A Close Up Look at the Consumer Data Broker Radaris

If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But how much do we know about Radaris? Publicly available data indicates that in addition to running a dizzying array of people-search websites, the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

Formed in 2009, Radaris is a vast people-search network for finding data on individuals, properties, phone numbers, businesses and addresses. Search for any American’s name in Google and the chances are excellent that a listing for them at Radaris.com will show up prominently in the results.

Radaris reports typically bundle a substantial amount of data scraped from public and court documents, including any current or previous addresses and phone numbers, known email addresses and registered domain names. The reports also list address and phone records for the target’s known relatives and associates. Such information could be useful if you were trying to determine the maiden name of someone’s mother, or successfully answer a range of other knowledge-based authentication questions.

Currently, consumer reports advertised for sale at Radaris.com are being fulfilled by a different people-search company called TruthFinder. But Radaris also operates a number of other people-search properties — like Centeda.com — that sell consumer reports directly and behave almost identically to TruthFinder: That is, reel the visitor in with promises of detailed background reports on people, and then charge a $34.99 monthly subscription fee just to view the results.

The Better Business Bureau (BBB) assigns Radaris a rating of “F” for consistently ignoring consumers seeking to have their information removed from Radaris’ various online properties. Of the 159 complaints detailed there in the last year, several were from people who had used third-party identity protection services to have their information removed from Radaris, only to receive a notice a few months later that their Radaris record had been restored.

What’s more, Radaris’ automated process for requesting the removal of your information requires signing up for an account, potentially providing more information about yourself that the company didn’t already have (see screenshot above).

Radaris has not responded to requests for comment.

Radaris, TruthFinder and others like them all force users to agree that their reports will not be used to evaluate someone’s eligibility for credit, or a new apartment or job. This language is so prominent in people-search reports because selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).

These data brokers do not want to be treated as CRAs, and for this reason their people search reports typically do not include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).

But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and another people-search service Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.

An excerpt from the FTC’s complaint against TruthFinder and Instant Checkmate.

The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.

“All the while, the companies touted the accuracy of their reports in online ads and other promotional materials, claiming that their reports contain “the MOST ACCURATE information available to the public,” the FTC noted. The FTC says, however, that all the information used in their background reports is obtained from third parties that expressly disclaim that the information is accurate, and that TruthFinder and Instant Checkmate take no steps to verify the accuracy of the information.

The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.

The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.

WHO IS RADARIS?

According to Radaris’ profile at the investor website Pitchbook.com, the company’s founder and “co-chief executive officer” is a Massachusetts resident named Gary Norden, also known as Gary Nard.

An analysis of email addresses known to have been used by Mr. Norden shows he is a native Russian man whose real name is Igor Lybarsky (also spelled Lubarsky). Igor’s brother Dmitry, who goes by “Dan,” appears to be the other co-CEO of Radaris. Dmitry Lybarsky’s Facebook/Meta account says he was born in March 1963.

The Lybarsky brothers Dmitry or “Dan” (left) and Igor a.k.a. “Gary,” in an undated photo.

Indirectly or directly, the Lybarskys own multiple properties in both Sherborn and Wellesley, Mass. However, the Radaris website is operated by an offshore entity called Bitseller Expert Ltd, which is incorporated in Cyprus. Neither Lybarsky brother responded to requests for comment.

A review of the domain names registered by Gary Norden shows that beginning in the early 2000s, he and Dan built an e-commerce empire by marketing prepaid calling cards and VOIP services to Russian expatriates who are living in the United States and seeking an affordable way to stay in touch with loved ones back home.

A Sherborn, Mass. property owned by Barsky Real Estate Trust and Dmitry Lybarsky.

In 2012, the main company in charge of providing those calling services — Wellesley Hills, Mass-based Unipoint Technology Inc. — was fined $179,000 by the U.S. Federal Communications Commission, which said Unipoint never applied for a license to provide international telecommunications services.

DomainTools.com shows the email address gnard@unipointtech.com is tied to 137 domains, including radaris.com. DomainTools also shows that the email addresses used by Gary Norden for more than two decades — epop@comby.com, gary@barksy.com and gary1@eprofit.com, among others — appear in WHOIS registration records for an entire fleet of people-search websites, including: centeda.com, virtory.com, clubset.com, kworld.com, newenglandfacts.com, and pub360.com.

