Security researchers penetrate structure of ransomware group

[German]Security researchers from CyberNews have managed to apply for a job with a ransomware gang that works on a division of labor. During the interviews, some details about their work processes were revealed, which the security researchers have now documented.


CyberNews has sent me the information a few days ago – thought it made a nice Sunday topic. It’s about how a CyberNews expert managed to penetrate the structures of the Ragnar Locker ransomware group. The expert went undercover and was invited to a supposed job interview. 

(Source: CyberNews)

The folks at CyberNews write that ransomware groups are now trying to fill their “manpower shortage” by recruiting new members on hacker forums frequented by experienced and aspiring cybercriminals alike. But cybercriminals aren’t the only users hanging out there – because security researchers also hang out there.

In June 2020, while gathering information on a popular hacker forum, people came across a strange recruitment ad that appeared to be posted by a ransomware group. In order to gain valuable insights into the ransomware group’s structures and prospects, the security researchers decided to pose as a Russian cybercriminal and responded to the said ad.

To great surprise, the security researchers were invited to a private qTox chat room for an “interview.” Those present with individuals claimed to be associated with a notorious ransomware group. Also present were hackers, the threat actors who had allegedly been responsible for running an offshoot of the ransomware gang for more than 10 years. During the alleged recruitment interview, the group revealed quite a few things.


(Source: CyberNews)

The ad lured with the fact that if the partner accepted the offer, he would receive up to 70-80% of the successfully paid ransom, while REvil itself would collect the other 20-30%. Above picture shows the offer in question, those who make more than one million US dollars per week in ransom payments will get 80% participation. But the undercover people were not sure to really negotiate with members of the ReEvil group (it could have been an undercover action of law enforcement).

To prove that the job posting was legitimate, the ransomware gang recruiters publicly deposited $1 million worth of Bitcoins into their forum wallet. From then on, security researchers were convinced to negotiate with the cyber criminals. When asked, “Are you guys gangsters?” the response was “No, we’re Russians.”

Surprisingly, having the right skills and experience was only part of the application process. The Ganz recruiter insisted that potential partners also had to be native Russian speakers. To weed out impostors in this area, interviewers wanted to establish the identity of candidates by quizzing them on Russian trivia. This included Russian and Ukrainian history, as well as folk/street knowledge that “can’t be Googled.” 

The security researchers were probably persuaded, as the interviewers revealed many details. For example, one heist netted the five people involved $2.5 million. The whole thing was conducted in Russian, the security researchers then published the whole thing in English in this blog post. More dDetails can be read here.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *