DEF CON 33 Recon Village - Inside the Shadows Tracking RaaS Groups, Cyber Threats - John Dilgen
Description
John Dilgen from ReliaQuest explores techniques for tracking Ransomware-as-a-Service (RaaS) groups through dark web intelligence, communication leaks, and telemetry. The presentation details the organizational structures and evolving tactics of major threat actors like Black Basta and Dragon Force to build proactive defenses.
Inside the Shadows: Tracking RaaS Groups and Evolving Cyber Threats
Introduction
In the high-stakes world of modern cybersecurity, ransomware is no longer just a technical hurdle—it is a billion-dollar industry. With annual exposure costs for US organizations reaching a staggering $124 billion, the Ransomware-as-a-Service (RaaS) model has professionalized cybercrime to an unprecedented degree. For security professionals, simply reacting to alerts is no longer enough; we must move 'inside the shadows' to track these groups at their source. This blog post explores the research presented by John Dilgen at DEF CON 33, diving into the organizational structures, market dynamics, and technical shifts of the world's most dangerous ransomware collectives.
You will learn how analysts use dark web intelligence and internal leaks to deconstruct groups like Black Basta and Dragon Force, how phishing is evolving beyond the inbox into platforms like Microsoft Teams, and how sophisticated social engineering can bypass even robust MFA implementations. This guide is intended for CTI analysts, incident responders, and security architects looking to build a proactive, intelligence-led defense.
Background & Context
The RaaS landscape is characterized by extreme volatility. Groups emerge, dominate, disband, and rebrand with startling speed. This 'brand-shifting' often hides a consistent core of affiliates and tools that move from one banner to another. Understanding this ecosystem requires more than just looking at file hashes; it requires analyzing data leak sites (DLS), dark web forums like XSS and Exploit, and the internal communications of the actors themselves.
Recent years have seen a shift from purely technical exploitation to 'identity-centric' attacks. While technical vulnerabilities remain relevant, the path of least resistance for many RaaS groups is the human element. By understanding the commercial motivations and internal structures of these groups—such as their use of specialized 'intrusion specialists' and 'negotiators'—defenders can better predict their movements and prioritize their defensive investments.
Technical Deep Dive
Understanding the RaaS Hierarchy
Internal chat leaks, such as the massive February 2025 Black Basta leak, have provided a rare blueprint of how these organizations function. They are not loosely organized gangs; they are structured like enterprises.
- The Leader: Controls finances and final say on ransom amounts.
- Intrusion Specialists: Lower-paid members focused on the 'grunt work' of initial access.
- R&D Department: Specialists focused solely on defeating EDR and AV solutions.
- Negotiators: Sophisticated actors who analyze a victim's financial data (using tools like ZoomInfo) to ensure the ransom demand is the maximum the company can afford to pay.
The Anatomy of an Email Spam Bomb
One of the most effective tactics observed is the 'email spam bomb.' The goal isn't necessarily to deliver a payload via email, but to overwhelm the victim's inbox with thousands of messages. This creates a state of 'technical distress' for the user. While the user is struggling with their unusable inbox, the attacker follows up on Microsoft Teams, masquerading as the 'IT Help Desk.'
Because the user is already experiencing a real technical issue, they are highly susceptible to the social engineering lure. The attacker then provides a 'fix'—usually a malicious file or a request for remote control—that grants initial access. Research into dark web forums shows these spam-bomb services are incredibly cheap, sometimes costing as little as $9 for a single attack, making them a high-ROI tool for RaaS affiliates.
Advanced Telemetry and Lateral Movement
Once initial access is achieved, the TTPs evolve rapidly. Recent investigations show a sequence of sophisticated moves:
- Persistence: Using the QEMU hypervisor or Telegram beacons for Command and Control (C2).
- Privilege Escalation: DLL side-loading is frequently used to bypass security controls.
- Exfiltration: Data is moved out using legitimate tools like Rclone, WinSCP, and FileZilla to blend in with normal administrative traffic.
Case Study: The Scattered Spider MFA Bypass
A notable kill chain involving a manufacturing sector CFO demonstrates the limitations of MFA when faced with sophisticated social engineering. The attacker made three distinct calls to the help desk:
- Call 1: Impersonated the CFO to reset credentials.
- Call 2: When stopped by MFA, they called the help desk again to reset the MFA device to a device they controlled.
- Call 3: Once they had CFO access, they identified a Domain Admin and socially engineered a third reset for higher privileges. This attack succeeded because the help desk failed to follow verification procedures, proving that the human link is often the weakest point in the chain.
Mitigation & Defense
To defend against these evolving threats, organizations must adopt a defense-in-depth strategy that addresses both technical and human vulnerabilities:
- Verification: Implement strict bi-directional help desk verification. Users should be able to verify the IT staff's identity, and staff must use out-of-band methods to verify users.
- Detection: Build specific hunts for Teams-based phishing. Look for "chat created" events where the sender is an external domain and the chat name includes keywords like "IT Support" or "Help Desk".
- RMM Control: Use GPO or application control to disable unauthorized Remote Monitoring and Management (RMM) tools.
- Education: Train users specifically on the 'spam bomb' tactic so they know to report the incident rather than engage with 'help' on Teams.
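As an added illustration of the Teams hunt and the spam-bomb-then-Teams sequence described above (example code written for this post, not the speaker's or ReliaQuest's): it scans constructed chat-creation and inbound-mail records, whose field names (Operation, UserId, ChatName, Members, UPN) are assumptions loosely modeled on Microsoft 365 audit events rather than a guaranteed schema, flags help-desk-named chats opened by an external account, and notes whether the internal target's inbox saw a spam-bomb-sized surge beforehand.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"corp.example"}       # assumption: the defended tenant's domains
HELPDESK_KEYWORDS = ("it support", "help desk", "helpdesk", "service desk")
SPAM_BURST_THRESHOLD = 300                # inbound mails per sliding hour; tune per org

def is_external(upn):
    return upn.split("@")[-1].lower() not in INTERNAL_DOMAINS

def suspicious_chat(event):
    """The talk's hunt: a ChatCreated event from an external creator with a help-desk-style name."""
    if event.get("Operation") != "ChatCreated":
        return False
    name = event.get("ChatName", "").lower()
    return is_external(event["UserId"]) and any(k in name for k in HELPDESK_KEYWORDS)

def burst_recipients(mail_events, window=timedelta(hours=1)):
    """Recipients whose inbound mail count exceeds the threshold in any sliding window."""
    by_rcpt = defaultdict(list)
    for ts, rcpt in mail_events:
        by_rcpt[rcpt].append(ts)
    bursting = set()
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):      # two-pointer sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > SPAM_BURST_THRESHOLD:
                bursting.add(rcpt)
                break
    return bursting

def hunt(teams_events, mail_events):
    """Flag external help-desk chats and note whether the internal target was spam-bombed first."""
    bombed = burst_recipients(mail_events)
    hits = []
    for ev in teams_events:
        if suspicious_chat(ev):
            targets = [m["UPN"] for m in ev["Members"] if not is_external(m["UPN"])]
            hits.append({"chat": ev["ChatName"], "external": ev["UserId"],
                         "targets": targets, "spam_bombed": any(t in bombed for t in targets)})
    return hits

# Constructed sample telemetry (not real data): 400 mails in about 33 minutes, then the Teams lure
T0 = datetime(2025, 3, 3, 9, 0)
SAMPLE_MAIL = [(T0 + timedelta(seconds=5 * i), "cfo@corp.example") for i in range(400)]
SAMPLE_TEAMS = [{"Operation": "ChatCreated", "UserId": "support@it-helpdesk.example",
                 "ChatName": "IT Support - Ticket 4471",
                 "Members": [{"UPN": "support@it-helpdesk.example"}, {"UPN": "cfo@corp.example"}]}]
```

Running `hunt(SAMPLE_TEAMS, SAMPLE_MAIL)` yields one hit whose target is marked as spam-bombed; a chat with the same name opened by an internal colleague, or one opened externally with no help-desk keyword, produces nothing.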
Conclusion & Key Takeaways
Tracking RaaS groups is a game of cat and mouse played in the dark corners of the internet. The primary lesson from the research is that while names like Black Basta or Lockbit may fade, their tactics and affiliates endure. Success in modern defense requires a shift from tracking 'groups' to tracking 'behaviors.' By monitoring for the specific signatures of affiliate activity and hardening the human-centric processes like help desk interactions, organizations can significantly raise the cost of an attack. Stay vigilant, verify everything, and remember that in the world of RaaS, the most dangerous threat often looks like a helping hand from IT.
AI Summary
This presentation, delivered by John Dilgen, a Cyber Threat Intelligence (CTI) analyst at ReliaQuest, provides a comprehensive look at the methods used to track and analyze Ransomware-as-a-Service (RaaS) groups. Dilgen begins by highlighting the massive economic impact of ransomware, which is estimated to cost U.S. organizations $124 billion annually. The core of the talk revolves around collecting data from diverse sources—including dark web data leak sites (DLS), criminal forums, internal communication leaks (like those from Conti and Black Basta), and law enforcement notifications—to build a proactive defense strategy. A significant portion of the session focuses on the Black Basta group, which emerged in April 2022 and is widely considered a successor to the Conti ransomware group. Dilgen analyzes internal chat logs leaked in February 2025 by a disgruntled member. These logs reveal a sophisticated organizational structure that mirrors legitimate tech companies, featuring intrusion specialists, managers, developers, and even an R&D department dedicated to bypassing Endpoint Detection and Response (EDR) solutions. The talk details the group's leadership, specifically 'Trump' (or 'Tramp' in Russian translation), who dictated ransom demands based on an organization's cash flow. Their primary initial access method involves the 'email spam bomb' followed by Microsoft Teams phishing, where attackers pose as IT support to trick users into granting remote access. The speaker also examines the volatility and market dynamics of the RaaS ecosystem. Following the decline of Black Basta, Dilgen tracks where affiliates migrated, noting connections to groups like Cactus, Black Suit (Royal), and Eldorado. The presentation also provides a critical analysis of Lockbit, showing that while law enforcement actions in early 2024 significantly impacted their volume, the group attempted to regain relevance through 'Lockbit 4.0' marketing. 
By contrast, Dragon Force is highlighted for its 'cartel model' and aggressive recruiting tactics, which include defacing the data leak sites of rivals like Ransom Hub to poach affiliates. Technically, the presentation tracks the evolution of phishing tactics from 2024 to 2025, moving from simple spam bombs to more advanced methods like QR code phishing via Teams, DLL side-loading for lateral movement, and using the QEMU hypervisor for persistence. A case study on Scattered Spider demonstrates a successful attack on a manufacturing firm's CFO, where the threat actor bypassed MFA not through technical exploits, but by social engineering a help desk into resetting credentials and MFA devices. The talk concludes with actionable defensive measures. Dilgen recommends implementing strict bi-directional help desk verification, educating users on the specific mechanics of email spam bombs, and disabling unauthorized remote monitoring and management (RMM) tools. He emphasizes that tracking the 'shadows' of these groups is not just about attribution, but about understanding the TTPs that persist even after a group's brand name disappears.