’re aware, cyber criminals speaking to the press is one of the topics that I just find endlessly interesting, along with exit scams. So, there’s quite a lot I want to jump into. So, firstly, like you said, they’ve made two claims. One that they used a zero-day, and secondly that they are politically-motivated. That they deliberately targeted Synnovis, knowing that it was going to impact London hospitals, and that was what was behind the attack. I guess I’d like to get both your takes on what you think of those claims. I mean, obviously I think for both of them we can’t say for certain whether they’re true or not, but Joe, maybe I’m going to be mean and pick on you. What do you make of the claim that they used a zero-day? Like you say, it hasn’t come to light yet how they did access Synnovis, but is it possible that there was a zero-day involved? 

 

(TC: 00:16:59) 

Joe Honey: 

Yes. I mean, obviously it’s all speculation at the moment, there hasn’t been any official confirmation either way. In terms of them using a zero-day. Yes, it’s possible. There is so much technology in use by every different business nowadays. It’s very difficult, if not impossible, to make sure that everything is 100% secure, 100% of the time. That being said, you know, zero-days I think are still relatively rare, and when we do see proper zero-days, you start seeing stuff like the GoAnywhere incident with Cl0p. Where you see thousands of victims, kind of, falling in very quick succession. Also when you look back at, kind of, the activity from Qilin, that they tend to focus on more spear phishing attacks. So, send very well-crafted emails, you know, very well-targeted as well. People with sufficient influence, or admin rights, that sort of thing inside of an organization. They try and persuade them to download a particular piece of malware. They’ve got some history of using, sort of, vulnerable drivers. Sending downloads, which install these vulnerable drivers, and that then gains them a foothold in the system, and they can work out from there. And typically, you know, if you consider that out of every ransomware group, yes, there is probably going to be one or two people who are proper in-depth, penetration testers. Can find, and exploit, and weaponize, kind of, proper zero-days. The majority of them are probably going to be low to, kind of, mid tier, in terms of knowledge and skill. So, they are going to be more likely to use either simpler means, you know, tools developed by other people. So, I think for me, kind of, gives a bit more credence into the spear phishing-type angle, but again, they’re a ransomware group, they’re a criminal. We also need to bear in mind that they are going to be saying as much as they can, to try and either draw attention to themselves for, kind of, marketing purposes. And LockBit, for example, does that very, very well. 
Which is probably why, you know, they attract so many affiliates, but they also are not necessarily going to tell the truth. Because that’s potentially then going to give people like us, like law enforcement, more information, more ammunition to ultimately find and catch them. 

 

It’s an interesting line to walk, being a ransomware group, or a ransomware affiliate. Because, you know, ultimately you’re a criminal. You need to be anonymous, you need to hide in the dark. Otherwise it’s going to be very, very easy for law enforcement to catch up with you. But also on the ransomware side of things, you need to be visible, you know, you need to be seen as a threat. You need to be taken seriously, you need to be popular. Both, you know, to try and make sure that you attract good quality affiliates, which obviously are then going to go on and make you money, but also if a hacking group that nobody has ever heard of hacks somebody, if you don’t believe that they’re a valid threat it’s much less likely that you’re going to pay any kind of ransom. So, they need that publicity, they need that notoriety, to try and bolster their reputation and maximize their chances of being paid. So, it’s an interesting line to walk, and you’ve got to, kind of, bear that in mind when you’re judging any claims made by these groups. 

 

(TC: 00:19:48) 

Aidan Murphy: 

That was very well-put, in terms of they have a motivation to bolster themselves. Louise, my sense from how you described it, is you’re also slightly skeptical of these claims that the attack was politically-motivated? 