Still more people-search platforms tied to Gary Norden– like publicreports.com and arrestfacts.com — currently funnel interested customers to third-party search companies, such as TruthFinder and PersonTrust.com.

The email addresses used by Gary Nard/Gary Norden are also connected to a slew of data broker websites that sell reports on businesses, real estate holdings, and professionals, including bizstanding.com, homemetry.com, trustoria.com, homeflock.com, rehold.com, difive.com and projectlab.com.

AFFILIATE & ADULT

Domain records indicate that Gary and Dan for many years operated a now-defunct pay-per-click affiliate advertising network called affiliate.ru. That entity used domain name servers tied to the aforementioned domains comby.com and eprofit.com, as did radaris.ru.

A machine-translated version of Affiliate.ru, a Russian-language site that advertised hundreds of money making affiliate programs, including the Comfi.com prepaid calling card affiliate.

Comby.com used to be a Russian language social media network that looked a great deal like Facebook. The domain now forwards visitors to Privet.ru (“hello” in Russian), a dating site that claims to have 5 million users. Privet.ru says it belongs to a company called Dating Factory, which lists offices in Switzerland. Privet.ru uses the Gary Norden domain eprofit.com for its domain name servers.

Dating Factory’s website says it sells “powerful dating technology” to help customers create unique or niche dating websites. A review of the sample images available on the Dating Factory homepage suggests the term “dating” in this context refers to adult websites. Dating Factory also operates a community called FacebookOfSex, as well as the domain analslappers.com.

RUSSIAN AMERICA

Email addresses for the Comby and Eprofit domains indicate Gary Norden operates an entity in Wellesley Hills, Mass. called RussianAmerican Holding Inc. (russianamerica.com). This organization is listed as the owner of the domain newyork.ru, which is a site dedicated to orienting newcomers from Russia to the Big Apple.

Newyork.ru’s terms of service refer to an international calling card company called ComFi Inc. (comfi.com) and list an address as PO Box 81362 Wellesley Hills, Ma. Other sites that include this address are russianamerica.com, russianboston.com, russianchicago.com, russianla.com, russiansanfran.com, russianmiami.com, russiancleveland.com and russianseattle.com (currently offline).

ComFi is tied to Comfibook.com, which was a search aggregator website that collected and published data from many online and offline sources, including phone directories, social networks, online photo albums, and public records.

The current website for russianamerica.com. Note the ad in the bottom left corner of this image for Channel One, a Russian state-owned media firm that is currently sanctioned by the U.S. government.

AMERICAN RUSSIAN MEDIA

Many of the U.S. city-specific online properties apparently tied to Gary Norden include phone numbers on their contact pages for a pair of Russian media and advertising firms based in southern California. The phone number 323-874-8211 appears on the websites russianla.com, russiasanfran.com, and rosconcert.com, which sells tickets to theater events performed in Russian.

Historic domain registration records from DomainTools show rosconcert.com was registered in 2003 to Unipoint Technologies — the same company fined by the FCC for not having a license. Rosconcert.com also lists the phone number 818-377-2101.

A phone number just a few digits away — 323-874-8205 — appears as a point of contact on newyork.ru, russianmiami.com, russiancleveland.com, and russianchicago.com. A search in Google shows this 82xx number range — and the 818-377-2101 number — belong to two different entities at the same UPS Store mailbox in Tarzana, Calif: American Russian Media Inc. (armediacorp.com), and Lamedia.biz.

Armediacorp.com is the home of FACT Magazine, a glossy Russian-language publication put out jointly by the American-Russian Business Council, the Hollywood Chamber of Commerce, and the West Hollywood Chamber of Commerce.

Lamedia.biz says it is an international media organization with more than 25 years of experience within the Russian-speaking community on the West Coast. The site advertises FACT Magazine and the Russian state-owned media outlet Channel One. Clicking the Channel One link on the homepage shows Lamedia.biz offers to submit advertising spots that can be shown to Channel One viewers. The price for a basic ad is listed at $500.

In May 2022, the U.S. government levied financial sanctions against Channel One that bar US companies or citizens from doing business with the company.

The website of lamedia.biz offers to sell advertising on two Russian state-owned media firms currently sanctioned by the U.S. government.

