The information security world is packed with technical knowledge and advice on how to stop cybercriminals from wreaking havoc on organizations. Yet even with all that information, cybercrime continues to rise, with estimates that it will cost organizations upward of US $10.5 trillion annually by 2025, a 250 percent increase from 2015’s cost of US $3 trillion.
The cybercrime underground, where a lot of these schemes proliferate, operates as a highly organized environment consisting of products, goods and services, across forums and marketplaces. Forum and marketplace members take advantage of this ecosystem through its provided anonymity, secrecy and interconnectedness. This rise in cybercrime is likely a result of the complex ecosystem afforded to cybercriminals. Some actors thrive within it and are operationally secure, while others have failed to elude law enforcement.
The goal of this two-part blog is to advance knowledge on how threat actors operate by examining social patterns and psychological traits of these highly-effective cybercriminals, who continuously adapt their capabilities to maintain their stronghold in this ecosystem. By pinpointing common behaviors in significant financially-motivated cybercriminals, organizations can develop mitigation efforts by anticipating threat actors’ specific characteristics and how their successful maneuvers will influence similar schemes and strategies in the future.
We will share insights from the Intel 471 Intelligence Team's tracking and analysis of the cybercrime underground from 2010 to 2022. Our focus is on some of the most effective actors in the cyber underground — Ransomware-as-a-Service (RaaS) operators, network access brokers (NABs), and prolific carders.
The Team analyzed underground forum posts, Intel 471 Breach Alerts, Information Reports (IRs) and Spot Reports (SPOTREPs) over a 12-year period. The scope of this research highlights trends in threat actor activity and cites examples supporting assessments from 2020 to 2022. Our baseline examines commonalities between actors who earned more than US $1 million and maintained a reputation for credibility and reliability in the underground for at least a year. The actors we analyzed had not been apprehended by law enforcement at the time of this blog.
PART I
1. Trust is everything
Social psychologists and neuroscientists describe trust as an efficient mechanism humans use to handle complexity, especially in situations of risk and uncertainty. There are few areas in modern human civilization that are bigger breeding grounds for uncertainty than the cybercriminal underground, as malicious actors rarely conduct crimes with people they know in real life. Efficient cybercriminals are acutely aware of how important trust is, understanding they must convey elements of familiarity, similarity and technical intelligence to encourage “successful” engagements. For example, the time and meticulous effort RaaS operators put into ensuring they have the right people coming onboard demonstrates how actors intentionally attempt to establish a group of capable and trustworthy individuals that will advance their own goals through long-term partnerships.
The scrutiny placed on trust can be seen in prominent affiliate programs, which use highly selective processes to ensure their crimes are carried out by capable and “trustworthy” individuals. These processes can be seen in the leaked chats from notorious RaaS group Conti, which meticulously watched over team members’ productivity and skills in order to carry out a litany of attacks.
We can also draw insights from the inverse of trust: when a member loses the trust of the rest of the group, that member is quickly removed from operations. For example, in March 2022, one of the leaders of the prolific LAPSUS$ group had a falling out with some business partners and suffered the consequences. Other threat actors doxed the leader by maliciously revealing the individual’s personal information, including address, name and social media pictures, which led to an arrest and public accusations of engaging in cybercrime. Failing to maintain positive relationships or form productive partnerships can cost an actor financial gains or, worse, lead to apprehension by law enforcement and the legal consequences that follow.
2. Lead by example
Successful, veteran cybercriminals demonstrate transcendent abilities while making effective judgments and decisions. They often mirror successful legitimate leadership qualities: They are effective managers, decision makers and problem solvers because they adhere to strict principles governing themselves and their teams. They also demonstrate authority by delegating tasks while managing their team’s expectations and attract skillful, financially-motivated and highly-qualified partners. These actors often cut through the noise among their peers and the media (which they do read) by primarily focusing on financial gain above everything else.
Intel 471 has observed one actor who has demonstrated consistently effective leadership by maintaining a positive reputation on the underground, which has helped them power financially lucrative cybercriminal operations for over a decade. This particular actor has been active since 2009, pivoting from carding to ransomware operations in 2018. The actor has oversight over both technical and personnel decisions, is highly involved in ransomware development and fosters group cohesion. Over the course of their tenure, there is evidence the actor made decisions on complicated matters, including practices to minimize media visibility, engage in sophisticated attacks and maximize Operational Security (OPSEC). One example is when this actor removed a senior-level member of the gang after that member divulged information on a Telegram channel that endangered the group's operations.
Another prolific actor—active as a carder since 2010—was very hands-on when it came to training and recruiting members of their cybercrime gang. The actor had candidates participate in lectures and tutorials in a private collaborative chat room and encouraged them to ask questions. The most promising candidates were selected to become group members. The actor adequately prepared members on how to conduct coordinated network intrusion attacks to compromise corporate networks, steal sensitive data and conduct ransomware deployment campaigns.
3. Adapt or perish
When disruptions to an actor’s operations occur—such as patched vulnerabilities, leaked source code or disrupted infrastructure—the way they handle these shifts can make or break their long-term success. High-achieving threat actors were observed pivoting numerous times to adapt to their environment. They adopt new TTPs, develop new malware and restructure teams and operations as needed. The most effective actors are often the first to be recognized in the media or by elite researchers, pioneering certain attack methods that others soon copy. Whether they are good at thinking on their feet, deliberating on the future or pivoting to alternative plans, these actors know that change is a constant if they are to stay viable.
Intel 471 has observed a prominent actor who made such a pivot after operating on carding forums since 2010. In 2020, the actor joined a prominent cybercrime forum, selling access to companies worldwide via compromised Citrix, Pulse Secure virtual private network (VPN) and Microsoft Remote Desktop via Web (RDWeb) access credentials. It’s likely the actor recognized the potential profits of selling initial access, especially to ransomware operators seeking the most efficient ways to infect networks with malware. This has arguably created a symbiotic relationship between this actor and ransomware operators: the operators want to speed up their operations by removing the first step of gaining initial access, while the access broker wants to make a quick profit from their compromised accesses.
Ransomware groups have also had to pivot in order to profit. After having a member leak information about its operations, RaaS gang Lockbit announced the release of LockBit 2.0, which allegedly offered the fastest encryption software of any active ransomware strain at the time. Rather than continue with the same TTPs or close up shop, the gang demonstrated resilience by upgrading their tools and pivoting to new attack strategies.
In Part II of this blog, you will learn about four additional traits of highly-successful cybercriminals. Pinpointing the common behaviors in financially-motivated cybercriminals can assist organizations in developing mitigation efforts by anticipating threat actors’ specific characteristics and how their successful maneuvers will influence similar schemes and strategies in the future.