 

(TC: 00:21:49) 

Louise Ferrett: 

Your senses are correct, yes. I agree with what Joe is saying, about how these groups do have to walk a line. Between not getting too much attention, that puts them firmly in the crosshairs of law enforcement, but enough attention so that they have a bit of notoriety, they have a reputation, they have people wanting to join their team. And also, yes, have a level of fear around them, that is going to induce more victims to pay the ransom just to get their data back. In terms of the political-, the claimed political motivation, it’s not 100%. It would be very hard to prove whether this is true, or untrue, right? You’re ultimately having to take it at someone’s word, but if we look at the broader context, look at how Qilin was selecting victims previously, and since this attack, there has been, sort of, no other mentions of political motivations for their victim choices. Personally, I think the most likely explanation is that they did not select Synnovis as a victim on purpose. In this, kind of, ransomware-as-a-service ecosystem, you’ve got so many affiliates bringing access to different systems at once. A lot of the time they don’t really know, you know, what the victim company does, and that can often lead to situations where companies are misidentified on the ransomware gang’s own websites. They might see a company name in a document somewhere and say, ‘Oh, we’ve breached this company, put that as the title.’ It’s actually a completely different company that might be a partner or just happened to have that name somewhere in their files. So, yes. I think they didn’t select Synnovis on purpose. They didn’t expect the level of disruption that this would cause and after seeing that, there are, kind of, two things on the group’s mind. Probably (1), this could get too hot if I, sort of, cast my mind back to the Colonial Pipeline attack. 

 

I’m sure you guys remember that back in 2021. The oil pipeline on the east coast, I think, of the United States that completely shut down and caused, you know, so much disruption and such a crisis that the ransomware gang responsible, DarkSide, effectively had to disband because there was too much pressure on them and the FBI had announced that they were going to be investigating it. So, you can crumble from that kind of pressure or take the opportunity and try and, sort of, make the best of it. So, bolster your reputation, try and give off the kind of ethical hacker, sort of, persona. Because people generally are a bit more amenable to that than just cold, hard financial gain. But, yes, I think the most important thing to look at is how the rest of the ecosystem operates and how Qilin has operated before this point and since this point. I think that does lead you to the conclusion that it’s unlikely the attack was politically motivated. 

 

(TC: 00:23:36) 

Aidan Murphy: 

Whether it is or wasn’t, what’s interesting about this incident and about this group, is that like you say, they decided to lean into it. Whereas in the past, other groups haven’t. So, I remember even LockBit when hospitals were attacked in the past, would come out and say, ‘This is against rules for our affiliates.’ Unbelievable. Maybe that ransom may be following rules but apparently LockBit did and, kind of, apologized. Whereas, like you say, Qilin made the decision to go out and do, kind of, the media tour. Try and position themselves ethically while also not really being particularly apologetic about the disruption that they had caused to hospitals, you know, in reality thousands of people’s lives so it’s an interesting development. And, then I guess that leads us on to what happened next. So, I think it was Qilin, themselves, who claimed that they had asked for a ransom of $50 million. It wasn’t paid. So, Louise, what happened next? 

 

(TC: 00:24:38) 

Louise Ferrett: 

So, I have only seen it from Qilin, directly, I believe that the ransom amount was 50 million. Yes, we can assume that it wasn’t paid. I believe there is some sort of policy in place for public sector organizations, in the UK, at least, that ransoms shouldn’t be paid. Obviously Synnovis is, technically, a private company. The day after the press tour, shall we say that Qilin had done, they presumably wanted to capitalize on that extra attention. They had already posted Synnovis on their dark web leak site on the 19th June but with no data so, kind of, as a teaser. And, then the next day, the 20th of June this year, the post was updated with a link to a Telegram channel. Telegram is just a messaging app where you can have big groups, big channels. It’s quite popular in the cybercrime community to disseminate this kind of stolen data. And, they uploaded, roughly, 400 gigabytes of data that was claimed to be Synnovis data, I think, four days after that so the 24th of June and Synnovis did confirm that the data that was published originated from its systems. 

 

(TC: 00:26:13) 

Aidan Murphy: 

So, just to put this into perspective and I know that we have tried to look at some of this data as well. But this is a huge amount of data they broke it out into 104, what they call archives, of 3.8 gigabytes each. Like you say put this out over Telegram because that’s the limit, as I understand it, on how much data you can put on Telegram at a time. Is that right? 

 

(TC: 00:26:38) 

Louise Ferrett: 

Yes. It’s like a 4 gigabyte limit. You can do more if you buy the premium. This isn’t an ad. This is just me. Ransomware gang broke, they should invest. 

