Cyber chatter flowed on Twitter today after a researcher, who goes by the handle @pancak3lullz, posted about claims from ransomware gang REvil that EvilCorp and Maze are actually one group operated by eight people with ties to the Russian government.
While interesting, should rank-and-file security pros even care about this kind of talk?
Probably not in terms of defense tactics, said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, who agreed that while defining attribution to prominent ransomware groups is as intriguing as it is challenging, for the majority of enterprise defenders, it’s largely a distraction.
“Your defenses don’t dramatically change whether you are up against a traditional cybercriminal or state-affiliated one,” Holland said. “Patching known vulnerabilities, enabling multi-factor authentication, and disabling macros will go a long way no matter the threat du jour.”
Joe Slowik, senior security researcher at DomainTools, warned that until substantiated, claims of a link between the two groups should be treated with extreme skepticism.
“Overall, short of having direct access to adversary infrastructure communications, or operational planning, it’s very difficult to ‘pinpoint’ such groups, especially as ransomware operations increasingly break down into multiple ‘teams’ selling access, services, and tools to each other,” he said.
Just as some question the validity of supposed ties between the groups, or association with Russia’s Federal Counterintelligence Service, some see the claims as a potential red herring.
“Personally, I think it’s all a ploy to create distraction from legitimate investigative work on the topic and more darknet drama around an already anxiety-fueled darknet commodity,” said Mark Turnage, CEO of DarkOwl.
Open source reporting from December 2019 linked EvilCorp to Maxim Yakubets, and the federal government issued indictments for Yakubets and other leading members of the EvilCorp hacking group, which is assessed to be heavily protected by the Russian government. Nonetheless, Tor and similar decentralized networks that protect the originating IP addresses of their users make deanonymization of specific individuals extremely challenging.
What is clear, however, is that groups within the community periodically dismantle or reincarnate with new branding and personas.
“There’s no doubt that many of the groups are working together,” Turnage said. “But to what extent they are all one and the same is left to be revealed.”
The post Claims of ties between ransomware groups met with skepticism among threat researchers appeared first on SC Media.