How Do You Run A Cybercrime Gang?

Cybercrime has many forms, the most common of which are theft and fraud. Aspiring cybercriminals may begin with off-the-shelf malware or phishing kits and run amateur, but profitable, campaigns. Banking Trojans, which intercept and manipulate connections during online banking procedures for exploitation and wire fraud, were the next step up. Several infamous groups that graduated from these campaigns went on to form organised crime syndicates and launch 'big game hunting' ransomware campaigns. Ransomware, in particular, has caused mass disruption on a national level and huge financial losses.

This blog will explore three top-tier cybercrime syndicates which are tracked by the private cybersecurity industry as EvilCorp, WizardSpider, and FIN7. These threat actors are financially motivated cybercriminals whose campaigns have become a scourge to organisations and society at large, so much so that they are closely tracked by intelligence agencies and international law enforcement.

Fig. 1 - Anatomy of the EvilCorp cybercrime gang

Active since 2009, EvilCorp (also known as IndrikSpider or GoldDrake) developed the Dridex banking Trojan and is behind several 'big game hunting' ransomware campaigns. The true size of EvilCorp is unknown. Two of the group's leaders - Russian nationals - were indicted by international law enforcement in December 2019. The UK NCA also reportedly arrested eight people who were part of EvilCorp's money laundering network and helped launder over $100 million of funds stolen using Dridex. Interestingly, the indictment for "AQUA" stated that he had close dealings with the Russian FSB security service and was reportedly employed by the agency from 2017 to conduct cyber-espionage and other offensive operations.

EvilCorp is arguably best known for its Dridex malware, which began life as a traditional banking Trojan but soon evolved into a prolific botnet that provides initial access to launch ransomware attacks. EvilCorp usually establishes an initial foothold into a victim's network using either Dridex, SocGholish, or Ursnif Gozi. This is followed by the 'hands-on-keyboard' stage of the attack, using penetration testing frameworks such as PowerShell Empire or Cobalt Strike. Once the victim's network is under their control, EvilCorp operators will deploy the ransomware. 

Over the last three years, EvilCorp has used several ransomware families, including BitPaymer, WastedLocker, Hades, and PhoenixLocker. Security vendors have also reported that one part of EvilCorp split off from the main group to form the Doppel Spider gang that uses a successor to BitPaymer called DoppelPaymer, which has also recently evolved into Grief ransomware. Both EvilCorp and Doppel Spider are linked to the Cutwail botnet operators, known as Gold Essex, who used the spam bots to push Dridex, Ursnif Gozi, and other malware families.

Like many well-resourced cybercriminal organisations, EvilCorp has a network of affiliates that they either provide services to or purchase services from. EvilCorp is connected to other publicly tracked groups such as MummySpider (the operators of the Emotet botnet), TA505 (who are a Dridex affiliate), and TA575 (another Dridex affiliate).

Fig. 2 - Anatomy of the WizardSpider cybercrime gang

WizardSpider is also a Russian-speaking organised cybercrime group. It is most well-known for its Trickbot banking Trojan, which first appeared in 2016. The Trickbot botnet has reportedly infected over one million systems worldwide and is pushed in large-scale malicious spam campaigns or dropped by other malware, such as the BazarLoader or Emotet (which shut down in January 2021). With this level of access, the WizardSpider group can then pick and choose which target environments to ingress further to drain bank accounts or launch ransomware. 

In June 2021, the US Department of Justice unsealed charges against a 55-year-old Latvian national "ALLA WITTE" for her role in a "transnational cybercrime organisation" (WizardSpider) since at least November 2015. She previously resided in Suriname and was arrested in the US. She was charged with creating and deploying Trickbot. According to the indictment, the rest of the Trickbot group operates in Russia, Belarus, and Ukraine, as well as Suriname. The unsealed charges showed just how interconnected and well-organised this botnet operation is. A large number of front companies had been created for money laundering, and the wire transfers listed range from $44,900 to $230,400 across most of 2017 to 2018. There was even a failed attempt to transfer $691,570,000 between 19 and 20 October 2017, which would have been one of the largest bank heists in history.