 

(TC: 00:26:50) 

Aidan Murphy: 

Yes. I mean, it’s kind of unbelievable, isn’t it? If you’re asking for a 50 million ransom and you got paid for premium Telegram. 

 

(TC: 00:26:56) 

Louise Ferrett: 

Ridiculous. 

 

(TC: 00:26:57) 

Aidan Murphy: 

I’m going to say, at this point, reports, this isn’t our observations. But reports say this data includes patient names, date of birth, national health service numbers and descriptions of blood tests. So, there it is. Some sensitive patient data in there, for sure. In the last episode of the podcast, we were talking about data leaks and obviously this is another major example. In that episode, which obviously, I encourage people to go back and listen to, we did discuss health data as a particular problem because like all datasets, once it’s out there, it’s quite hard to get back. Maybe, Joe, do you have a sense on, I guess, the potential impact of this data being out there and effectively, as I understand it, anybody can access this, right? They didn’t, kind of, limit-, they didn’t sell the data at all. They just made it public. Is that correct? 

 

(TC: 00:27:55) 

Joe Honey: 

Yes, I believe so. See, that’s one of the key things. Kind of, one of the key tools that ransomware groups, sort of, try and leverage. If the ransom isn’t paid they make the data available to absolutely everybody who wants to view it. So, they’re, kind of, relying on this social pressure of, you know, ‘Oh my God, my data’s out there.’ To try and force, kind of, the companies to pay but then it also does open up lots of other potential avenues for exploitation. So, you know, that could range from another ransomware group or another criminal group of some sort, getting hold of that data, finding a weakness or another point of access into Synnovis’ systems and going back and attacking the same kind of company again and almost having another crack at getting a ransom out of them. There have also been examples, both from the ransomware groups and from other threat actors who have got hold of, sort of, PII, personally identifiable information, and PHI, personal health information, about victims who’ve had their data compromised. 

 

Then reaching out to the victims individually and saying, ‘You know, look, Aidan, I’ve got all your information. I know everything there is to know about you. Pay me £50 or I’m going to share it all over the dark web or I’m going to sell it to your employer.’ All that sort of stuff. So, they just, kind of, layer extortion, using the same sort of dataset. So, I haven’t seen any instances of this being done with this dataset so far but that being said, we’re only months, six weeks or so, kind of, post-attack. So, if Qilin are planning something like this they may still be working it. Another threat actor group may have this data and may be planning something. Another option is they may have just seen the amount of, kind of, media coverage and focus that this attack has got and gone actually, ‘You know what? It’s not worth it. I’m going to try and let this one pass, fly it under the radar. Go back to attacking people who are less likely to get me attacked in return.’ I mean, these ransomware groups, they’re constantly evolving what they do. 

 

When they first, kind of, started they would just encrypt all the data. And, you would pay your ransom you get your decryptor and that was it. And, that caused enough problems. People started getting wise. Started realizing that actually, if I pay the ransom there’s no guarantee that I’m getting my data back so I’m not going to pay. So, the ransomware groups, then, started exfiltrating the data and threatening to leak it to so-called double extortion and then they moved on to triple extortion, where they, you know, they lock the data. They encrypt your machine, they exfiltrate the data and threaten to leak it. And, they then, also, threaten to reach out to news, press, customers, suppliers explaining that you’ve been breached and causing, kind of, more damage. So, I mean, they’re constantly evolving and testing, kind of, new methods, new ways of making money. And, you know, in some instances, this reaching out to individuals may have generated some costs. It also may be improving on the ransomware side of things that actually it’s just not worth the effort. Whether that’s the effort of the time it takes to do that individually or the media attention and stuff that it’s going to bring. 

 

(TC: 00:30:43) 

Aidan Murphy:

Yes. You’ve, kind of, touched on it a little bit but I did just want to ask about this decision to just leak the data. Because, like you say, these are financially-motivated people but it seems like a, slightly, strange end of the story, that they would just put this data out there for free. Again, I know we’re just completely hypothesizing here but what could be the potential reasons behind that? I guess, (1) is that they realize they’re not going to get the ransom now off Synnovis so there’s no reason to, kind of, keep hold of the data. But is it also, I guess, maybe a warning to future victims, you know, if we threaten you we’re going to follow through on the threat? 