LEGAL ACTIONS AGAINST RADARIS

In 2014, a group of people sued Radaris in a class-action lawsuit claiming the company’s practices violated the Fair Credit Reporting Act. Court records indicate the defendants never showed up in court to dispute the claims, and as a result the judge eventually awarded the plaintiffs a default judgement and ordered the company to pay $7.5 million.

But the plaintiffs in that civil case had a difficult time collecting on the court’s ruling. In response, the court ordered the radaris.com domain name (~9.4M monthly visitors) to be handed over to the plaintiffs.

However, in 2018 Radaris was able to reclaim their domain on a technicality. Attorneys for the company argued that their clients were never named as defendants in the original lawsuit, and so their domain could not legally be taken away from them in a civil judgment.

“Because our clients were never named as parties to the litigation, and were never served in the litigation, the taking of their property without due process is a violation of their rights,” Radaris’ attorneys argued.

In October 2023, an Illinois resident filed a class-action lawsuit against Radaris for allegedly using people’s names for commercial purposes, in violation of the Illinois Right of Publicity Act.

On Feb. 8, 2024, a company called Atlas Data Privacy Corp. sued Radaris LLC for allegedly violating “Daniel’s Law,” a statute that allows New Jersey law enforcement, government personnel, judges and their families to have their information completely removed from people-search services and commercial data brokers. Atlas has filed at least 140 similar Daniel’s Law complaints against data brokers recently.

Daniel’s Law was enacted in response to the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge (his mother). In July 2020, a disgruntled attorney who had appeared before U.S. District Judge Esther Salas disguised himself as a Fedex driver, went to her home and shot and killed her son (the judge was unharmed and the assailant killed himself).

Earlier this month, The Record reported on Atlas Data Privacy’s lawsuit against LexisNexis Risk Data Management, in which the plaintiffs representing thousands of law enforcement personnel in New Jersey alleged that after they asked for their information to remain private, the data broker retaliated against them by freezing their credit and falsely reporting them as identity theft victims.

Another data broker sued by Atlas Data Privacy — pogodata.com — announced on Mar. 1 that it was likely shutting down because of the lawsuit.

“The matter is far from resolved but your response motivates us to try to bring back most of the names while preserving redaction of the 17,000 or so clients of the redaction company,” the company wrote. “While little consolation, we are not alone in the suit – the privacy company sued 140 property-data sites at the same time as PogoData.”

Atlas says their goal is convince more states to pass similar laws, and to extend those protections to other groups such as teachers, healthcare personnel and social workers. Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states would limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminals charges against media outlets that publish the same type of public and governments records that fuel the people-search industry.

PEOPLE-SEARCH CARVE-OUTS

There are some pending changes to the US legal and regulatory landscape that could soon reshape large swaths of the data broker industry. But experts say it is unlikely that any of these changes will affect people-search companies like Radaris.

On Feb. 28, 2024, the White House issued an executive order that directs the U.S. Department of Justice (DOJ) to create regulations that would prevent data brokers from selling or transferring abroad certain data types deemed too sensitive, including genomic and biometric data, geolocation and financial data, as well as other as-yet unspecified personal identifiers. The DOJ this week published a list of more than 100 questions it is seeking answers to regarding the data broker industry.

In August 2023, the Consumer Financial Protection Bureau (CFPB) announced it was undertaking new rulemaking related to data brokers.

Justin Sherman, an adjunct professor at Duke University, said neither the CFPB nor White House rulemaking will likely address people-search brokers because these companies typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

“These dossiers contain everything from individuals’ names, addresses, and family information to data about finances, criminal justice system history, and home and vehicle purchases,” Sherman wrote in an October 2023 article for Lawfare. “People search websites’ business pitch boils down to the fact that they have done the work of compiling data, digitizing it, and linking it to specific people so that it can be searched online.”

Sherman said while there are ongoing debates about whether people search data brokers have legal responsibilities to the people about whom they gather and sell data, the sources of this information — public records — are completely carved out from every single state consumer privacy law.

