McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.
Experts often describe the hierarchy of a conventional organized crime group as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motor gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved with committing crime, groups have evolved into more opportunistic network-based groups that will work together more fluidly, according to their current needs.
While criminals collaborating in the world of cybercrime isn’t a new concept, a RaaS group’s hierarchy is more rigid compared to other forms of cybercrime, due to the power imbalance between the group’s developers/admins and affiliates.
For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less-skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.
However, this growth isn’t without consequences. Recently we have observed certain events that might be the beginning of a new chapter in the RaaS ecosystem.
Cracks in the RaaS model
Trust in the cybercriminal underground is based on a few things, such as keeping your word and paying people what they deserve. Just like with legitimate jobs, when employees feel their contributions aren’t adequately rewarded, those people start causing friction within the organization. Ransomware has been generating billions of dollars in recent years and with revenue like that, it’s only a matter of time before some individuals who believe they aren’t getting their fair share become unhappy.
Recently, a former Conti affiliate was unhappy with their financial portion and decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online, as shown in the screenshot below.
In the past, ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges with other RaaS members and admins, claiming they haven’t been paid in time or that their share wasn’t proportionate to the amount of work they put in.
Recently, security researcher Fabian Wosar opened a dedicated Jabber account for disgruntled cybercriminals to reach out anonymously and he stated that there was a high level of response.
Moreover, the popular cybercrime forums have banned ransomware actors from advertising since the Colonial Pipeline attack. Now, the groups no longer have a platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.
When analyzing RAMP and looking at the posting above from the main admin Orange, it’s hard to ignore numerous references that are made: From the names chosen, to the avatar of Orange’s profile, which happens to be a picture of a legitimate cyber threat intelligence professional.
RAMP Ransom Anon Mark[et] Place
RAMP was created in July 2021 by a threat actor TetyaSluha, who later changed their moniker to ‘Orange.’ This actor claimed the forum would specifically cater to other ransomware-related threat actors after they were ousted from major cybercrime forums for being too toxic, following the high-profile ransomware attacks against the Colonial Pipeline and Washington D.C.’s Metropolitan Police Department in the spring of 2021.
At the time of the initial launch, Orange claimed the forum’s name was a tribute to a now-defunct Russian-language underground drug marketplace, “Russian Anonymous Marketplace,” which was taken down by Russian law enforcement agencies in 2017. The re-launched cybercrime forum’s name now supposedly stands for “Ransom Anon Mark[et] Place”.
The forum was initially launched on the same TOR-based resource that previously hosted a name-and-shame blog operated by the Babuk ransomware gang and the Payload.bin marketplace of leaked corporate data. The forum was later moved to a dedicated TOR-based resource and relaunched with a new layout and a revamped administrative team, where Orange acted as the admin, with other known actors MRT, 999 and KAJIT serving as moderators.
Why the name Orange?
Why the admin changed handles from TetyaSluha to Orange isn’t 100 percent clear. However, looking back, the early days of RAMP provides us some evidence on who this person has been affiliated with. We found a posting from where the names Orange and Darkside are mentioned as potential monikers. Very shortly after that, TetyaSluha changed their handle to Orange. While the initial message has been removed from the forum itself, the content was saved thanks to Intel 471.
The name Darkside might sound more familiar than Orange but, as we saw with the naming of RAMP, TetyaSluha is one for cybercrime sentiment, so there is almost certainly some hidden meaning behind it.
Based on ATR’s previous research, we believe the name Orange was chosen as a tribute to REvil/GandCrab. People familiar with those campaigns have likely heard of the actor ‘UNKN’. However, there was a less well known REvil affiliate admin named Orange. A tribute seems fitting here as these successful ransomware families, GandCrab and REvil, shaped the RaaS ecosystem as we know it today.
In the past, UNKN was linked to several other monikers, however Orange was hardly mentioned since there wasn’t a matching public handle used on any particular cybercrime forum. However, REvil insiders will recognize the name Orange as one of their admins.
Based on ATR’s closed-source underground research, we believe with a high level of confidence, that UNKN was indeed linked to the aforementioned accounts, as well as the infamous “Crab”
handle used by GandCrab. Crab was one of the two affiliate-facing accounts that the GandCrab team had (The other being Funnycrab). We believe with a high level of confidence that after the closure of GandCrab, the individual behind the Funnycrab account changed to the account name to Orange and continued operations with REvil, with only a subset of skilled GandCrab affiliates, (as described in our Virus Bulletin 2019 whitepaper) since GandCrab grew too big and needed to shed some weight.
The posting in figure 5 is also shedding some light on the start of the Groove Gang, their relationship to Babuk and, subsequently, BlackMatter.
Groove Gang
In the post from Figure 5, “Orange” also claims to have always had a small group of people that the group collaborates with. Additionally, the actor claims that the name has not been mentioned in the media before, comparing the group to the Israeli secret service group Mossad. The group’s comparison to Mossad is extremely doubtful at best, given the drama that has publicly played out. Groove claims several of Babuk’s victims, including the Metropolitan Police Department, brought them a lot of attention. The several mentions to Babuk isn’t by mistake: we have evidence the two groups also have connections, which we’ve pieced together from examining the behavior of — and particularly the fallout between — the two groups.
Babuk’s Fallout
Originally, the Babuk gang paid affiliates by each victim they attacked. Yet on April 30, it was reported that the gang suddenly had stopped working with affiliates, including the act of encrypting a victim’s system. Instead, their focus shifted to data exfiltration and extortion of targeted organizations. That was followed by the group releasing the builder for the old versions of its ransomware as it pivoted to a new one for themselves.
