Lessons from the BlackBasta Ransomware Attack on Capita

18 October 2025, 10:17

Introduction

When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach. 

The aim of this blog is to extract actionable cybersecurity lessons from the ICO’s findings as well as open source reports surrounding the breach from a cyber threat intelligence (CTI) analyst’s perspective to help SOC and CERT teams, and CISOs understand what happened and how to avoid the mistakes made by others.

BLUF Incident Impact Summary:

  • Capita was attacked by BlackBasta ransomware in March 2023
  • Over six million individuals’ records were exfiltrated from Capita’s systems
  • A £14 million fine was issued to Capita by the ICO
  • Capita said in May 2023 that recovery from the incident cost up to £20 million

Important context about Capita

The Capita Group is a business process outsourcing (BPO) and professional services group employing approximately 34,500 people worldwide and with a reported annual revenue of £2,421.6 million. For readers outside of Great Britain, Capita is best known as the UK’s go-to managed service provider for large-scale, data-sensitive public sector operations.

Companies within the Capita Group act as data processors for a range of business services to both public and private sector organisations. Capita plc is the ultimate parent company of a large corporate group consisting of multiple legal entities.

Capita has long been one of the UK government’s biggest suppliers of outsourced services.

They manage (or have managed):

  • The BBC TV Licensing system
  • The UK Congestion Charge for Transport for London (TfL) 
  • The National Pupil Database – via contracts with the Department for Education.
  • Electronic tagging of offenders – under contracts with the Ministry of Justice.
  • Council administration and call-centre services – for many local authorities (e.g., Birmingham, Southampton, Sheffield)
  • Numerous Local Government and private sector pension schemes (including universities, utilities, and insurance companies).
  • Ministry of Defence (MOD) – Training and support contracts for the British Army’s Recruitment Partnership Project (including vetting systems) and Royal Navy training programmes.

The ICO established that during the Incident, data was exfiltrated from two legal entities which were acting as data controllers, and from four legal entities which were acting as data processors:

  • Capita plc - Capita plc’s focus includes Central Government, Local Public Service, Defence, Education, and Pensions. Capita was selected to administer the UK’s Civil Service Pension Scheme (CSPS) from September 2025, via a contract worth £239m over 10 years.
  • Capita Resourcing Limited - is a subsidiary of Capita plc focused on resourcing/human-capital services, i.e., recruitment, contingent staffing, talent acquisition.
  • Capita Business Services Limited - is another subsidiary that provides business-process and digital services (as a part of the Capita outsourcing ecosystem). The supplier record shows over £331.9m recorded government spending linked to this entity.
  • Capita Pension Solutions Ltd (CPSL) - a regulated pensions business within the Capita Group. Its role: delivering pensions administration and consulting services for pension schemes, including defined benefit schemes.

Breach Timeline

In the ICO’s report, a timeline of events that led to data exfiltration and ransomware deployment was provided. The timeline diagram below helps illustrate what happened.


The Record also reported that Capita’s share price dropped more than 12%, from a high of £38.64 ($47.97) on March 30, the day before the incident was first reported, to £33.72 ($42.58) on Wednesday morning.

On 3 April 2023, Capita released a public statement about the cyber incident. At the time, Capita said the “issue was limited to parts of the Capita network and there is no evidence of customer, supplier or colleague data having been compromised.” 

On 8 April 2023, Brett Callow spotted that Capita had been listed on BlackBasta’s Tor data leak site before it was quickly removed that same day.


Security researcher Kevin Beaumont, who analysed the leaked data samples at the time, identified copies of stolen passport scans, PII records, bank account details, and internal floor plans of multiple buildings belonging to various schools as well as to Capita Nuclear, part of Capita Business Services.

It took Capita until 20 April 2023 to confirm that some of its systems were in fact breached and that data had been stolen.

Types of Stolen Data

In the ICO’s report, we learn that 6,024,221 data subjects for whom Capita was the data processor had personal data exfiltrated, as determined by Capita’s forensic provider.

The stolen data included sensitive categories such as home addresses, email addresses, phone numbers, National Insurance numbers, driving licence scans, passport scans, bank account numbers and sort codes, credit card numbers, biometrics, criminal record checks, and employee login details.

BlackBasta Operator TTPs

The tactics, techniques, and procedures (TTPs) of the BlackBasta operators provided in the ICO’s breach timeline are useful for understanding the technical steps that led to the breach and ransomware attack. A summary of the aspects of the attack has been mapped to a diamond model diagram below.

Outside of the breach timeline, some additional technical details were shared:

  • Following initial access, the Threat Actor accessed the ‘CAPITA\backupadmin’ service account approximately 4.5 hours later. Capita could not confirm how the Threat Actor was able to escalate their privileges; however, there were traces of Kerberos credential harvesting and reconnaissance activity found following the Incident.
  • The Threat Actor was able to use the ‘CAPITA\backupadmin’ domain administrator account to pivot to administrator accounts in different Capita domains. In total no fewer than 8 domains were compromised, a very large quantity of data was exfiltrated and the Threat Actor attempted to deploy ransomware on at least 1057 hosts.
  • Even though Capita quarantined the device through which the Threat Actor first gained access on 24 March 2023, by this time the Threat Actor had deployed software into the network which had enabled them to establish persistence and ultimately allowed them to continue moving laterally across the network into different Capita domains and to access/exfiltrate data, before deploying ransomware on 31 March 2023.
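The backupadmin pivot described above is exactly what a periodic review of privileged service accounts, plus a simple logon baseline for those accounts, is meant to surface early. The Python below is an added example for this post; it is not Capita’s tooling and does not come from the ICO report. The tier-0 group list, the account inventory, the domain names and all logon records are constructed for the illustration.

```python
"""Review of privileged service accounts and a simple logon-anomaly check.

Added illustration, not Capita's tooling or anything from the ICO report.
The inventory, baseline and new logon records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Tier-0 groups (assumed list): a service account should never sit in these.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}


@dataclass(frozen=True)
class Account:
    name: str               # DOMAIN\user
    groups: frozenset
    is_service: bool        # marked as a service account in the inventory
    password_age_days: int


@dataclass(frozen=True)
class Logon:
    account: str
    host: str
    target_domain: str
    logon_type: int         # Windows logon type: 2 interactive, 3 network, 10 RDP


# Constructed inventory: a backup service account holding domain admin, a plain
# service account, and a named admin whose password was rotated recently.
ACCOUNTS = [
    Account("CORP\\backupadmin", frozenset({"Domain Admins", "Backup Operators"}), True, 900),
    Account("CORP\\svc_sql", frozenset({"Domain Users"}), True, 400),
    Account("CORP\\jsmith-da", frozenset({"Domain Admins"}), False, 30),
]

# Constructed history: where each account is normally seen authenticating.
BASELINE_LOGONS = [
    Logon("CORP\\backupadmin", "bkp-srv01", "corp.example", 3),
    Logon("CORP\\backupadmin", "bkp-srv02", "corp.example", 3),
    Logon("CORP\\svc_sql", "sql01", "corp.example", 3),
]

# Constructed new activity: the backup account RDPs to a workstation, then
# authenticates to a domain it has never touched before.
NEW_LOGONS = [
    Logon("CORP\\backupadmin", "ws-0042", "corp.example", 10),
    Logon("CORP\\backupadmin", "dc01", "pensions.example", 3),
    Logon("CORP\\svc_sql", "sql01", "corp.example", 3),
]


def audit_accounts(accounts, max_password_age=365):
    """Static review: service accounts in tier-0 groups, stale privileged passwords."""
    findings = []
    for a in accounts:
        tier0 = a.groups & TIER0_GROUPS
        if a.is_service and tier0:
            findings.append((a.name, "service account holds tier-0 membership: " + ", ".join(sorted(tier0))))
        if tier0 and a.password_age_days > max_password_age:
            findings.append((a.name, f"privileged password unchanged for {a.password_age_days} days"))
    return findings


def build_baseline(logons):
    """Map each account to the (host, domain) pairs it has historically used."""
    seen = defaultdict(set)
    for l in logons:
        seen[l.account].add((l.host, l.target_domain))
    return seen


def detect_anomalies(baseline, new_logons, accounts):
    """Flag interactive use of service accounts and first-seen domains or hosts."""
    service_accounts = {a.name for a in accounts if a.is_service}
    alerts = []
    for l in new_logons:
        known = baseline.get(l.account, set())
        known_hosts = {h for h, _ in known}
        known_domains = {d for _, d in known}
        if l.account in service_accounts and l.logon_type in (2, 10):
            alerts.append((l.account, f"interactive/RDP logon by service account on {l.host}"))
        if l.target_domain not in known_domains:
            alerts.append((l.account, f"first logon to domain {l.target_domain} (host {l.host})"))
        elif l.host not in known_hosts:
            alerts.append((l.account, f"first logon to host {l.host}"))
    return alerts


if __name__ == "__main__":
    for name, issue in audit_accounts(ACCOUNTS):
        print(f"AUDIT  {name}: {issue}")
    for name, issue in detect_anomalies(build_baseline(BASELINE_LOGONS), NEW_LOGONS, ACCOUNTS):
        print(f"ALERT  {name}: {issue}")
```

The static audit is the AD-tiering check (a backup service account should not be a domain admin at all); the baseline check is the monitoring half, where a tier-0 account appearing on a workstation or in a new domain is worth an analyst’s attention whatever the EDR says about the host.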

Interestingly, in February 2025 internal chat logs from the BlackBasta gang were leaked publicly online. Searching the leaked chat logs for references to Capita revealed the command below, shared by one of the BlackBasta members months after the attack happened:

The domain "corpcitrix.ad.capita.co.uk" appears to be an internal Active Directory domain name used by Capita to host its corporate Citrix environment. The "ad" label shows it’s an AD DNS namespace, "corpcitrix" indicates the environment is for Citrix-published desktops/apps or related infrastructure, and "capita.co.uk" is the organisation’s FQDN.

The command shown above is a PowerShell invocation (potentially via Cobalt Strike) that enumerates every system in the domain, resolves each machine’s IP address, and saves the results to a file named “SFS_pc.txt”. PowerPick runs the code in an unmanaged PowerShell environment and can execute without depending on powershell.exe.

In short, this command shows a BlackBasta operator performing network reconnaissance, mapping hosts to IPs (likely to plan lateral movement, targeting, exfiltration or ransomware deployment).

Notable moments during the Incident

  • Critical alerts were mishandled or deprioritised: The initial malicious file (‘jdmb.js’) triggered a P2 (High) alert at 08:00 on 22 March 2023, indicating compromise. The SOC did not act for nearly 58 hours, despite automatic escalation warnings for missed service-level agreements (SLAs). The ICO also noted that “at no point in the six months before or after the Incident did Capita meet their SLA for any alert level.”
  • Excessive delay between detection and containment, plus a lack of automation: Isolation of the device from the rest of the Capita network still required human intervention, which took 58 hours to arrive. Capita’s SOC lacked the ability to isolate the device automatically. By then, the attacker had already gained domain admin access and moved laterally.
  • Inadequate incident response procedures: Capita did not invoke its Major Incident Management process until 09:22 on 29 March 2023, which was seven days after compromise. By that point, data exfiltration was already underway and it was two days before ransomware was deployed on 31 March 2023.
  • Understaffed and overburdened SOC team: Capita is understood to have had 1 SOC analyst per shift at the time of the Incident in March 2023. Combined with the historic underperformance, this indicates systemic issues within the SOC, including inadequate staffing, insufficient training, and/or inefficient processes.

Lessons Learned from the BlackBasta Ransomware Attack on Capita

  • Having tools isn’t enough: they must be configured, integrated, and monitored effectively
    • Capita had Trellix EDR, a SIEM, and a SOC, but alerts were missed and containment delayed.
      • Lessons: Security tools are only as effective as the people, processes, and automation supporting them. Critical security alerts must have clear, measurable response times with automatic escalation if breached. Security Leadership must define and enforce strong Service Level Agreements (SLAs) for incident response.
  • Implement proper Active Directory (AD) tiering
    • Lack of AD tiering allowed attackers to move laterally from low-privilege systems to domain controllers (specifically a backup service account with domain admin privileges).
      • Lessons: Segregate admin privileges between tiers (workstations, servers, domain controllers) to contain breaches. Limit, rotate, and monitor privileged accounts using a PAM solution to enforce least privilege. Regularly review service accounts, ensure unique credentials, and monitor their activity for anomalies.
  • Act on penetration test findings promptly
    • Multiple pentests also warned of AD and privilege issues months before the breach, but fixes were delayed.
      • Lesson: Treat pentest reports as actionable tasks with deadlines and executive oversight.
  • Automate incident response where possible (SOAR)
    • Lack of Security Orchestration, Automation and Response (SOAR) led to manual triage delays.
      • Lesson: Use SOAR playbooks to automate containment, escalation, and alert enrichment for faster response.
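As an added example of the SLA-with-automatic-escalation and SOAR-containment lessons (not code from the original post or from Capita’s SOC), the Python below tracks time-to-acknowledge against a per-priority SLA, escalates a breached alert up an assumed chain the longer it stays unanswered, and decides whether a host can be isolated without waiting for a human. The SLA minutes, escalation roles, host names and sample alerts are assumed or constructed; the first alert only mirrors the 08:00 P2 / 58-hour timing described above.

```python
"""Alert SLA tracking with automatic escalation and a containment decision.

Added illustration of the SLA / SOAR lessons; not Capita's SOC tooling.
SLA values, escalation roles and the sample alerts are assumed or constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Minutes allowed before first analyst action, per priority (assumed values).
SLA_MINUTES = {"P1": 15, "P2": 60, "P3": 240, "P4": 1440}
# Who gets paged as a breach grows older (assumed roles, lowest to highest).
ESCALATION = ["soc-shift-lead", "soc-manager", "ciso"]
ESCALATION_STEP_MINUTES = 60


@dataclass
class Alert:
    alert_id: str
    priority: str
    raised_at: datetime
    host: str
    verdict: str                          # EDR verdict: malicious / suspicious / benign
    acknowledged_at: Optional[datetime] = None


def sla_status(alert, now):
    """Return (breached, minutes_over); an unacknowledged alert keeps ageing until `now`."""
    deadline = alert.raised_at + timedelta(minutes=SLA_MINUTES[alert.priority])
    end = alert.acknowledged_at or now
    over = (end - deadline).total_seconds() / 60
    return over > 0, max(0, int(over))


def escalation_level(minutes_over):
    """0 = no escalation; otherwise one step per ESCALATION_STEP_MINUTES, capped at the chain length."""
    if minutes_over <= 0:
        return 0
    return min(len(ESCALATION), 1 + minutes_over // ESCALATION_STEP_MINUTES)


def containment_action(alert, critical_hosts):
    """Isolate automatically on a malicious verdict for P1/P2; critical hosts need approval."""
    if alert.verdict != "malicious" or alert.priority not in ("P1", "P2"):
        return "monitor"
    if alert.host in critical_hosts:
        return "request_approval"
    return "isolate_host"


def triage(alerts, now, critical_hosts=frozenset()):
    """Run every alert through the SLA, escalation and containment logic."""
    results = []
    for a in alerts:
        breached, over = sla_status(a, now)
        level = escalation_level(over)
        results.append({
            "alert_id": a.alert_id,
            "sla_breached": breached,
            "minutes_over": over,
            "escalate_to": ESCALATION[level - 1] if level else None,
            "action": containment_action(a, critical_hosts),
        })
    return results


# Constructed sample: the first alert mirrors the timing described in the post
# (P2 raised 08:00 on 22 March 2023, acknowledged 58 hours later).
NOW = datetime(2023, 3, 24, 18, 0)
CRITICAL_HOSTS = frozenset({"dc01"})
SAMPLE_ALERTS = [
    Alert("A-1", "P2", datetime(2023, 3, 22, 8, 0), "ws-1234", "malicious", acknowledged_at=NOW),
    Alert("A-2", "P3", NOW - timedelta(minutes=10), "ws-2222", "suspicious"),
    Alert("A-3", "P1", NOW - timedelta(minutes=5), "dc01", "malicious"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, NOW, CRITICAL_HOSTS):
        print(r)
```

Under these assumed rules A-1 is 3,420 minutes over its SLA, has walked the whole escalation chain, and would have been isolated by the playbook on its malicious verdict rather than waiting for an analyst; A-3 shows the one case where a human stays in the loop, a domain controller that the playbook should not knock offline on its own.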

Additional Resources

  1. Qakbot - https://attack.mitre.org/software/S0650/
  2. Cobalt Strike - https://attack.mitre.org/software/S0154/ 
  3. Bloodhound - https://attack.mitre.org/software/S0521/ 
  4. Rclone - https://attack.mitre.org/software/S1040/ 
  5. SystemBC - https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc   
  6. BlackBasta Ransomware - https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta 
  7. Credentials from Web Browsers (specifically performed by Qakbot) - https://attack.mitre.org/techniques/T1555/003/
  8. Steal or Forge Kerberos Tickets - https://attack.mitre.org/techniques/T1558/ 
  9. Exfiltration Over C2 Channel (performed by SystemBC and Rclone) - https://attack.mitre.org/techniques/T1041/
  10. BlackBasta Leaks: Lessons from the Ascension Health attack - https://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html 
  11. The Continuity of Conti - https://blog.bushidotoken.net/2022/11/the-continuity-of-conti.html 
  12. BlackBasta Group Profile (Ransomware Tool Matrix) - https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/GroupProfiles/BlackBasta.md 
  13. BlackBasta Group Profile (Ransomware Vuln Matrix) - https://github.com/BushidoUK/Ransomware-Vulnerability-Matrix/blob/main/GroupProfiles/BlackBasta.md


Ransomware Tool Matrix Update: Community Reports

13 September 2025, 17:38

Introduction

The Ransomware Tool Matrix continues to be a useful passion project that I am happy to continue maintaining. One piece of common feedback I've received for the Ransomware Tool Matrix was that individuals would like to contribute their observations to it, but do not have public links they can cite (such as a formal blog post on a company website). Therefore, I came up with a plan to make a reporting template to help with this.

What are Community Reports?

Individuals can now share what tools they have seen various ransomware groups, affiliates, or initial access brokers (IABs) use via the new Community Report Template. The level of detail provided is the contributor's choice. The more verifiable information is shared, the more reliable and credible the report becomes.

You can view the current list of Community Reports on GitHub here.

Why the need for Community Reports?

Most of the CTI about ransomware TTPs comes from open source reports by organisations such as the US Cybersecurity and Infrastructure Security Agency (CISA), The DFIR Report, and other cybersecurity vendors. From the beginning it was important to recognise the importance of having public citations by reputable organisations to maintain the reliability and credibility of the resource overall. Consumers of the Ransomware Tool Matrix should feel confident that the information provided is of a high standard and legitimate.

The problem was, however, that members of the cybersecurity community who work with victims of ransomware attacks also have information about which tools each ransomware group uses.

This information can come from various sources, such as Digital Forensics and Incident Response (DFIR) service providers, Managed Security Service Providers (MSSPs), Endpoint Detection and Response (EDR) vendors, or security researchers who obtain threat intelligence about ransomware groups by other means, such as infiltrating cybercrime forums or open directory hunting.

Until now, these sources had no way to contribute to the Ransomware Tool Matrix because they lacked a publicly citable blog.

How do Community Reports work?

Members of the community with information on tools used by ransomware groups can now share their observations via the structured report template shown below.

Whether to include all the details here is up to the contributor, but this type of reporting system is an option for community members to share their findings with the rest of the community who are interested in this information.


Anyone who wants to submit a Community Report can copy the template, fill in their findings, and submit a pull request to the GitHub repository. Alternatively, they can fork the project and I can merge their commits into the main branch. More details on how to create a pull request from a fork can be found in GitHub's Docs here.

Conclusion

One of the problems with cybersecurity vendor blogs is that a lot of them are marketing material, and details about every ransomware incident a company worked on are not great marketing. However, for CTI analysts, incident responders, threat hunters, and detection engineers, these details are crucial to our day-to-day work. That is why the Community Report system was one of the most common pieces of feedback I received, and why I created it.

I look forward to the contributions from the community to this new reporting system and hope it helps many more who are keen to see and read about what the latest tools are that the ransomware cybercriminals are using.


Ransomware Tool Matrix Project Updates: May 2025

5 May 2025, 19:01

Introduction

This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive and many researchers have contacted me to tell me how helpful they have found these to be. It makes me happy to hear how doing something in my spare time can help stop ransomware attacks and cybercriminals from exploiting our society’s systems. And it is for that reason that I shall continue to maintain these projects as long as ransomware is still around. For anyone new to these projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at BSides London.

Background on the current ransomware ecosystem as of May 2025

Following the impact of Operation Cronos against LockBit and the exit scam by ALPHV/BlackCat, the ransomware ecosystem has been even more unstable than usual. The exit scams and law enforcement infiltration operations have created a zero trust environment for the cybercriminals participating in the ransomware economy. The days of affiliates putting their faith in one RaaS platform seem to be long gone and many are experimenting and going from one RaaS to the next.

Sources of Threat Intelligence for the RTM

The RTM was updated with OSINT reports shared by cybersecurity researchers at various private service providers or vendors. The thing to remember about these reports is that the tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.

From the reports, threat groups such as Qilin, BlackSuit, RansomEXX, Medusa, BianLian, Hunters International and PLAY have been active for over one year or for multiple years. These are established groups. Since RansomHub and LockBit have shut down, it is more likely than not that the affiliates have already shifted to one of the other RaaS platforms, like Qilin, among others.

There have also been a number of ransomware operations suspected to be linked to Chinese cyber-espionage groups, such as RA World (for using PlugX), NailaoLocker (for using ShadowPad and PlugX), and CrazyHunter (for its focus on Taiwan).

Threat groups such as IMN Crew, QWCrypt (linked to RedCurl), NightSpire, SuperBlack, and Helldown are all rising threat groups that have more recently begun their ransomware campaigns.

These factors have led to a large variety of tool usage being observed in ransomware operations across the landscape. The reliance on tools from sites like GitHub and other free software sites, however, remains a constant theme among all of these ransomware operations.

List of sources used for the May 2025 major update to the RTM:

Group Name              Report Publish Date   URL
Qilin                   25 April 2025         redpiranha.net
                        10 March 2025         picussecurity.com
IMN Crew                24 April 2025         s-rminform.com
CrazyHunter             16 April 2025         trendmicro.com
RansomEXX               8 April 2025          microsoft.com
BlackSuit               31 March 2025         thedfirreport.com
QWCrypt                 26 March 2025         bitdefender.com
RansomHub               26 March 2025         welivesecurity.com
                        20 March 2025         security.com
Medusa                  26 March 2025         welivesecurity.com
                        6 March 2025          security.com
BianLian                26 March 2025         welivesecurity.com
PLAY                    26 March 2025         welivesecurity.com
NightSpire              25 March 2025         s-rminform.com
Hunters International   19 March 2025         esentire.com
SuperBlack              13 March 2025         forescout.com
LockBit                 24 February 2025      thedfirreport.com
NailaoLocker            20 February 2025      orangecyberdefense.com
                        18 February 2025      trendmicro.com
RA World                13 February 2025      security.com
                        22 July 2024          unit42.paloaltonetworks.com
Helldown                7 November 2024       truesec.com

Tools Used by Multiple Groups

  • EDRSandBlast and WKTools are relatively new tools that are being used by multiple groups to deactivate and overcome EDR tools that many victims will have on their networks to prevent ransomware attacks.
  • Typical ransomware tools, such as PsExec, Mimikatz, and Rclone, remain effective and are still used by multiple ransomware gangs; expect that to continue for the foreseeable future.

Tool                    Type                      Groups Using It
WinSCP                  Exfiltration              NightSpire, Hunters International
Mimikatz                Credential Theft          RansomHub, Qilin, Helldown
Impacket                Offensive Security Tool   RansomHub, RA World, NailaoLocker
Rclone                  Exfiltration              RansomHub, Hunters International, Medusa
NetScan                 Discovery                 RansomHub, Medusa
WKTools                 Discovery                 RansomHub, BianLian, PLAY
Advanced IP Scanner     Discovery                 Hunters International, BianLian
Advanced Port Scanner   Discovery                 Hunters International, Helldown
AnyDesk                 RMM Tool                  Medusa, BianLian
EDRSandBlast            Defense Evasion           Medusa, Qilin

New Tools Added to the RTM

  • The most notable new tools added to the RTM include several defense evasion tools for deactivating EDRs, discovery tools for locating sensitive files, and tunnelling tools to conceal adversary network connections.

Tool                           Type                      Group Usage
Bublup                         Exfiltration              BlackSuit
WKTools                        Discovery                 BianLian, PLAY
AmmyyAdmin                     RMM Tool                  BianLian
CQHashDump                     Credential Theft          NailaoLocker
Throttle Stop Driver           Defense Evasion           Medusa
KillAV                         Defense Evasion           Medusa
BadRentdrv2                    Defense Evasion           RansomHub
Toshiba Power Driver (BYOVD)   Defense Evasion           Qilin
ZammoCide                      Defense Evasion           CrazyHunter
FRP                            Networking                Medusa
Stowaway                       Networking                RansomHub
Navicat                        Discovery                 Medusa
Everything.exe                 Discovery                 NightSpire
RoboCopy                       Discovery                 Medusa
NPS                            Networking                RA World
SharpGPOAbuse                  Offensive Security Tool   CrazyHunter
Attrib                         LOLBAS                    BlackSuit
Curl                           LOLBAS                    QWCrypt (RedCurl)
PCA Utility (pcalua)           LOLBAS                    QWCrypt (RedCurl)

Exploits used by Ransomware Gangs added to the RVM

  • As is now usual, multiple ransomware groups have been targeting Fortinet networking devices for initial access into victim environments.
  • Multiple ransomware groups continue to exploit the Windows Common Log File System (CLFS) for local privilege escalation to run hacking tools and steal credentials.
  • Other exploits involve targeting edge devices, such as Check Point VPNs or PAN Firewalls, or exposed servers, such as Atlassian Confluence Data Center Servers.
  • The targeting of Veeam backup software should come as no surprise as preventing backups or stealing sensitive files, such as Active Directory backups, are key objectives of ransomware gangs to complete their mission.

Ransomware Group        Exploited CVEs
NightSpire              CVE-2024-55591 (FortiOS)
RansomHub               CVE-2022-24521 (Windows CLFS), CVE-2023-27532 (Veeam)
LockBit                 CVE-2023-22527 (Confluence)
Hunters International   CVE-2024-55591 (FortiProxy)
SuperBlack              CVE-2024-55591 (FortiProxy)
RA World                CVE-2024-0012 (PAN-OS)
NailaoLocker            CVE-2024-24919 (Check Point VPN)
RansomEXX               CVE-2025-29824 (Windows CLFS)

Conclusion

My recommendation for defenders who continue the fight against ransomware is to take some of the findings from this report and begin threat hunting, writing detection rules, and blocking those of these tools that have no legitimate use in the environments you are protecting.
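As a starting point for the threat hunting and detection work recommended above, here is an added Python example; it is not part of the Ransomware Tool Matrix project. It carries a small excerpt of the “Tools Used by Multiple Groups” table, matches process-execution events on the PE OriginalFileName as well as the on-disk name (so a renamed binary is still caught), treats an assumed allow-list of tools as legitimate in the environment, and ranks which groups’ known toolsets the hits overlap with. The log lines, host names and allow-list are constructed.

```python
"""Hunt for known ransomware tooling in process-execution telemetry.

Added illustration for the threat-hunting recommendation; not part of the
Ransomware Tool Matrix project. The tool mapping is an excerpt of the post's
table; the event lines and the allow-list are constructed."""
import re
from collections import Counter

# Excerpt of the 'Tools Used by Multiple Groups' table: tool -> (type, groups)
RTM = {
    "mimikatz":     ("Credential Theft", {"RansomHub", "Qilin", "Helldown"}),
    "rclone":       ("Exfiltration",     {"RansomHub", "Hunters International", "Medusa"}),
    "netscan":      ("Discovery",        {"RansomHub", "Medusa"}),
    "anydesk":      ("RMM Tool",         {"Medusa", "BianLian"}),
    "edrsandblast": ("Defense Evasion",  {"Medusa", "Qilin"}),
    "winscp":       ("Exfiltration",     {"NightSpire", "Hunters International"}),
}

# Tools with a legitimate use in this (assumed) estate: still reported, not scored.
ALLOWED = {"anydesk", "winscp"}

# Constructed Sysmon-style process-creation events: timestamp|host|image|OriginalFileName=...
SAMPLE_LOG = r"""
2025-05-01T10:02:11|ws-0042|C:\Users\a\Downloads\m1m1katz.exe|OriginalFileName=mimikatz.exe
2025-05-01T10:05:40|ws-0042|C:\ProgramData\rclone.exe|OriginalFileName=rclone.exe
2025-05-01T10:07:02|srv-file01|C:\Program Files\WinSCP\WinSCP.exe|OriginalFileName=winscp.exe
2025-05-01T10:09:15|ws-0042|C:\Windows\Temp\svc.exe|OriginalFileName=EDRSandBlast.exe
2025-05-01T11:00:00|ws-0100|C:\Windows\System32\notepad.exe|OriginalFileName=NOTEPAD.EXE
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<image>[^|]+)\|OriginalFileName=(?P<orig>.*)$")


def tool_name(image, orig):
    """Match on OriginalFileName (PE version info) first; the on-disk name is easily changed."""
    for candidate in (orig, image.rsplit("\\", 1)[-1]):
        stem = candidate.lower().rsplit(".", 1)[0]
        if stem in RTM:
            return stem
    return None


def hunt(log_text):
    """Return one hit per event whose binary is a known ransomware tool."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tool = tool_name(m["image"], m["orig"])
        if tool is None:
            continue
        ttype, groups = RTM[tool]
        on_disk = m["image"].rsplit("\\", 1)[-1].lower()
        hits.append({
            "ts": m["ts"], "host": m["host"], "tool": tool, "type": ttype,
            "renamed": on_disk != tool + ".exe",     # binary masquerading under another name
            "allowed": tool in ALLOWED,
            "groups": sorted(groups),
        })
    return hits


def rank_groups(hits):
    """Score groups by how many distinct non-allow-listed tools from their known set appeared."""
    score = Counter()
    for tool in {h["tool"] for h in hits if not h["allowed"]}:
        for g in RTM[tool][1]:
            score[g] += 1
    return score.most_common()


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        flag = "RENAMED " if h["renamed"] else ""
        print(f'{h["ts"]} {h["host"]:<12} {flag}{h["tool"]} [{h["type"]}] -> {", ".join(h["groups"])}')
    print("group overlap:", rank_groups(found))
```

The ranking is only a prioritisation hint, never attribution: the overlap between groups’ toolsets (several of them use Mimikatz and Rclone) is precisely why the tables above list more than one group per tool. The renamed flag is the more useful output in practice, since a legitimate admin rarely ships Mimikatz under a different file name.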

Here are a few sites to help you get started with:


Tracking Adversaries: EvilCorp, the RansomHub affiliate

2 April 2025, 12:52

Introduction

This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups.

The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent ransomware as a service (RaaS) operation run by Russian-speaking cybercriminals.

These two threat groups have been linked together through cooperation on intrusions and through IOCs and TTPs shared by multiple CTI sources. The implication of this link is critical, because RansomHub is the most active ransomware gang and is working with a well-known sanctioned affiliate.

Who is RansomHub?

Active since February 2024, RansomHub is a RaaS operation formerly known as Cyclops and Knight and is run by Russian-speaking adversaries. It is used by more and more cybercriminals who are ex-affiliates of other RaaS operations, including the ALPHV/BlackCat RaaS and the LockBit RaaS, which have since shut down or disappeared. This has made the RansomHub RaaS one of the most widespread ransomware families as of early 2025.

Due to having a high number of affiliates, the tools and TTPs observed before the final RansomHub payload is deployed can vary significantly. Each affiliate may have their own set of tools and TTPs to achieve the final objectives of data exfiltration and ransomware deployment.

Who is EvilCorp?

EvilCorp is an international cybercrime network led by Maksim Yakubets and sanctioned for orchestrating large-scale financial cyberattacks. EvilCorp’s operations have evolved over time, expanding from Dridex banking trojan campaigns into developing ransomware like BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker.

Notably, Aleksandr Ryzhenkov was identified by the National Crime Agency (NCA) as a high-ranking member of EvilCorp and also a LockBit affiliate. Ryzhenkov became a LockBit affiliate around 2022, contributing to over 60 LockBit ransomware builds and attempting to extort more than $100 million from victims. This discovery aligns with Mandiant’s previous reporting on EvilCorp shifting to LockBit as well.

The NCA also found that EvilCorp maintains close ties with Russian intelligence agencies through Yakubets' father-in-law, Eduard Bendersky, a former FSB officer, who is suspected of using his influence to shield the group from prosecution in Russia.

One of the TTPs that makes EvilCorp stand out from the rest of the RaaS affiliates is its own affiliation with the SocGholish JavaScript malware (aka FAKEUPDATES). If ransomware deployment takes place following a SocGholish infection, then the attackers responsible for the attack will be affiliated with EvilCorp.

Reported Connections Between EvilCorp and RansomHub

On 15 July 2024, Microsoft shared a post on X stating that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest (which is Microsoft’s name for EvilCorp) following initial access via SocGholish (aka FakeUpdates) infections (which Microsoft tracks as Mustard Tempest).


On 15 January 2025, Guidepoint wrote a blog on a new Python backdoor used by an affiliate of RansomHub. Notably, the new Python backdoor was delivered by SocGholish. Therefore, this Python backdoor is another potential artifact worth monitoring for its connection to known EvilCorp-related malware.

The next day, on 16 January 2025, Google shared a report on EvilCorp (which Google tracks as UNC2165) that disclosed numerous tools and malware families they have been using to deliver RansomHub, including a Python backdoor dubbed VIPERTUNNEL (see the image below). The presence of a Python backdoor following a SocGholish infection is a notable TTP that overlaps with the Guidepoint blog on RansomHub.

On 14 March 2025, Trend Micro disclosed further details that also confirmed the SocGholish malware is leading to the deployment of RansomHub ransomware. The operators of SocGholish are tracked as Water Scylla by Trend Micro. The operators distribute SocGholish via the Keitaro Traffic Direction System (TDS), a legitimate service used for marketing campaigns. Trend Micro also observed SocGholish dropping the same custom Python backdoor (aka VIPERTUNNEL) as well.

So What?

EvilCorp has been under US sanctions since 2019, making it illegal for affected organisations to pay ransoms to them without facing potential fines from the US Treasury’s Office of Foreign Assets Control (OFAC). Despite these sanctions, EvilCorp has continued its cybercriminal activities by adapting its tactics to include rebranding their ransomware and becoming an affiliate of RaaS operations, such as LockBit and RansomHub. 

The key indicator of EvilCorp's involvement in ransomware attacks continues to be the use of the SocGholish malware, which employs drive-by downloads masquerading as web browser software updates to gain initial access to systems.

EvilCorp’s affiliation with RansomHub raises the possibility that RansomHub may soon face sanctions similar to those imposed on EvilCorp. Consequently, paying a ransom to RansomHub could become significantly riskier for victims, cyber insurance organisations, incident responders, and ransomware negotiators, as they may inadvertently violate sanctions and face legal repercussions.

Given EvilCorp's prominence as a target for international law enforcement, its association with RansomHub is likely to draw increased scrutiny. This could result in RansomHub becoming the focus of future law enforcement actions, including potential takedowns and additional sanctions, further complicating the landscape for entities involved in ransomware response and mitigation.

There is also an increased likelihood that RansomHub will now rebrand. As we saw in the BlackBasta Leaks, ransomware groups pay close attention to the news, CTI reports, posts on X, and even blogs by researchers. This association with EvilCorp and the threat of sanctions is an issue for ransomware groups because it impacts their business model and makes earning harder. Therefore, by linking the two entities together, CTI analysts can impose cost on these cybercriminals.

References:

  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
  2. https://www.bankinfosecurity.com/blogs/ransomhub-hits-powered-by-ex-affiliates-lockbit-blackcat-p-3703
  3. https://www.ransomware.live/group/ransomhub#ttps
  4. https://home.treasury.gov/news/press-releases/sm845
  5. https://web.archive.org/web/20200213115628/https:/www.nationalcrimeagency.gov.uk/news/international-law-enforcement-operation-exposes-the-world-s-most-harmful-cyber-crime-group
  6. https://www.crowdstrike.com/en-us/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
  7. https://web.archive.org/web/20241004104429/https:/www.nationalcrimeagency.gov.uk/news/further-evil-corp-cyber-criminals-exposed-one-unmasked-as-lockbit-affiliate
  8. https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0206-DEV-0243
  9. https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates
  10. https://x.com/msftsecintel/status/1812932754947911780
  11. https://www.microsoft.com/en-gb/security/security-insider/manatee-tempest
  12. https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
  13. https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf
  14. https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
  15. https://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html



BlackBasta Leaks: Lessons from the Ascension Health attack

27 February 2025, 19:43


The BlackBasta ransomware group’s leaked chat logs have already proven to be another unique and fascinating opportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime enterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to be a treasure trove of intelligence on that cybercrime enterprise. The BlackBasta gang consists of former Conti ransomware members, so it should come as no surprise that their operations are similar in nature and structure.

Ransomware researchers have several valuable resources to conduct investigations with nowadays. This includes ransomware.live, which hosts several resources including ransomch.at, a collection of negotiation chats between ransomware gangs and their victims, as well as the ransomware tool matrix and the ransomware vulnerability matrix. These resources allow researchers to deeply understand the capabilities and motivations of ransomware gangs. However, leaked chat logs are the final missing piece of the puzzle and offer a deeper understanding of the cybercriminals’ very own perspective and organisational structure.

Active since April 2022, BlackBasta is one of the top-tier ransomware gangs and one of the largest cybercrime enterprises in the world. According to the US Cybersecurity and Infrastructure Security Agency (CISA), BlackBasta had impacted up to 500 different businesses and critical infrastructure organisations in North America, Europe, and Australia as of May 2024.

The importance of the Ascension Health incident

This blog shall dive deep into the Ascension Health attack by BlackBasta. It is a step-by-step extraction of the conversation between the BlackBasta members while they decide how to handle the attack.

The new insights into how BlackBasta and other ransomware gangs perceive being involved with incidents at a healthcare sector victim should prove useful for incident responders, law enforcement, and governments that have to resolve these types of attacks on the healthcare sector on an alarmingly regular basis.

Background

On 9 May 2024, mainstream news organisations in the US reported about a cyberattack and significant disruption of services of Ascension Health, one of the largest healthcare providers in the country. On 11 May 2024, BleepingComputer reported that BlackBasta was to blame for the attack on Ascension Health and that ambulances had been disrupted and patients were being redirected to other hospitals.

How the Incident Began

The BlackBasta attack on Ascension Health began many months before the ransomware was deployed on their network. Reconnaissance of Ascension Health by members of BlackBasta began around 3 November 2023. They shared 14 email addresses of Ascension Health employees, which we can only assume were used for phishing or password guessing. Ransomware gangs often use ZoomInfo to profile their targets to determine whether it is worth attacking them and trying to extract a ransom.


The ransomware gang themselves wrote in their Matrix chat that CBS News had written about a cyberattack on Ascension Health on 9 May 2024 and exclaimed that “it looks like one of the largest attacks of the year.”


Another BlackBasta member “gg” confirmed in the chat that it was them and appeared to be surprised that the news was writing about it.

Later, “gg” appeared to feel bad about the attack and concerned that cancer patients were suffering. However, at this stage it is hard to tell if they are serious or being sarcastic.


One member of BlackBasta who used the moniker “tinker” then stated that he wanted to be the negotiator for the BlackBasta team and began to strategize how to extract a ransom payment.


“gg” says they encrypted Ascension Health’s network using the Windows Safe Mode boot technique, a technique BlackBasta is well known for using.
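The Safe Mode boot technique mentioned above is visible to defenders before encryption starts, because the boot configuration has to be changed first. The following is an added example (not code from the original post or from the BlackBasta chat logs) showing detection logic run over constructed Windows process-creation events: it flags `bcdedit` and `bootcfg` command lines that set or clear the `safeboot` value, and a forced reboot that follows such a change on the same host. The log lines, hostnames and usernames are constructed for the example.

```python
"""Detect Safe Mode boot tampering in Windows process-creation events.

Added example (not from the original post). Flags bcdedit / bootcfg
command lines that set or clear the 'safeboot' value, the step behind
the Safe Mode encryption technique attributed to BlackBasta above.
All log lines below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# flattened to "timestamp|host|user|parent image|command line").
SAMPLE_EVENTS = """\
2024-05-08T01:12:03Z|SRV-FILE01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} safeboot network
2024-05-08T01:12:05Z|SRV-FILE01|CORP\\svc_backup|cmd.exe|shutdown /r /f /t 0
2024-05-08T09:30:11Z|WS-0412|CORP\\jdoe|explorer.exe|bcdedit /enum
2024-05-08T02:40:44Z|SRV-DB02|CORP\\svc_backup|powershell.exe|bcdedit.exe /set {current} safeboot minimal
2024-05-08T02:41:10Z|SRV-DB02|CORP\\svc_backup|powershell.exe|bcdedit /deletevalue {current} safeboot
2024-05-08T08:05:00Z|WS-0099|CORP\\helpdesk|cmd.exe|bootcfg /raw /a /safeboot:network /id 1
"""

# bcdedit /set <id> safeboot network|minimal|dsrepair  -> boot into Safe Mode
SAFEBOOT_SET = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*\s/set\b.*\bsafeboot\b\s+(network|minimal|dsrepair)",
    re.IGNORECASE,
)
# bcdedit /deletevalue <id> safeboot -> clear Safe Mode (often done after encryption)
SAFEBOOT_CLEAR = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*\s/deletevalue\b.*\bsafeboot\b", re.IGNORECASE
)
# legacy bootcfg.exe equivalent on older systems
BOOTCFG_SAFEBOOT = re.compile(r"\bbootcfg(?:\.exe)?\b.*/safeboot", re.IGNORECASE)
# a reboot shortly after the safeboot change is what actually triggers the technique
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    timestamp: str
    rule: str
    command: str


def parse_events(text):
    """Split the flattened log format into dicts; one dict per event."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd})
    return events


def detect_safeboot_tampering(text):
    """Return Findings in (host, timestamp) order.

    A reboot is only reported when the same host already had a
    safeboot_set finding earlier in the sequence.
    """
    findings = []
    events = sorted(parse_events(text), key=lambda e: (e["host"], e["ts"]))
    hosts_with_safeboot_set = set()
    for e in events:
        cmd = e["cmd"]
        if SAFEBOOT_SET.search(cmd) or BOOTCFG_SAFEBOOT.search(cmd):
            findings.append(Finding(e["host"], e["user"], e["ts"], "safeboot_set", cmd))
            hosts_with_safeboot_set.add(e["host"])
        elif SAFEBOOT_CLEAR.search(cmd):
            findings.append(Finding(e["host"], e["user"], e["ts"], "safeboot_cleared", cmd))
        elif FORCED_REBOOT.search(cmd) and e["host"] in hosts_with_safeboot_set:
            findings.append(Finding(e["host"], e["user"], e["ts"], "reboot_after_safeboot_set", cmd))
    return findings


if __name__ == "__main__":
    for f in detect_safeboot_tampering(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.command}")
```

The plain `bcdedit /enum` on the workstation is intentionally not flagged: enumerating the boot configuration is routine administration, whereas setting `safeboot` from a service account on a file server at 01:12 is the pattern worth paging on. A real deployment would also correlate with the EDR's own service state, since the point of booting into Safe Mode is that the security tools listed in the chat (Cylance, Tanium, McAfee) are not running there.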


The negotiator, “tinker”, begins to weigh up their options. He states that he believes the FBI and CISA will be involved, as well as Mandiant, and begins to compare the incident to the Change Healthcare attack by ALPHV/BlackCat (and later RansomHub), who received a 22 million USD ransom payment.


“gg” shares that all the stolen data was put on a server named “ftp8” and tagged as “ALBIR_DS”, and says to “tinker” that he should “look at the folder name, everything we downloaded from them is there.”

The operator, “gg”, also shared a summary of Ascension Health’s target environment. This includes the number of servers (over 12,000) and the security tools in use, such as Cylance, Tanium, and McAfee. Plus, “gg” said they downloaded over 1.4TB of data to “ftp8”, used BlackBasta ransomware version 4.0, and attacked them on 8 May 2024.


Interestingly, “gg” also appears to have recommended bluffing to the victim about the volume of stolen data: rather than admitting to more than 1.5TB, they would tell the victim that 3TB had been stolen.

Negotiation Strategizing

After having established the details of the incident, Tinker (the negotiator) began to wonder about the likelihood of getting a ransom payment as well as estimate how much Ascension Health is likely losing per day.


Tinker (negotiator) then explains to the rest of the BlackBasta members involved in the attack what course of action they should take to get the ransom from Ascension Health. Tinker says they would normally set a demand of 3% of the victim’s annual revenue and negotiate from there. They note that there are clear problems with the victim being a hospital and that this attack followed the Change Healthcare attack by ALPHV/BlackCat. They also noted that they are worried because they believe the US National Security Agency (NSA) attacked TrickBot’s servers four years ago and that the FBI took down Qakbot more recently. Tinker is also worried that one of Ascension Health’s patients will die and that they will be blamed and the incident labelled a terrorist attack.

Tinker also noted that when BlackSuit attacked Octapharma it was labelled by the news as “hostile actions by Russia”, and warned that Conti was already under sanctions and that, because they are tied to Conti, they may not get paid.

Tinker, ransomware negotiator for BlackBasta, ultimately recommended giving the decryptor for free to Ascension Health and resorting to data theft extortion. This is notable, as it is a similar situation to the Irish HSE ransomware attack by Conti, who also provided the decryptor for free.



Investigating Anonymous VPS services used by Ransomware Gangs

14 February 2025, 16:25

One of the challenges with investigating cybercrime is the infrastructure the adversaries leverage to conduct attacks. Cybercriminal infrastructure has evolved drastically over the last 25 years, which now involves hijacking web services, content distribution networks (CDNs), residential proxies, fast flux DNS, domain generation algorithms (DGAs), botnets of IoT devices, the Tor network, and all sorts of nested services.

This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service.

The year-on-year growing number of CobaltStrike C2 servers hosted on BitLaunch’s services could be an indicator of tacit collusion with cybercriminals through the facilitation of cheap and quick procurement of VPSs that end up being used to launch ransomware attacks on all sorts of victims, including hospitals, schools, governments, companies, and charities.

The concept of aiding and abetting criminal activity in law is essentially when an individual or an organisation intentionally assists, facilitates, or encourages a crime. In this case, it would be aiding and abetting the creation of cybercriminal infrastructure. If a hosting provider ignores clear red flags (e.g., cryptocurrency payments from known illicit sources or use of servers for illegal activities), they might still be held criminally liable under wilful blindness under certain laws.

In the past, authorities have taken down bulletproof hosting (BPH) providers that knowingly support cybercrime, such as CyberBunker and LolekHost. In February 2025, the UK government also sanctioned a Russia-based BPH known as ZSERVERS (aka XHOST) for facilitating LockBit attacks.

A podcast version of the blog is available here.

Update: This blog was updated with a statement from BitLaunch (see the end of this blog).

Who is BitLaunch aka BL Networks aka BLNWX?

Active since at least 2017, BitLaunch (also known as BL Networks or BLNWX) is a virtual private server (VPS) reseller whose autonomous system number (ASN) is AS399629. Up to 48 IPv4 networks belong to BitLaunch, which are used to “instantly launch a Linux or Windows VPS” where customers can “pay hourly with Bitcoin, Litecoin, and Ethereum, with no firm commitments.” BitLaunch also supports their customers via a command-line (CLI) tool and a Python library. BitLaunch also operates under another name: in their legal terms and conditions they go by Liber Systems and have their own separate website.

Why focus on BitLaunch?

BitLaunch is quite interesting as they present themselves as a UK-based company run by two local UK businessmen. Their “anonymous Bitcoin VPS” service is regularly abused for all sorts of cybercriminal activities. What triggered this research was the fact that their nickname “BLNWX” was regularly reappearing in cyber threat intelligence (CTI) vendor reports on ransomware and other cybercriminal campaigns. It is also worth highlighting that while BitLaunch own their own IP networks, they are also a VPS reseller working with DigitalOcean, Linode, and Vultr, as shown on their website below.


One website that reviews so-called “offshore services” (offshore[.]cat) has listed BitLaunch as being a “verified” offshore hoster that accepts cryptocurrency, only requires email request confirmation to open an account, and is described as allowing anyone to “create VPSs in seconds, using crypto” making them an attractive hoster for cybercriminals. Their service paired with their CLI tools and Python libraries makes it super easy to stand up C2 servers rapidly.

Command and Control (C2) infrastructure on BLNWX

Significant numbers of CobaltStrike C2s among other hacking tools and malware families have been discovered on BitLaunch. I would like to thank the owner of the C2IntelFeedsBot (@drb_ra) account on X/Twitter who assisted with this research by providing their feed of C2 servers discovered on BitLaunch.

The image below shows a sampling of the known C2 servers hosted with BitLaunch between 2021 and 2025. The most notable part of this diagram is the number of CobaltStrike C2 servers in particular. Cobalt Strike is a well-known C2 framework used by organised cybercriminal groups to launch ransomware attacks, and it is also favoured by state-sponsored threat groups.

Over the last few years, several dozen C2 servers have been identified by the C2IntelFeedsBot and each year, the number of C2s has continued to grow as more cybercriminals identify BitLaunch as a preferable service to support their ransomware campaigns.

The image below displays the totals calculated between “2021-06-26 12:33:41” and “2025-02-05 18:46:10.” It is not a complete picture by any means, but this independently verifiable data gives a decent idea of the rate at which BitLaunch is being used by cybercriminals, with each year since 2022 trending upwards.

One of the interesting things about CobaltStrike is that it is a commercial offensive security tool (OST). It is issued to legitimate customers through licenses, which have a unique watermark. While there have been several cracked versions of CobaltStrike over the years, it is possible to track certain groups through their usage of the same CobaltStrike versions.

The image below shows the distribution of the CobaltStrike watermarks gathered from BitLaunch. Notably, “0” is the most common. This is often the case when analysing CobaltStrike watermarks as this signifies it is the cracked version.

OSINT collection and analysis of the CobaltStrike watermarks revealed potential connections to several well-known cybercriminal groups using BitLaunch who have a history of conducting ransomware attacks:

  1. “426352781” – This watermark is used by ShadowSyndicate, a ransomware affiliate group tracked by Group-IB which is connected to multiple Ransomware-as-a-Service (RaaS) platforms. This watermark is also historically associated with CobaltStrike Beacons dropped by the Qakbot malware botnet.
  2. “206546002” – This watermark is also used by ShadowSyndicate as well as Blister Loader, PLAY ransomware, and FIN7-linked ransomware operators.
  3. “1580103824” – This watermark was linked to ShadowSyndicate as well, alongside the Cleo exploitation campaign attributed to CL0P ransomware. A threat group tracked by CERT-UA as UAC-0056 has also been observed using this watermark.
  4. “987654321” – This watermark has previously been associated with the IcedID malware botnet and the Dagon Locker ransomware gang.
  5. “1359593325” – This watermark has been used by CobaltStrike Beacons in campaigns attributed to the Russian Foreign Intelligence Service (SVR).
  6. “391144938” and “305419896” – These watermarks have been attributed to multiple Chinese cyber-espionage campaigns tracked by SentinelOne, Recorded Future, Zscaler, and Cisco Talos.

C2s on BLNWX attributed to Ransomware Gangs by CTI vendors

There are a number of CTI reports over the last couple of years that directly reference BitLaunch Networks (BLNWX) IP addresses as Indicators of Compromise (IOCs) as part of high-profile ransomware campaigns.

This includes attribution to the Yanluowang ransomware attack against Cisco, a C2 linked to the JavaScript more_eggs backdoor used by FIN6 (who is connected to ransomware campaigns), a dozen IPs attributed to Rhysida ransomware attacks, and a Rhysida and Interlock ransomware precursor campaign tracked as TAG-124, as well as the PaperCut exploitation campaign which involved both LockBit and CL0P.

The VirusTotal graph is available here.

Additional notable CTI alerts that called out BLNWX include a report on Latrodectus, a ransomware precursor campaign, by Proofpoint; Okta-themed phishing campaigns attributed to Scattered Spider, who has carried out ALPHV/BlackCat and RansomHub attacks, by Intel471; infrastructure used to enable the BlackBasta ransomware gang by QuadrantSec, as well as C2 servers of the IcedID malware botnet that has been used by ransomware gangs for initial access.

Assessment of BitLaunch

As of February 2025, BitLaunch's parent firm Liber Systems Limited is run by two UK-based directors according to UK Companies House. While they are profiting off this Anonymous VPS service they are not taking the appropriate steps to prevent their service from being used by ransomware and malware gangs. Organised cybercrime groups have evidently found and recognised this about BitLaunch and are leveraging the cheap, crypto-accepting service that doesn’t ask too many questions.

To be fair to BitLaunch, they appear to be responsive to takedowns and are noted on Offshore[.]cat as enforcing DMCA requests. The crux of the issue, though, is that the cybercriminals can use their service to rapidly spin up instances for C2 for a few hours and then throw them away again. This means there is often no need to submit a takedown, as the cybercriminals have already abandoned the C2 and can spin up another one. Therefore, the cybercriminals can continually leverage BitLaunch without interference.

As a security researcher, and not a police officer, I cannot comment on how cooperative BitLaunch have been with the police and it is probably not something BitLaunch would want to advertise to their customers anyway based on who some of their customers are.

For BitLaunch’s two directors, this works out nicely. They can take the cybercriminals’ money via cryptocurrency and also appear to be ethical and compliant by assisting with law enforcement takedown requests. Currently, they appear to be helping both the criminals and the police, and have been getting away with it for years.

On BitLaunch’s front page advertisement, the main focus they highlight is being able to pay hourly for the use of a VPS and that customers can pay in “anonymous cryptocurrency.” It is my opinion, and that of other cybersecurity researchers I have spoken to about this (including red teamers and penetration testers), that this service is perfect for C2 servers and almost nothing else legitimate.

The Broader Issue with Anonymous VPSs

In BitLaunch’s blogs, they say they believe the internet should be “open, free, and devoid of interference by any single government or authority”, adding that they accept cryptocurrency because “citizens of some countries do not have bank accounts and can use Bitcoin instead”, as the local banks control who their citizens can send money to. Their blogs also state that they believe internet users should be allowed to run their own virtual private networks (VPNs) for anti-surveillance and privacy reasons, and they provide lots of guides on how to configure private VPNs for this purpose. While this is a legitimate service that is useful for some people in specific situations, having it abused by ransomware gangs is a situation that needs to change.

This issue of selling anonymous VPSs is not specific to this one company. BitLaunch is obviously a small company and proactively combating cybercriminals from registering VPSs on their service is an expensive and multi-pronged challenge for any hoster, which includes preventing abuse while preserving the privacy of their customers.

Hosters such as BitLaunch could use services such as Shodan, Abuse.ch, GreyNoise, OTX Alienvault, and AbuseIPDB to check if their IP addresses are being abused. One interesting example of a hoster trying to tackle this issue is how PQ Hosting (aka Stark Industries Solutions) announced publicly on their blog that they have partnered with Team Cymru, a netflow security intelligence firm. Alternatively, hosters could use a blockchain analytics platform like Chainalysis, TRM Labs, or Arkham Intelligence, to trace cryptocurrency payments from known illicit wallet clusters.
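The per-year C2 totals and watermark distribution described above, and the suggestion that hosters check their own address space against public C2 feeds, both come down to the same analysis: take a feed of C2 entries, keep the ones that fall inside the hoster’s announced prefixes, and summarise them. The following is an added example written for this post; it is not code from BitLaunch, C2IntelFeeds or any of the CTI vendors named here. The ASN AS399629 and the watermark values and attribution notes are taken from the post; the prefixes (RFC 5737 documentation ranges), feed lines and the feed’s column layout are constructed for the example.

```python
"""Match a C2 feed against a hoster's own prefixes and summarise abuse.

Added example, not code from the original post, BitLaunch or
C2IntelFeeds. Prefixes and feed lines are constructed (RFC 5737
documentation ranges); the ASN and the watermark attribution notes
come from the post's OSINT list.
"""
import ipaddress
from collections import Counter

# Constructed: the prefixes a hoster announces (stand-ins for real /24s).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in
                ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
OUR_ASN = "AS399629"  # from the post; the prefixes above are NOT this ASN's

# Constructed feed lines: "first_seen,ip,port,family,asn,watermark"
# (watermark is only meaningful for Cobalt Strike entries).
SAMPLE_FEED = """\
2022-03-14 10:01:55,192.0.2.17,443,CobaltStrike,AS399629,0
2022-09-02 22:14:08,198.51.100.9,8443,CobaltStrike,AS399629,426352781
2023-01-20 04:33:12,203.0.113.77,80,Sliver,AS399629,
2023-06-11 13:05:40,192.0.2.200,443,CobaltStrike,AS399629,0
2023-11-30 18:46:10,198.51.100.45,443,CobaltStrike,AS399629,206546002
2024-02-05 08:10:22,203.0.113.12,50050,CobaltStrike,AS399629,0
2024-07-19 12:00:00,192.0.2.88,443,CobaltStrike,AS399629,1580103824
2024-08-01 09:09:09,10.20.30.40,443,CobaltStrike,AS64496,0
2025-01-15 16:20:31,203.0.113.250,443,CobaltStrike,AS399629,987654321
"""

# Watermark notes summarised from the post's OSINT list; 0 = cracked build.
WATERMARK_NOTES = {
    "0": "cracked build (no licence watermark)",
    "426352781": "ShadowSyndicate / Qakbot-dropped Beacons",
    "206546002": "ShadowSyndicate, Blister, PLAY, FIN7-linked",
    "1580103824": "ShadowSyndicate, CL0P Cleo campaign, UAC-0056",
    "987654321": "IcedID / Dagon Locker",
    "1359593325": "SVR-attributed campaigns",
    "391144938": "Chinese cyber-espionage campaigns",
    "305419896": "Chinese cyber-espionage campaigns",
}


def in_our_space(ip):
    """True when the address falls inside one of our announced prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def parse_feed(text):
    rows = []
    for line in text.strip().splitlines():
        first_seen, ip, port, family, asn, watermark = line.split(",")
        rows.append({"year": first_seen[:4], "ip": ip, "port": int(port),
                     "family": family, "asn": asn, "watermark": watermark})
    return rows


def our_c2_hits(text):
    """Feed rows inside our prefixes, matched on IP rather than the feed's ASN label."""
    return [r for r in parse_feed(text) if in_our_space(r["ip"])]


def hits_per_year(text):
    """The year-on-year count the post plots, computed from the feed."""
    return dict(sorted(Counter(r["year"] for r in our_c2_hits(text)).items()))


def abuse_rate(text, year):
    """Share of our total address space flagged as C2 in a given year."""
    total = sum(net.num_addresses for net in OUR_PREFIXES)
    return hits_per_year(text).get(year, 0) / total


def watermark_breakdown(text):
    """Cobalt Strike watermark -> count and attribution note for our hits."""
    out = {}
    for r in our_c2_hits(text):
        if r["family"] != "CobaltStrike":
            continue
        wm = r["watermark"]
        out.setdefault(wm, {"count": 0, "note": WATERMARK_NOTES.get(wm, "unknown")})
        out[wm]["count"] += 1
    return out


if __name__ == "__main__":
    print("hits per year:", hits_per_year(SAMPLE_FEED))
    print("2024 abuse rate:", f"{abuse_rate(SAMPLE_FEED, '2024'):.4%}")
    for wm, info in watermark_breakdown(SAMPLE_FEED).items():
        print(f"watermark {wm}: {info['count']} ({info['note']})")
```

Matching on IP rather than on the feed’s ASN column matters for a reseller: VPSs resold from DigitalOcean, Linode or Vultr sit in those providers’ prefixes, so a hoster checking only rows labelled with its own ASN would miss abuse of its resold capacity. The abuse-rate figure is the same kind of ratio BitLaunch quotes in its statement at the end of this post (C2 count divided by address space), which is why the denominator should be the full announced space rather than active servers if the two numbers are to be compared.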

There will, however, always be some threats that slip through the net. It is undoubtedly a difficult challenge for small hosters who do not have funds to spend on network observability tools or CTI platforms. Even some of the world’s largest hosters, such as Cloudflare, struggle with this and end up having their services abused for cybercrime operations.

The anonymous VPS problem could be compared to issues in other industries such as stolen funds being used to buy gift cards or game keys that are then resold for money laundering. Another platform often abused for a variety of scams and phishing campaigns is Gmail. Is Google being wilfully negligent to cybercrime happening on their platform? That’s a question I shall leave for readers to decide on their own.

Overall, this type of issue is analogous to a hotel offering rooms for the night and organized criminals renting them to commit various types of crimes inside them. Ultimately, the criminals are the ones breaking the law, not the hotel, but if the hotel is being constantly made aware of these activities by bystanders and law enforcement, it is their duty to shut that activity down, to the best of their abilities.

What the UK Could Do About It

In this scenario around BitLaunch, there are three potential ways the UK could help stop these small hosters being taken advantage of by cybercriminal operations.

Firstly, the cybersecurity and hosting industry could launch an initiative through institutions such as the British Computer Society (BCS) that would work to convince hosting providers that the hassle of being investigated by law enforcement agencies, sanctions, or the chance of being arrested is not worth the funds generated from selling C2 servers to cybercriminals.

Secondly, as BitLaunch (or Liber Systems) is registered here, the UK Government Department for Science, Innovation, and Technology (DSIT) could work with them and other small hosters to regulate the industry and provide support to these businesses to warn them of the dangers of offering unregulated VPS services and inform them how they contribute to the damage that ransomware attacks are having on the UK and elsewhere.

Third, providing free network observability services to hosters could also help them proactively shut down C2 servers before they are weaponised against victims. All UK hosters can sign up to the free UK government-provided service called MyNCSC, offered by the UK NCSC, which is part of GCHQ. Hosters will then get alerts when MyNCSC flags their IPs as hosting C2 servers (such as CobaltStrike).

As the UK government’s mandate is to “make the UK the safest place in the world to live and work online” then tackling the issue with these UK-based hosters supporting ransomware should also be one of those priorities.

Indicators of Compromise

Historic Malicious BLNWX IP addresses are available below:


Updated on 09.03.2025

Statement from BitLaunch following the publication of this blog:

"BitLaunch appreciates the conversation surrounding the misuse of VPS hosting services. It is an important topic, and there is always room for improvement and reflection. That said, we believe the article contains several key inaccuracies and misleading implications. We take the prevention of abuse on our platform very seriously, and we would like to offer the following context:

We reject the notion that BitLaunch may be in "tacit collusion with cybercriminals" due to the year-on-year growth of IPs associated with CobaltStrike C2 servers. In fact, the number of abusive IPs has not increased relative to BitLaunch's rapid infrastructure growth – it is just that more IP blocks are available overall.

At the time of writing, BitLaunch has 50 /24 prefixes announced over BGP, totalling 12,800 IP addresses. As a result, 82 C2s in 2024 represents just 0.6% of our IPs over the entire year. Across all first and third party hosts, abuse per month is around 1% of active servers.

We strongly disagree that BitLaunch is "not taking the appropriate steps to prevent their service from being used by ransomware and malware gangs". BitLaunch takes regular and concrete action against abuse, including no longer serving the Russian market. We employ a full-time, dedicated abuse team that already uses various tools to proactively and passively identify malicious servers. These tools include abuse.ch, urlscan, spamhaus, and more. Servers are suspended as soon as malicious activity is suspected, per our Acceptable Use policy.

The report implies that BitLaunch may be ignoring key red flags, such as accepting cryptocurrency from known illicit sources, and mentions that hosters can use blockchain analysis services to prevent this. BitLaunch already uses Elliptic for this purpose. We also disagree with the opinion that our service is "perfect for C2 servers and almost nothing else". As previously stated, abuse per month accounts for 1% of active servers despite BitLaunch accepting payments exclusively in cryptocurrency. There are numerous reasons to pay privately with cryptocurrency that do not involve illegal activity.

We believe the report fails to disclose a potential conflict of interest. The researcher works for Carrier Hotel Equinix, which serves some of our direct competitors. One such customer, PQ Hosting, is linked in the blog as a positive example of dealing with malicious activity.

Finally, we would like to thank BushidoToken for giving us a chance to issue this addendum. We welcome constructive critique on this topic and appreciate the opportunity to reflect on our abuse-prevention strategies and their communication."


Tracking Adversaries: Ghostwriter APT Infrastructure

19 January 2025, 17:06

Introduction to Infrastructure Pivoting

Pivoting on infrastructure is a handy skill for cyber threat intelligence (CTI) analysts to learn. It can help to reveal the bigger picture when it comes to malware, phishing, or network exploitation campaigns. Infrastructure pivoting essentially is the act of looking for more systems an adversary has created. The main benefit of this pursuit is the identification of additional targets or victims, more tools or malware samples, and ultimately new insights about the adversary’s capabilities.

If done correctly, being able to pivot on adversary infrastructure will be very useful during incident response (IR) engagements. For example, it may lead to being able to attribute the intrusion to a known adversary. This will help others during an IR engagement understand the level of threat posed to the victim organisation.

Receiving Threat Data

To be able to pivot on adversary infrastructure, threat data is needed such as the intelligence shared by threat reports put out by various researchers from public and private sector organisations. This scenario, however, involves relying on the analysis skills of other researchers to explain what the infrastructure is and when they observed it in use.

This blog will examine threat data provided by public sector organisations such as the Computer Emergency Response Team of Ukraine (CERT-UA) as well as cybersecurity vendors such as Deep Instinct, Cyble, and Fortinet. These organisations have shared indicators of compromise (IOCs) uncovered following analysis of adversary intrusion activities or upload to online malware sandboxes, such as VirusTotal, among others.

Introduction to the Ghostwriter Campaign

On 3 June 2024, Fortinet shared a report on malicious XLS macro documents leading to Cobalt Strike Beacons. Analysis of the XLS documents showed that they appeared to be targeting the Ukrainian military and were linked to a known Belarusian state-sponsored APT group tracked as Ghostwriter (aka UNC1151, UAC-0057, TA445). On 4 June 2024, Cyble also shared a report on a similar campaign.

In both reports, if the XLS was opened and the macros were executed by the target, a malicious DLL file was downloaded from an adversary-created domain. In Fortinet’s report, two similar “.shop” domains were mentioned. In Cyble’s report another “.shop” domain was also called out.

Overlapping IOCs

The first pivot on Ghostwriter APT infrastructure that will be demonstrated involves finding indicators of compromise (IOCs) such as domains and IP addresses that appear in multiple threat reports.

The fastest way to spot these overlaps is through continuous collection of reported IOCs into a Threat Intelligence Platform (TIP). Tagging each IOC with the source it came from reveals IOCs that appear in multiple threat reports. Eventually, one domain or IP address will be reported by multiple entities and the connection will make itself apparent.

In Figure 1 (see below) the domain “goudieelectric[.]shop” appeared in both Cyble’s blog and Fortinet’s blog. Analysis of all three domains found that they use the same generic top-level domain (gTLD), registrar, and name servers, and that all have a robots.txt file configured. These common infrastructure characteristics indicate that all three domains were created by the same adversary.

Figure 1. Three similar domains appearing in two threat reports.

Domain Registration & Hosting Overlaps

When more IOCs are reported in other threat reports it is possible to link them to other known domains; this is because adversaries reuse the same registrars, name servers, and gTLDs.

In Figure 2 (see below), Deep Instinct reported two more domains that could also be linked to the previous three domains through the mutual use of the PublicDomainRegistry registrar, Cloudflare name servers, and the robots.txt file.

Figure 2. Five similar domains that appear across three threat reports.

Further, CERT-UA reported three more domains (see Figure 3 below) that could be linked to the infrastructure cluster through this same method as well. This pattern of behaviour is a strong indicator that these domains were created by the same adversary.

Figure 3. Eight similar domains that appear across four threat reports.

Finding Unreported Domains

Since the domains from the above threat reports were collected and linked together through overlapping attributes, it is now possible to use these attributes to find more domains that had gone unreported.

Using a VirusTotal domain attribute query, additional domains can be found by using the following registration pattern:

  • Name Servers: CLOUDFLARE
  • Registrar: PublicDomainRegistry
  • TLD: *.shop

This revealed up to 24 domains matching this pattern that were likely created by Ghostwriter, a state-sponsored APT group.

Note: VirusTotal domain searches are only available to VirusTotal Enterprise users. Other providers, such as DomainTools, Validin, and Zetalytics, also allow you to search for domain registration patterns. There are also some free OSINT sites, such as nslookup.io and viewdns.info, that can be useful in certain scenarios.
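The three pivots above (IOCs shared across reports, clustering by shared registration attributes, and filtering a wider export against the resulting pattern) can be reproduced locally over a TIP export. The following is an added example, not tooling from the blog; the records are constructed, and only goudieelectric[.]shop is taken from the post (the "sample-*" domains are placeholders).

```python
from collections import defaultdict

# Constructed TIP export: one record per (domain, reporting source). The
# registrar / name-server / robots.txt values mirror the pattern in the post;
# only goudieelectric[.]shop is real, the "sample-*" names are placeholders.
GW = {"registrar": "PublicDomainRegistry", "ns": "CLOUDFLARE", "robots_txt": True}
REPORTS = [
    {"domain": "goudieelectric[.]shop", "source": "Fortinet", **GW},
    {"domain": "goudieelectric[.]shop", "source": "Cyble", **GW},
    {"domain": "sample-one[.]shop", "source": "Fortinet", **GW},
    {"domain": "sample-two[.]shop", "source": "Deep Instinct", **GW},
    {"domain": "sample-three[.]shop", "source": "CERT-UA", **GW},
    # A domain sharing none of the attributes, to show it is kept apart.
    {"domain": "sample-four[.]com", "source": "CERT-UA",
     "registrar": "OtherRegistrar", "ns": "ns1.example", "robots_txt": False},
]


def tld(domain: str) -> str:
    """Return the TLD of a defanged ("[.]") or plain domain name."""
    return domain.replace("[.]", ".").rsplit(".", 1)[-1]


def overlapping_iocs(reports):
    """Pivot 1: domains that appear in more than one source's report."""
    by_domain = defaultdict(set)
    for r in reports:
        by_domain[r["domain"]].add(r["source"])
    return {d: sorted(s) for d, s in by_domain.items() if len(s) > 1}


def cluster_by_registration(reports):
    """Pivot 2: group domains that share registrar, name server, TLD and the
    presence of robots.txt; each cluster also records which reports cover it."""
    clusters = defaultdict(lambda: {"domains": set(), "sources": set()})
    for r in reports:
        key = (r["registrar"], r["ns"], tld(r["domain"]), r["robots_txt"])
        clusters[key]["domains"].add(r["domain"])
        clusters[key]["sources"].add(r["source"])
    return {k: {"domains": sorted(v["domains"]), "sources": sorted(v["sources"])}
            for k, v in clusters.items()}


def matches_pattern(record, registrar, ns, tld_name):
    """Pivot 3: test one record of a wider domain export against the
    registration pattern (registrar, name servers, TLD) used in the post."""
    return (record["registrar"] == registrar and record["ns"] == ns
            and tld(record["domain"]) == tld_name)


if __name__ == "__main__":
    print("reported by multiple sources:", overlapping_iocs(REPORTS))
    for key, c in cluster_by_registration(REPORTS).items():
        print(key, len(c["domains"]), "domains across", len(c["sources"]), "reports")
```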

Finding Related Malware Samples

Using the list of similar domains that were uncovered through the registration pattern search, it is then possible to find additional malware samples communicating with them.

This can be achieved by looking up each domain in VirusTotal and checking the Relations tab, which lists communicating files, as shown in Figure 4 below.

Figure 4. Additional malware samples uncovered via the VirusTotal relations tab

Using a VirusTotal graph can help to reveal every communicating file with every domain discovered through the registration pattern search, as shown in Figure 5 below.

Figure 5. All communicating files with every additional domain identified.

URL to the VirusTotal Graph: https://www.virustotal.com/graph/embed/gd2c04407d9ba4b75b2ce73d6155d166d3ef75eaf29894ff5ac287c90400072bc?theme=dark

URL to the VirusTotal Collection: https://www.virustotal.com/gui/collection/2aa6b36a717be8bc49f7925434ca40f3ecb9f628414b491da3e985677508ca08/iocs

Lessons Learned

In conclusion, it is important for CTI analysts to inspect the attributes of the IOCs they come across more closely. It is not uncommon for state-sponsored APT groups to make such mistakes when creating the infrastructure they launch attacks from. By exploiting this fact, CTI analysts can learn much more about the adversary’s targets, capabilities, and the behaviours of the humans themselves behind such campaigns.

The importance of this type of work was demonstrated in December 2023 when the US Treasury sanctioned members of the Russian APT group known as Callisto (aka Star Blizzard, BlueCharlie, COLDRIVER, GOSSAMER BEAR). The real-world identity of Andrey Korinets was revealed after he was sanctioned for fraudulently creating and registering malicious domain infrastructure for Russian federal security service (FSB) spear phishing campaigns.


Analysis of Counter-Ransomware Activities in 2024

12 de Janeiro de 2025, 09:52

The scourge of ransomware continues primarily because of three main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.

  • RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that helps extract ransom payments from their victims.
  • Cryptocurrency enables cybercriminals to receive funds from victims around the world without the option to freeze or refund them due to the immutable nature of the virtual funds.
  • Safe havens are countries that permit cybercriminals to launch attacks without immediate fear of arrest, enabling them to earn vast fortunes through ransomware campaigns.

With these three challenges in mind, law enforcement and governments have a very difficult job to do when it comes to fighting ransomware but fight it they must. In this blog we shall recall what counter-ransomware activities took place in 2024, analyse their effectiveness, and assess how the landscape shall evolve as a result.

A podcast version of this blog is also available here.

Ransomware Operator Arrests and Sanctions

During 2024, there were significant disruption operations by law enforcement and financial authorities targeting individuals behind ransomware campaigns (see the Table below). The main focus of 2024 for Western law enforcement was squarely on the LockBit RaaS and its affiliates as it was the largest and highest earning ransomware operation to date.

Several key players of the ransomware ecosystem were arrested, including the main developer of LockBit ransomware. Interestingly, Russian law enforcement also decided to arrest ransomware threat actors located in Moscow and Kaliningrad.

Law Enforcement Activity
Month | Group(s) | Law Enforcement Activity
February 2024 | SugarLocker, REvil | Russian authorities identified and arrested three alleged members of a ransomware gang called SugarLocker in Moscow.
February 2024 | LockBit | The LockBit leak site was seized. Two LockBit affiliates were arrested in Poland and Ukraine. Up to 28 servers belonging to LockBit were taken down.
February 2024 | LockBit | Two Russian nationals, Ivan Kondratiev and Artur Sungatov, were sanctioned by the US Treasury for being affiliates of LockBit, among other RaaS.
May 2024 | LockBit | Dmitry Khoroshev, the administrator and developer of LockBit, was sanctioned by the US Treasury.
May 2024 | IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, TrickBot | European police took down malicious spam botnets that support ransomware campaigns. This resulted in 4 arrests (1 in Armenia and 3 in Ukraine), with over 100 servers and 2,000 domains seized. One of the main suspects earned €69 million by renting out infrastructure to deploy ransomware.
June 2024 | Conti, LockBit | A Ukrainian national was arrested for supporting Conti and LockBit ransomware attacks as a crypter developer.
August 2024 | Reveton, RansomCartel | Maksim Silnikau, a Belarusian national, was arrested in Spain for running Reveton and RansomCartel.
August 2024 | Karakurt, Conti | Deniss Zolotarjovs, a Latvian national, was arrested and extradited to the US from Georgia for running the Karakurt data extortion gang linked to Conti.
October 2024 | Evil Corp, LockBit | The UK, alongside the US and Australia, sanctioned 16 members of Evil Corp, including Aleksandr Ryzhenkov, Viktor Yakubets, and Eduard Benderskiy.
November 2024 | Phobos | Evgenii Ptitsyn, a Russian national, was arrested and extradited to the US from South Korea for running the Phobos ransomware gang.
December 2024 | LockBit | Rostislav Panev, a dual Russian and Israeli national, was arrested in Israel for developing LockBit ransomware.
December 2024 | LockBit, Babuk, Hive | Mikhail “Wazawaka” Matveev was arrested in Russia for violating domestic laws against the creation and use of malware. He was fined, had his cryptocurrency seized, and is awaiting trial.

The ransomware ecosystem has fragmented due to the law enforcement disruptions of the largest players, such as ALPHV/BlackCat and LockBit. In the case of ALPHV/BlackCat, the operators staged a law enforcement takedown as they put up a fake seizure notice as part of an exit scam in March 2024 after the attack on UnitedHealth.

Following these disruptions, some affiliates have migrated to less effective strains or launched their own strains. This includes Akira and RansomHub at the top of the list as well as Hunters International and PLAY.

Cryptocurrency Exchanges Disrupted

During 2024, law enforcement seized funds from and sanctioned a number of cryptocurrency exchanges and individuals running payment processors using cryptocurrency (see the Table below).

One of the most interesting disclosures this year came from the UK National Crime Agency (NCA) around Operation Destabilise. The NCA linked payments to ransomware gangs to money laundering networks used by Russian oligarchs to covertly purchase property, and by Russia Today, the state-run media organization, to covertly fund pro-Russia foreign entities.

Another notable investigation in 2024 was the US Treasury sanctioning more Russian cryptocurrency exchanges, such as PM2BTC and Cryptex, which led to Russian law enforcement arresting money launderers who facilitate the cashing out of ransom payments.

Law Enforcement Activity
Month | Exchange(s) | Law Enforcement Activity
August 2024 | Cryptonator | The US Justice Department indicted Russian national Roman Pikulev and Cryptonator, which processed a total of $1.4 billion in transactions, of which $8 million were ransom payments. Cryptonator also has ties to other sanctioned entities including Blender, Hydra Market, Bitzlato, and Garantex, among others.
September 2024 | PM2BTC, Cryptex, UAPS | FinCEN identified PM2BTC as being of “primary money laundering concern” in connection with Russian illicit finance. This was alongside Cryptex and Sergey Sergeevich Ivanov, a Russian national associated with UAPS and PinPays, as well as Genesis Market. Cryptex also facilitated more than $115 million of proceeds from ransomware payments.
September 2024 | 47 exchanges | In Operation Final Exchange, German federal police (BKA) shut down 47 cryptocurrency exchange services used by ransomware gangs that operated without requiring registration or identity verification.
October 2024 | Cryptex, UAPS | Russian authorities arrested nearly 100 suspected cybercriminals linked to the anonymous payment system UAPS and the cryptocurrency exchange Cryptex.
November 2024 | Smart, TGR Group | The NCA uncovered a Russian money-laundering network operated by two companies called Smart and TGR Group as part of Operation Destabilise, which involved UK-based cash-to-crypto networks that laundered Ryuk ransom payments as well as the money of Russian oligarchs and Russia Today.

Safe Havens Enabling Ransomware

While ransomware is a global problem, there are only a few countries that are to blame for this rapid expansion of the ransomware ecosystem. The state that is blamed the most for preventing many ransomware operators from facing justice is Russia. There are explicit rules posted to Russian-speaking cybercrime forums that state as long as members avoid targeting Russia and the Commonwealth of Independent States (CIS), they are free to operate.

The Russian ransomware safe haven theory was further proven following sanctions levied against Evil Corp by the UK, US, and Australia. One of the sanctioned men connected to Evil Corp was Eduard Benderskiy, a former Russian federal security service (FSB) official. Benderskiy is reportedly the father-in-law of Maksim Yakubets, the leader of Evil Corp, an organized cybercrime group responsible for multiple ransomware strains including BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker. In total, Evil Corp has reportedly extorted at least $300 million from victims globally, according to the UK NCA. It is now clear that Evil Corp has protection from a highly connected Russian FSB official who has also been involved in multiple overseas assassinations on behalf of the Kremlin, according to Bellingcat investigators.

While a number of ransomware operators were arrested in 2024 and some were extradited to the US, the work done by law enforcement specializing in cybercrime was put in the spotlight during the August 2024 prisoner swap. Multiple countries decided to release cybercriminals, spies and an assassin as part of a historic prisoner exchange with Russia at an airport in Ankara, Turkey. The US negotiated the release of 16 people from Russia, including five Germans as well as seven Russian citizens who were political prisoners in their own country.

Notably, from a cybercrime intelligence perspective, the Russian nationals released from the West included the infamous cybercriminals Roman Seleznev and Vladislav Klyushin. The latter, Klyushin, was sentenced in 2023 to nine years in US prison after he was caught in a $93 million stock market cheating scheme that involved hacking into US companies for insider knowledge. The other cybercriminal, Seleznev, was sentenced to 27 years in prison in 2017 for stealing and selling millions of credit card numbers from 500 businesses using point-of-sale (POS) malware and causing more than $169 million in damage to small businesses and financial institutions, including those in the US.

In 2024, we saw several more Russian nationals get extradited to the US after being arrested by law enforcement in the country they were residing in. This includes the Phobos operator living in South Korea and the LockBit developer living in Israel. This follows others arrested in previous years such as a TrickBot developer arrested in South Korea as well as the two LockBit affiliates extradited to the US. There is a potential that these Russian nationals involved in ransomware could be used in prisoner exchanges in the future.

Further, another curious trend in 2024 was that some Russians inside Russia, which is firmly considered a safe haven for ransomware gangs, did get arrested. This includes the SugarLocker operators arrested in Moscow and the LockBit affiliate Wazawaka, who was arrested in Kaliningrad. This is alongside the money launderers arrested around Russia linked to the Cryptex exchange.

The arrests of Russian nationals in Russia for ransomware activities appear to be more symbolic than a true crackdown on this type of activity. This is because there are several dozen Russian-speaking ransomware gangs that continue to operate, as well as a plethora of other types of cybercrime in the Russian-speaking underground.

Outlook

In 2024, there was lots of significant action by law enforcement to shake up the ransomware economy. One of the main successes of the notable Operation Cronos action taken against LockBit was the sowing of distrust and disharmony in the ransomware ecosystem. Despite the admins of LockBit trying to recover, their reputation and army of affiliates have been smashed.

Many of the Russian law enforcement activities could be related to the costs of the Russian invasion of Ukraine. Russian authorities seizing funds of the illicit cryptocurrency exchanges could be a way to pay for the war in Ukraine, and they could be recruiting arrested cybercriminals for offensive cyber operations related to the war. The true motivations of Russian law enforcement for arresting these specific ransomware operators while allowing others to operate are unclear. The cybercriminals could also simply have not paid their protection money, or lack the connections in the FSB that Evil Corp has.

Due to the fall of LockBit and ALPHV/BlackCat in 2024, there has been a rise of other ransomware groups like RansomHub and Akira to fill the vacuum. However, the rate of attacks by these emerging groups is still noticeably lower than when LockBit was operating at full force. This should be perceived as a success for law enforcement operations in 2024 due to the overall number of ransomware attacks lowering, which we should all be thankful for.
