Tracing Ransomware Threat Actors Through Stylometric Analysis and Chat Log Examination
The Conceptualization
I stumbled upon an intriguing concept presented by Will Thomas (BushidoToken) in his blog post titled “Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz.” The concept is to use stylometry to identify new ransomware variants that are modifications of existing popular strains. If you’re interested, you can read the blog post here. (Notably, Will Thomas also appeared on Darknet Diaries, discussing his tracking of the REvil ransomware.)
Connection to Ransomware Negotiation Logs:
Upon reading this, I recalled a project I had recently come across on ransomware negotiation logs. Ransomware negotiation is typically an opaque area with very little outside visibility. Valéry Marchive, co-founder of LeMagIT, recently shared a substantial collection of these logs, which can be found on GitHub here.
The Hypothesis
Building on these observations, I hypothesize that distinct writing styles and consistent linguistic patterns can be identified within ransomware negotiation logs. By applying stylometric analysis to the operator side of these logs, I aim to attribute specific ransomware attacks to individual operators or groups who recur across the chat exchanges, thus potentially unmasking the threat actors behind different ransomware strains.
Understanding Stylometric Analysis:
For those unfamiliar with stylometric analysis, it is a technique that examines patterns and characteristics in written text to determine authorship or stylistic traits. Linguistic features such as vocabulary, syntax and punctuation are analyzed to identify consistent patterns and distinct writing styles. Applied to negotiation logs, the features of interest are the operator’s word choice, sentence construction, punctuation habits and any reused template text.
The Methodology
All data, including the tracking sheet, can be found in the GitHub repo I created: https://github.com/hokman0414/RansomwareChatLog-Stylometric-Analysis
Tracking Process:
To dig into this concept, I created a tracking sheet covering the various ransomware families in the repository. Each log entry is color-coded according to the family assigned to it by the git repository.
Analysis:
For the analysis itself, I used Copyleaks, an AI-based plagiarism detection tool, to compare multiple logs against each other, and documented any identified similarities in the tracking sheet. It was essential that only the operators’ side of each chat was compared: victim messages would otherwise inflate similarity scores with text the operators never wrote.
To achieve this, I cloned the git repository and wrote Python code to parse out only the ransomware operators’ messages, saving each parsed log to its own file. With a curated set of operator-only chat logs, I proceeded with the comparative analysis.
After uploading the files to Copyleaks (I’m not gonna lie, I was very nervous about whether I’d get any hits), I first compared chat logs within the same family, i.e. LockBit logs against other LockBit logs.
Excitingly, notable results came back, including a significant 79% similarity score. I retrieved the corresponding document for a thorough look and, still surprised by the result, applied the same comparative analysis to the remaining ransomware chat logs in the dataset.
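The two steps above, filtering a chat down to the operator’s messages and then comparing logs for similarity, can also be done without a plagiarism service. The following is an added example written for this post; it is not the author’s script or Copyleaks. It assumes a Ransomchats-style JSON layout (a “messages” list of {“party”, “content”} objects with victim turns labelled “Victim”), which is an assumption about the schema rather than a fact from the repository, and it uses constructed sample logs rather than real negotiations. Similarity is scored with a character 4-gram cosine profile, a standard stylometric measure that tolerates small changes in word order.

```python
import json
import math
import re
from collections import Counter

# Constructed sample chats in a Ransomchats-style layout. Assumed schema (an
# assumption, verify it against the real repository): one object per chat with
# a "messages" list of {"party", "content"} dicts, victim turns labelled
# "Victim". The text is made up for this example, not taken from real logs.
SAMPLE_LOGS = {
    "LockBit3/victim_a.json": json.dumps({"messages": [
        {"party": "LockBit", "content": "Hello. Your network was encrypted and "
         "your files were stolen. We recommend you to pay soon, we will publish "
         "data otherwise."},
        {"party": "Victim", "content": "How much do you want?"},
        {"party": "LockBit", "content": "The price is 2000000$. Have you made "
         "your decision?"},
    ]}),
    "LockBit3/victim_b.json": json.dumps({"messages": [
        {"party": "LockBit", "content": "Hello. Your network was encrypted and "
         "your files were stolen. Soon we will publish data, we recommend you "
         "to pay."},
        {"party": "Victim", "content": "We need time to talk to our board."},
        {"party": "LockBit", "content": "Have you made your decision?"},
    ]}),
    "Hive/victim_c.json": json.dumps({"messages": [
        {"party": "Hive", "content": "Good day. Do not try to restore from "
         "backups, they are deleted. Contact your management and come back "
         "with an offer."},
        {"party": "Victim", "content": "Please give us a price."},
        {"party": "Hive", "content": "Price is 500k in BTC. Waiting for your "
         "offer."},
    ]}),
}


def operator_text(raw_json, victim_label="Victim"):
    """Return the operator side of one chat, dropping every victim turn."""
    chat = json.loads(raw_json)
    return " ".join(m["content"] for m in chat["messages"]
                    if m.get("party") != victim_label)


def char_ngrams(text, n=4):
    """Character n-gram profile over lower-cased, whitespace-normalised text."""
    text = re.sub(r"\s+", " ", text.lower()).strip()
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def cosine(a, b):
    """Cosine similarity between two n-gram Counters (0.0 .. 1.0)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similarity_matrix(logs, n=4):
    """Pairwise operator-side similarity, keyed by (name_x, name_y) with x < y."""
    profiles = {name: char_ngrams(operator_text(raw), n)
                for name, raw in logs.items()}
    names = sorted(profiles)
    return {(x, y): cosine(profiles[x], profiles[y])
            for i, x in enumerate(names) for y in names[i + 1:]}


if __name__ == "__main__":
    for (x, y), score in sorted(similarity_matrix(SAMPLE_LOGS).items(),
                                key=lambda kv: -kv[1]):
        print(f"{score:.2f}  {x}  <->  {y}")
```

The two constructed LockBit logs share their opening template and score far above the LockBit/Hive pairs, which is the kind of gap the comparison is looking for; on a real corpus the family prefix in the path lets you separate within-family matches from the cross-family ones that hint at affiliate movement.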
Key Findings: Identifying Persistent Perpetrators
Digging into the data, I examined the chat logs whose similarity scores against each other generally exceeded 10%. This analysis enabled the identification of several recurring individuals who consistently participated in these chat exchanges. Additionally, I ran the text through Apply Magic Sauce (created by researchers at the University of Cambridge) to potentially build psychological profiles of the actors. However, these findings should be interpreted with caution, as the dataset at my disposal was limited in scope. It is also worth noting that while I have a keen interest in threat intelligence, I am a hobbyist rather than a professional specializing in stylometric analysis.
Finding #1 — The Seasoned Operator (Focused Affiliate of LockBit):
During the examination of the LockBit chat log named “colonialgeneral_com.json,” a striking pattern emerged: multiple LockBit chat logs showed a similarity score of over 40% against it. The similarity stemmed primarily from the initial interaction phase, where the perpetrator urges the victim to make the payment, with only minor variations in phrase order, such as “soon” preceding “we.” To check how common this introduction was, I reviewed the LockBit 3.0 chat logs more broadly. Surprisingly, this particular introduction turned out to be relatively uncommon in other logs, suggesting that one individual has been reusing this template, most likely for convenience. Judging from the logs, the labeled actor also shows a level of expertise, evident in their ability to recognise professional ransomware negotiators and their familiarity with ransom negotiation services, which points to significant experience and prolonged involvement in such activities.
Finding #2 — The “have you made your decision?” Guy (Focused Affiliate of LockBit):
This unidentified actor, referred to as the “Have you made your decision?” guy, shows a distinct pattern in their communication style: they frequently use the word “decision” followed by a question mark, in addition to using the same introduction described above. Across the ransomware logs analyzed, this actor’s messages consistently included this particular phrase. Importantly, the pattern was not found in chats from ransomware families other than LockBit. Although some logs showed minor similarities of around 2–3%, further investigation showed these matches were likely false positives. It is therefore plausible (low confidence) to consider this actor a focused affiliate of the LockBit ransomware group.
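Findings #1 and #2 both rest on the same test: a phrase or introduction that recurs in several logs yet is rare across the corpus as a whole, and that stays inside one family. Below is an added example (mine, not code from the post or its repository) that makes this check systematic. It indexes word n-grams per log, keeps those shared by at least two logs but present in at most half the corpus, and reports which families (taken from the path prefix) each candidate marker spans. The operator texts and log names are constructed for illustration; counts on the real dataset would differ.

```python
import re
from collections import defaultdict

# Constructed operator-side text per log (made up for this example; in practice
# this comes from the operator-only files parsed out of the repository). The
# log names are hypothetical and follow a "Family/log" layout.
OPERATOR_TEXT = {
    "LockBit3/log_01": "Hello, your network is encrypted and your data is stolen. "
                       "Have you made your decision? We are waiting.",
    "LockBit3/log_02": "Hello, your network is encrypted and your data is stolen. "
                       "Have you made your decision?",
    "LockBit3/log_03": "Hi. The decryptor price is 1,000,000 USD. When will you pay? "
                       "Solve it inside your company.",
    "LockBit3/log_04": "Hi. The decryptor price is 3 mln. When will you pay?",
    "LockBit3/log_05": "Hello, your network is encrypted and your data is stolen. "
                       "Have you made your decision?",
    "Hive/log_06": "Good day. Your backups are deleted. Make an offer, we are waiting.",
    "Hive/log_07": "Good day. Make an offer, we are waiting.",
    "Avaddon/log_08": "Hire a pentester after this, your network was vulnerable. "
                      "Price is 400k.",
}

TOKEN_RE = re.compile(r"[a-z0-9']+")


def normalise(text):
    """Lower-case word tokens; punctuation is dropped so '?' vs '.' does not matter."""
    return TOKEN_RE.findall(text.lower())


def word_ngrams(tokens, n):
    """Set of n-word phrases in a token list."""
    return {" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def phrase_index(texts, n_min=3, n_max=5):
    """Map each word n-gram to the set of log names whose operator text contains it."""
    index = defaultdict(set)
    for name, text in texts.items():
        toks = normalise(text)
        for n in range(n_min, n_max + 1):
            for gram in word_ngrams(toks, n):
                index[gram].add(name)
    return index


def candidate_markers(texts, min_logs=2, max_share=0.5, n_min=3, n_max=5):
    """Phrases recurring in >= min_logs logs but in <= max_share of the corpus.

    Phrases above max_share are generic ransomware boilerplate, phrases in a
    single log are unverifiable; the band in between is where templates live.
    """
    index = phrase_index(texts, n_min, n_max)
    total = len(texts)
    return {gram: sorted(logs) for gram, logs in index.items()
            if len(logs) >= min_logs and len(logs) / total <= max_share}


def logs_containing(texts, phrase):
    """Logs whose operator text contains a specific marker, e.g. 'Have you made your decision?'."""
    target = normalise(phrase)
    joined = " ".join(target)
    return sorted(name for name, text in texts.items()
                  if joined in word_ngrams(normalise(text), len(target)))


def family_spread(log_names):
    """Families a marker spans; one family suggests a focused affiliate."""
    return sorted({name.split("/")[0] for name in log_names})


if __name__ == "__main__":
    for gram, logs in sorted(candidate_markers(OPERATOR_TEXT).items(),
                             key=lambda kv: (-len(kv[1]), kv[0])):
        print(f"{len(logs)} logs  {family_spread(logs)}  '{gram}'")
```

Markers that stay within one family (here “have you made your decision” and “when will you pay”) are the focused-affiliate signal; a marker spanning two families (“we are waiting” across LockBit3 and Hive in the constructed data) is exactly the kind of hit that needs the manual follow-up described for the BlackMatter and Hive introduction later in this post, since shared translation tooling or copied scripts can produce it without any person moving.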
Finding #3 — The Iron Wall (Focused Affiliate of LockBit):
Unknown Actor #3 has an impersonal, business-like communication style paired with an unyielding negotiation approach. They maintain emotional detachment and an overt lack of empathy, mostly telling victims to solve the issue within their own company, implying a “not my problem” mentality, and focus solely on transactional details. Their negotiation tactics are characterized by intransigence and dominance, such as constantly asking “when will you pay?”. They firmly reject counter-offers, often responding with outright refusal and increased pressure on the victim. Assertive demands, strict enforcement of payment deadlines and threats of negative consequences underscore this unyielding stance. In essence, Unknown Actor #3 blends impersonal professionalism with uncompromising negotiation to keep control and dictate the terms of the interaction, maximizing their likelihood of getting paid.
Finding #4 — The Fake Nice (Focused Affiliate of Avaddon):
Analyzing the behavior of the Avaddon operator, it is worth noting that they present themselves as professionals: they attribute the breach to existing vulnerabilities within the victim’s company and even offer advice, such as recommending the hiring of a penetration tester, to prevent future targeting. Essentially, they position themselves as consultants, forcibly imposing their services on companies without consent, and earn their money through the ransom or through further pressure such as DDoS or a second attack.
When I read the full log, specifically the one from 20210324, I started feeling very bad for the victim. You can read it here. Despite the ransomware operator’s belief that the company would be paying the ransom, it was actually the junior IT specialist who had to shoulder the cost. The company initially offered only 5k for the stolen data, leaving the specialist responsible for the remainder. Over the conversation, the operator granted discounts ranging from 5–10%, amounting to a total of 30k. Beyond these discounts, however, the operator offered no additional help, and remarked that payment was deserved given the extensive effort put into the attack. Meanwhile, the victim, desperate to keep his job, pleaded for leniency.
Intriguing Discoveries: BlackMatter Affiliates to Hive?
A noteworthy observation regarding Hive and BlackMatter is their use of an identical introduction.
Digging deeper, I found that DarkSide had in fact dissolved after losing its infrastructure, leading to the emergence of a rebranded entity called BlackMatter in 2021. On November 1st, 2021, a tweet disclosed that BlackMatter was shutting down its operations due to intensified pressure from law enforcement agencies.
A BleepingComputer report published two days later revealed that BlackMatter affiliates were preparing to move to the LockBit ransomware platform. The shared introduction, however, raises the possibility that certain affiliates might have migrated to Hive.
Conclusion
This research produced quite promising early findings on using stylometric analysis for ransomware attribution. My initial assumption was that matches pointed to individual operators, but the patterns indicate the possible use of shared scripts within clusters (i.e. premade responses, possibly produced via Yandex Translate), in which case a match identifies a template rather than a person. The association observed between BlackMatter and Hive suggests a probable migration of individuals between these groups. While promising, these findings need further corroboration with more robust data and methods.