Russian Ransomware Hackers in Awe of Scattered Spider's Daring Exploits

Young hackers in the U.S., U.K., and Canada, all part of a loose-knit group called Scattered Spider, are working with a notorious Russian ransomware gang to attack Western companies.

15 Apr 2024, 03:05 AM

In the shadowy corners of the dark web, young hackers from the U.S., U.K., and Canada met and teamed up with Russian ransomware hackers, becoming powerful partners in crime.

In the last year, ransomware hackers have targeted hospitals, pharmaceuticals, tech companies, and even Las Vegas' biggest hotels and casinos. Bryan Vorndran, the FBI's top cyber official, called ransomware an "enormous problem," and says no sector, company, or type of organization is off limits to hackers. There are estimates that global losses from ransom payments exceed $1 billion a year.

"Any way you look at the numbers, it's a problem for the global economy, and for the U.S. economy, and for the security of the United States," Vorndran said.

Scattered Spider hackers

A loose-knit group of predominantly native English-speaking hackers, called Scattered Spider by the FBI, is behind some of the recent ransomware attacks, Vorndran said. The group is also known as Star Fraud, UNC3944, and Octo Tempest. Scattered Spider hackers are considered experts in social engineering.

"Part of their success stems from their deep understanding of Western culture. They possess a keen awareness of our societal norms," stated Allison Nixon, the chief research officer at the cybersecurity firm Unit 221B. "They know exactly what to say to manipulate individuals into taking certain actions."

Scattered Spider represents just one faction among numerous illicit hacking collectives within a vast network of online criminals known as "the Community" or simply "the Com," as described by Nixon. She characterizes it as an emerging yet remarkably disruptive online subculture. Members of the Com have breached the security of companies such as Microsoft, Nvidia, and Electronic Arts, among others.

Their numbers have surged since 2018, growing from a mere few hundred to thousands, according to Nixon.

"They congregate online in social spaces where they interact, such as gaming servers," Nixon explained. "It's somewhat akin to the concept of a back alley where delinquent youth gather, but in a digital realm."

The majority of participants are males under 25 years old, although Nixon noted that teenagers as young as 13 have also been implicated in significant cybercrimes.

These individuals communicate through messaging platforms like Telegram, engaging in conversations rife with racism and sexism. They frequently brag about their ill-gotten gains and project an aura of intimidation.

"In certain corners of the internet, young individuals are engaging with criminals and gang members, creating a toxic environment," mentioned Nixon. "This has led to the development of an online subculture that romanticizes criminal activities and measures one's value based on the harm they can inflict on society."

Collaboration Among Hackers

Scattered Spider emerges as a sophisticated faction of the Com group. Their illicit actions have attracted the notice of cybersecurity firms and garnered admiration from fellow criminal hackers. One such group is the infamous Russian ransomware gang, BlackCat, also known as ALPHV, who recognized the potential of the young, English-speaking Westerners as a valuable asset for their ransomware operations.

"Traditionally, Russian cyber criminals were not inclined to collaborate with Western counterparts," Nixon explained. "There were language barriers and a perception of unprofessionalism associated with the Western hackers."

Scattered Spider leverages its language proficiency and social engineering tactics to infiltrate organizations. BlackCat contributes its expertise, infrastructure, and malware, which has been utilized in some of the most impactful ransomware attacks in recent times.

Ransomware and Cybercriminal Groups

Cybersecurity researchers believe that BlackCat is made up of former members of the Russian cybercriminal hacking group DarkSide/BlackMatter, which was responsible for the 2021 attack on Colonial Pipeline that caused gas shortages up and down the East Coast. And according to an FBI advisory, "Many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/BlackMatter, indicating they have extensive networks and experience with ransomware operations."

"It's called rebranding," said Jon DiMaggio, who is chief security strategist for cybersecurity company Analyst1. DiMaggio investigates ransomware and the relationships between different cybercriminal groups. 

"With the ransomware as a service model, you have that core gang that's the service provider that is providing all these resources and attack services to make their job easy. And then you have the hackers who are the contractors that work for them," said DiMaggio.

Long-established Russian gangs, like BlackCat, offer their services — including the latest malware and experience negotiating ransoms and laundering money — to affiliate hacking groups, like Scattered Spider. If a victim pays a ransom, the funds are split.  

Ransomware attacks bring companies to their knees

Scattered Spider and BlackCat both claimed credit for the September 2023 ransomware attack on MGM Resorts, which cost the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned hotels and casinos on the Las Vegas Strip, including MGM Grand, Aria, Mandalay Bay, New York-New York and the Bellagio.

