The R Word: Retelling the Recent Rise and Resurgence of Resilient Ransomware-as-a-Service Operators

SANS Ransomware Summit 2022 Speaker: Jono Davis, Senior Analyst, PwC Global Threat Intelligence Team The Ransomware threat landscape has evolved markedly since the first big "players" entered the scene in 2019. 2022 has seen a continuation of the themes of 2021, where the Ransomware-as-a-Service (RaaS) market has dominated both discussion in the security community and mainstream headlines. In this presentation, we will talk about the most infamous Ransomware-as-a-Service (RaaS) operator of 2021: BlackMatter/Darkside: a threat actor PwC's threat intelligence team tracks as White Apep. The group has become infamous for its resilience, having undergone multiple rebrands in the face of operational crackdowns by US law enforcement. We also present evidence that supports the theory that the operations of White Apep have continued in the form of a new RaaS known in open source as BlackCat, or ALPHV-NG; with the operator of this affiliate program tracked by PwC as White Dev 101. We present these findings as a unique case study of advanced and successful techniques, tools, and procedures (TTPs), alongside an affiliate program that has proven to be difficult to eliminate. This session is a chance to expose how the ransomware itself evolved as it became necessary for White Apep: and then potentially White Dev 101 to alter the binary so as to maintain its corner of the RaaS market. We will detail the elements that we assess are unique features of the ransomware codebase, which allow us to draw similarities between BlackMatter and BlackCat, as well as those features that are more common to other ransomware binaries. In doing so, we hope to provide useful information for both technical and strategic analysts when it comes to the tracking and analyzing of RaaS binaries, as well as the pitfalls of common TTPs that could be misread as unique. View upcoming Summits: http://www.sans.org/u/DuS Download the presentation slides (SANS account required) at https://www.sans.org/u/1iaE