“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman wrote. “Tennessee’s consumer data privacy law, for example, stipulates that “personal information,” a cornerstone of the legislation, does not include ‘publicly available information,’ defined as:

“…information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”

Sherman said this is the same language as the carve-out in the California privacy regime, which is often held up as the national leader in state privacy regulations. He said with a limited set of exceptions for survivors of stalking and domestic violence, even under California’s newly passed Delete Act — which creates a centralized mechanism for consumers to ask some third-party data brokers to delete their information — consumers across the board cannot exercise these rights when it comes to data scraped from property filings, marriage certificates, and public court documents, for example.

“With some very narrow exceptions, it’s either extremely difficult or impossible to compel these companies to remove your information from their sites,” Sherman told KrebsOnSecurity. “Even in states like California, every single consumer privacy law in the country completely exempts publicly available information.”

Below is a mind map that helped KrebsOnSecurity track relationships between and among the various organizations named in the story above:

A mind map of various entities apparently tied to Radaris and the company’s co-founders. Click to enlarge.

Identity Security | How Best to Strengthen Enterprise Security

Identity-related attacks are one of the most common vectors of compromise in modern cyber attacks. In these attacks, threat actors work to steal identities, impersonating real users so they can move laterally and access resources on the network. Identities with greater access and admin-level privileges to valuable data are most likely to be stolen or ransomed.

Enterprises often think they have identity security in place, but many solutions on the market only protect access, rather than digital identities or the greater identity infrastructure. Endpoint detection and response (EDR) and endpoint protection platform (EPP) solutions, for example, protect identity data only to the extent of detecting or stopping malicious tools attempting theft. However, most endpoint security solutions do not stop attackers from conducting identity-based attacks.

This blog post delves into how enterprises can strengthen their security tech stack with robust identity security that focuses on minimizing the identity attack surface, securing Active Directory (AD), and advanced detection and response for identity-based assets.

What Is Identity Security?

When asked what their company does for identity security, many frequently bring up Identity and Access Management (IAM), Privileged Access Management (PAM), or Identity Governance and Administration (IGA) solutions. While useful, these solutions are for authentication, access management, and compliance requirements; they do not protect identities and credentials. Other solutions like multi-factor authentication (MFA) or Single Sign On (SSO) further secure the authentication process, but still leave identity data open to attack.

Let’s use an analogy to clarify. Suppose a network is an office building with many doors. When employees go to the office, they check-in at the front desk to get an access badge showing they work there. As an employee, they can open the doors, but the doors have locks. Employees need explicit permission to open these doors, signified on their access badges as colors matching the doors. They check out the key from a guard at each door to open the lock. The guard checks the colors on the access badge to confirm that the person has permission to get a key to open the door.

Relating this back to the fundamentals of identity security:

  • Authentication is checking in to get the access badge showing they are employees.
  • Access is having the proper color on the badge to get the key for the door.
  • IGA handles procedures to grant access badges and provides an audit trail of who has to access the door.
  • IAM is the guard checking the access badge to validate that the person has permission to get the key to open the door.
  • PAM is a specific color on the access badge for doors that lead to sensitive areas, with a particular key that the guard only gives to the appropriate people and a log book to sign in and out.
  • MFA is when a door requires a key and access code to open.
  • SSO is an access badge with multiple colors showing permission for several doors.

What happens if someone steals or copies a key or access badge? They can get access to the office. None of the controls mentioned above prevent this from happening. In this scenario, nothing stops an attacker from masquerading as a legitimate employee and entering the office.

Identity Security in the Security Stack

To continue with the analogy in the previous section, identity security is the safe that protects the keys and access cards themselves from unwanted targeting by malicious parties and outright theft. It is a secure lanyard that hides the access badge from view, so attackers cannot take pictures and copy it. It can also be thought of as additional precautions that protect the actual credentials so attackers are unable to take advantage of them.

Since there is no universally accepted definition of the term ‘identity security’, a working definition is a category of security controls focusing on securing identity data (such as credentials and passwords) and identity infrastructure (such as directory services like Active Directory).

Cybersecurity secures information systems and networks by reducing existing risk and then managing residual risk. Identity security is no different and provides two core capabilities:

  • Reducing existing risk by addressing identity attack surface vulnerabilities
  • Managing residual risk by detecting and responding to identity-based attacks

Identity security should cover identity data no matter where it resides, whether on the endpoint or on the network in Active Directory. It should be able to detect local credential theft, whether from the operating system (OS) or application credential storage, as well as any  attempts to harvest identity data from domain controllers.

