ITSPmagazine Podcast Network

Reconstructing the Organizational and Social Structure of a Ransomware Gang | A Black Hat USA 2024 Conversation with L Jean Camp and Dalya Manatova | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this Chats on the Road episode of the On Location with Sean and Marco podcast series, hosts Sean Martin and Marco Ciappelli dive into the business-like operations of ransomware gangs with their guests, L Jean Camp and Dalya Manatova. Discover the hidden organizational structures and nuanced social dynamics that make these cybercriminals so effective in their illicit activities, and learn how this research can transform our approach to cybersecurity.

Episode Notes

Guests: 

L Jean Camp, Professor, Luddy School of Computing, Informatics, and Engineering, Indiana University [@IUBloomington]

On LinkedIn | https://www.linkedin.com/in/ljean/

At BlackHat | https://www.blackhat.com/us-24/briefings/schedule/speakers.html#l-jean-camp-37968

Dalya Manatova, Associate Instructor/Ph.D. Student, Luddy School of Computing, Informatics, and Engineering, Indiana University [@IUBloomington]

On LinkedIn | https://www.linkedin.com/in/dalyapraz/

At BlackHat | https://www.blackhat.com/us-24/briefings/schedule/speakers.html#dalya-manatova-48133

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this Chats on the Road episode of the On Location with Sean and Marco podcast series, hosts Sean Martin and Marco Ciappelli engage in an insightful conversation about the intricacies of modern cybercrime, specifically focusing on ransomware gangs. The discussion revolves around the research conducted by their guests, L Jean Camp, a scholar specializing in the economics of security and privacy, and Dalya Manatova, a PhD student studying security informatics and the organizational social dynamics of e-crime.

The episode explores how ransomware gangs, such as the notorious Conti group, operate much like legitimate businesses. These criminal organizations exhibit structured hierarchies, recruit testers who may not even realize they are part of an illegal operation, and employ professional negotiation tactics with their victims. The guests emphasize that the threat posed by these gangs is often misunderstood; rather than facing advanced government operations, most individuals and organizations are dealing with commoditized cyber-attacks that follow business-like procedures.

Jean and Dalya share intriguing details about their methodology, including the linguistic and discourse analyses used to map out the relationships and organizational structures within these criminal groups. These analyses reveal the complexities and resilience of the organizations, shedding light on how they maintain operational efficiency and manage internal communications. For instance, the researchers discuss the use of jargon like “cat” to refer to crypto wallets, a nuance that highlights the challenges of interpreting cybercriminal chatter.

Additionally, the conversation touches on the implications of these findings for cybersecurity practices and the broader business landscape. Jean notes the importance of information sharing and understanding the flow of chatter within and between criminal organizations. This awareness can empower defenders by providing them with better tools and methods to anticipate and counteract these threats.

Overall, the episode provides a comprehensive look at the sophisticated nature of ransomware gangs and the importance of interdisciplinary research in understanding and combating cybercrime. The session mentioned in the episode, "Relationships Matter: Reconstructing the Organizational and Social Structure of a Ransomware Gang," is slated for Wednesday, August 7th at Black Hat, promising to offer more extensive insights into this critical issue.

____________________________

This Episode’s Sponsors

LevelBlue: https://itspm.ag/levelblue266f6c

Coro: https://itspm.ag/coronet-30de

SquareX: https://itspm.ag/sqrx-l91

Britive: https://itspm.ag/britive-3fa6

AppDome: https://itspm.ag/appdome-neuv

____________________________

Follow our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllRo9DcHmre_45ha-ru7cZMQ

____________________________

Resources

Relationships Matter: Reconstructing the Organizational and Social Structure of a Ransomware Gang: https://www.blackhat.com/us-24/briefings/schedule/#relationships-matter-reconstructing-the-organizational-and-social-structure-of-a-ransomware-gang-39725

An Argument for Linguistic Expertise in Cyberthreat Analysis: https://www.researchgate.net/publication/372244795_An_Argument_for_Linguistic_Expertise_in_Cyberthreat_Analysis_LOLSec_in_Russian_Language_eCrime_Landscape

Building and Testing a Network of Social Trust in an Underground Forum: Robust Connections and Overlapping Criminal Domains: https://www.researchgate.net/publication/371353386_Building_and_Testing_a_Network_of_Social_Trust_in_an_Underground_Forum_Robust_Connections_and_Overlapping_Criminal_Domains

Usable Security Lab: https://usablesecurity.net/

Learn more about Black Hat USA 2024: https://www.blackhat.com/us-24/

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Marco  
 

Marco Ciappelli: Sean. Is  
 

Sean Martin: that better than the vroom vroom?  
 

