Welcome to the VB2021 conference!

How CARBON SPIDER embraced ransomware

Eric Loui (CrowdStrike) & Joshua Reynolds (CrowdStrike)
live only
17:45 UTC on Day 1
In April 2020, CARBON SPIDER (a.k.a. FIN7 and Carbanak) abruptly shifted away from targeting POS systems to broad, opportunistic ransomware operations. These campaigns initially delivered REvil, but in August 2020 the adversary introduced their own ransomware, Darkside. In November 2020, the Darkside Ransomware-as-a-Service (RaaS) program was opened, but CARBON SPIDER continued to conduct ransomware campaigns directly. These campaigns included encryption of VMware ESXi servers using a variant of Darkside specifically designed for ESXi. In May 2021, a Darkside ransomware affiliate was involved in an attack against Colonial Pipeline, which led to the shutdown of the Darkside RaaS. In July 2021, CARBON SPIDER re-emerged with the creation of the BlackMatter RaaS.

This case study will provide an overview of the transition of CARBON SPIDER (a.k.a. FIN7 and Carbanak) from the targeting of POS systems for credit card data to indiscriminate ransomware operations. This will include details of largely unknown downloaders and backdoors, a relationship with a Zloader operator for initial access not previously discussed in public reporting, and TTPs observed throughout these operations for credential access, lateral movement and ransomware deployment. Notable post-initial access TTPs include a particularly wide range of credential access techniques to achieve privileged context, enabling lateral movement and eventually Darkside ransomware deployment. While CARBON SPIDER makes heavy use of Cobalt Strike for lateral movement, the adversary has also used legitimate tools such as Plink, GoToAssist and TightVNC. In addition to deploying ransomware, CARBON SPIDER exfiltrates files from victims, primarily using the MEGASync client for hosting provider MEGA.

We will also provide details of the group’s deployments of REvil and how we attributed the creation of the Darkside ransomware to CARBON SPIDER. The presentation will conclude with a discussion of CARBON SPIDER’s operations in the wake of the Colonial Pipeline attack and how the adversary regrouped to ultimately continue ransomware campaigns using the new BlackMatter ransomware.

Got a question about this presentation? During the live broadcast post your question in the #q-and-a channel on Discord or, to get in touch with the speakers later, contact Eric Loui by email on [email protected] or contact the speakers on Twitter at @JershMagersh and @invoke_eric.
Eric Loui

Eric Loui is a senior intelligence analyst at CrowdStrike. He has been working in cyber threat intelligence for over eight years, and currently specializes in tracking eCrime threats. Prior to CrowdStrike, Eric was a CTI analyst at the U.S. Department of State. He has presented at the SANS CTI summit, Fal.Con, and ACoD on threat intelligence. In addition to multiple information security certifications, he has an M.A. from American University and recently earned a graduate certificate from California State University Fullerton in data science.

Joshua Reynolds

Joshua Reynolds is a senior security researcher with CrowdStrike, where he performs malware reverse engineering and intelligence analysis. Joshua has presented at multiple BSides events, DEF CON and RSAC, focusing on ransomware, malicious document analysis and cryptojacking malware. He is also the co-author of the SAIT Polytechnic Information Systems Security diploma malware analysis course.