SentinelOne’s Singularity Identity and Ranger AD provide proactive and intelligent identity security capabilities in real-time, helping to reduce risk across the entire identity attack surface.

Ranger AD | How to Reduce Risks Originating from Active Directory

Ranger AD identifies vulnerabilities within the Active Directory and Entra ID (formerly Azure AD) domain controllers and provides remediation assistance to fix them. Ranger AD looks for weak settings, improper access control list entries on objects, and numerous insecure parameters in the AD database that attackers can exploit to progress their attacks.

For example, it can identify if an object has unrestricted rights to replicate the AD database, which can lead to a Golden Ticket, DCSync, or DCShadow attack. Ranger AD can identify if insecure protocols like Server Message Block (SMBv1) are still allowed. Further, it can flag an Entra ID account that has permission to allow external users to access the Azure cloud instance.

Ranger AD checks several hundred settings and can identify over 130 different vulnerabilities. It can automatically fix some of these vulnerabilities with its remediation scripting engine and provides the remediation steps and all references to understand vulnerabilities that require manual intervention. This significantly reduces the identity attack surface available for malicious activity and restricts the attacker’s ability to exploit those vulnerabilities to perform lateral movement.

Ranger AD-Protect is a bundled offering that provides attack detection capabilities for domain controllers. Using data inspection, event log analysis, and behavioral correlation, Ranger AD-Protect can detect attacks originating from any device on the network. It prevents Kerberos-based attacks and AD enumerations in real time. Some examples of these attacks are Golden and Silver Ticket attacks, Pass-the-Hash (PtH) attacks, and enumeration of critical AD users and groups. It is a simple solution that installs on the domain controller but provides critical detection capabilities.

Singularity Identity | How to Stop Credential Misuse in Active Directory Environments

Singularity Identity secures identities by using concealment and misdirection. Singularity Identity conceals the locally stored credentials from discovery, whether memory-resident or stored locally in applications and the OS.

For example, attackers looking for credentials stored in Chrome, WINSCP, or dozens of supported applications will not find them. It also identifies AD queries attempting to harvest data from the domain controller, such as members of privileged groups, domain controllers, Service Principal Names, and more, and conceals the results. Singularity Identity then provides decoy identity data as lures and bait for local and AD objects so the attackers do not suspect anything is wrong and continue their activities. Attackers that fall for these baits and lures have their attack activity misdirected away from the production assets.

Singularity Identity generates an alert on the SentinelOne console when the attackers attempt to query AD for sensitive or privileged objects or when they try to enumerate and access locally stored credentials. This detection happens during the early part of the attack cycle, during the reconnaissance phase, and provides the earliest possible detection of any security control.

Since Singularity Identity is part of the SentinelOne agent, defenders receive market-leading, AI-driven EDR with first-in-class Identity Threat Detection and Response (ITDR) capabilities. By adding SentinelOne’s extensive cloud offerings, its native Singularity Data Lake, and Purple AI, security operation centers (SOCs) gain the ability to respond to enterprise-wide threats with natural language queries, AI-driven threat hunting, and the ability to look across data from every SentinelOne product and partner solution.

Conclusion

Today’s enterprises have centered their businesses around identity-based infrastructure to scale their day-to-day operations and develop in the long run. At the same time, identity continues to emerge as a principal target for threat actors who exploit vulnerabilities and misuse Active Directory, contributing to some of the most damaging ransomware attacks to date.

To secure the identity layer of their tech stacks, global organizations trust in SentinelOne to close identity-based gaps and build up resilience within their sensitive AD crown jewels. Learn more about SentinelOne’s identity security solutions or request a demo today.

Singularity Identity
Bringing Identity to XDR. Ready to experience the market’s leading identity security suite?

BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare

There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

Image: Varonis.

In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.

On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.

“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”

Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.

Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.

On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.

BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.

However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.

The seizure notice now displayed on the BlackCat darknet website.

“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”

BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.

“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”

Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.

“The affiliates still have this data, and they’re mad they didn’t receive this money, Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”

BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.

LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.

But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.

Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.

Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.

“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.

Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.

PinnacleOne Exec Brief | China’s AI-Enabled Cyber Capabilities

Last week, PinnacleOne examined how contractors like I-Soon (上海安洵) fit into the larger Chinese hacking ecosystem and highlighted key implications for business leaders.

