Breach
2023
Cyber sleuths reveal how they infiltrate the biggest ransomware gangs
Incident Details

When the AlphV/BlackCat website went offline this month, it gave cybersecurity defenders an early holiday gift, creating a buzz that law enforcement may have taken down a notorious cyber criminal gang. The excitement was short-lived: the website resurfaced after five days, appearing to be in worse condition than before, with new victims already listed. Although the ransomware group attributed the outage to a "hardware issue," doubts linger about law enforcement involvement.

While it is uncommon, seeing a ransomware group dismantled by authorities is always a welcome event. What is even more unusual is gaining insight into the infiltration tactics used during such takedowns.

Having marked its 20th year in the cybersecurity sector, Singapore-based Group-IB has conducted numerous incursions into various ransomware groups and their affiliates, with exact figures kept confidential. Before law enforcement seized control of Hive earlier this year, Group-IB's researchers had been inside the group since 2021, posing as affiliates to observe its operations and gather insider information. In 2023 alone, they infiltrated affiliates of Qilin and farnetwork, building on a track record of similar operations over the years, although specific incidents have not been widely publicized.

The threat intelligence team at Group-IB discussed with The Register how it consistently gains access to cybercriminal organizations and the extensive effort each operation involves.

Incident

How Did the Breach Happen?

Researchers from Group-IB gained covert access to ransomware groups and their affiliates, posing as affiliates in order to study their activities from the inside.

What Data has been Compromised?

The details regarding the specific data that was exposed in this security breach have not been disclosed in the available information.

Why Did the Company's Security Measures Fail?

The details do not explain the reasons behind the failure of the company's security measures.

What Immediate Impact Did the Breach Have on the Company?

The information does not specify the immediate consequences of the breach.

How could this have been prevented?

Specific prevention methods for this breach are not specified in the information.

What have we learned from this data breach?

The infiltration gave cybersecurity defenders insight into the techniques used by ransomware groups and their affiliates, which in turn supports better incident response and mitigation practices going forward.

Summary of Coverage

Group-IB researchers infiltrated ransomware groups and their affiliates. The operations yielded insight into how these groups work, contributing to improved incident response and more effective cybercrime investigations.