{"id":3042,"date":"2021-08-06T10:27:52","date_gmt":"2021-08-06T08:27:52","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3042"},"modified":"2026-06-08T23:14:46","modified_gmt":"2026-06-08T23:14:46","slug":"inside-ransomware-gang","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/inside-ransomware-gang\/","title":{"rendered":"Inside a Ransomware Gang"},"content":{"rendered":"\n<p style=\"text-align: justify\">Ransomware attacks now command the full attention of private entities and public institutions. The <strong>White House<\/strong>, through various channels, has addressed this subject following attacks on <strong>Colonial Pipeline<\/strong> and <strong>Kaseya<\/strong>. In Italy, the attack on the <strong>Lazio region<\/strong> caused the same disruptions observed in similar situations in the U.S.A.<\/p>\n<p style=\"text-align: justify\">Behind these cyber attacks operate well-organized groups, <strong>developers<\/strong> who refine their tools, and <strong>Penetration Testers<\/strong> (also known as Operators) recruited for infrastructure compromise.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Criminals seeking collaborators<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/InkedImmagine-2021-08-06-113908_LI-1024x485.jpg\" alt=\"\" class=\"wp-image-3046\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p style=\"text-align: justify\">Criminal actors continuously seek collaborations to expand their operations. In this specific case, a criminal group, through a form of <strong>Job Posting<\/strong>, is recruiting individuals to perform <strong>Penetration Tester<\/strong> activities.<\/p>\n<p style=\"text-align: justify\"><span>The post was followed by a comment from an &#8220;angry&#8221; user affiliated with this group, disclosing critical information about their attacks and organizational structure. 
The user also shared details on <strong>Command &amp; Control<\/strong> servers and attached a guide documenting all steps followed by the criminals to compromise infrastructure. Examples include procedures for executing <strong>Brute-force<\/strong> attacks, data exfiltration, and disk encryption. Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> operations tracked this disclosure across multiple threat forums.<\/span><\/p>\n<p style=\"text-align: justify\"><span>The group appears to be affiliated with the notorious <strong>Conti RaaS<\/strong> operation.<\/span><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/InkedMicrosoftTeams-image_LI-1024x243.jpg\" alt=\"\" class=\"wp-image-3045\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><\/p>\n\n\n\n<p style=\"text-align: justify\">Hours later, the recruitment post containing the screenshots and the guide was removed by the forum administrator. The user subsequently created a separate post reposting all materials. 
Among the comments, a response from a user connected to the LockBit 2.0 RaaS service expressed dissatisfaction.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/08\/InkedImmagine-2021-08-06-114626_LI-1024x218.jpg\" alt=\"\" class=\"wp-image-3048\" loading=\"lazy\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Operational anatomy of a ransomware gang: roles, affiliate program structure, financial distribution and OPSEC practices observed inside leaked communications.<\/p>\n","protected":false},"author":1,"featured_media":3046,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3334,1725,1727,1729,3131,1641,3185,1445,1731,1733,1735,3259],"class_list":["post-3042","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-affiliate-programs","tag-cyber-criminal-it","tag-cybersecurity-it","tag-forum-it","tag-opsec","tag-raas-it","tag-ransomware-operations","tag-threat-it","tag-threat-acotr-it","tag-threat-actor-it","tag-underground-it","tag-underground-economy"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3042","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3042"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3042\/revisions"}],"predecessor-version":[{"id":9919,"href":"https:\/\/fortgale.com\/blog
\/wp-json\/wp\/v2\/posts\/3042\/revisions\/9919"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}