Marco Ciappelli: Better than vroom vroom? Yeah, it's more realistic because we're not driving to Las Vegas. It is more realistic. I think it's clear by now, uh, with all the pre event, uh, chats on the road that we've been doing. But we're not changing the name. It's still named Chats on the Road because that's how it started and that's how it's going to be. 
 

So it's not going to be Chats on the Cloud. Although, it could work. Okay.  
 

Sean Martin: Well, I'm excited for this conversation. Let's ride some lightning. Hopefully not. I'm excited. I know. What are we talking about today? This is a cool, uh, a cool topic. Um, and it's one where it pretty much describes how, why we started ITSPmagazine, where we're bringing the human element, the social element, the technology, stack, you like the word stack?
 

So, uh, I'll bring that in there. But we bring it all together and, and of course, some of the other conversations we had with some folks [00:01:00] from, uh, that are speaking at Black Hat, we're looking at economics of things. And, uh, the national political state of things, both from, from, uh, an adversary perspective and a government's readiness perspective.
 

And, and this particular talk is about, uh, ransomware gangs and the fact that Guess what? They're humans, too. And guess what? They're organized, just like many other businesses and, and our two guests have been doing some research on one gang in particular, and probably broader beyond that we're going to find out today. 
 

And what do they look like as an organization? And what's their structure? How do they function? Are they efficient? Do they care about the same things that the, uh, business practitioners and people protecting our society care about and that's, we're going to find out. So anyway, I'm done talking, uh, Dalya and Jean, Jean and Dalya, thank you so much for joining us today.
 

L Jean Camp: Thank you [00:02:00] for, thank you for your interest in our work. We're really excited to have a non academic audience, the ability to have an impact is exciting. 
 

Dalya Manatova: Yeah, thank you so much for having us.  
 

Marco Ciappelli: Yeah, it's, uh, it's interesting, especially for someone like me that has been dealing more with the political science and sociology of things for many years, and then Sean dragged me into cyber security. So I'm not the technical guy, but more and more, as Sean said at the beginning, we discover that, uh, things are real just because there is the word cyber attached to it doesn't mean that it's real. 
 

All virtual or an existent or in this case, not those, uh, Old school hacker, cyber criminal working alone in a, in that famous or infamous garage at this point or in the basement of their parents. So, um, this is interesting to, to shed a light on how we're [00:03:00] really facing criminals and not criminals. 
 

Something out of this world. So I will start with you introducing yourself a little bit. So to prove that you are also real, and we'll start with Jean and then Dalya, and then we can dive into the conversation.
 

L Jean Camp: Well, I'm Jean Camp. I work mostly in economics of security and privacy, and my interests tend to be where the human meets the keyboard and the keyboard meets the network.

Dalya?
 

Dalya Manatova: Um, I am Dalya Manatova. I am a PhD student. Uh, Jean is my advisor. I am studying informatics, security informatics, and I'm interested in organizational social dynamics of e-crime, but also specifically what are the computational methods that we can use to trace those [00:04:00] organizational social dynamics.
 

Marco Ciappelli: Okay, so let's dive in. What, what did you find out? Who, who did you target?  
 

L Jean Camp: So one of the, one of the things we hear so often is ransomware as a service, ransomware as a, you know, as a commodity. And what does it mean that these, these particular attacks become commodities? I suppose spam is the ultimate commodity, right?
 

It's just spam and DDoS was this very customized thing, phishing was customized, and it follows a path and becomes a commodity and like you said, you know, the hacker, either in the basement or in the secret government facility. It's got a big hoodie. You know, like [00:05:00] you can't tell what they're going to do. 
 

