Researcher finds Russia-based ransomware network with foothold in U.S.
Image: Christian Wiediger
Jonathan Greig July 25, 2022

Researcher finds Russia-based ransomware network with foothold in U.S.

Researcher finds Russia-based ransomware network with foothold in U.S.

A Russia-based ransomware command and control network has been found to have a foothold in at least one U.S. network, according to researchers from attack surface management firm Censys.

Matt Lembright, director of federal applications at Censys, told The Record that he was scanning millions of hosts based in Russia in late June when he discovered two hosts containing a Rapid7 exploitation tool, Metasploit, and a command and control (C2) tool called Deimos C2. One of these hosts also possessed the PoshC2 tool.

After even more digging, Lembright discovered that the hosts had connections to the MedusaLocker ransomware as well as the Karma ransomware.

“Censys located a host in Ohio also possessing the Deimos C2 tool discovered on the initial Russian host and, leveraging historical analysis, discovered that the Ohio host possessed a malware package with software similarities to the Russian ransomware hosts possessing PoshC2 mentioned above, in October 2021,” Lembright said, noting that the host in Ohio had ties to the Karma ransomware.

Lembright noted that the discovery was particularly novel because most ransomware incidents are discovered after an attack, and this was the rare instance of researchers finding evidence of groups setting the stage for an attack. 

“[Attacks] usually originate from wherever that attacker is accessing the internet and then they usually try to leverage some sort of proxy or intermediary to hide their access and involvement in attacks,” he said. 

“It gives them an economy of scale. If they have four or five other hosts that they can leverage to attack a certain victim. Certain exploits have to be laid on a victim before they’re able to control those hosts. What we discovered here seems to match that pattern.”

Two of the hosts found have malware and two other hosts are connected to Bitcoin, according to Lembright, who said the hosts allowed the group to infect and exploit a victim via ransomware and then a method to be paid. 

Recorded Future ransomware expert Allan Liska explained that ransomware groups can’t launch an attack from Russian infrastructure because they will get blocked.

To get around this, gangs typically compromise hosts in the U.S. 

“They usually look for large data center providers, universities or other places where there are lots of servers with different levels of security. Those compromised servers are used as redirects,” he said. 

Part of how Censys was able to tie the hosts to MedusaLocker was from a Cybersecurity and Infrastructure Security Agency (CISA) report released three weeks ago that spotlighted the ransomware group and provided email addresses, IP addresses and TOR addresses that the group uses. 

CISA noted at the time that they have seen MedusaLocker attacks as recently as May 2022.

Lembright was unsure of whether other ransomware groups were using the hosts but noted that the Karma ransomware group was tangentially connected to some of the other hosts discovered. 

He reported his findings to the FBI and is working with them to confirm if the two hosts were used during attacks on a hospital and a library last year. 

He added that his methodology is laid out in a report released by Censys this week and that he hopes other researchers take the initiative to use the tool to potentially discover other malicious hosts connected to ransomware organizations. 

“People can see what we’ve done and exchange whatever their needs or perceived threat actors. If they know their primary attacker leverages another type of tool or software, they can search for those specifically and get even more pointed in their discovery,” Lembright said. 

“I hope that folks that recognize these hosts or have seen these patterns before can give us a call or work with us to inform some of these folks if this is a predecessor to a larger attack in the near future or if these folks that own these hosts are in danger of being attacked themselves.”

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.