Author: DarkOwl Content Team

Doppel Partners with DarkOwl to Provide Actionable Intelligence and Strengthen Digital Security

September 12, 2023

Doppel, a key innovator in digital risk protection, and DarkOwl, the leading provider of darknet data, are thrilled to announce their strategic partnership to provide businesses and organizations with actionable intelligence to protect brands from phishing, counterfeiting, piracy and other digital threats worldwide.

In an increasingly interconnected digital world, where the internet is an integral part of everyone’s personal life and of every organization, the need for comprehensive, actionable threat intelligence has never been more critical. As cyber threat actors evolve in sophistication and cyberattacks increase in frequency, the ability to proactively identify emerging threats is essential to protecting a company’s brand, reputation, clients, and employees.

Through this partnership, Doppel will integrate DarkOwl’s industry-leading darknet intelligence capabilities into its product suite, enhancing its ability to proactively detect and mitigate cyber threats. DarkOwl’s unparalleled access to the darknet, coupled with Doppel’s cutting-edge AI-powered threat detection, will empower organizations to stay one step ahead of cybercriminals.

“We are excited to collaborate with DarkOwl to provide our client base with a comprehensive and holistic digital risk protection solution,” said Kevin Tian, Co-Founder and CEO of Doppel. “Integrating DarkOwl’s darknet data will give our clients further visibility into potential threats, enabling them to proactively secure their assets and mitigate threats.”

DarkOwl’s CEO, Mark Turnage, shared “Partnering with Doppel aligns with our mission to enable organizations with the resources necessary to counteract cyber threats. The combination of DarkOwl’s near-real time darknet data insights and Doppel’s cybersecurity capabilities will enable brands to identify risks and protect themselves against emerging threats.”

About Doppel

Doppel is the leading solution in modern digital risk protection for trusted brands. Our state-of-the-art AI scans over 10 million entities daily across the web, dark web, social media, and app stores, offering unparalleled breadth in detecting digital threats, including piracy, counterfeiting, phishing scams, executive impersonators, and more. Seamless integrations with domain registrars, web hosts, browsers, social media platforms, and digital marketplaces power real-time, continuous, and automated protection, making Doppel the best defense for your organization and your reputation. For more information, check out www.doppel.com.

About DarkOwl

DarkOwl is the industry’s leading provider of darknet data. We offer the world’s largest commercially available database of information collected from the darknet. Using machine learning and human analysts, we automatically, continuously, and anonymously collect and index darknet, deep web, and high-risk surface net data. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. Customers are able to turn this data into a powerful tool to identify risk at scale and drive better decision making. For more information, contact DarkOwl.

DarkOwl & Datastreamer Join Forces at Big Data London to Showcase The Future of Dark Web Intelligence

September 07, 2023

DarkOwl, a leading provider of darknet data solutions, and Datastreamer, a platform that unifies unstructured data from multiple sources, are excited to announce their joint participation in the upcoming Big Data London 2023 event. The companies will demonstrate how their solution eliminates the data engineering hurdles of harmonizing darknet information with other data for wide-ranging intelligence insights. 

Accelerating Web Data Integration for Intelligence Insights

While DarkOwl delivers comprehensive darknet data to cybersecurity teams and intelligence agencies, Datastreamer automates the data processing that fuses together disparate data for consolidated monitoring. With Datastreamer & DarkOwl’s combined solution, organizations can integrate dark web data without in-house engineering teams needing to maintain complex data pipelines. Furthermore, analysts can broaden coverage by merging additional web data including TikTok, Threads, news, forums and more. Previously raw unstructured data is federated for analysts to perform queries and real-time surveillance as easily as they would with structured data. 

“Teams engaged in data product development for market insights, investment guidance, and fraud detection are increasingly interested in darknet data.” says David Strucke, CEO of Datastreamer. “It’s an honor for us to partner with a reputed leader in the dark web space to cater to these needs.”

What To Expect At Big Data London 2023

Attendees of Big Data London are invited to stop by the Datastreamer booth – X653, under the Decision Intelligence Theater to see:

  • Live Demonstrations: Watch robust pipelines with darknet and other web data in action – or bring your unstructured data challenges to us and watch data experts craft pipeline solutions on the spot.
  • Data Compliance Discussions: As a featured partner, Private AI will be at the booth to discuss how organizations can utilize data while staying compliant with HIPAA, GDPR, and other regulatory frameworks.
  • Technical Q&A: Engage in insightful dialogue with Tyler Logtenberg, Datastreamer’s VP of Operations, to discover how their platform is reshaping the way organizations use unstructured data.

A Unified Vision of Accessible Data

Considering that up to 90% of data is unstructured and the dark web holds essential information on threats to safety, both Datastreamer and DarkOwl share a vision of making complex data easier to act upon. With a bridge that makes these data types accessible – analysts are equipped with tools that cut out noise to pinpoint relevant information.

“Time is of the essence when it comes to threat detection and mitigation. Reducing the engineering burden of implementing darknet data enables organizations to redirect efforts towards in-depth analysis,” explains Mark Turnage, CEO of DarkOwl. “The technical agility delivered by Datastreamer’s platform will hasten the discovery of emerging threats and existing vulnerabilities aimed at brands or private individuals.”

With the complexity of bad actors operating across various platforms, blending darknet data with other web sources becomes an indispensable tool for a holistic threat assessment.

About Datastreamer

Datastreamer’s unstructured data pipeline platform sets engineering teams free from the most time-consuming aspects of data ingestion and transformation. Founded by data scientists and analytics experts, Datastreamer simplifies the integration of complex data sources that traditional ETL tools don’t support. Organizations are empowered to turn diverse data into ready-to-query insights with fully managed connectors from a network of data partners. As the backbone of industry-leading data products, businesses leverage Datastreamer to train specialized AI models, perform KYC/AML diligence, extract market insights, monitor threat intelligence, and more. For more information, visit www.datastreamer.io.

About DarkOwl

DarkOwl uses machine learning and human analysts to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, contact us.

A Digital Taliban: Governing and Spying under the Taliban Regime, 2 Years Later

In just under two decades, the Taliban has evolved from insurgents to a hardline ruling group who use social media and technology to suppress the population of Afghanistan. The conservative Muslim group who once banned the internet in 2001 has now harnessed it, prolifically using apps and social media platforms to recruit new members, spread its politics, threaten those speaking out against it, and spy on its own citizens. Highlights in this report from the DarkOwl analyst team include:

  • The Taliban has evolved from an internet-banning insurgency to a hardline ruling group who harness technology to recruit new members, spread its politics, threaten those speaking out against it, and spy on its own citizens. It also uses the internet to attempt to influence international opinion about its rule.
  • As the Taliban establishes its online presence, policy makers and tech experts must work to influence the Taliban to keep the internet open and keep its citizens connected. This is a tough task considering the Taliban’s ideology as well as the practices of surrounding countries, most of which are authoritarian governments with little focus on human rights and free speech. 
  • The world must not allow Afghanistan to become isolated: the Taliban present a public image that differs vastly from actual daily life, and Afghan citizens cannot be left to suffer under the brutality of these fundamentalists.

Have any questions for our team? Interested in learning how our analyst team can help your research and investigations? Contact us.

Threat Intelligence RoundUp: August

September 01, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of popularity in our newsletter – what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. US Gov Rolls Out National Cyber Workforce, Education Strategy – Security Week

At the very end of the month, the Biden administration announced the National Cyber Workforce and Education Strategy (NCWES). This comes as the gap in talent needed to fill cybersecurity jobs remains. The new strategy will include a series of “generational investments” to address the cyber workforce needs, starting with education and making training more accessible. Read full article.

2. Researchers Expose Space Pirates’ Cyber Campaign Across Russia and Serbia – The Hacker News

Research has revealed that Space Pirates, a threat actor linked to attacks against at least 16 organizations in Russia and Serbia over the past year, has been harvesting PST email archives and making use of Deed RAT – showing that they are adding new cyber weapons to their TTPs but their main goals are still espionage and theft of confidential information. Read more.

3. Cuba ransomware group observed exploiting high-severity Veeam bug – SC Media

The Cuba ransomware group is actively exploiting CVE-2023-27532 in Veeam Backup & Replication, which allows an attacker to retrieve the encrypted credentials stored in the backup server's configuration database, and is targeting critical infrastructure and key resources (CIKR). The group's increased activity enabled deeper analysis, which revealed that the ransomware terminates if a Russian language pack or a Russian keyboard layout is detected, likely indicating that this is another Russia-based group. Read more.

4. Attackers Dangle AI-Based Facebook Ad Lures to Hijack Business Accounts – Dark Reading

Credentials were stolen after a Facebook advertisement promised to boost business productivity and revenue using the latest trends in AI. Trend Micro discovered the false Facebook pages and alerted Meta, who took the pages down. Clicking on the false ads led unsuspecting users to an LLM-themed website, which then stole cookies, browser information, user access tokens, and other sensitive data. Community researchers compared this latest campaign to the spring 2023 RedLine stealer campaign. Read full article.

5. Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware – The Hacker News

Syrian threat actor EVLF reportedly authored several Android remote access trojans (RATs) which he sold on a marketplace since 2022. The RATs can control device cameras and microphones. EVLF runs several Telegram channels in addition to selling on marketplaces. He posted on 23 August 2023 that he would be shutting down, presumably after being publicly outed by the media. Read more.

6. North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns – The Hacker News

The US FBI issued a statement warning that individuals linked to North Korea may attempt to cash out more than $40 million in stolen cryptocurrency. The FBI attributed the blockchain activity to TraderTraitor, aka Jade Sleet. Read full article.

7. CISA Adds One Known Exploited Vulnerability to Catalog – CISA

CVE-2023-24489, a Citrix Content Collaboration (ShareFile) improper access control vulnerability, has been added. Learn more.

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Highlighting Women in Cyber for Women’s Equality Day

Interview with DarkOwl’s Caryn Farino and Steph Shample

August 28, 2023

For the second year in a row, in honor of Women’s Equality Day this past Saturday, August 26th, the DarkOwl Marketing team interviews our Director of Client Engagement, Caryn Farino, and Senior Intelligence Analyst, Steph Shample. Last year, we sat down with Chief Business Officer, Alison Halland, and Director of Technology, Sarah Prime – check out that blog here. DarkOwl is very proud of its women leadership and workforce, with 45% of our staff being female, and strives to continue building a balanced workforce with the most talented and effective team possible.

Interview: Thoughts on Being a Woman in Cybersecurity from Two Members of DarkOwl’s Team

To commemorate Women’s Equality Day, DarkOwl’s Director of Marketing, Dustin Smith, sat down with Caryn Farino, Director of Client Engagement, and Steph Shample, Senior Intelligence Analyst, for a candid interview about working in the cybersecurity industry.

Editor’s Note: Some content has been edited for length and clarity.

The (ISC)2 2022 Cybersecurity Workforce report reported that pathways to cybersecurity are changing, “Traditional habits are being broken and diverse perspectives are entering the field, as the next generation uses new pathways to jump-start their careers.” (ISC)2 estimates the global cybersecurity workforce in 2022 at 4.7 million, an 11.1% increase over 2021, but still reports a gap of 3.4 million cybersecurity workers worldwide, a 26.2% year-over-year increase.

Tell me about your background and your journey to where you are now – did you know you always wanted to be in cyber?

Caryn: I did not. I am definitely one of those individuals that fell into cyber by accident. I was working at a small firm conducting corporate due diligence research, when our clients started asking us for assistance with investigations into individuals who were causing them problems online. I found that the skill set of identifying problems in someone’s background translated really well to uncovering someone’s digital footprint and tracking that anonymous person’s activity. Those one-off research projects blossomed into a full career tracking threat communities and helping clients mitigate the biggest risks to their organizations and their intellectual property.

I would say this career has provided me with a lot of exposure to the different aspects of the cyber world, which includes both open and closed source intelligence, brand protection, insider threats, anti-piracy, and even physical investigations. Now I help DarkOwl’s clients use the darknet to feed their security programs.

Steph: That’s such a great answer. I did not always want to be in cyber, but I can’t imagine not having ended up here. I was also accidental. When I started off, my entire career was based on foreign language translation, so I was a translator for the US army and then ended up at the Department of Defense. Everything was dictated by what languages I spoke, and I’d spent two years in Afghanistan fighting terrorism and narcotics and weapons smuggling. I always concentrated on physical aspects of the mission.

And then, when cyber capabilities started to emerge in the world, those of us who could speak foreign languages were needed: What are these people saying? What are they doing online? And it was interesting for me because, as a Farsi linguist with Iran, we don’t have a lot of physical interactions with them. You know, we can’t really meet up. We don’t have diplomatic representation. We knew they were in Afghanistan in certain places, but that was it, that was the extent. But in cyber, they are all over the place. They are in every chat room and stealing intellectual property and stealing weapons manuals and all of this. So that was really interesting, to have the digital and physical, kind of hybrid instance, where we could finally see that. I learned even more about Iran and started understanding their cyber capabilities.

So then I left the government and I went commercial in 2019, and I have done everything from OSINT [open source intelligence] to ransomware campaigns, tracking IOCs [indicators of compromise] and now really following the space with the hybrid conflict, which is where maybe there’s a DDoS [distributed denial of service] attack over one place because they’re physically attacking everything like on the border of Syria or in Iraq, where there’s kind of sectarian violence. So, I love cyber, and it’s everywhere and it’s contributing to a lot bigger conflict space.

Has working in this field dispelled any misconceptions you had about your own abilities or interests?

Caryn: For me, it definitely has. I always joke that I do not actually consider myself a technical resource. However, I find I’m able to bridge the gap between the technology and the business side of the house based on the kind of exposure I’ve had during my career. I was an analyst with a business background. It surprised me that in a lot of meetings people are often making false assumptions about what everybody else understands in the room. And I really enjoy working cross-functionally with those teams and making sure that everyone understands the problems, the solutions, and the course of action from the security teams and through legal recourse.

Steph: I also was floored with the opportunities in cyber for people who are not “on the wire”, don’t program, don’t code. It really requires every kind of thinking and every kind of background, especially analytical. And, you know, Caryn’s exactly right. I think what we might share there is we have to take what we witness and see in our day to day and translate that to every entity of a business, right? Cyber actors are going to target HR [human resources] and finance with personal information all the way up to the C-suite. So, you’ve got to be able to explain and make your case for why we need tools, resources, analysis and how we can protect ourselves as well as our industry, starting with every level employee of every company. It really does require every kind of background and every kind of personality and every kind of skill set. And it’s wonderful to see them all meld together, especially now that AI has come into the picture. That’s going to require even more creativity and divergent thinking. It’s really exciting to be in the space at this time.

The (ISC)2 2022 Cybersecurity Workforce report found that 43% of organizations reporting a cybersecurity staffing shortage attributed it to being unable to find enough qualified talent. Other main reasons included not prioritizing cybersecurity and not training staff sufficiently.

Can you talk about your professional development? What courses or certifications would you recommend? What advice would you give to a woman who is at the entry-level in the cybersecurity industry? 

Steph: There are a lot of groups being established. For women especially, I would join WiCyS, a women in cybersecurity group – there are chapters all over the country. There’s also a national chapter. I would be happy to be that point of contact – feel free to contact me on LinkedIn, I’d love to get people set up. And then there’s also Women in Security and Privacy [WISP]. Two different groups with national chapters, and they sponsor conferences. There are scholarships for SANS courses or certificates as well. It’s really wonderful to have those resources.

And then I would say, just put yourself out there. There’s always going to be naysayers. There’s always going to be people who tell you that you don’t belong in any industry… ignore it. And I know that’s hard. But as you get used to ignoring it and as you build yourself up, lean on your crew, right? Lean on your coworkers. Lean on those women’s groups. Lean on any group that wants to support you. And for entry-level, you just have to be curious. If you are somebody who needs routine and does the same thing every day, cyber might not be your calling. You’ve got to be curious. You’ve got to be constantly wanting to learn.

Also, start off with CompTIA Network+ and Security+ – they’re easy courses that you can do on your own time. They provide guides and visuals and manuals. It really is a good way to introduce yourself by fire hose to basic security concepts to see if cybersecurity is for you. And those ones are not as expensive. If you decide to stay in the space and in the industry, it is worth going after a SANS course. They are pricey, but they are very hands-on, and you will apply them to your job. Those are some of the courses that you can do. And for the SANS courses, use those websites or the women in cybersecurity scholarships or opportunities.

Caryn: I definitely don’t want to undervalue certificates, but I’m a big believer in hands-on experience as the best method for learning. Those cybersecurity courses, especially the ones that Steph mentioned, are so important to build the foundation in this space. And I’m sure we’ve all read Michael Bazzell’s books and done his courses. However, the tactics used by these criminal organizations are constantly changing, so it’s really important to embed yourself in those real-life situations and investigations and learn as much as possible from them. I encourage everyone to get involved in as many different types of cases as possible within your organization and really embed yourself in the start to finish of working a case.

The other thing I do outside of that is I regularly listen to a variety of cyber podcasts so I can hear what others in the industry are experiencing and make sure I understand those different issues. So when we’re working with our clients, I know what they might be going through that may be unique to their space.

As for the advice portion of what I would give to somebody entering into the cybersecurity industry – find a mentor, somebody who can help guide you through your career. And don’t be afraid to fail. I know for me, personally, most of the biggest wins I’ve had in my career have come out of my biggest fails. They were incredible opportunities for me to learn. Lastly, we want to make sure that we are getting different viewpoints and looking at things from different angles. So the other advice I have is to listen just as much as you contribute during these conversations.

Steph: She brings up amazing points on that. In cyber, you’re going to be wrong, right? I know in medicine and science and other fields, they’re very unforgiving and the preciseness is there because it has to be. But in cyber, the actors and the people you’re working against to keep yourself safe, they’re setting you up for failure. They want you to be wrong and they’re trying to mislead you. And she’s exactly right. You’ve got to be resilient and bounce back from that. That’s a great point.

The data from the 2021 Cybersecurity Workforce study from (ISC)2 suggests that a reliable estimate of women in the cybersecurity workforce globally remains at 25%. The (ISC)2 2022 Cybersecurity Workforce report states that 57% of organizations are investing in diversity, equity, and inclusion initiatives, to decrease staff turnover and lower the gap.

What is it like as a woman working in the cybersecurity industry?  Are there any challenges or advantages to working in a male-dominated industry?

Caryn: I feel very fortunate to work at DarkOwl, as this company really empowers its female staff. It’s not like that everywhere. I have been in so many situations where I am the only female voice in the room, but I don’t really want to feed into that gender bias. I think the biggest challenge we face as women in the industry is overcoming that imposter syndrome, right? So that feeling that we don’t belong. We do belong, and I want to keep stressing that different perspectives are often the key to solving these complex issues we face. And as a whole, I want to see more diversity, not only in the cybersecurity space, but also at the management level and above at companies. I think women will really be surprised how receptive anyone, not just males, is to their thoughts and ideas if they’re choosing to participate in areas outside of their comfort zone.

Steph: She’s right. It’s not just a gender thing. There’s conflict in every industry. What’s really hard in infosec and cyber is that it started off male dominated, and the interest and the push early on for math, science and STEM was more for men. And it was just accepted in society that women can have careers, but cyber and networks and computers really are a man’s world. And that’s categorically false.

I will say in the military intelligence community, I really didn’t experience a ton of male versus female conflict or sentiment. In the military, you all suck it up and suffer and experience together, in Intel at least. I’m not saying women in other fields like Infantry, Artillery, and more don’t experience misogyny – they do, let me recognize my sisters in uniform for that. But intelligence is different. I did see more inappropriate behavior and open hostility towards women emerge when I came into DOD cyber and the commercial infosec world. But I do think that the message has been received; women are pushing back and standing up for themselves and one another.

I, too, would like to shout out DarkOwl. When I was looking to change jobs and looked at the org chart for this company, I was blown away at women’s leadership because I will tell you, in previous jobs, there were no women above a team lead, if that. There were no women execs, no VPs, nothing, and I would be lying to you if I said at times I had thought of leaving cyber because it just seemed like I was running myself up against a brick wall where you were just getting shot down and shut down. And that’s hard. That takes a toll on you. I know of companies where they won’t even let people acknowledge days like this, the reason we’re doing the interview, and they wouldn’t acknowledge International Women’s Day in March.

Slowly, that is changing. And how do we combat that? Nominate women for conferences, push them to present, get out there publicly. Caryn made a great point about mentorship. Male or female, have a mentor. When I first started, I had a technical person on every single project that I would go to and say, “Where am I wrong? Can you sanity check me? What writing do I need to change?” And that is how you’re going to learn, when you find that constructive criticism. We need to stick together.

Caryn: It’s definitely our responsibility as women to help bring other women up with us. We don’t want to be in the position where we’re not part of the solution. We want to empower other females in our organization and our industry.

Steph: Let me add to that, too. I was really fortunate. The very first boss that I had in cyber in the DOD was a male, and I went to him and said, “Are you sure I belong here? Like I can barely work a computer. You positive?” He sat me down and built me up and then put me on special projects to help me learn. And then when I was thinking about grad school to up my credentials because I was hooked by cyber, he had done the same program and I went to him and I said, “Do you think I can hack this program? Do you think I can do this?” And he was like, “absolutely”. And that was seconded by my husband. So I want to say, I have really great male role models. And there are men in WISP and it’s wonderful. So we’re getting there.

What do we not understand about cybersecurity as a field and its job opportunities? What does cybersecurity mean to you?

Steph: I think there is a community failure of understanding how many different perspectives it takes to make sense of cyber. That’s because you need the people who are on the network speaking only ones and zeros, you need the people who can speak mainly to computers and make them “do” and build the tools that we need. But we also need translators, etc. At a conference last year in Saudi Arabia, I was floored that the biggest topic of conversation was the cyber psychology of online actors. Why do people act the way they do behind the scenes? Why do they act one way on the computer and then differently in public? There’s a whole emerging neuroscience and psychology aspect behind cyber criminal actors.

Furthermore, geopolitics enters into this in a huge way. We are now seeing, of course, people take sides with Russia and then people take sides with Ukraine. And you have to understand why entities come after American or Western businesses or go after Five Eyes businesses to try to hurt them because of the geopolitics physically playing out. And then we’re also seeing that in Syria, where there’s all kinds of different interests and entities and sectarian violence. It cannot be overstated the amount of expertise, you have to have a mixture of thinking, you have to have thought groups collectively working together.

This year, actually just at DEF CON and Black Hat, the public-private partnerships are essential. Maybe back 30, 40 years ago, the military was considered perfect at conflict, no one else contributed. Doctors were doctors and that was their expertise. Cyber doesn’t silo everything like that. Cyber requires every perspective to have an informed and intelligent conversation and adequate problem solving. We need academia, we need government, and we need the commercial sector. We truly need everybody from all backgrounds.

Caryn: 100% agree with that. Cybersecurity nowadays is just a very broad term and it encompasses so many different aspects. I think a lot of people still look at cybersecurity from the vulnerability management perspective and the hacker in the basement, right? But organizations have to worry about so much more because not only do you have insider threats and external threats, but then you have these unintentional threats. And they are really your biggest weakness, in my opinion. That is going to be those non-malicious events where an employee exposes an organization by reusing a password, accidentally sharing IP [intellectual property] to a public facing system, or clicking on a malicious link. There are just thousands of human error type activities out there, and they’re really difficult for this industry to account for. So for me, cybersecurity is really more about the OPSEC [operations security]. That opens up so many different career paths.

Steph: I have to pivot off of that because she again makes wonderful points. So you have the practitioners who are working against the malicious forces. But she’s [Caryn’s] exactly right. There are people who are just in this operating day-to-day and to them it’s benign, they don’t realize that they’re exposing themselves or their families. So kids on Facebook accidentally posting vacation pictures opens up targets of opportunity. An employee who just wants to maybe get good press for their company and doesn’t realize that what they’re exposing is personal or sensitive information, corporate speaking. So that is a risk. There is, of course, the malicious factor, but the human factor is what everybody talks about. It takes a human to click on a spear-phishing link. It’s a human who posts accidental information. So everybody, I think, sees cybersecurity and cyber and thinks of a computer and they think networks, they think “I have no part to play in this.” The human element will never, ever go away, even with AI. Cyber is so broad and I think we’re only a decade into this, but now we’re going to have specialties. People are going to step up and say, “I’m an AI expert. I’m a crypto expert. I can talk about the blockchain and smart contracts and the underlying tech. I can talk about cyber psychology compared to human psychology.” So it’s just an endless opportunity for cybersecurity. It’s going to keep broadening.

Caryn: I want to make one more point to wrap this up. It’s important for organizations to have that holistic view of their threat landscape, because as cybersecurity professionals, we not only have to consider the inside perception of what is most damaging to our organization if it’s exposed, but also the consumer perception. So what do people outside your organization perceive as the most valuable data to obtain from you? Make sure we’re looking at it from both perspectives. A lot of people just want to batten down the hatches and protect their networks, but they’re not really considering what those outsiders are looking for – you know what your organization’s crown jewels are, but that might not be what somebody else is going after. So it could be that they’re going after your financial data, not your intellectual property. No one is immune anymore. And that human error component I mentioned earlier is really evident on the darknet.

At DarkOwl, we’re regularly seeing the results of those social engineering and phishing campaigns that result from those kinds of attacks. The education piece is really important here: is your operational security and training your staff and your family members at the same level? Steph mentioned earlier if somebody has sloppy OpSec [operational security] outside of your organization, the chances that they’ll have sloppy OpSec inside your organization increases. And we really want to make sure that people are approaching it in both directions. So my last comment here would be to really encourage all organizations to make sure they have a comprehensive monitoring program that includes a variety of data sources, including darknet data.

Key Takeaways from Caryn and Steph’s Perspectives

There is no perfect background or one way to have a successful career in cyber. Individuals interested in a career in cybersecurity need, above all, curiosity and determination. Individuals should not underestimate their potential to contribute to the cybersecurity realm. The diverse array of skills required to tackle current and future threats necessitates a range of expertise and backgrounds.

Efforts to bridge the gender and representation gaps in the cybersecurity field are underway, but these disparities do still exist and women need to continue to raise each other up. As always, it is important to look into an organization and make sure that they align with your own beliefs, morals and goals – if these align, it will be so much easier to be a supportive, hardworking and happy employee, no matter what field or role you are in.


Looking for a career in cybersecurity? DarkOwl is hiring! Check out our open positions here.

[Developing] Updates on Wagner Group from the Darknet

Last Updated August 28, 2023 – 9:00 EST
August 28, 2023 – 9:00 EST

Over the weekend, on Sunday, it was reported that Russian investigators officially stated that genetic tests confirmed that Yevgeny Prigozhin was in fact on the plane and a victim of the crash. As mentioned in the previous posting, conclusions should not be drawn until a source outside of Russia has also confirmed the death. More can be read on the Russian investigators’ statement here.


August 25, 2023

The leader of Russian Mercenary Group Wagner, Yevgeny Viktorovich Prigozhin’s life reportedly ended on 23 August in a plane crash outside of Moscow near Tver, Russia. The world witnessed Prigozhin try to undermine, betray, and even overthrow Russia’s Vladimir Putin when he orchestrated a coup in June 2023. Anyone following Russian geopolitics knows that even questioning Putin earns a jail sentence or torture session; to openly declare mutiny against Putin and march on Moscow almost certainly sealed Prigozhin’s death, with many in the global community awaiting an announcement of Prigozhin’s death sooner rather than later.

However, there is another more complicated, vague aspect to this. Russia is one of the most sophisticated intelligence actors in the world. Putin himself, as a former high ranking KGB intelligence officer, has crafted successful intelligence operations his entire life, even after leaving the KGB. Is all this a distraction, or a ploy to mislead the West, and those who support Ukraine? Prigozhin is only suspected to have been onboard the plane. It is not outside of the norm or capability, in Russian intelligence operations, to falsify a plane’s passenger manifest. Much of the global community was surprised that Prigozhin stayed alive as long as he did after his declared mutiny, and furthermore, taking “refuge” in a Putin-sympathetic country, Belarus, was also questionable. Many think that Prigozhin and Putin were working together to stage this event, and that same suspicion surrounds Prigozhin’s purported death.  

DarkOwl analysts outline chatter on the darknet and darknet-adjacent sites using DarkOwl Vision and will continue to do so as developments occur.

What is Russia’s End Goal?

In 2019, rumors also circulated about the death of Prigozhin, and that death was also purportedly caused by a plane crash. Until there is cemented intelligence and pictures from sources outside of Russia, this entire event and its surrounding circumstances should be considered unconfirmed. Prigozhin has multiple passports, and even has body doubles that travel for him so he can remain elusive and shrouded in mystery. On Telegram channels, speculation surrounding the Prigozhin event is running rampant, even within the Wagner channels:

Figure 1: Conspiracy theorists on 4Chan debate who was involved in causing Prigozhin’s death; Source: DarkOwl Vision
Figure 2: Additional theories circulate regarding the actual reasons for the death of Prigozhin; Source: DarkOwl Vision

Regardless of Prigozhin’s final fate, what happens to Wagner now? Whether dead or alive, Prigozhin will likely not publicly lead Wagner.

Figure 3: Telegram chatter speculating what the next steps of Wagner might be; Source: DarkOwl Vision

Emotional outpourings and memorials have also popped up, both within and outside of Russia, demonstrating some sympathy for Wagner members: 

Figure 4: A Telegram post detailing memorials for Prigozhin and Utkin; Source: DarkOwl Vision
Figure 5: More chatter and commentary about the memorials for the likely deceased Wagner members; Source: DarkOwl Vision

Speculation Runs Rampant

Speculation is rampant among the community following Wagner: 

  • Will they completely disband? Not only was their number one leader possibly killed, but reportedly, Wagner’s number two, Dmitriy Utkin, was also onboard the plane, and is presumed dead along with Prigozhin. A top aide of Prigozhin, Valeriy Chekalov, is the third rumored high-ranking Wagner member on board. In addition to the high-ranking Wagner members, other suspected Wagner mercenaries were also reportedly on board. The exact number is not confirmed as the passenger manifest is still being compared to the Wagner member manifest.
  • Will Wagner exact revenge against the Kremlin? Prigozhin and several Wagner members were openly critical of Russia’s handling of the war in Ukraine. The death of several members could galvanize support for a bloody Wagner rebellion, especially since the Ukraine war is not going in Russia’s favor.
  • Will Wagner move operations completely? Perhaps they abandon the risky area of operation, which is Eastern Europe. Russian personnel are all over that area. Belarus, which was temporarily Prigozhin’s safe space after his attempted mutiny, is led by Putin friend and sympathizer Alexander Lukashenko. Wagner already has several African strongholds: Libya, Mali, Sudan, and the Central African Republic (CAR). Shortly before his death, Prigozhin even encouraged Wagner to move operations and all focus to Africa. This is a strong possibility, and a potentially safer area of operation for Wagner.
  • On the complete opposite spectrum, perhaps Wagner will establish a stronghold in Belarus. They are still present in the country in large numbers. Belarus has also acted as a staging area for Russian troops during the entire invasion of Ukraine, with trains, military members, and weapons often originating from Belarus before going into Ukraine. Russian and Belarusian ally Iran also has a footprint in Belarus, and could assist with Wagner operations. 
  • Who will replace Prigozhin? 

Monitoring the Situation

DarkOwl is closely monitoring the official Telegram channels of the Wagner group to see what unfolds after the crash that claimed the lives of multiple Wagner members. While rumors emerged that Wagner would be quick to avenge Prigozhin and act against the Kremlin, DarkOwl does not see any reflection of this chatter in the Wagner Telegram channels. They are instead urging caution and waiting for official reports to confirm the death:

Figure 6: Official WAGNER Telegram channel cautions members to wait for the official announcement regarding Prigozhin’s death, intimating that even Wagner members do not yet believe the incident is complete; Source: DarkOwl Vision

Be the first to get our research updates. Subscribe to emails here.

How Cyber Criminals Exploit AI Large Language Models like ChatGPT

August 24, 2023

Artificial Intelligence (AI) has become a popular topic recently with the launch of ChatGPT and Bard. In this blog, DarkOwl analysts explore how it is being used by cyber criminals.

Criminal discussions around AI chatbots like ChatGPT do not center on creating new AI systems from scratch, but rather on building on current language models and finding ways to bypass the ethical standards around prompting. Cybercriminal applications of ChatGPT and other AI applications are still in their infancy, and our assessment will continue to evolve as the technology and its varying applications evolve.

Despite increased media coverage of fraudster AI chat bots like WormGPT, FraudGPT, and DarkBard, there is skepticism within both the underground cybercriminal community and the threat intelligence community that the output from these fraudulent chatbots is effective as it still appears to be rudimentary. While services like WormGPT and FraudGPT can be effective for generating phishing campaigns, we have also observed darknet users discuss ChatGPT in a non-criminal manner such as automating pen testing tools.

Jailbreaking ChatGPT

DarkOwl analysts searched our Vision UI database and found over 2,000 results mentioning “jailbreak” AND “GPT” across various darknet forums, marketplaces, and Telegram channels. The number of results returned for this search was significantly higher than when searching for “WormGPT”, “FraudGPT”, or “DarkBard.” We have recently observed discussion, in various formats, of “jailbreaking” ChatGPT to bypass the ethical standards around prompting in order to engage in various activities.

One example, as seen in figure 1 below, is from the hacking forum Crax.Pro, where a user titled a thread “[GPT 4] WORKING PROMT JAILBREAK.” The user, Sadex, initially shared a link to a video tutorial allegedly instructing viewers how to “jailbreak” the prompt for GPT 4. Other users commented and validated that the video tutorial was effective, claiming: “Yoooooooo!!!! This is so legit thank you so much.”

Figure 1: Source: DarkOwl Vision

In another example, a Breach Forums user inquires how to jailbreak ChatGPT and claims tools like WormGPT are a scam. Another user suggests using a fraudster chatbot service called EvilGPT, which is similar to FraudGPT:

Figure 2: Breach Forums users discuss jailbreaking ChatGPT

DarkOwl analysts have also observed members of extreme right-wing militant groups in the United States discussing jailbreaking ChatGPT to bypass “censorship.” One Telegram group chat shared links to a video tutorial for jailbreaking ChatGPT:

Figure 3: Telegram users discuss jailbreaking ChatGPT; Source: DarkOwl Vision 

However, DarkOwl analysts have also observed the underground community discuss bypassing the ethical standards around GPT prompting to automate pen testing tasks. One GitHub repository is GreyDGL/PentestGPT. PentestGPT describes itself as “A penetration testing tool empowered by Large Language Models (LLMs). It is designed to automate the penetration testing process. It is built on top of ChatGPT and operates in an interactive mode to guide penetration testers in both overall progress and specific operations.” PentestGPT is like WormGPT in that both are built on top of previously created language models.

Figure 4: Screenshot taken from the PentestGPT GitHub repository

Fraudster Chatbots Exchanged on Darknet Marketplaces, Forums, and Telegram 

FraudGPT

FraudGPT is an AI chatbot that uses popular language models created by Google, Microsoft, and OpenAI and strips away any kind of ethical barriers around prompting the AI. Thus, tools like FraudGPT are commonly used by fraudsters and cybercriminals to generate authentic-looking phishing emails, texts, or fake websites that can fool users into sharing PII.

A recent advertisement on the carding forum Carder.uk was allegedly selling a FraudGPT service for $200 USD monthly or $1700 USD annually and listed the following capabilities:

Figure 5: Carder UK user advertising the FraudGPT service 

Despite the proliferation of fraudster chatbots being sold on darknet forums and markets, some users are skeptical of the price of tools like FraudGPT. In the screenshot below from the predominantly Russian-speaking cybercrime forum XSS, a user discourages others from purchasing FraudGPT as recently as 8/7/2023 and claims to be able to provide proof as to why the service is ineffective:

Figure 6: XSS user criticizes the effectiveness of FraudGPT 

WormGPT

WormGPT is an alternative fraudster chatbot originally discussed on Hack Forums in March 2023. It only recently started being sold on various darknet forums and marketplaces, as of June 2023. Recently, the 2021 GPT-J open-source language model was leveraged for creating this hacker chatbot. WormGPT reportedly writes malware using Python. The user CanadianKingpin12 (previously known as canadiansmoker) has been observed selling access to WormGPT across various cybercriminal forums and marketplaces.

Figure 7: CanadianKingpin12 advertisement on the Club2Crd carding forum

The above screenshot shows the user CanadianKingpin12 selling the FraudGPT service on the well-known carding forum Club2Crd.

CanadianKingpin12 has recently gained quite a bit of attention in the media for their involvement in advertising GPT fraud services (FraudGPT, WormGPT, DarkBard, DarkGPT, and a ChatGPT Fraud Bot) on various forums and markets, such as Club2Crd, Libre Forum, Sinisterly, and Kingdom Market. The following screenshot shows CanadianKingpin12 selling 12-month access to a ChatGPT Fraud Bot for $70 USD on Kingdom Marketplace.

Figure 8: CanadianKingpin12 selling Chat GPT Fraud Bot on Kingdom Marketplace – this post was removed from the actual marketplace; Source: DarkOwl Vision

DarkBard

DarkBard is yet another fraudster chatbot, less popular than those mentioned above, that is also being sold by CanadianKingpin12. The following screenshot shows CanadianKingpin12 selling access to DarkBard for $100 a month on the hacking forum Demon Forums.

Figure 9: canadiansmoker (aka CanadianKingpin12) selling DarkBard on DemonForums; Source: DarkOwl Vision

Conclusion

CanadianKingpin12 is also tempting users with “DarkBART” and “DarkBERT” advertisements. Purportedly, these tools trained completely on Dark Web lexicons will be more sophisticated than the aforementioned bots and can also integrate with various Google services to add images to output, instead of offering text only output. Researchers also anticipate eventual API integration, further fortifying and automating cybercrime efforts. DarkBERT is also the name of a benign LLM developed by Korean researchers. CanadianKingpin12 claims to have access to this LLM, using it for the foundation of the malevolent tool. DarkOwl analysts are unable to verify these claims, as South Korea claims DarkBERT is only available to academics.

As AI emerges, its use cases, both legitimate and criminal, will continue to evolve. This is the nature of technology: as tech emerges, so too do legitimate and fraudulent use cases. Companies must begin responding proactively to newly generated fraud and scams powered by AI, chatbots, LLMs, and anything else that lowers the barrier to entry for cybercriminals to attack.


Interested in learning how darknet data applies to your use case? Contact us.

DefCon Review: An Analyst Perspective

August 22, 2023

DefCon has been around for 3 decades and is one of the oldest hacker conventions and one of the largest globally. DefCon 31 was a great gathering, as always. While a lot of people figured this year would be all and ONLY about AI, there were plenty of other topics covered in depth. AI did have its own village, though, alongside villages for voting, industrial control systems (ICS), red/blue team, mis/disinformation, social engineering, and many more, allowing hands-on experience in the most crucial areas of cybersecurity.

The DarkOwl team sent a number of analysts from our Darknet Services analyst team to advance their skills, keep up to date with the latest trends and topics, and of course practice their skills. This blog outlines some highlights from this year’s event, through our analysts’ eyes.

Highlights

PyRDP

Remote Desktop Protocol (RDP) has always been an entry vector for attacks, namely ransomware. A pair of brilliant scientists from a Montreal organization, GoSecure, set up an RDP honeypot (PyRDP) to attract malicious actors so they could study them. They studied actors for 3 years as the criminal actors used their platform in operations. PyRDP is open source and available on GitHub.

Using this tool, researchers and professionals can obtain actor credentials, operating system details, browser information, languages spoken, and more. The scientists openly stated they released this tool for free to put a dent in the current ransomware epidemic. DarkOwl analysts will implement PyRDP in operations where appropriate to do our part to reduce the ransomware epidemic.

RDP is a human process, and more targeted than some processes in cyber. While many parts of the criminal ecosystem can be automated and left to a machine, RDP and the actions to comb around a computer and its filesystem, exfiltrate files, and then move on all require humans.

Tool: PyRDP – https://github.com/GoSecure/pyrdp

Internet Censorship

Given the political climate and current world events, censorship online was a big topic. Russia, China, and Iran are all building their own internet, separate from the world grid. Additionally, these countries have their own apps equivalent to the western Facebook, Twitter/X, and Reddit. These apps are heavily promoted in the countries of concern to get a solid user base, making the transition from western apps to these authoritarian-controlled and monitored apps easier. Russia’s Facebook equivalent is Vkontakte (VK), China has several platforms (Douyin in country is what TikTok is in the US), and Iran has iGap, which is a WhatsApp equivalent (these examples are not an exhaustive list). These efforts coming to fruition mean more isolation under authoritarians, and citizens who lose access to information and education, truth, and global resources.

Interestingly enough, this panel couldn’t come to a resolution for this problem of censorship. It’s a tough issue which (like the rest of all things cyber) requires public and private partnerships (PPP) to effectively keep a society or country from becoming completely isolated from the world. The panel did highlight that sanctioning companies and individuals is not effective. If you turn off an internet service provider (ISP), such as Russia’s ROSTELECOM, this contributes to the malicious efforts to isolate: the citizens of Russia also lose access when you cut an ISP, so this is quite damaging.

An interesting suggestion was to target individuals, including individual netblocks, versus taking an entire ISP offline. If you take only part of ROSTELECOM offline, and you are more precise, this does exert pressure on the malicious entity while preserving the access of individual residents of a country.

There is also a new treaty in progress attempting to combat cybercrime. The United Nations (UN) is negotiating this effort to assist with country- and border-agnostic policies that fight cybercrime while more effectively preserving digital rights and freedom, as well as internet access, for countries under authoritarian regimes. A timeline of the effort can be found here. DarkOwl analysts will monitor this developing cybercrime initiative by the UN for impacts in the space and see how they play out geopolitically. The last plea from this panel was that universities need to host TOR nodes to provide more access to TOR worldwide, as authoritarian and censorship creep continues.

NFC Over Point-of-Sale Systems

Near field communication (NFC) is what powers all the contactless payment systems coming into banks and retailers today. The technology uses radio waves to transmit encrypted data to point-of-sale (or other designated) devices. With any growing technology there is a risk of fraud and abuse, which is what this talk covered. This is true of NFC payments, even though the data is encrypted.

Website HappyATMs[.]com sells parts that facilitate NFC for Point-of-Sale (POS) systems, vending machines, and of course ATMs, as does eBay. This means that malicious actors can buy these parts and use them in everyday efforts to steal data and finances. The vending machine pictured to the left was not part of this talk, but it was an exercise on the main floor to hack it. So the concepts continued and were reinforced all over Def Con – pretty cool!

Data from NFC can be intercepted – if a criminal positions themselves in range of the two devices, they can intercept the transmitted signals as well as record the data. This means financial details, PII, credentials, and more sensitive information used to conduct NFC transactions can be stolen and used maliciously. Actors can resell personal data, drain money from accounts, or impersonate the person from whom they intercepted the data.

NFC tags can also be manipulated, which leads to the distribution of malware. Criminals can create fake NFC tags or work with existing ones to distribute hidden payloads. If the unsuspecting person scans the NFC tag, the malware is downloaded and installed in a flash and can also steal personal information.

All the information procured by a malicious actor can be cloned, so they can use sensitive data they stole (or copied) to bypass security and MFA, impersonate someone else, and again steal sensitive data.

DarkOwl analysts can now track the models of ATMs, POS systems, and other hardware that have open vulnerabilities, and monitor talk about them on the DDW, Telegram, and Discord. We can also set up alerts for mentions of any actor using happyatms.com to track purchase data and build out the bad actor network. This was an enlightening talk that gave a lot of insight into current financial fraud and theft TTPs, which are always changing. Really happy I caught this one.

Random Bits and Bytes

Growing Up Next Door to Russia

Mikko Hypponen’s talk on “Growing Up Next Door to Russia” was pretty spellbinding – ending with standing room only. He (IMO) took his life in his hands by outing and including pictures of very, VERY recent Russian cyber actors who had been sanctioned. You KNOW they, their associates, their family members, were there in Vegas. It was very brave of him to call out the recent actions and cyber activities of these actors, highlighting their disruption to daily life and contributions to global cybercrime campaigns. Definitely recommend checking out his book, If It’s Smart, It’s Vulnerable, as well as his podcast, Cyber Security Sauna.

  • One-Drive hacking/emulation to gain access to all Microsoft accounts.
  • Weaponizing plain text.
  • Tap to pay cards and RFID hacking.
  • Biohacking and how to hack implanted NFC/RFID implants.
  • “Old College/High School Friend” is the current phishing technique. 
  • Company Swag – using swag to gain access to secure locations – importance of using different designs/styles for internal swag vs external swag.

Final Thoughts

Speaking of swag, the plushie Onion from the TOR vendor booth was a huge hit and highlight! 😀 Always eager to pass on giveaway ideas to the DarkOwl Marketing team and happy to report that they loved this too.

With all of the thought-provoking topics, trends, games, challenges and speakers throughout the week, the DarkOwl analyst team looks forward to diving into some of these topics and contributing to the research and conversation. The possibilities are endless! Make sure to sign up for emails to get the latest research first straight to your inbox. Looking forward to DefCon 32 already.


Interested in learning what our darknet analysts do for our customers? Contact us.

DarkOwl Review of Black Hat 2023

August 17, 2023

The DarkOwl team was happy to attend Black Hat USA in Las Vegas last week – another busy week in the books! Every year during the hot Vegas summer, information security professionals from around the world gather at Black Hat, collecting plenty of swag along the way, for one of the most internationally recognized cybersecurity event series focusing on the most technical and relevant information in security research. Black Hat is also known for a week full of insightful presentations, skill-enhancing workshops, product demonstrations, and chances for lots of networking. There really is something for every attendee.

This year followed the same trend, featuring an impressive lineup of training courses and presentations. These covered a wide array of topics, including: discovering new vectors to gain remote and root access in SAP enterprise software, using resources to defend non-profits, large language models, software supply chain risks, cryptanalysis, risks of AI risk policy, physical attacks against smartphones, cryptographic exploits and so much more.

DarkOwl Highlights

Members of both our executive team and our darknet intelligence analyst team attended to have meetings with clients, prospects and partners, as well as to make the most of walking the show floor and attending the talks throughout the week. You may have seen CEO Mark Turnage, CBO Alison Halland, or Senior Intelligence Analyst Steph Shample around!

The DarkOwl team remained busy meeting prospects and clients alike and showcasing our industry leading darknet platform, Vision UI, which allows users to search and monitor the most comprehensive darknet dataset. Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. 

With many current clients present, the DarkOwl team was able to spend time understanding how we can best optimize and elevate our current partnerships and how we can continue to provide the most value as their darknet data provider. The team also enjoyed some team bonding time, a nice plus when traveling to events with so much of the workforce remote! We look forward to the many more events all over the globe this year – you can check out where we are going to be next and request time to chat here.

Darknet Services

In the lead up to Black Hat, DarkOwl announced Darknet Services, our latest offering which allows customers to advance their darknet investigations and monitoring with DarkOwl analyst expertise. Our tailored, customizable darknet services enable customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence. Accessing and analyzing data from the darknet is challenging, even for the most experienced of analysts. DarkOwl is the darknet expert, with access to the largest database of darknet content.

Key features and benefits of DarkOwl’s Darknet Services include:

  • Comprehensive Darknet Visibility: DarkOwl’s extensive monitoring infrastructure constantly scans and indexes darknet, deep web, and high-risk surface net data, ensuring comprehensive visibility into evolving threats and malicious activity.
  • Actionable Threat Intelligence: Leveraging machine learning and human analyst expertise, DarkOwl transforms raw data into actionable intelligence, providing organizations with precise insights to identify emerging threats, assess risks, and enhance their cybersecurity posture.
  • Darknet Investigation Support: DarkOwl’s expert analysts offer enhanced support to organizations in investigating incidents related to the deep and darknet, providing critical insights into threat actors, their tactics, and potential vulnerabilities to a company, VIP or brand.

If interested in learning how we can be an extension of your team, contact us!


Interested in meeting with the DarkOwl team? See where we are around the world the rest of the year here.

RansomAWARE

August 15, 2023

With just a few keystrokes, a malicious actor can gain access to a network, determine the scope and worth of information available, and then steal and encrypt the data, preventing access to it. Organizations have hopefully prepared themselves for these kinds of cyber incidents, known as ransomware attacks, by having an up-to-date system backup from which they can restore data and continue operations. Despite business continuity suggestions and planning advice, backups are still not a regular practice, despite how common and how popular ransomware attacks have become in the past decade. Even from one year to the next, the ransomware ecosystem shows stealthier movement and larger impacts.

Ransomware’s explosion has been sustained for years. As tech advances, so do the actor tactics, techniques, and procedures (TTPs). Heading towards the final quarter of the year, it is imperative to explore the 2023 mindset of ransomware actors: They are pursuing “target rich, cyber poor” industries that will make them money by selling data, exploiting the victims they target, the partners and third-party services linked to the victims, and infiltrating supply chains. While double-, triple-, and quadruple- extortion practices are still around, actors are also adapting/changing their encryption processes to better emulate protective services such as anti-virus and file scanning software to blend in and provide no red flags to technical and cyber practitioners. This allows for a long-term, stealth presence in networks which facilitates lateral movement to collect as much information as possible. 

Ransomware is quickly evolving, and it is imperative to pay attention to its trends and to get cyber practitioners, government, law enforcement (LE), Computer Emergency Response Teams (CERTs), and other collective bodies to take strides towards prevention and disruption of ransomware groups. With the use of artificial intelligence (AI) and the internet of things (IOT) growing, the attack surface is larger than ever and must be addressed. Private and public partnerships (PPP) are one of the most effective ways to share intelligence and indicators of compromise (IOCs) to combat ransomware as the holistic problem it is.

Key Findings:

  • 2023 ransomware profits are up as of the middle of the year 
  • This profit margin is expected to increase 
  • Multi-extortion layers and techniques are more common, and this is expected to continue throughout all ransomware operations 
  • As groups are caught by law enforcement or shut down to preemptively avoid legal actions, they are recruited into other groups and share expertise, tools, and TTPs 

2022 Compared to 2023

Ransomware is a cybercrime phenomenon impacting organizations in every industry, large and small. Additionally, there is a “hacktivist” angle to ransomware incidents, accompanying the criminal faction. Fringe groups are using the easily available ransomware as a service (RaaS) market to procure simple ransomware kits and then launch attacks. The 2022 Conti leaks showed the world that ransomware organizations operate more like businesses than criminal groups: well-funded and organized. Furthermore, after Conti’s decline, more organizations are witnessing splinter groups and “copycat” actors working together to maximize the impact of spreading ransomware and to gain profit and data.

January 2023 saw the highest number of ransomware incidents ever reported for the month of January, with 33 reported incidents. The unreported incidents must also be considered: Organizations often choose to keep cyber incidents private, and malicious cyber actors don’t keep the most trustworthy stats and data. In July of 2023, data emerged demonstrating that 2023 is on track to be the most active ransomware year by reported incidents. According to some reviews, actors had already made ~$450 million up to June 2023, and are on track to make approximately $900 million if the rate of attacks continues through the second half of the year.

Ransomware incidents are expected to continue at a high pace, especially as hacktivists all over the world side with their chosen nation, government, or ideology and then proceed with the intent to attack organizations that differ from that ideology. This is in addition to technology trends like cloud computing and the IoT space increasing the number of access points and the overall attack surface, allowing malicious actors more opportunities to enter a network. Available payment data for 2023 also indicated that ransomware is the only criminal market that saw an increase in profit, while scamming, malware, and fraud operations all witnessed a decline in profit and revenue.

Changes in TTP: Extortion at Entry Level

Much like the cybersecurity industry changes and adapts to protect and defend, ransomware actors also change and adapt to remain effective and profitable. A focus on continued extortion techniques, higher profitability, and a surprising change to encryption practices all emerged in 2022 and 2023 and are expected to continue throughout 2023 and into 2024.

Traditional ransomware incidents involve unauthorized access to a system where actors steal sensitive data, encrypt it, and demand money from the victim for restored access. There is a new level of harassment implemented by ransomware actors, making their attacks multi-layered and more impactful: Extortion. 

Double, Triple, and Quadruple Extortion 

With double extortion, ransomware actors conduct a traditional attack and encrypt data. However, if an organization restores their data from a backup and does not pay the ransom, the actors then threaten to sell it on criminal forums, sell it through a bidding process, or permanently prevent access to the stolen data if there is no payment. This way, the reputation of the organization still suffers when it is revealed there was a security incident. Actors demand payment to keep quiet about the incidents if the organization can salvage data access on their own. 

As of June 2023, the 8base ransomware gang operated a prolific double extortion ransomware campaign. They listed victims from the legal, pharmaceutical, medical, agricultural, and many other sectors on their website:

Figure 1: Source: 8base ransomware’s onion site

Demonstrating the continued organizational efforts of ransomware groups, 8base also offers their contact information, a FAQ section, and a detailed rule section for their victims. This continues to prove the developing professional and organizational caliber of ransomware groups, which was previously revealed as Conti’s efforts and business acumen was detailed in 2022: 

Figure 2: Source: 8base ransomware’s onion site
Figure 3: Source: 8base ransomware’s onion site

8base’s operations reveal another trend: A pivot from procuring only personally identifiable information (PII) to going after blueprints, sensitive documents describing the physical layouts of buildings, and documents related to critical infrastructure and key resources (CI/KR). Ransomware is no longer just about getting and selling PII; now, more sensitive documents are stolen and sold on DDW forums. This is a hybrid security issue, both physical and digital. Ransomware gang Cl0p, which has made headlines in 2023 for penetrating hundreds of organizations, is also a prolific double extortion group.

With triple extortion, the same process occurs as above, with a third layer of extortion added: a distributed denial of service (DDoS) attack on top of the ransomware threat. The DDoS ensures an extra level of chaos and disruption of services while sensitive data is also stolen and encrypted. Ransomware groups Killnet, Avaddon, and DarkSide are some examples of triple extortion ransomware operators. Extortion became quite popular during the Covid-19 pandemic, and criminal forums on the dark web started to sell and offer extortion services and software to further ransomware operations.

A 2022 post on criminal market XSS offers triple extortion software for purchase: 

Figure 4: Source: DarkOwl Vision UI

Quadruple extortion entails everything above, with the addition that ransomware actors threaten to directly contact partners or other customers of the organization, threatening its reputation as well as adding the risk of legal action against the entity that was breached. BlackCat and the now-defunct DarkSide ransomware gangs were some of the noted users of quadruple extortion in their operations.

Stealers, RATs, and Ransomware 

Infostealers take information from web browsers, chat platforms, email clients, cryptocurrency wallets, and other applications. Similar to ransomware, they have exploded in popularity in the criminal underground. Like all malware, infostealers vary in capability, but they focus on procuring large volumes of personal data to sell, use, and reuse in malicious operations.

RedEnergy, a new Stealer-as-a-Ransomware technology, steals information from various web browsers while also facilitating ransomware activities. The entities behind RedEnergy use publicly available LinkedIn pages to target the oil, gas, and telecom sectors. After users click on a link that they expect to provide a typical browser update, RedEnergy exfiltrates data over FTP, and then encrypts the data and demands a ransomware payment. 

The combination of stealers and ransomware follows a similar combination of RATs and ransomware, which emerged in the wild in 2022. A September 2022 post on criminal market AlphaBay discusses how a RAT can be used as a triple threat in cyber operations: 

Figure 5: Source: DarkOwl Vision UI

A June 2023 post on criminal market XSS details the use of the ShadowVault stealer, which specifically targets Mac operating systems and works against Chrome, Edge, Brave, and other browsers:

Figure 6: Source: DarkOwl Vision UI

Cybercriminals are constantly evolving and combining malicious tools to procure as much information as possible from organizations while then attaching reputational damage onto the end of their operations by subjecting their victims to ransomware. The criminal underground forums facilitate the combination of tools and the advanced implementation of criminal processes to impart maximum damage to victims. 

As of July 2023, the financially motivated cybercrime group FIN8, active since 2016, is now using variants of ransomware in its activities. FIN8 originally targeted point-of-sale (PoS) systems, using malware built for PoS theft in the retail, restaurant, entertainment, and hospitality industries. Now, however, researchers have identified backdoors purportedly authored by FIN8. This combination of a general cybercrime group’s TTPs with ransomware demonstrates that FIN8 is dedicated to maximizing its impact and profit. The group also shows a continued dedication to remaining undetected and to updating and authoring its customized tools, all while dabbling in ransomware.

A Club IO post from September 2022, detailing FIN8’s possession of White Rabbit ransomware: 

Figure 7: Source: DarkOwl Vision UI

Reduction in Using Encryption 

Actors proficient in ransomware also know that encryption is a time-consuming process. Both encrypting the stolen data and then decrypting it, if and when the victim chooses to pay, are costly in resources and slow the flow of operations. For this reason, some ransomware groups are now practicing intermittent encryption, where only small portions of a file, rather than the whole file, are encrypted. Encrypting only select portions also helps evade security tools on a network. When only parts of a file are encrypted, the activity resembles legitimate software behaviour, and no flags or processes on the network stop it. In some instances, ransomware groups have completely forgone encryption. Karakurt, which emerged from Conti after the latter disbanded, commonly operates this way.
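As an added illustration (not code from the original post), the following Python sketch shows why intermittent encryption slips past a whole-file entropy check and how a defender can catch it instead: it scores each fixed-size window of a file separately and flags files whose windows alternate between plaintext-like and random-like entropy. The window size, thresholds and sample files are constructed assumptions, not values taken from any named ransomware family.

```python
import math
import random
from collections import Counter

CHUNK = 4096  # window size, a constructed choice; tune to the files you scan

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, reached only by uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(data: bytes, chunk: int = CHUNK, high: float = 7.5, low: float = 6.0) -> str:
    """'plain': no high-entropy windows; 'encrypted': every window is high-entropy
    (whole-file encryption, or natively compressed data such as zip/jpeg);
    'intermittent': high- and low-entropy windows interleaved, the signature of
    partial encryption that a single whole-file entropy score averages away."""
    ents = chunk_entropies(data, chunk)
    n_high = sum(e >= high for e in ents)
    n_low = sum(e < low for e in ents)
    if n_high == 0:
        return "plain"
    if n_low == 0:
        return "encrypted"
    return "intermittent"

def make_samples(seed: int = 0) -> dict[str, bytes]:
    """Constructed samples, not real ransomware output: a plain text document,
    the same document with every window replaced by random bytes, and a version
    with only every second window replaced, mimicking partial encryption."""
    rng = random.Random(seed)
    line = b"Quarterly report: revenue, site blueprints, vendor contacts.\n"
    plain = (line * (8 * CHUNK // len(line) + 1))[:8 * CHUNK]
    windows = [plain[i:i + CHUNK] for i in range(0, len(plain), CHUNK)]
    full = b"".join(rng.randbytes(CHUNK) for _ in windows)
    partial = b"".join(rng.randbytes(CHUNK) if i % 2 else w for i, w in enumerate(windows))
    return {"plain": plain, "encrypted": full, "intermittent": partial}

if __name__ == "__main__":
    for name, blob in make_samples().items():
        print(f"{name:12s} -> {classify(blob)} "
              f"(per-window entropy: {[round(e, 1) for e in chunk_entropies(blob)]})")
```

Natively compressed formats (archives, images, many PDFs) also contain high-entropy regions, so treat the "intermittent" verdict as a triage signal to correlate with mass file modification, extension changes or ransom notes rather than as proof on its own.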

Future Predictions 

When the pro-Russia Conti ransomware group suffered a leak in 2022, it revealed an organized group of actors operating very much like a business. Emerging ransomware groups are following this business-plan setup: establishing organized points of contact, liaisons between ransomware group operators and victims, authored rules of engagement, and stringent timelines. Researchers and everyone in cybersecurity were able to learn from the leaks and inform future cybersecurity tools and processes.

Conti’s internal chats, leaked by a disgruntled employee, revealed a professional setup replete with: 

  • Interviews to hire the right personnel 
  • Russian government involvement and funding 
  • Feature development (for both deploying and improving the effectiveness of their ransomware)
  • A control panel for monitoring Conti operations, victims, and payment status 
  • Templates for phishing emails to use in operations 

Not only are ransomware actors setting up formal, almost corporate-like operations, but they are also recruiting from now-defunct groups and sharing TTPs with one another to maximize the impact of their operations. Furthermore, there are segregated “branches” of ransomware. For example, some researchers and analysts deem Karakurt the “extortion” arm of ransomware, as that is Karakurt’s specialty.

In addition to ransomware operations continuing to focus on stolen personal information and data, automation and the advent of artificial intelligence (AI) are both expected to help ransomware groups further streamline their activities. Several ransomware groups already use scripts and automation to scan for vulnerabilities and entry points into a network; this allows ransomware efforts with few personnel and minimal resources to identify appropriate targets that can easily be turned into victims and earn them revenue with an attack.

Ransomware groups are also branching out from focusing purely on Windows operating systems and moving towards attacking Linux-based systems. This demonstrates a new sophistication when outlining attacks and identifying potential victims. Now that Linux-based operating systems are in the crosshairs, attacks can extend to both IoT devices and container orchestration platforms such as Kubernetes, greatly expanding the attack surface.

Conclusion

Ransomware is an efficient criminal operation yielding high profit for minimal work. Because of pseudonymous technology, such as the dark web for ransomware operations and cryptocurrency for payments, as well as email and VPN services that do not track physical location, ransomware groups will continue their activities: the risk of punishment is minimal, and the operations are profitable. The lack of prosecution, coupled with the growth of the attack surface, ensures continuous and robust ransomware operations. Critical infrastructure, academic, technology, and government sectors must all raise awareness and assist in protection from ongoing ransomware campaigns.