Be very suspicious. I would say one of the, the big takeaways is think about this as a business. You are probably not facing an incredibly targeted government operation that's just focused on you. That is very unlikely. You are, how, how do you think about attacks once they become commodities? How can that change your conception?
 

And we want our presentation to be both empowering, so that you walk away as a defender, perhaps feeling a little less, uh, terrified. Because probably, you know, if you're laundering money, yeah, the [00:06:00] North Koreans are coming after you. But most of you, most of you aren't. A way to think about the threats, evaluate the threat monitoring services you're getting.
 

And here are a set of tools and methods that can help you to understand these attackers. Now, Dalya is doing the core of the methodological presentation. So if you could just give a quick presentation of the sets of tools you're, you, you'll be using and presenting?
 

Dalya Manatova: Yeah. So, um, as Jean mentioned, those, those, those, the e-crime as a commodity, uh, becomes a business, right?
 

And we can actually look at those group of businesses and we can refer to the science of organizations, how they [00:07:00] organized and how they collectively bring those actions together and they build resilience. And we refer to those theories of resilience of organizations and how organizations build relationships between members. 
 

And we actually can, um, can use methods to sort of extract and map those, um, markers that show that the relationship is building, um, based on those theories. So we, we actually look at the text, we do this like linguistic and discourse analysis to extract those potential relationships. And there's a way to actually model not, not just relationships, but in general, the dimensions that make organizations so successful in terms of their resilience. 
 

And yeah, one of the examples we'll look at is Conti, the major ransomware group, which was disrupted, but still as a, as a collective action as a group of members still exists and actually existed long before [00:08:00] it became Conti. They started back in 2014. So we, um, just it was this internal chat leaks, we can sort of show how it could be done. 
 

Sean Martin: Interesting. And are you, are you able to, cause Jean you mentioned ransomware as a service and then that they're also a business. And just like most other businesses, we, we have our core capabilities that we kind of hold dear, and that's our secret sauce as a business. And we invest heavily in that. And then some of the, I'll say mundane operational stuff we might outsource either to a service provider or an online cloud based service. Are you finding that these gangs are doing similar things?
 

L Jean Camp: I don't let Dalya follow up on this because she has some very interesting results and I think this aligns with [00:09:00] what we've seen where people get recruited and they literally don't know they're working for an e-crime organization. Of course, the difference here is when they're doing customer identification, also known as victim or target identification. Uh, you don't want to become a customer. You don't want to experience their expertise. So we are offering a way of reconceptualizing advanced persistent threats as resilient, mature e-crime organizations. And the people who come to Black Hat, they are going to have, you know, they're, they're incorporation.
 

Some of them are entrepreneurs, many, they're going to have better kind of business intelligence and marketing sense than, you know, that kind of intelligence [00:10:00] than we bring to the floor. What we're doing is offering them new ways to use the tools and their understanding of the I suppose legitimate or legal business world and saying you can turn this and use it for threat analysis. 
 

But yes, their task list is your attack chain. So do you want to talk about our task breakdown?  
 

Dalya Manatova: Um, yeah. So it's, it's pretty much like a business model, a business process processes. There's target identification where you do all the research. They actually use a lot of OSINT tools. Uh, they do research on the, on the profit making of different victims.
 

And there's also like development, uh, core, the development, actual malware product where a lot of testers are recruited. And some of [00:11:00] the testers don't even know that they've been recruited for, um, illegal group or illegal company. And some of the testers do know, and they actually aspire and aspire to become more than just testers, but.

It's an interesting case, I think, right, Jean, that the testers are quite, uh, weakest link, but also, uh, getting a lot of code and a lot of products that, um, they, they need to test on different, uh, platforms and networks. And there's also, um, an, after that, there's a whole preparation in, to, for the attack, and then essentially, executing the attack itself and then this negotiation and, um, talking to the victims and have this like a whole victim support, um, infrastructure, the whole chat and the whole, um, processes for transferring money back to the group.
 