WizardSpider's two main ransomware families are Ryuk and Conti. Ryuk ransomware first appeared in mid-2018 and was based on an older malware called Hermes. It has been deployed against many large organisations and caused significant disruption to the US healthcare system during the COVID-19 pandemic. Using the Bitcoin wallets provided by the Ryuk ransomware operators, researchers studied the blockchain and estimate that the group has made at least $150 million (£110 million). Conti differs from Ryuk in that it is a Ransomware-as-a-Service (RaaS) operation, which first appeared in mid-2020. It is one of the most prolific data-theft-extortion groups in the current ransomware ecosystem. Over 400 organisations have appeared on its 'Conti News' darknet leak blog, with untold numbers more likely having paid the ransom to avoid such a fate. Conti has also notably targeted healthcare, alongside almost every other sector, causing mass disruption to the Irish Health Service Executive (HSE) during the COVID-19 pandemic. Interestingly, during early August 2021, a rogue affiliate of the Conti RaaS dumped the 'playbooks' provided by Conti, which disclosed in detail the tactics, techniques, and procedures (TTPs) and training material for affiliates of the RaaS. These 'playbooks' have been a boon for defenders, who can detect, block, and protect against this style of attack with much greater confidence, knowing exactly what TTPs the affiliates are using to deploy Conti ransomware.

WizardSpider also has a wide network of service providers and customers. One of their more interesting clients allegedly includes the Lazarus group (a North Korean state-sponsored APT) who used some of WizardSpider's tools to support their own cybercrime campaigns. MummySpider (the operators of Emotet) were also a significant partner for WizardSpider; the Emotet-Trickbot-Ryuk triple threat was one of the most prevalent campaigns for up to two years. The group's connections to LunarSpider (the IcedID developers), TA551 (the Shathak botnet operators), and FIN6 (the More_eggs operators) further represent how WizardSpider is one of the top groups in the world and certainly one of the most advanced.

Fig. 3 - Anatomy of the FIN7 cybercrime gang

FIN7 (often referred to as the Carbanak group) is an active international cybercriminal group that first emerged in 2013. It has primarily targeted Point-of-Sale (POS) systems, usually in the hospitality sector. This is alongside banks, ATMs, and the SWIFT network. For these campaigns the group used a range of custom malware, such as the Carbanak Trojan, GRIFFON, Bateleur, and Pillowmint. By targeting POS systems, FIN7 stole vast quantities of payment card data, which were later sold on darknet marketplaces, such as the infamous Joker's Stash.

In April 2020, FIN7 abruptly shifted from targeting POS systems and banks to 'big game hunting' ransomware campaigns. This began with the deployment of REvil ransomware, which is a RaaS developed by PinchySpider (the gang also behind GandCrab). In August 2020, however, FIN7 developed its own ransomware called DarkSide and in November the group began the DarkSide RaaS operation. In May 2021, the DarkSide RaaS was shut down following a disastrous attack on the Colonial Pipeline that caused highly problematic fuel supply issues for the entire East Coast of the US. A couple of months after DarkSide closed and FIN7 went dark, the group re-emerged in late July with a new RaaS called BlackMatter.

To support their lucrative campaigns, however, FIN7 and the other organised cybercrime groups need money launderers. In June 2020, a Nigerian national by the name "Hushpuppi" was arrested by Dubai police and extradited to face charges in the US. He was reportedly responsible for a string of high-profile business email compromise (BEC) attacks and was connected to an elaborate money laundering network that laundered hundreds of millions of dollars for other financial crime groups, including FIN7. In an interview with the FBI, Hushpuppi also discussed an attack on a foreign financial institution where €13 million was stolen ($14.7 million USD). Although it is not stated in the FBI paperwork, it is highly likely this was the Bank of Valletta, Malta, later attributed to FIN7. Hushpuppi allegedly assisted in laundering the money for this heist and received a €500,000 pay-off.

In August 2018, the US Department of Justice disclosed that three high-ranking Ukrainian nationals who were members of the FIN7 hacking group were arrested across several European countries. The unsealed charges revealed that FIN7 targeted more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries. FIN7 successfully breached the computer networks of companies in 47 states, stealing more than 15 million customer card records from over 6,500 individual POS terminals at more than 3,600 separate businesses. Companies that have publicly disclosed FIN7 attacks include such recognisable chains as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.