This week, we focus on China’s application of emerging AI tools to augment their rapidly improving cyber capabilities and emphasize the urgency for defenders to keep pace.

Please subscribe to read future issues – and forward this newsletter to your colleagues to get them to sign up as well.

Feel free to contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus: China’s AI-Enabled Cyber Capabilities

Highly capable nation state threat actors like China are looking to leverage AI to augment and accelerate their cyber operations. While we make this assessment with high confidence, the specific real-world effects will remain hard to discern and attribute. The UK’s National Cyber Security Centre found in a recent assessment that:

“AI is likely to assist with malware and exploit development, vulnerability research and lateral movement by making existing techniques more efficient. However, in the near term, these areas will continue to rely on human expertise, meaning that any limited uplift will highly likely be restricted to existing threat actors that are already capable. AI has the potential to generate malware that could evade detection by current security filters, but only if it is trained on quality exploit data. There is a realistic possibility that highly capable states have repositories of malware that are large enough to effectively train an AI model for this purpose.”

While use cases like deep fakes and synthetic media for influence operations are overt and more easily detectable, we believe that technical indicators that an attacker like China is using AI to augment other cyber activities may be sparse for some time. Instead, AI tools may improve offensive operations in a way not easily observed by the defender. This is owing to how adversaries are considering using AI for offense.

How China is Using AI for Cyber

Public research indicates that some universities connected to People’s Republic of China (PRC) security services host research institutes and PhDs working on applying AI to “APT attack and defense”. Among the topics covered by some of these schools include using AI to improve the pace at which software vulnerabilities are discovered – a capability that would improve PRC operational tempo, but which would not be easily discernible as an impact of AI by the defenders.

OpenAI’s recent blog post identifying activities by specific threat actors on ChatGPT supports this analysis. Hacking teams used ChatGPT to help debug or write code, perform open source research on foreign intelligence agencies, and translate technical documents. None of the actions outlined by the blog would appear in technical indicators seen by defenders.

Similarly, China has begun hosting competitions to automate vulnerability discovery, exploitation, and patching – another process that would improve operational efficiency but go unseen by the defenders. The timeline below shows the competitions held to automate this process, including through the use of machine learning techniques. Many of the universities conducting research on AI and cyber attack and defense participated in these competitions.

Finally, it is clear that the PRC has built cyber ranges to build and test these capabilities. Peng Cheng Labs hosts a cyber range with significant computational resources, ties to the security services, and an interest in automating attack path decision making with AI. Another cyber range in China, Zhejiang Labs, had a researcher publish about using AI to improve attacks on ICS systems.

Security Impact on Western Firms

None of the technologies being researched by actors in the PRC and covered here would provide technical indicators that AI was used to enable the attack. Instead, vulnerabilities discovered and exploited – and the attack paths taken by attackers – will continue to look “normal.”

Near term, evidence of AI in offensive operations may only be discernable in the operational pace and efficiency of operations – analysis that would require more complete knowledge of PRC hacking operations than any one cybersecurity firm may possess.

The impact of China’s efforts will be to accelerate the pace and effectiveness of their overall cyber operations. This will exacerbate the existing significant challenge the U.S. and its allies already face in confronting broad-scale and aggressive PRC cyber activity. It should motivate a sense of urgency in driving development and adoption of AI-enabled defensive tools and capabilities by public and private organizations across the Western world.

The Good, the Bad and the Ugly in Cybersecurity – Week 9

The Good | US Bans Sale Of Personal Data To China & Others

The Biden administration this week took steps to ban data brokers from trading personal information of U.S. citizens to nations on a list of ‘countries of concern’, currently expected to be China, Russia, Iran, North Korea, Cuba and Venezuela. The Executive Order to protect Americans’ sensitive personal data was issued on Wednesday.

The government says that hostile foreign powers are leveraging AI to weaponize sensitive data bought in bulk from commercial data brokers. The data is then used for surveillance, scams, blackmail and privacy violations. Authoritarian governments can make use of such data to target journalists, dissidents and political activists.

