This transcript was prepared by a transcription service. This version may not be in its final form and may be updated.
Kate Linebaugh: In the last couple of years, there’s been a huge surge of ransomware hacking attacks. Companies all across the US in different parts of the economy have been hit.
News announcer 1: A cyber attack forced one of the nation’s largest fuel pipeline operators to shut down operations. The ransomware attack hit Colonial Pipeline yesterday.
News announcer 2: Ransomware hackers are reportedly targeting computer company Acer demanding $50 million.
News announcer 3: The world’s largest meat producer canceled shifts at its US and Canadian meat plants on Tuesday after JBS said it was hit with a crippling cyber attack over the weekend.
Kate Linebaugh: These hacks are happening more often and the size of the ransoms is getting bigger.
Bob McMillan: It’s boom times for ransomware operators. It’s been gradually becoming the number one problem for cybersecurity. The Treasury Department says that ransomware is bringing in about $100 million a month in the United States.
Kate Linebaugh: That’s our colleague Bob McMillan, who covers cybersecurity. He says one of the biggest criminal operations in ransomware is a hacking group known as Fin7. And recently new details have emerged about how this group operates, in particular, how Fin7 has been trying to lure tech professionals to come and work for them.
Fin7 has been recruiting out in the open and actually much of how this criminal enterprise operates looks a lot like a regular tech company.
Bob McMillan: They’re using all of the same systems that we use here in Silicon Valley. It’s just amazing to me how they are this sort of dark mirror reflection of the legitimate technology industry.
Kate Linebaugh: Welcome to The Journal, our show about money, business, and power. I’m Kate Linebaugh. It’s Thursday, October 28th.
Coming up on the show, with ransomware booming, one prominent hacking group is recruiting tech workers in plain sight.
The hacking group Fin7 has been around for years. It started out in the business of hacking credit card information.
Bob McMillan: Well, Fin7 started by breaking into companies, stealing payment card information, and then selling that, and they made quite a lot of money doing it. They’ve been connected with more than $3 billion in financial losses, according to the Department of Justice. But that was a business that started to fade a few years ago as the industry just kind of took on this problem of credit cards being stolen and sold and made some changes.
Kate Linebaugh: To fight credit card fraud banks introduced new technology. They ditched the old swipe and sign cards and rolled out new cards with chips, which are more secure. This made credit card fraud a lot less lucrative for groups like Fin7. So Bob says last year, Fin7 did what a lot of companies do.
Bob McMillan: They pivoted. They re-branded themselves as a ransomware operator.
Kate Linebaugh: Ransomware, the big new trend in the hacking world.
The way a ransomware attack works is that hackers gain access to a computer system and lock it up. If the users want to get back into their computers, they have to pay a ransom. That’s why they call it ransomware.
At first, the ransomware groups were asking for small sums of money, but over time, the ransoms got bigger and bigger.
Bob McMillan: Everybody was making a lot of money. It was really obviously the future of cyber crime. And a lot of these older actors pivoted and sort of started doing ransomware because there was just so much money being made. The amount of money that you could ask for a ransomware hack, five or six years ago, it would maybe be a few hundred dollars, maybe a few thousand dollars, but the numbers just kept going up and up. It was hundreds of thousands of dollars and then it was millions of dollars and then tens of millions of dollars. So the profits were astronomical.
Kate Linebaugh: So who are the biggest groups in ransomware?
Bob McMillan: So you have Ryuk, famous for hitting hospitals. You have REvil, the entity that took out JBS Foods, and you have Fin7.
Kate Linebaugh: Because Fin7 is a criminal enterprise, getting a clear look at how it operates can be tricky. But based on court documents, federal prosecutors, researchers, and Bob’s reporting, here’s what we know. Fin7 ramped up its ransomware operation last year, first by doing its own attacks, and soon after it launched a new business line.
Bob McMillan: They started developing their own version of ransomware. And at first it was just something they used themselves, but by November of 2020, they started marketing it. They started producing it as a software as a service.
Kate Linebaugh: Like enterprise software?
Bob McMillan: Well, not enterprise, it’s criminal software, different category.
Kate Linebaugh: Fin7 had decided to take its ransomware software and start offering it to other hackers. It packaged it under a brand called DarkSide.
So now other criminal groups could use DarkSide for their own ransomware attacks, and Fin7 made money by taking a cut of the ransoms.
Bob McMillan: So it was basically, they started saying like, “Hey, this DarkSide software that we’ve been making all this money with can be yours too. And all you have to do is go to our friendly DarkSide portal and enter some credentials and we’ll give you access to it. And you can start your whole ransomware campaign. You can decide whether you want to infect Linux or Windows machines. You can decide how much Bitcoin you want to charge people, or maybe you want to charge them Monero, another digital currency.”
It’s basically like this web-based interface to run crime out of.
Kate Linebaugh: This business model had another appeal.
Bob McMillan: An online service like that is scalable. We already see companies get great valuations for building software as a service in a scalable way in Silicon Valley, and they’re basically just doing the same thing, but in the criminal world.
Kate Linebaugh: Offering DarkSide software to other criminal groups was a breakthrough for Fin7.
