Fake Company Sheds Light on Ransomware Group Tactics


Ransomware groups seem to change form daily. In the latest news, the BlackMatter ransomware group announced it was shutting down – and just hours later came news that its victims were being transferred to the rival LockBit site.

This followed reports that Russia may or may not be cracking down on ransomware groups, which followed reports that the REvil group had its servers taken over by law enforcement. And in between all that one security company shared a BlackMatter decryption tool, which might have helped to hasten the group’s demise.

Although the form of ransomware groups seems to change quickly, you can assume they’ll always be back – and their tactics and threats will continue to get more aggressive.

Take the example of FIN7 – which, along with BlackMatter, deploys the Darkside ransomware used in the Colonial Pipeline attack and also manages Darkside ransomware as a service.


FIN7 Dupes Security Job Applicants

FIN7 is notorious enough that its tactics were the focus of a MITRE security test, so you can expect it to stay close to the cutting edge of cyber attack tactics.

One example was uncovered last month by researchers from Gemini Advisory, who revealed that FIN7 had created a sham cybersecurity company called “Bastion Secure” to lure security experts. The group published detailed offers on popular job boards and conducted multiple job interviews.

The goal was to make the victims run illegal penetration tests and ransomware attacks unwittingly.

FIN7 is a Russian-speaking criminal organization classified as an advanced persistent threat (APT). It goes by many names, such as JokerStash, Navigator, or Carbanak. Specialists describe these hackers as remarkably disciplined, working as a regular business, with normal schedules.

According to Gemini Advisory, they could have a billion dollars on hand after several years of service, making $50 million every month and employing managers, money launderers, and software developers.

They’re known for their credit card malware and phishing campaigns. They also update their tools regularly with more effective tactics. Now they seem more and more interested in the ransomware landscape.


A Fake Company that Looks Surprisingly Real

FIN7’s hackers built a website based on legitimate information provided by actual cybersecurity companies.

The Gemini researchers reported that the company appeared legitimate in many respects, such as:

  • job descriptions
  • practice assignments and job interviews
  • starting salary

They targeted specific profiles such as system administrators who know how to map corporate networks, locate backups and identify users within a system, which are critical steps in ransomware attacks.

Naming the company “Bastion Secure” was a pretty smart choice to gain legitimacy, as companies with very similar names, such as Bastion Security Products Ltd. or Bastion Security Group, are highly ranked in Google search results.

They even used credible addresses for the so-called office locations around the world and took the time to build a clean website with appropriate content by copying a legitimate company’s website. The FIN7 site is now flagged by Chrome and Safari as a deceptive site.

The cost of mounting ransomware attacks can be high. In addition, hiring from the dark web is not that easy and can turn nasty: applicants can be either untrusted mercenaries or undercover cops. In contrast, hiring real cybersecurity specialists ensures the success of the operation and limits unforeseen events.

In this case, the hackers turned the situation to their advantage, as starting salaries do not exceed USD $1,200 a month in post-Soviet states. Employees didn’t expect more than a monthly salary, so the hackers did not have to share the ransom proceeds with them.

It’s not the first time the group has used that trick: when law enforcement arrested three high-ranking members of FIN7 in August 2018, the group had been running a fake company called “Combi Security” that hired computer experts.

Fake vs real security company (source: Gemini Advisory)


IT Experts Missed Warning Signs

It’s easy to say in hindsight, but there were a few red flags that the most vigilant experts could have spotted. According to Gemini’s researchers, the job descriptions were particularly credible.

The recruitment scam included common steps such as job interviews, non-disclosure agreements, and test assignments.

However, in the last stages, the fake company gave real assignments with typical tasks used to prepare ransomware attacks, such as targeting domain administrators, locating backups, and attacking hypervisors. The fake employers provided access to compromised networks without any legal documentation (pretty unusual), along with specific tools to avoid detection.

The differences between a real pen test company and a criminal group can sometimes be subtle, but real companies do not focus exclusively on one type of attack. Their goal is to spot flaws in order to provide effective recommendations, and real companies take measures to keep all information confidential.

Real companies would not provide illegal assets such as anonymous bank accounts or bitcoin wallets to their employees as an escape strategy.

Besides, an employer who raises eyebrows every time you discuss the legal and ethical aspects during the job interview is a huge red flag. Asking those questions is a great way to escape the trap, as they’d likely cut off your application early.


Julien Maury