The attention that Babuk drew by hacking and extorting the Metropolitan Police Department meant their brand name became widely known. It also meant that more firms and agencies were interested in finding out who was behind it. This kind of heat is unwanted by most gangs, as any loose ends that are out there can come back to bite them.
Then, on September 3, the threat actor with the handle ‘dyadka0220’ stated that they were the principal developer of Babuk ransomware and posted what they claimed was the Babuk ransomware source code. They claimed the reason they were sharing everything was due to being terminally ill with lung cancer.
On September 7, the Groove gang responded with a blog on their own website, titled “Thoughts about the meaning”, which rhymes in Russian. In this blog, the gang (allegedly) provides information on several recent happenings. Per their statement, the illness of ‘dyadka0220’ is a lie. Additionally, their response alleges that the Groove gang never created the Babuk ransomware themselves, but worked with someone else to produce it.
The validity of the claims in Groove’s latest blog is hard to determine, although this does not matter too much: the Babuk group, including affiliates, had a fallout that caused the group to break up, causing the retaliation of several (ex-)members.
Observed Behavior
The ATR team has covered Babuk multiple times. The first blog, published last February, covers the initial observations of the group’s malware. The second blog, published last July, dives into the ESXi version of the ransomware and its issues. The group’s tactics, techniques, and procedures (TTPs) are in-line with commonly observed techniques from ransomware actors. The deployment of dual-use tools, which can be used for both benign and malicious purposes, is difficult to defend against, as intent is an unknown term for a machine. Together with other vendors we have narrowed down some of the TTPs observed by the Groove gang.
Initial Access
The actor needs to get a foothold within the targeted environment. The access can be bought, in terms of stolen (yet valid) credentials, or direct access in the form of a live backdoor on one or more of the victim’s systems. Alternatively, the actor can exploit publicly facing infrastructure using a known or unknown exploit. To ATR’s understanding, the latter has been used several times by exploiting vulnerable VPN servers.
Lateral Movement, Discovery and Privilege Escalation
Moving around within the network is an important step for the actor, for two reasons. Firstly, it allows the attacker to find as much data as possible, which is then exfiltrated. Secondly, access to all machines is required in order to deploy the ransomware at a later stage. By encrypting numerous devices at once, it becomes even harder to control the damage from a defender’s point of view. The actor uses commonly known tools, such as Ad-Find and NetScan, to gather information on the network. Based on the gathered information, the actor will move laterally through the network. One of the most frequently observed methods by this actor to do so, is by using RDP.
To work with more than user-level privileges, the actor has a variety of options to escalate their privilege to a domain administrator. Brute forcing RDP accounts, the dumping of credentials, and the use of legacy exploits such as EternalBlue (CVE-2017-0144), are ways to quickly obtain access to one or more privileged accounts. Once access to these systems is established, the next phase of the attack begins.
Data Exfiltration and Ransomware Deployment
The actor navigates through the machines on the network using the earlier obtained access. To exfiltrate the collected data, the attacker uses WinSCP. Note that other, similar, tools can also be used. Once all relevant data has been stolen, the attacker will execute the ransomware in bulk. This can be done in a variety of ways, ranging from manually starting the ransomware on the targeted machines, scheduling a task per machine, or using PsExec to launch the ransomware.
Linking Groove to Babuk and BlackMatter
As discussed above, there was a fallout within Babuk. From that fallout, a part of the group stayed together to form Groove. The server that Babuk used, which we will refer to as the “wyyad” server due to the ending of the onion URL, rebranded in late August 2021. The similarities can be seen in the two screenshots below.
Another gang, known as BlackMatter, uses a variety of locations to host their extorted files, which can be done out of convenience or to avoid a single notice and takedown to remove all offending files. Additionally, the ATR team assumes, with medium confidence, that different affiliates use different hosting locations.
The data of one of the BlackMatter gang’s victims, a Thai IT service provider, is stored on the “wyyad” server. As such, it can mean that the Groove gang worked as an affiliate for the BlackMatter gang. This is in line with their claim to work with anybody, as long as they profit from it. The image below shows the BlackMatter leak website linking to the “wyyad” server.
The Groove gang’s website contains, at the time of writing, a single leak: data from a German printing company. Even though the website is accessible via a different address, the leaked data is stored on the “wyyad” server.
In the Groove gang’s blog on September 7, a reference is made with regards to BlackMatter, and its links to DarkSide. If true, these insights show that the Groove gang has insider knowledge of the BlackMatter gang. This makes the collaboration between Groove and BlackMatter more likely. If these claims are false, it makes one wonder as to why the Groove gang felt the need to talk about other gangs, since they seem to want to make a name for themselves.
Due to the above outlined actions ATR believes, with high confidence, that the Groove gang is a former affiliate or subgroup of the Babuk gang, who are willing to collaborate with other parties, as long as there is financial gain for them. Thus, an affiliation with the BlackMatter gang is likely.
Conclusion
Ever since Ransomware-as-a-Service became a viable, and highly profitable, business model for cybercriminals, it has operated in much the same way with affiliates being the sometimes underpaid workhorses at the bottom of a rigid pyramid shaped hierarchy.
For some affiliates there was an opportunity to become competent cybercriminals while, for many others, the lack of recompense and appreciation for their efforts led to ill-feeling. Combined with underground forums banning ransomware actors, this created the perfect opportunity for the threat actor known as Orange to emerge, with the Groove gang in tow, with the offer of new ways of working where an associate’s worth was based entirely on their ability to earn money.
Time will tell if this approach enhances the reputation of the Groove gang to the level of the cybercriminals they seem to admire. One thing is clear though; with the manifestation of more self-reliant cybercrime groups the power balance within the RaaS eco-climate will change from he who controls the ransomware to he who controls the victim’s networks.