 

(TC: 00:31:19) 

Louise Ferrett: 

I think that’s quite a big part of it, yes. Having to, sort of, show that you mean business and that you’re not going to ask for a ransom and then when you don’t end up getting paid, just do nothing with the data. And, I think it’s kind of more impactful to just leak it for free, for anyone to access than if they were to come back a few days or a few weeks later and say, ‘We’ve found a buyer and they’re going to buy all your data and do something with it.’ You know, the idea that your personal data is exposed to potentially millions of people, rather than just one person, even if that one person might be better equipped to exploit that data, I think, that’s a, sort of, a more powerful image in victims’ eyes. And, it’s more, sort of, embarrassing for the victim organization itself because anyone can get hold of it. So, although from the, kind of, financial-motivation perspective, it might seem a bit strange, I think again, it’s one of those, kind of, PR decisions that gangs have to make to keep their reputation. 

 

(TC: 00:32:37) 

Joe Honey: 

There’s got to be a consequence, hasn’t there? If you’re hacked and you know that the result of you not paying the ransom is absolutely nothing, there’s nothing bad that’s going to happen. Obviously, you’re not going to pay the ransom because there is no downside to that. But if you don’t pay the ransom and all your data gets leaked for free, where anybody with a computer could view it, that’s the consequence. And who knows what’s in that dataset. Who knows what, kind of, dirty secrets Synnovis may or may not have that they may not want to get out in the world, it’s just that kind of pressure. I think it’s also like a bit of an honesty thing for me, as well. You know, if a ransomware group says they’re going to do something, whether it’s leak your data, provide you with a decryptor so you can access your systems again, they’ve got to follow through with that. Because, again, if they don’t follow through with either restoring your systems after you’ve paid them or not leak your data, again, it’s just going to call their honesty into question. It’s just going to start this spiral of, ‘I can’t trust ransomware group X, I’m not going to pay them. I’m just going to try and work over my systems.’ 

 

(TC: 00:33:36) 

Louise Ferrett: 

I’m not sure if you remember, Aidan, but there’s also the, kind of, GDPR angle that some groups were taking for a bit. Of, kind of, trying to get victim organizations in regulatory trouble by leaking their data on the dark web so I think that’s another kind of level of the potential extortion that they can get away with. 

 

(TC: 00:33:59) 

Joe Honey: 

I think that’s one of the things that, you know, the ICO here in the UK or the SEC in the States will, kind of, consider. So, obviously there is going to be some regulatory fall-out for Synnovis from this. The extent of it will obviously depend on what the investigation says but if they can make that kind of fall-out bigger, again that’s another lever that the ransomware group can pull to try and maximize their chances of getting paid. I don’t know if you’ve seen any more, Lou, but the only one I remember is BlackCat at the end of 2023, I think it was. They actually reported their victim to the SEC because they hadn’t disclosed the breach or filed the breach with them in that particular way. So, using that, kind of, regulatory pressure as well, is another driver we’re seeing some of these groups start to play with. 

 

(TC: 00:34:46) 

Aidan Murphy: 

Yes. I would like to pivot from this story now into talking about the ransomware landscape, as a whole, as I feel like this is, kind of, where the conversation is naturally going at this point. So far, this year, it feels like it’s been a little bit of a mixed bag. So, Louise, two months ago we did a podcast on a very big law enforcement action against LockBit, who we’ve discussed at length in this podcast as well, who were by far the most prolific group and seemed to be severely disrupted by Operation Cronos, this, kind of, international law enforcement collaboration. But then we have had, you know, this attack which, to be frank about it, is quite devastating on two fronts, the initial disruption to patients and then the data that has been leaked. This is a huge question but Joe, based on your observations, where is the ransomware landscape now, I guess, halfway through the year? Joe. 