Marco Ciappelli: Well, victim support. [00:12:00] I love that. So yeah, let's talk about it. So they actually going to say, okay, we got you. But don't worry. We're here for you. We're going to help you out as long as you pay us, which brings me also to us. The next and connected question is we have this conversation before I've talked about with people on how these companies because they're real companies, cybercrime companies are actually marketing themselves. 
 

They have a brand to respect in the dark web. So they also need to deliver if they say they're going to give you the, uh, your stuff back after you pay, they need to do it. Otherwise they don't have that respect or that integrity. It's hard to use this word in this conversation, but integrity to keep doing the business the way they are. 
 

So the support, I'm intrigued by it. Can you, can you tell me more [00:13:00] about it?  
 

Dalya Manatova: Yeah, they want to make sure like they have actual professionals in their area to negotiate with the victims. Um, well, they, like, they set up a price that the victim's supposed to pay, but then also they try to ease this pressure and say, you can Google us, we're a pretty famous group. 
 

Uh, other victims just paid and it was pretty smooth. So just follow instructions, everything's going to be great and just don't panic. We'll give you this time. If you need more time, let us know. So it's, it all does seem like a customer support, except this is actual victims.  
 

Marco Ciappelli: Do they actually give I don't know vouchers for the next random ransomware where they get a discount  
 

L Jean Camp: I don't think it's a card punch situation. 
 

I don't think anybody wants Conti points.
 

Sean Martin: That's right A  
 

Marco Ciappelli: credit card. Yeah, Sean, you [00:14:00] go get tech. Yeah, because I'm like all over the business here.
 

Sean Martin: Well, actually, I want to, I'm going to bring this out a bit, um, because it is interesting, but I don't want to get too deep and give away too much from, from the talk. 
 

So I want to step back a little bit and, and maybe start with you, Jean, on kind of your view of how this fits the bigger picture of cybersecurity and you mentioned the economics there again. So there's, there's the economics of them creating a business that's profitable and having a market that they can target and make some money from.
 

Then there's the, the defense part of it, where the whole economics of that, how much, how much money do we make and how much of that should we be spending to protect ourselves so that we don't go out of business. So how, how does this research kind of help you look at that bigger picture of economics? 
 

L Jean Camp: One of the large questions in both [00:15:00] computer security and economics. And you just said it, how much you give away. How much information do you share? Who do you share information with and what information do you need? So even minimal information sharing. I think that it is critically important. So if you, you have, suppose you have a forum monitor and you're paying for monitoring your own company.
 

Is anybody mentioning you, is anybody mentioning, you know, Sean Martin? No, I'm sure they're not. I'm sure you're fine. Uh, but if they do, is it, uh, as Dalya said, a tester who literally doesn't know that they are working for criminals and is just, oh, I want to see this, this podcast, or is it someone who's much more deeply embedded in the organization [00:16:00] who is talking about you matters.
 

The existence of chatter is not as critical as understanding how it is flowing in an organization. And there is a, you know, sometimes you can do, you can do well by being nice. So you may also, because you know your own business landscape, you know who your major competitors are. You know who is similar to you.
 

And you can look for them also. So look at, what is it, MGM and Caesars. Yeah. If MGM had known about Caesars, maybe they could have avoided the situation. Are you a sector that's under attack? So if you think about it as just part of your business landscape. So we have logistics we have to deal with. We have to watch what our customers are doing in the marketplace, their [00:17:00] ads and their pricing. You also have to think about this as part of a marketplace where you're part of an industry sector. You are not just, you know, the person alone in the woods with the bear.
 

So, did that, did that answer your question?
 

Sean Martin: Yeah, absolutely  
 

Marco Ciappelli: Well, I have one, one, one more question for, for Dalya. So you study like the social dynamics of, of this, um, like complex organization. And there is literally hierarchical level and connection. And then can you tease a little bit about something interesting people will discover when they come to see your presentation there.
 

Dalya Manatova: Yeah, so there's definitely some sort of [00:18:00] hierarchy. If we look at just, um, like one on one patterns of communications, we can see there's like, uh, definitely some people are super connected. So we can infer, oh, there's some sort of a management for those few people. But that's just a sort of a tip of an iceberg. 
 