Bob McMillan: To me, it kind of reminds me of like in the tech industry, when we went from the PC to the mobile phone. It’s like, “Oh, it’s a paradigm shift. Only the nimble will survive this kind of thing. You have to change your business model and get with the new ways.” And that’s exactly what Fin7 did.
Kate Linebaugh: Fin7’s licensing move worked. Other criminal groups were snapping up DarkSide for their own attacks. US officials have said DarkSide was behind this year’s attack on Colonial Pipeline. And to keep up with all this new business, Fin7 needed more people, the same kind of people that legitimate tech companies hire.
Bob McMillan: They have to have a technology platform. They have to have computer servers that are up and running. They have to have software development people. They have to have the geeks building the ransomware. They have to have cyber security experts, people who can hack into companies, and for them to put the ransomware on the networks. They even have media relations people because part of what they’re doing is building a brand. When you get hit with ransomware, you want it to be a trusted ransomware brand so that you know that if you give them $11 million, they’re actually going to give you a key to decrypt all of your ransomware. They have to have just sort of management people who are on top of all of this.
Kate Linebaugh: But criminals can’t just recruit talent by putting a listing on a job site saying, “Come hack for us.” Or can they?
With Fin7’s operation booming, the group needed more people. Criminal hacking groups like Fin7 usually recruit through the dark web. There’s a handful of forums where they can go to find skilled workers willing to do criminal work. But recruiting on these forums is getting harder.
Bob McMillan: These forums are increasingly filled with law enforcement and with intelligence researchers who are trying to learn about the ransomware groups and so there’s a sense like you can’t trust the criminals you meet online in these forums, because they might be law enforcement or they might disclose your methods to the public.
Kate Linebaugh: So Fin7 had to get creative about how to find more workers. And it’s resorted to a tactic that’s actually a lot less covert, advertising jobs on the open internet. Researchers at Microsoft and an intelligence firm called Recorded Future both identified this new tactic. What they found is that Fin7 had started recruiting in the open. It was putting run-of-the-mill IT positions on legitimate Russian and Ukrainian job boards, but it wasn’t posting these roles under the Fin7 name. They were posted for a company called Bastion Secure.
So can you tell us about Bastion Secure?
Bob McMillan: Well, Bastion Secure is a public facing website designed to look like a security company, which is actually run by a criminal organization, according to Microsoft and Recorded Future. It’s a website that parrots a lot of legitimate information, or legitimate looking information. The text of the website is taken from the text of a legitimate British cybersecurity company. So all the verbiage that you see there, the names of partnerships that they have, it all looks legitimate, because it’s really taken from a real security company site. The name Bastion Secure is one that is used by a number of companies that are all somewhat security related.
And the point of this is that so if you say, “Oh, Bastion Secure, is that a legit company or not?” And you Google it, something will come up and it will look as if it’s legit.
Kate Linebaugh: This legit looking website had a similar listing to the ones posted on the job boards.
Bob McMillan: They say it’s going to be a Monday to Friday job, nine hours a day, with lunch breaks included. If you see a job posting that’s advertising this and you were to look at this website, you’d think, “Okay, this is potentially a legitimate site.” There’s nothing on the website that flashes ransomware hacking group. You know what I mean? I think that’s the point of the site.
Kate Linebaugh: Researchers told Bob that having a site like Bastion Secure might help these criminals attract better talent at a lower cost than they could on the dark web. And there’s evidence that at least one job seeker fell for Fin7’s ruse. Researchers from Recorded Future spoke to a Russian-speaking man who found one of Bastion Secure’s job postings and decided to apply. The man said Bastion Secure’s hiring process seemed pretty unorthodox.
Bob McMillan: Going through the job seeking process there were a few red flags. The first of which was this company didn’t want to meet face to face or even talk on the telephone. So there are no voice interactions that happened. It was all through encrypted messaging chat, two programs called Telegram and Talks. So it’s weird when you’re looking for a new job and the employer doesn’t want to talk to you.
Kate Linebaugh: From there, things only got stranger.
Bob McMillan: At one point, this company Bastion Secure asked him to connect to something they referred to as a client, but they didn’t offer any evidence that it really was a client. And they asked him to run some software on this client’s network and the software was doing the kind of things that you would want to do if you were a ransomware operator.
Kate Linebaugh: Gradually this job seeker started to suspect the recruiting assignments weren’t related to security work, but to illegal hacking. He shared the software he’d been given by Bastion Secure with researchers at Recorded Future. And when they looked at the software, they linked it to Fin7.
What does it say to you about these big ransomware groups that they’re recruiting more publicly?
Bob McMillan: The most interesting part about this story is the fact that cyber criminals, people you think of as people who hide in the dark corners of the internet, are actually for a variety of strange reasons being forced to go out into the open.
When we talk about cyber crime or criminals, we have these ideas in our minds of what they are, of somebody wearing like a hoodie sitting at a keyboard, and that’s completely ridiculous. The people that are doing this are geeks and they operate like geeks. The more you think about this as a business, as a tech business, the more everything makes sense.
Kate Linebaugh: That’s all for today, Thursday, October 28th. The Journal is a co-production of Gimlet and The Wall Street Journal. If you like our show, follow us on Spotify or wherever you get your podcasts. We’re out every weekday afternoon.
Thanks for listening. See you tomorrow.