 

(TC: 00:35:40) 

Joe Honey: 

It’s a huge question. I mean, there are so many different ways that you can look at it. I mean, ultimately, I mean, ransomware is here to stay. It’s proven as a way for criminals to make money and until that possibility of earning money is taken away from them completely, they’re still going to try and do that. I think it’s fair to say it’s more fragmented. There are a lot more different groups out there posting, so if we compare like for like. So, if we compare 2023, first half of the year, there was, I think, about 46 ransomware groups posting victims. If we compare the same period this year, 2024, we’re up to 72 ransomware groups posting new victims, that’s over a 50% increase in the number of groups themselves. There could be many different causes behind that. I mean, you mentioned the LockBit take-down and law enforcement operation earlier. Have affiliates from that lost confidence in LockBit, banded together with people that they know and trust and started their own little groups? We don’t know. 

 

Without, kind of, infiltrating these groups one by one and finding out their motivation, it’s going to be very difficult to say. I think it’s, kind of, fair to say it’s also getting worse as well. So, again in the same time period, H1 2023, just under 2,000 victims. I think 1,917 victims were listed on various leak sites. Same half of the year, 2024, 2,879, so again another massive increase in the number of victims that these groups are posting. That looks bad, it absolutely is. We just, kind of, take those numbers with a bit of a pinch of salt, I think. Ransomware groups often lie and exaggerate their claims to make themselves appear more lethal, sort of, so to speak. But also there are likely to be victims of ransomware that we don’t see on their leak site. 

 

So, let’s take the 2023 numbers. 1,917 victims were posted on ransomware sites. It’s, probably, a fairly safe assumption that they’re the only people who didn’t pay the ransom. So, how many people did pay the ransom and, out of some sense of honesty or whatever it is, the ransomware group didn’t post it? It’s almost, kind of, impossible to know because these victims aren’t going to go about calling attention to themselves, that they’ve been hacked. Yes. So, ultimately, it’s very much, kind of, a growing problem that I think is going to stay. The amount of technology that’s out there at the moment, the amount of access broker posts that we’re seeing is, kind of, increasing. I haven’t got any stats on that to hand but it’s proven as a way for criminals to make money. And, as long as they can make money from it, they’re going to continue doing it, I’m afraid. 

 

(TC: 00:38:11) 

Aidan Murphy: 

It’s a pretty devastating picture, I think, especially after some law enforcement wins earlier in the year. Louise, what do you make of those numbers? And, I guess, do you have the same assessment of where we are at the moment? 

 

(TC: 00:38:25) 

Louise Ferrett:

Yes. I mean, it’s definitely not going anywhere. Joe’s right on that part. It can be disheartening, I guess, because, as you mentioned, there was a pretty big law enforcement action against LockBit earlier in the year. And they took, sort of, a bit of a novel approach to it of, kind of, trying to beat them at their own game, almost. Turned their leak site into a leak site about the ransomware group themselves, de-anonymizing the administrator, the, kind of, leader of the operation. I will say that LockBit, a quick glance at the stats that I, kind of, maintain, LockBit do still have the biggest share of victims in the past three months. But it has been greatly reduced from the percentage that they used to have of the total. I think it’s gone from, maybe, about 30% to just under 20% so there has been a reduction in their activity since that operation. 

 

But I think, one of the things of note, sort of, in this first half of the year, is the fact that there are a lot more groups, like Joe said, it is more fragmented. There are new groups popping up every couple of days, it seems. But at least once a week, we’ll have a new, kind of, operation pop off on our radar. They don’t all stay around for long, obviously, some can be very flash in the pan. It does seem like the overall landscape is becoming, yes, more polarized. There are less of, kind of, a few big core groups that are responsible for the majority of attacks. So, if you look back in the early days it was, like, Maze. They were, kind of, like the top dog, then obviously LockBit have maintained success for quite a long time. We’ve had groups like ALPHV or BlackCat which is no longer operating, under that name at least. 

 

(TC: 00:40:29) 

Aidan Murphy: 

Yes. I was going to ask you about this. So, last year the groups that we identified at the beginning of this year, as having been most active last year were LockBit, BlackCat and Cl0p. Is that still the case? I mean, obviously you’ve just said BlackCat has gone. LockBit is diminished. What about Cl0p? Not heard from Cl0p for a while? 

