Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack

The eCrime ecosystem is an active and diverse economy of financially motivated threat actors

engaging in a myriad of criminal activities to generate revenue. With the CrowdStrike eCrime Index (ECX), CrowdStrike’s Intelligence team maintains a composite score to track changes to this ecosystem. The ECX is composed of several key observables covering different aspects of criminal activity that are combined using a mathematical model. In recent weeks, the Intelligence team observed a notable shift in big game hunting (BGH) activity and tactics, techniques and procedures (TTPs) that resulted in a downward trend of the ECX. As noted in a previous CrowdStrike Intelligence blog, the intense attention surrounding the Colonial Pipeline and JBS incidents had a significant impact on the criminal marketplace and the political landscape. Get more Intel updates on the latest eCrime activity and TTPs at Fal.Con, our annual cybersecurity conference, Oct. 12-14 — register for free today.

ECX Suggests Downward Trend in Ransomware Operations Following Colonial Pipeline Attack

By the time of the Colonial Pipeline attack on May 7, 2021, observed BGH ransomware incidents had reached a yearly high. However, publicly observable BGH activity declined throughout early June 2021, immediately after the incident, amid reports of mounting U.S. pressure to pursue BGH actors. A similar decline was also observed in the number of specific leaks posted to adversaries’ dedicated leak sites (DLS). Despite the decline in the ECX, there has been sustained ransomware activity, likely indicating that a number of adversaries are remaining active despite the dismantling of other groups.

BGH Actor Developments

 

BGH adversaries responded to the Colonial Pipeline ransomware incident and the resulting widespread media coverage in many ways. Some named actors shuttered ransomware-as-a-service (RaaS) affiliate programs — at least publicly — while others have continued deploying ransomware.

CARBON SPIDER (operators of DarkSide ransomware) continues to create active command-and-control (C2) servers to deploy their Domenus PS backdoor and Cobalt Strike post-exploitation framework. The activation of new C2 servers demonstrates that CARBON SPIDER has not halted activities despite allegedly losing control of DarkSide-related infrastructure and having their ransomware funds seized by the U.S. government.¹ However, in late July 2021, CrowdStrike Intelligence observed a new ransomware called BlackMatter being distributed. Code overlaps indicate that BlackMatter is highly likely the successor of CARBON SPIDER’s DarkSide ransomware. CARBON SPIDER has also created a Linux version of BlackMatter that resembles the Linux version of DarkSide in multiple ways. After taking a short break, CARBON SPIDER reinstated their BGH operations involving this RaaS and have stated that they have an interest in purchasing and executing unauthorized access to corporate networks. RIDDLE SPIDER (operators of Avaddon ransomware) closed down their operations in late June. Earlier in June 2021, media sources allegedly received emails containing a password and links to 7zip files containing Avaddon ransomware decryption keys.² RIDDLE SPIDER’s DLS also went offline in June. While CrowdStrike Intelligence cannot confirm RIDDLE SPIDER’s motivations for closing down the Avaddon RaaS, the decision was likely influenced by the Colonial Pipeline incident and its resulting effects throughout the ransomware industry. GRACEFUL SPIDER had several members of their group arrested on June 16, 2021, by a joint international law enforcement operation.³ These members were involved in laundering cryptocurrency funds acquired through the use of GRACEFUL SPIDER’s Clop ransomware.