AG Merrick Garland said that the EO will allow the Justice Department to block countries that pose a threat to U.S. national security and prevent them from harvesting sensitive personal data such as personal health and financial data, biometrics and genomic data. However, critics say the EO doesn’t go far enough and fails to prevent other countries from harvesting the same data and exposing it to those in the prescribed list.

The Justice Department says the EO is a ‘targeted national security measure’ aimed at blocking specific adversaries. The EO also allows the program to exempt certain categories of data from the transfer ban, “such as those ordinarily incident to financial services, in order to allow low-risk commercial activity to continue unimpeded”.

The exact scope of the regulations will be worked out in an ANPRM, which is open to public comment

The Bad | BlackCat is Back, LockBit Lingers On

Law enforcement action to take down ransomware operators looks to have taken a setback this week as authorities warn that BlackCat RaaS has embarked on a new campaign targeting the healthcare sector. Meanwhile, despite last week’s high-profile raid on LockBit, the gang appear to be still in business.

First appearing in November 2021, BlackCat has established itself as one of the most prolific ransomware threats today. The advisory describes how BlackCat (aka ALPHV) affiliates use advanced social engineering techniques to gain initial access. These include posing as helpdesk or IT and staff and using phone calls and smishing techniques to steal credentials from employees.

Once inside the target network, the threat actors use remote access software such as AnyDesk and Splashtop to facilitate data exfiltration. Dropbox and Mega have also been observed as vehicles to move or download victim data. CobaltStrike and Brute Ratel C4 are used to beacon out to the attackers C2.

BlackCat ransomware execution chain (Windows version)

According to CISA, some affiliates extort victims solely through threats to expose stolen data, while others deploy ransomware to lock files and systems as well. In both cases, data is either deleted or destroyed unless the victims have backups or rollback systems in place.

In December, the Justice Department announced that it had severely disrupted BlackCat/ALPHV by seizing its infrastructure and releasing a decryptor; however, it appears the gang have been able to recover. Similarly, LockBit operators have this week responded to last week’s seizure of its infrastructure by publishing links to a new blog and data leak site and issuing a rambling rebuttal of claims that it was no longer operational.

The cat-and-mouse will inevitably continue; meanwhile, organizations can take proactive steps to exempt themselves from the cybercrime cycle by implementing recommended security controls.

The Ugly | APT29 Targeting Cloud for Initial Access

The advanced threat actor behind the SolarWinds breach among others, Russian intelligence agency SVR (aka APT 29, NobleBaron, The Dukes), is now targeting cloud services for initial access, the U.K.’s National Cyber Security Centre warned this week.

In a move that mirrors the wider enterprise trend away from on-prem servers in favor of cloud infrastructure, the Russian-backed threat actor has looked to supplement its traditional means of initial access such as exploiting software vulnerabilities with cloud-specific techniques and tactics.

The NCSC says these tactics include targeting service accounts with brute force and password spraying attacks. Service accounts with weak or default credentials are attractive since they cannot be protected with MFA as there is no human user to authenticate them. Dormant or inactive accounts, such as when an employee has left but the account has not been deactivated, have also been targeted.

Other tactics observed include stealing cloud-based authentication tokens. Once authenticated, these tokens remain valid for a period of time without needing further authentication. Once the SVR operators have gained initial access, they will frequently enroll new devices on the cloud tenant.

Tactic ID Technique Procedure
Credential Access T1110 Brute forcing The SVR use password spraying and brute forcing as an initial infection vector.
Initial Access T1078.004 Valid Accounts: Cloud Accounts The SVR use compromised credentials to gain access to accounts for cloud services, including system and dormant accounts.
Credential Access T1528 Steal Application Access Token The SVR use stolen access tokens to login to accounts without the need for passwords.
Credential Access T1621 Multi-Factor Authentication Request Generation The SVR repeatedly push MFA requests to a victim’s device until the victim accepts the notification, providing SVR access to the account.
Command and Control T1090.002 Proxy: External Proxy The SVR use open proxies in residential IP ranges to blend in with expected IP address pools in access logs.
Persistence T1098.005 Account Manipulation: Device Registration The SVR attempt to register their own device on the cloud tenant after acquiring access to accounts.

In light of these tactical changes, defenders are advised to ensure that MFA and 2SV (two-step verification) are used wherever possible; that token validity periods are set to a minimum, and that user and system accounts are regularly reviewed and dormant or inactive accounts removed. Further detailed mitigations are provided by NCSC here.