 

(TC: 00:40:52) 

Louise Ferrett: 

So, Cl0p are quite an interesting one. They don’t tend to operate like a lot of the groups that we track. So, most of the groups we track, it’s a near constant, kind of, onslaught of new victims and data being leaked. Cl0p do seem to go through periods of hibernation, almost, where they won’t post anything for quite a long time. The last, maybe, two or three times they’ve, sort of, come back on the scene and dumped a load of victims, it has been those supply chain attacks. So, I think Accellion file transfer was one of them, the GoAnywhere bug. So, yes. They haven’t been, kind of, seen from, on the dark web side anyway, for a while but as Joe mentioned, you know, there are a lot of ransomware victims that we won’t see because they simply don’t get posted. 

 

(TC: 00:41:45) 

Aidan Murphy: 

Do we have a sense of who the big players are in the first half of this year, then, who had the most victims? 

 

(TC: 00:41:51) 

Louise Ferrett: 

Yes. So, there are a couple of names of, kind of, more established groups. So, groups that have been around for a couple of years. BlackBasta, they’ve been about for a while and have a lot of, sort of, custom tools that they use and even lease out to other threat actors. PLAY, as well. Another, sort of, very consistently active ransomware operation. I think they claim not to be a ransomware as a service so they claim to be a closed group so a bit more selective. But then we’ve also got newer groups. Groups like RansomHub, 8Base, even INC Ransom, Akira so there are definitely some, kind of, newer players that are posting really rapidly and getting those numbers up to the level of, sort of, the more established crews. 

 

(TC: 00:42:50) 

Aidan Murphy: 

But, I guess, if I just call out at this point and say the reason that we bring these groups up and I think the reason we talk about this even though, as you mentioned, Joe, the problem isn’t going away and there are challenges. By, I guess, keeping track of who these big players are, you know, who the most prominent groups are and incidents, for example, like the Qilin incident against Synnovis, there are things organizations can do if they, kind of, collect this data, if they continuously assess right. So, you know, it’s not just a case of ransomware is always going to be a problem, let’s bury our heads in the sand. The reason we continue talking about this, is that there are things that organizations can do. 

 

(TC: 00:43:30) 

Joe Honey: 

Yes, definitely. I mean, if we look at it from, kind of, a law enforcement side of things. You know, if you look at it on the surface, you know, they attacked LockBit. They took down loads of their infrastructure but LockBit is still around and still, kind of, posting victims. But on the law enforcement side, they made a big difference to anyone that was ransomed by LockBit and got their data back. Got a decryptor. They’ve made it more difficult for LockBit to operate. You know, that might be one of the reasons why we’re seeing so many, kind of, new ransom groups pop up, is that law enforcement are getting very good at, kind of, locking down and disrupting some of these bigger groups so they’re having to fragment, having to become these, sort of, smaller organizations. But, yes, on the enterprise side of things, putting your head in the sand is probably the worst thing that you could do. Cybersecurity is never a guarantee but we’ve still got to, kind of, try and do it right. 

 

But if you look at a lot of the attacks and, kind of, how they operate, if you’re doing the basics of security well you’re massively going to reduce your risk of getting attacked. So, anything from using, like, 2FA, you know, if an access is gained, is it sold? If you can put 2FA in place, especially for admin credentials, making any big changes in the system, anything like that, that’s going to make it massively more difficult for a ransomware group to successfully execute an attack. Not impossible but a lot harder, and the harder we can make these kind of things, the much higher chance we’ve got of the ransomware group going, ‘You know what? I could spend six weeks trying to hack company X or I can pop the door to company Y and be in and out within a week so I’m going to put my time where I’m more likely to get money.’ One of the other massive things to try and combat ransomware is just around back-ups. A major, kind of, part of the ransomware attack is making your systems inoperable, making your data inaccessible. 