Anthony Curtis, a well-known figure in the Las Vegas community for publishing the "Las Vegas Advisor," found himself in an MGM property during a recent ransomware attack. The incident left casino-goers bewildered as thousands of slot machines suddenly ceased to function properly.

"So all of a sudden now people are going 'How do I get my money? What's wrong?' And the people were sitting there waiting and couldn't get paid," Curtis recounted.

The cyberattack caused a cascade of issues: elevators malfunctioned, parking gates froze, and digital door keys became useless. With the computers down, reservations became inaccessible, and long queues formed at the front desks.

"Anything that required technology was not working," Curtis emphasized.

MGM Resorts declined requests for interviews following the attack. However, at a conference held a month later, CEO and President Bill Hornbuckle openly acknowledged the severe disruptions caused by the cyber incident.

"For the next four or five days with 36,000 hotel rooms and some regional properties, we were completely in the dark," Hornbuckle admitted during the conference.

The hackers demanded a $30 million ransom to restore MGM's data. Despite the company's refusal to pay, it suffered significant losses: an estimated $100 million in revenue and millions more spent on rebuilding its servers.

Hackers Breach MGM's Network Using Social Engineering Tactics

In a sophisticated cyber attack, hackers managed to infiltrate MGM's network by employing social engineering techniques. The culprits targeted an employee, gathering information from various sources including the dark web and platforms like LinkedIn. Subsequently, a skilled hacker impersonated the employee and contacted the MGM tech help desk, persuading them to reset the employee's password. With this access, the hacker successfully breached MGM's computers and deployed destructive malware.

Analysts likened the incident to a cyber version of the movie "Ocean's Eleven," highlighting the hackers' cunning tactics.

"These hackers executed a well-planned operation," stated a cybersecurity expert. "Despite the robust systems and security measures in place at casinos, these individuals managed to outsmart them."

MGM Network Breach

Following the breach, MGM's major competitor, Caesars, expressed concerns about the escalating ransomware attacks in the industry.

"From an FBI standpoint, we advise against paying ransoms," a representative from the agency stated. "However, we acknowledge the difficult decisions companies face during such crises."

The FBI refrained from disclosing details about potential arrests related to the Las Vegas cyber attacks.

Concerns for the Future

Experts warn that ransomware attacks are becoming increasingly costly and disruptive, with fears of further escalation in the future.

According to cybersecurity researchers, Russian ransomware groups often operate with impunity, finding refuge in the country's laws. As long as these hackers avoid targeting Russian entities, they evade prosecution.

"The situation is concerning, but unfortunately, that's the reality of the current landscape," remarked a cybersecurity analyst.


The most successful Russian gangs are run like legitimate companies with easy-to-navigate online platforms. The leadership are people in their 30s and 40s. They often have a financial background.

"There are people that specialize in developing malware and ransomware, and they're in very high demand,"

Russian ransomware has become such a threat that the elite cyber warriors at the National Security Agency have joined the fight. Rob Joyce, who was the NSA's director of cybersecurity before retiring last month, said the Colonial Pipeline attack was a wakeup call.

"It caused us to step back and decide that we had to put more resources into this foreign threat," Joyce said. "That's the value NSA can bring is, we can identify people, specific people involved in some of these activities."

The NSA helped identify the Russian hacker responsible for the Colonial Pipeline attack. And in January 2022, after months of negotiations, Russia arrested him and other accomplices. But it all came undone five weeks later.

"Following the Ukraine invasion, those people were let out of jail," Joyce said.

And now, Russian hackers have teamed up with the young native English-speaking hackers of Scattered Spider. The FBI's Vorndran calls it an evolution of cybercrime.

"We are up against a formidable group of adversaries who excel at their craft," he remarked. "Fortunately, we are equally skilled at what we do."

Back in January, a 19-year-old individual named Noah Urban was apprehended by the FBI in Florida for allegedly embezzling $800,000 in cryptocurrency. Urban has maintained his innocence. While cyber investigators have linked him to the group known as Scattered Spider, there is no concrete evidence connecting him to the casino heist. The hackers from Scattered Spider responsible for the MGM breach are still active online, blending in seamlessly with Russian hackers. Nixon views the events in Las Vegas as a warning sign.

"The prevalence of cybercrime has reached a daunting level," she expressed. "Every year it seems to worsen. It's as if, as defenders, we are winning battles but losing the overall war."