Fighting Cybercrime: Law Enforcement vs. Hacktivists
On October 18, 2023, an international law enforcement operation facilitated the seizure of the Ragnar Locker ransomware operation’s TOR negotiation and data leak site. On October 17, 2023, the Ukrainian Cyber Alliance – a group of cyber hacktivists – hacked into and wiped the servers of the Trigona ransomware operation. While both groups were targeted and disrupted, the results are interestingly different. This blog post will outline the difference in results from an international law enforcement operation and a group of hacktivists targeting a ransomware group.
Ragnar Locker is one of the longest-standing ransomware operations in the cybersecurity threat landscape. Active since at least December 2019, Ragnar Locker resembles other operations in its tendency to move laterally to other devices, collect and exfiltrate sensitive data, and threaten to leak that data on its data leak site if the victim declines to pay the ransom demand. As a semi-private operation, Ragnar Locker did not actively recruit affiliates on cybercriminal forums like other groups, but instead worked with specific third parties. The group did not always encrypt victims' data and has most often targeted the industrials vertical, which includes the manufacturing, construction and engineering, and professional and commercial services industries.
On October 19, 2023, the Ragnar Locker data leak site displayed the following message, stating that the site had been seized as part of an international law enforcement operation.
Figure 1: Ragnar Locker (aka RagnarLocker) TOR site
It is normal practice for such messages to be displayed following the disruption of cybercriminal and data leak sites by international law enforcement operations. Similar messages appeared following the disruption of the Hive and NetWalker ransomware operations.
Samples of the much newer Trigona ransomware date back to early 2022, but the group officially declared its name and publicly launched its data leak site in October 2022. Trigona operators have most often targeted organizations in the manufacturing, financial services, construction and engineering, and technology verticals. In April 2023, the group targeted Microsoft SQL servers exposed on the internet using brute-force or dictionary attacks.
It was not law enforcement but the Ukrainian Cyber Alliance (UCA) hacktivist group that took down Trigona's servers. Formed in 2021, the UCA is composed of volunteers worldwide who purportedly work to defend the country's cyberspace against Russian attacks. The group claims to have conducted multiple attacks that resulted in the exposure of Russian activity and propaganda efforts. Around October 12, 2023, UCA hackers reportedly gained access to the Trigona ransomware infrastructure by leveraging a public exploit for CVE-2023-22515 (CVSS 9.8) in Confluence Data Center and Server. UCA maintained persistence and eventually wiped the servers completely. The group told researchers with BleepingComputer that if the exfiltrated information contained decryption keys, they would release them, and that they would turn over the stolen information to law enforcement. The Trigona ransomware site briefly displayed the image below before it was taken offline completely.
Figure 2: Trigona data leak site
The disruption of the Ragnar Locker ransomware group highlights the increased scrutiny that law enforcement has directed at ransomware operations. Most ransomware operations are located within "safe harbor" countries that often turn a blind eye to ransomware activity, on the condition that organizations within that region are not targeted. As a result, law enforcement operations focus on infiltrating and disrupting a ransomware operation's infrastructure rather than on pursuing the individuals separately. Participating law enforcement agencies will likely release additional information about the operation.
The disruption of Trigona highlights how no group, organization, or individual is immune from the exploitation of vulnerabilities to gain initial access. Ransomware groups often target critical vulnerabilities in ubiquitous software. It is ironic that one of those same vulnerabilities resulted in the exposure and disruption of one of those groups.
Law enforcement agencies leave behind a seizure notice, which is likely intended as a warning to other threat actors that no group or actor is immune to being disrupted or captured. Hacktivists, by contrast, stick to their own TTPs and deface cybercriminal sites before taking them down. It is likely that law enforcement agencies will continue to focus on disrupting cybercriminals' operations, while hacktivist groups like UCA will continue to exploit vulnerabilities and weaknesses in infrastructure to deface sites and steal sensitive information over the next 12 months.