Interestingly, to support its campaigns the FIN7 group used a front company called 'Combi Security' to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise. According to its website, it was headquartered in Russia and Israel. Combi Security’s website also indicated that it provided a number of security services, including penetration testing. Interestingly, the front company’s website also listed multiple US victims among its purported clients.

In April 2021, one of the three Ukrainian nationals, Fedir Hladyr, was sentenced to 10 years in prison by the US DOJ after being extradited to the US from Germany. Hladyr was said to be a crucial member of FIN7 and helped run Combi Security as the System Administrator. He reportedly managed the tens of millions of stolen payment cards and server infrastructure. The DOJ estimates that FIN7 has caused $3 billion in damages to banks, merchants, card companies, and consumers.

Fig. 4 - Anatomy of an organised cybercrime group

The three organised cybercrime gangs analysed in this blog share several similarities. Ransomware continues to be one of the most profitable methods of monetising access to networks. The current 'big game hunting' campaigns are supported by various types of cybercriminal networks: RaaS affiliates, access brokers, botnets, data brokers, credential and cookie markets, malware developers, exploit writers, and money launderers, among others.

A phishing email pushing a Trojan that drops Cobalt Strike is currently one of the most common methods of ransomware distribution. Other popular initial access vectors include compromised credentials for services like RDP or VPNs and exploiting public-facing applications and servers. However, the three groups described above rely heavily on phishing. These phishing campaigns were refined and honed for years before the current ransomware epidemic through the banking Trojan campaigns we have seen in the past, delivering the likes of Trickbot and Dridex.

All three groups also have or have had a presence on Russian-speaking cybercrime forums. This is where they solicit services and hire affiliates. These forums are home to a variety of threat actors that provide one or more of the types of services previously mentioned. Most communication, however, takes place 'offline' on end-to-end encrypted (E2EE) messaging apps such as Telegram or Tox chat.

Cryptocurrency also plays a significant role for cybercriminals. Bitcoin and Monero are usually the two virtual currencies of choice. Either has been demanded as ransom for data and decryption keys. Some ransomware groups have asked for Monero instead of Bitcoin and will offer a discount if the victim chooses Monero. This is because Monero is a privacy coin and its transactions are near impossible to trace compared to Bitcoin. In the past, blockchain analysis firms have been able to link certain Bitcoin wallet addresses to cybercriminals to have them frozen and have the funds returned.


Organised cybercrime has gone above and beyond what we saw last decade. Although it may have begun with raiding bank accounts and stealing card numbers, it has grown into a vastly wealthy illegal enterprise with front companies and dozens of employees. Several groups have reinvented themselves to launch ransomware campaigns, highlighting just how wealthy it is making top players. Until ransomware becomes unprofitable it is unlikely these threat actors will adjust their campaigns. 

These highly well-resourced organised cybercrime syndicates have proved an incredible challenge for private organisations and government institutions alike. Certain cybercriminal groups have also partnered with foreign nation states, such as North Korea, or worked on behalf of their own government (i.e. AQUA) before and after launching financially motivated campaigns. In March 2021, US insurance firm CNA Financial was attacked by Phoenix Locker ransomware, which has several links (through code overlaps with BitPaymer and WastedLocker) to EvilCorp. CNA was able to restore its systems but reportedly paid a $40 million ransom. This was the third-highest ransom demand known to have been secured – the highest two were $70 million demanded from Kaseya and $50 million demanded from Acer, both by the REvil ransomware group.

Critical infrastructure such as hospitals during the COVID-19 pandemic, JBS foods, or the Colonial Pipeline is also being increasingly caught in the cross-fire. Although attacks such as the Irish HSE or the Colonial Pipeline incidents were not necessarily profitable for WizardSpider or FIN7, respectively, as no ransom was paid successfully in full, they still caused tens, or potentially hundreds, of millions of dollars in damages. The Colonial Pipeline incident was one of the most disruptive attacks on US critical national infrastructure (CNI) to date. For each ransomware group, very little was lost in the grand scheme of things. They simply move on to the next target if no ransom is paid. However, for the rest of us, there are real-world catastrophes that can lead to severe economic repercussions, shortages, or loss of human life.