 

If all of your data is backed up and stored safely, securely, offsite, offline then you can just restore your latest back-up from before the ransomware group, kind of, got in there and there you go, you’ve mitigated a massive chunk of the damage that these guys are going to cause. And obviously, yes, we do need to beat that old drum as well, around patching. You know, as soon as a vulnerability is discovered in a key system, patch it. Deploy that update. Yes, it might cause a bit of a headache for the security team. Yes, you might have to look at other, sort of, bits of software or systems that depend on that system that you’re patching but the sooner we can close these potential points of entry into a system the less likely they are for a ransomware group, to undo it. If you look at, kind of, any of the cybersecurity organizations in your jurisdiction so, sort of, CISA in the USA, you know the NCSC, here in the UK, for example. If you, kind of, put ‘ransomware’ into their site, they’ve all got really good guides in terms of the best practice and basics to try and minimize the risk of that and it all comes down to things like good authentication, you know, least privilege. Backing your data up regularly. So it’s something we encourage, to have a good read through those and try and apply as many of those controls as you can. 

 

(TC: 00:46:18) 

Aidan Murphy: 

And, I think, as we’ve discussed today, these tactics are always changing as well. And, the way that different ransomware groups approach things is changing. So, I think that’s why, as well, kind of, keeping on top of these intelligence trends is important. Which brings me, I think, to my wrap-up question. So, Joe, you mentioned that there are a lot of new groups that have emerged this year. I might ask each of you, if we just look at one new group each that you think is particularly interesting or our listeners, probably, won’t have heard of before that they should be aware of. Louise, maybe, I’m going to pick on you first. Is there a group that, kind of, catches your eye? One that’s emerged in 2024? 

 

(TC: 00:47:01) 

Louise Ferrett: 

I knew that was coming. I’ve been too lucky so far. So, getting picked on first. 

 

(TC: 00:47:08) 

Aidan Murphy: 

Got to be even-handed. 

 

(TC: 00:47:09) 

Louise Ferrett: 

That’s an excellent question. I would say RansomHub is, kind of, interesting. From a genealogy perspective, I’m fairly certain it was RansomHub anyway, but I believe they, kind of, sprung up in the wake of the ALPHV attack against Change Healthcare. Kind of, the story of a disgruntled affiliate who didn’t get paid their chunk of the ransom that was secured from Change Healthcare and, kind of, spun off on their own group. Obviously ALPHV, famously had some run-ins with the FBI, I believe. US law enforcement, in some capacity, shut down their site, they brought it back online, then they claimed that another law enforcement operation had been done against them and that’s why they were shutting down. Law enforcement, then, came out and said, ‘We don’t have anything to do with this one.’ So, it’s, kind of, an interesting exit scam by a ransomware group. We love exit scams, Aidan. 

 

(TC: 00:48:12) 

Aidan Murphy: 

Yes. 

 

(TC: 00:48:13) 

Louise Ferrett: 

Because typically, on the market side of things, rather than this, kind of, niche. 

 

(TC: 00:48:20) 

Aidan Murphy: 

Sorry. You’re saying RansomHub was, in some way, affiliated with BlackCat/ALPHV and now since they’ve disappeared RansomHub have taken the reins? 

 

(TC: 00:48:33) 

Louise Ferrett: 

It’s, allegedly, a former affiliate of ALPHV, yes. I should state none of this is definite but I guess, I just find it interesting. Kind of, like, what Joe was talking about, at the beginning. That, sort of, evolution of affiliates just, you know, jumping around to different groups. I’ve been obsessed in the past with, like, particular affiliates that worked with Conti and then they went to LockBit and then they’d set up their own gang. It’s just, I find that, personally, very interesting to trace. RansomHub also, is just a pretty competent operation. They’re pretty active and that’s why I think they’re one to be aware of. 

 

(TC: 00:49:21) 

Aidan Murphy: 

One to watch. You said they were one of the most prolific this year, so far, right? 

 

(TC: 00:49:25) 

Louise Ferrett: 

Yes. And, for the last three months they appear to be second after LockBit in terms of number of victims. 

 

(TC: 00:49:33) 

Aidan Murphy: 

So definitely one. Considering, they’ve just emerged this year, definitely one to keep an eye on. 