Fulton County, Security Experts Call LockBit’s Bluff

The ransomware group LockBit told officials with Fulton County, Ga. they could expect to see their internal documents published online this morning unless the county paid a ransom demand. LockBit removed Fulton County’s listing from its victim shaming website this morning, claiming the county had paid. But county officials said they did not pay, nor did anyone make payment on their behalf. Security experts say LockBit was likely bluffing and probably lost most of the data when the gang’s servers were seized this month by U.S. and U.K. law enforcement.

The LockBit website included a countdown timer until the promised release of data stolen from Fulton County, Ga. LockBit would later move this deadline up to Feb. 29, 2024.

LockBit listed Fulton County as a victim on Feb. 13, saying that unless it was paid a ransom the group would publish files stolen in a breach at the county last month. That attack disrupted county phones, Internet access and even their court system. LockBit leaked a small number of the county’s files as a teaser, which appeared to include sensitive and sealed court records in current and past criminal trials.

On Feb. 16, Fulton County’s entry — along with a countdown timer until the data would be published — was removed from the LockBit website without explanation. The leader of LockBit told KrebsOnSecurity this was because Fulton County officials had engaged in last-minute negotiations with the group.

But on Feb. 19, investigators with the FBI and the U.K.’s National Crime Agency (NCA) took over LockBit’s online infrastructure, replacing the group’s homepage with a seizure notice and links to LockBit ransomware decryption tools.

In a press briefing on Feb. 20, Fulton County Commission Chairman Robb Pitts told reporters the county did not pay a ransom demand, noting that the board “could not in good conscience use Fulton County taxpayer funds to make a payment.”

Three days later, LockBit reemerged with new domains on the dark web, and with Fulton County listed among a half-dozen other victims whose data was about to be leaked if they refused to pay. As it does with all victims, LockBit assigned Fulton County a countdown timer, saying officials had until late in the evening on March 1 until their data was published.

LockBit revised its deadline for Fulton County to Feb. 29.

LockBit soon moved up the deadline to the morning of Feb. 29. As Fulton County’s LockBit timer was counting down to zero this morning, its listing disappeared from LockBit’s site. LockBit’s leader and spokesperson, who goes by the handle “LockBitSupp,” told KrebsOnSecurity today that Fulton County’s data disappeared from their site because county officials paid a ransom.

“Fulton paid,” LockBitSupp said. When asked for evidence of payment, LockBitSupp claimed. “The proof is that we deleted their data and did not publish it.”

But at a press conference today, Fulton County Chairman Robb Pitts said the county does not know why its data was removed from LockBit’s site.

“As I stand here at 4:08 p.m., we are not aware of any data being released today so far,” Pitts said. “That does not mean the threat is over. They could release whatever data they have at any time. We have no control over that. We have not paid any ransom. Nor has any ransom been paid on our behalf.”

Brett Callow, a threat analyst with the security firm Emsisoft, said LockBit likely lost all of the victim data it stole before the FBI/NCA seizure, and that it has been trying madly since then to save face within the cybercrime community.

“I think it was a case of them trying to convince their affiliates that they were still in good shape,” Callow said of LockBit’s recent activities. “I strongly suspect this will be the end of the LockBit brand.”

Others have come to a similar conclusion. The security firm RedSense posted an analysis to Twitter/X that after the takedown, LockBit published several “new” victim profiles for companies that it had listed weeks earlier on its victim shaming site. Those victim firms — a healthcare provider and major securities lending platform — also were unceremoniously removed from LockBit’s new shaming website, despite LockBit claiming their data would be leaked.

“We are 99% sure the rest of their ‘new victims’ are also fake claims (old data for new breaches),” RedSense posted. “So the best thing for them to do would be to delete all other entries from their blog and stop defrauding honest people.”

Callow said there certainly have been plenty of cases in the past where ransomware gangs exaggerated their plunder from a victim organization. But this time feels different, he said.

“It is a bit unusual,” Callow said. “This is about trying to still affiliates’ nerves, and saying, ‘All is well, we weren’t as badly compromised as law enforcement suggested.’ But I think you’d have to be a fool to work with an organization that has been so thoroughly hacked as LockBit has.”