Yeah. But if we look at the linguistic markers in those conversations, we can start inferring this afforded relationship between people, especially if you look at the different types of languages, they have this different types of addressings or different linguistic markers that show that I am talking to someone for perceive as a boss, or even in the conversations when you don't see reciprocity of small talk, or there's no reply, it could give us certain the level of, um, confidence that this is a person. 
 

Um, there's a power dynamic where the person is talking to his subordinate. So all of this sort of adapt, um, adds up to this [00:19:00] confidence interval that we calculate for authority or different types of relationships. And it shows us a more nuanced hierarchy than just looking at this like, um, social graph or network statistics. 
 

So, Yeah, does that answer your question?  
 

Marco Ciappelli: Yeah, I know. And of course, you're able to do this because you read in Russian, you're, you can see all the nuances of the language that you're really doing a psychological analysis there as well. It's, it's more like a linguistic  
 

Dalya Manatova: analysis of the language, but hopefully in the future we can develop into more automated methods to do that. 
 

L Jean Camp: So one of the joys of working with Dalya is seeing this nuance and understanding what we've been missing. So I, our, our own lab is very pro cat. We're not anti dog. We just [00:20:00] all have cats. So again, you look at Conti, they talk a lot about their, the cat and, and dealing with the cat. Um, so Dalya came in and, and explained to us that, that these were just not actually, you know, kitty lovers.
 

That was, that was fun looking at the NLP failures. So what are they talking about when they talk about the cats, Dalya?
 

Dalya Manatova: Um, yeah, they just, they use the, like a jargon word for a wallet, crypto wallet. And it happens to be that it, um, has a resemblance with the root for the Russian word cat. And by, uh, translation, machine translation, NLP sort of catches it as a cat. 
 

It's, um, out of context, completely wrong, but also because the conversations are very short and they, it's part of the routine. They just tell each other, Oh, what about the cat? Where's my cat? [00:21:00] But it actually means like a crypto wallet.  
 

Sean Martin: I guess I could see where that would come up quite a bit. Actually, where's my money? 
 

Ah, super interesting. I'm sure there's a lot of lot of nuanced findings in there. And, and I'm sure you're still uncovering stuff as you continue to dig in. And kudos to, uh, you, Jean, and the university, Indiana University, for, uh, putting that together and allowing the, the team to, uh, do this work to find these, find these findings.
 

So the session is Relationships Matter, Reconstructing the Organizational and Social Structure of a Ransomware Gang. That's on Wednesday, August 7th at Black Hat, of course, 2:30 to 3:00, and, uh, I'm excited to see the session, and, uh, I'm, I'm tired of waiting. I want to hear, I want it now, but we'll wait for that session.
 

L Jean Camp: Well, we look forward to seeing you there.  
 

Marco Ciappelli: Yeah, I'm [00:22:00] actually very excited because a lot of these pre event chats, they end up presenting a lot less technical and a lot more sociological and, uh, socio political, and I'm thinking like other conversation we had, aspect of what cybercrime is, but also what cyber security now is about, which is very different from 10, 15 years ago.
 

And, uh, I'm very, very excited about all of these. And I don't know if I can hit them all, but there is many, many presentation I want to see. And I'll definitely do my best to see yours.  
 

Sean Martin: Yeah. And what's cool, Marco, there are many like this. So, uh, I mean, I don't know how many we've recorded, but the very few of them are deep technical stuff. Of course, there's plenty of that too. Yeah, exactly. But, uh, yeah, I'm, I'm [00:23:00] thrilled to see that Black Hat has these types of conversations because I think this up level view, uh, can give us some really good insights into how we approach this space moving forward. So Jean, Dalya, thank you so much.
 

And, uh, everybody listening and watching. Thank you for joining us and be sure to catch their session Wednesday, the 7th, 2:30 to 3, Black Hat, Las Vegas. We'll see you all there. Thanks everybody for listening. Stay tuned. There's more Chats on the Road coming to you. And of course, all the On Location stuff when we, when we get to Vegas soon.
 

L Jean Camp: Thanks so much.  
 

Dalya Manatova: Thank you.