 

(TC: 00:49:38) 

Louise Ferrett: 

Yes. Definitely, look into what the, kind of, indicators and TTPs are and how you can defend against those and detect them. 

 

(TC: 00:49:47) 

Aidan Murphy: 

And Joe, how about you? Is there a particular group you want to call out. You’ve had a little bit more time to have a think about it than Louise. 

 

(TC: 00:49:54) 

Joe Honey: 

I think, kind of, the interesting one that I’m going to try and pay attention to is a group called APT73. So, in terms of when you look at this particular group and who they target, it seems to tie in very nicely with, ‘We’ll target anyone that we can make money from.’ You know, wherever they can get access, so there aren’t really any trends, so far, that I’ve seen in terms of the victims, you know, the industries of the victims or the locations. The interesting one for me is, (a) it looks as if they’re an offshoot of LockBit. Obviously, to be confirmed. You know, we can’t, kind of, guarantee any of this but if you look at the, you know, compare the leak site, side by side, there are a lot of similarities there. Whether that’s because that’s the same people behind it or whether they’ve just looked at LockBit and just gone, ‘You know what, that works. I’m going to copy that.’ We don’t know. 

 

The other interesting one is around their name. So, I’m sure most of the listeners will be aware but obviously, APT, Advanced Persistent Threat, is a naming convention that’s used by Mandiant and basically, they will name a group an APT once they’re, kind of, confident they are actually a valid persistent, kind of, threat. Advanced persistent threat. So, the fact that they’ve given themselves the APT73 name is really interesting. Is it a marketing ploy? Are they just trying to pick up more, kind of, news coverage and stuff by using the APT name? Is it an ego thing? You know, are these guys essentially trying to say we are the best ransomware group out there. We’ve just, kind of, gone ahead and named ourselves an advanced persistent threat just to save you the time. You know, it’s a really interesting, kind of, psychology marketing, sort of, question that it’ll be interesting to see what these guys do. How much they post and what comes off the back of it. 

 

(TC: 00:51:28) 

Aidan Murphy: 

Yes. I’m really glad you brought up APT73 because I find, that, the naming convention thing really interesting. And, yes, like you say that’s Mandiant’s, you know, standardized naming. APT usually applies to state-backed groups. And, again, usually, we should say, ransomware groups aren’t state-backed. They’re financially motivated so there wouldn’t even be an APT but it does seem to be, like, a way to bolster their own credibility which is, obviously, something we talked quite a lot about in this episode. Really interestingly, I saw, earlier this week, another ransomware group whose name, I think, you pronounced Sexi, as in S-E-X-i ransomware, have rebranded as APT Inc so this seems to be a trend, kind of, claiming this APT branding at the moment so definitely something to keep an eye on. 

 

(TC: 00:52:22) 

Joe Honey: 

I mean, ultimately, these ransomware groups are, essentially, businesses. You know, they have contractors working for them, doing the damage but they also have leaders. They have people taking care of finances, people taking care of marketing. People taking care of customer support, almost and, kind of, handling a lot of those negotiations. And, you know, if you compare their business with ours, you know, any business that doesn’t evolve, doesn’t improve its products, doesn’t change, will eventually go out of business or will be beaten by someone that does. So, it’s, kind of, quite natural that they’re evolving their methods in response to everything that we do on the law enforcement side and the press, PR, media side as well. 

 

(TC: 00:52:56) 

Aidan Murphy: 

Yes. Absolutely. So, on that note, keep an eye on RansomHub, APT73 and of course, Qilin, who have proved themselves to be a formidable ransomware group. I’m going to draw a line under this episode of the Dark Dive. A big thank you to Louise and Joe for joining me. And, if you have a topic you’d like us to discuss on the podcast, please feel free to get in touch through our e-mail address or the social media accounts that you can find in the show notes. And, if you can’t wait to find out more, remember you can subscribe for free on Apple Podcasts, Spotify, YouTube or whatever podcast app you use and get all of the episodes of the Dark Dive as soon as they’re released. Until next time, stay safe. 
