Changelog: End times for Ragnar Locker and Trigona?

Mark McGregor / Unsplash

Welcome to Changelog for 10/19/23, published by Synack! README senior editor Nathaniel Mott here, peering out from the autumn foliage to bring you the week’s top cybersecurity news.

The payload

There’s more than one way to skin a cat—or disrupt a ransomware gang’s operations.

The more popular way: bringing together a bunch of law enforcement agencies from around the world to seize the domains associated with a ransomware gang’s leak site. That appears to be what’s happened to Ragnar Locker, with TechCrunch reporting today that “an international group of law enforcement agencies have seized the dark web portal” associated with the group, based on an image posted to the portal.

SentinelOne said that the Ragnar Locker ransomware appeared in December 2019 and “typically targets organizations in a variety of industries, including healthcare, government, technology, finance, education, and media.” The FBI said last March that the ransomware had been deployed against “at least 52 entities across 10 critical infrastructure sectors” by January 2022; the number is bound to be higher now.

So this coming together of international law enforcement agencies is one way ransomware gangs are disrupted. But there’s also another way: hacktivism. Trigona, which Trend Micro described as a “highly active” group that first appeared in October 2022, appeared to find that out the hard way earlier this week when its operations were brought to a halt by a hacktivist group called the Ukrainian Cyber Alliance.

The Record reported that the Ukrainian Cyber Alliance claims to have “wiped out 10 of the Trigona gang's servers, defaced its website and exfiltrated data about the cybercrime operation.” This could prove effective in the short term. Trigona could most likely set up new infrastructure following the hacktivist group’s takedown, though it doesn’t appear to have done so several days after the incident.

The week, compiled

It’s no secret that the U.S. views China as the next big cyber threat. Now comments made by members of the Five Eyes intelligence sharing network—which includes the U.S., U.K., Canada, Australia and New Zealand—show that these fears have been exacerbated by the rise of artificial intelligence.

Reuters reported that FBI director Christopher Wray said on Oct. 17 that "we worry about AI as an amplifier for all sorts of misconduct," including hacking campaigns. "If you think about what AI can do to help leverage that data to take what's already the largest hacking program in the world by a country mile, and make it that much more effective - that's what we're worried about.”

It makes sense. (And not just because everyone seems to be talking up the AI threat lately.) Training AI requires access to immense amounts of information—and China has accumulated troves of the stuff. That’s why Wired argued in 2020 that data pilfered from Equifax, the Office of Personnel Management and countless other breaches “will power [China’s] intelligence activities for a generation.”


Mohamed Nohassi / Unsplash

Wading through all of that information would be a slog… if it’s done manually. But training AI on that data, or using it to identify what kinds of data could prove valuable for a particular campaign, would make it far easier to take advantage of all this stolen information. Of course the U.S. and its allies would be concerned about China using these increasingly powerful tools for that purpose.

Of course, the public discussion of these concerns was also accompanied by the U.S. Department of Commerce announcing that it’s restricting China’s access to semiconductors intended for use with AI. I can’t help but wonder how much Wray’s comments were intended to highlight an actual security concern versus how much they were meant to provide additional justification for these export restrictions.

Now for the week in README:

README: Cl0p’s exploitation of a zero-day vulnerability in MOVEit Transfer—which initially seemed like a banal flaw affecting a limited number of servers—is shaping up to be the most influential hack of 2023. README contributor Robert Lemos’ latest report looked at how threat actors can take advantage of “the dark middle” of popular-but-unexciting software like MOVEit to compromise more organizations than many would expect.

Commit 10_16_2023: The first Commit of the week covered reports that Sandworm hackers have been targeting Ukrainian telecommunications services throughout the year, a UK regulator’s decision to fine Equifax over its infamous 2017 data breach and a suspected ransomware attack forcing Kansas courts to rely on antiquated paper-based systems rather than computer-assisted workflows.

Commit 10_17_2023: The second Commit of the week featured a Proofpoint report that fake browser updates are being used to distribute malware, a ransomware attack on television advertising firm Ampersand and Amazon’s limited rollout of passkeys support, plus a Trellix report suggesting that advanced persistent threats have caught on to Discord’s potential as a command and control center.

Plus some additional stories from around the web:

Ars Technica: Good news! A malicious ad served to people who searched for the open source password manager KeePass on Google is so convincing—thanks to its ability to masquerade as the official website, its use of a valid TLS certificate and the fact that it’s linked to “an advertiser whose identity has been verified by Google”—that it’s hard to see how most people would avoid falling victim to it.

BleepingComputer: Google’s Threat Analysis Group said this week that Russia- and China-linked threat actors have been exploiting a vulnerability in WinRAR, a file archive tool for which essentially nobody has ever purchased a license, that was revealed in August. The exploitation was reportedly part of campaigns targeting Ukrainian organizations (on the Russian side) and Papua New Guinea (on the Chinese side).

TechCrunch: The hacker who compromised the 23andMe genetic testing firm has published 4 million additional records, including data related to “the wealthiest people living in the U.S. and Western Europe,” to a cybercrime forum. “There are still a lot of unanswered questions about this incident,” TechCrunch reported, including “how much user data was stolen” and “what the hackers intend to do with it.”

A message from Synack

How companies approach security testing is in need of a makeover. Traditional pentesting satisfied compliance requirements, but that doesn’t stop critical vulnerabilities from affecting the business. With a strategic testing approach, companies can discover the vulnerabilities that matter most, manage remediation more quickly and see security posture improvement in real time with essential analytics. Learn how to start your journey to strategic testing.

Flash memory

“Sesame Street” is supposed to be educational. Viewers can learn about the alphabet, basic math and, for 22 minutes on Oct. 16, 2017, what it looks like when people are paid to have sex on camera.

PCWorld reported at the time that the show’s YouTube channel “was attacked by a hacker Sunday who deleted all videos from the channel, modified its design, and posted graphic porn to it.” The defacers, “MREDXWX” and “MRSUICIDER91,” also replaced the channel’s description with a screed about not allowing “Sesame Street” to reclaim the channel so they could “MAKE ALL THE AMERICA HAPPY!” 

Those monikers belong to actual YouTubers, one of whom denied any involvement with the hack, so the rant was probably just meant to sow further chaos. Fortunately it didn’t take long for YouTube to notice the hack and remove the not-safe-for-work content, although The Next Web reported that “search results [NSFW] for Sesame Street on YouTube [revealed] the occasional graphic thumbnail” for a while.

I hope the hack’s brevity limited the number of children exposed to videos they aren’t supposed to watch until they’re 18—and that Big Bird learned a little something about cybersecurity in the process.

Local files

PCMag: The FBI said on Oct. 17 that cybercriminals are targeting “plastic surgery offices, surgeons thereof, and patients to harvest personally identifiable information and sensitive medical records, to include sensitive photographs in some instances.” PCMag said this approach dates back to at least 2017, so it’s not a new problem, but perhaps the FBI’s warning will prompt more practices to take it seriously.

YLE: Charges have been filed against Aleksanteri Kivimäki, who according to YLE News stands accused of “hacking a patient record database belonging to the psychotherapy centre Vastaamo” and “stealing the sensitive personal data of more than 33,000 of the therapy centre's clients and then posting them on the dark web” in 2018 as part of an attempted blackmail scheme. Kivimäki faces up to seven years in prison.

BBC: A cybersecurity researcher took advantage of a flaw in the platform formerly known as Twitter to redirect would-be informants from the CIA’s official Telegram channel to a channel he controlled. The issue was reportedly caused by the way ex-Twitter handles external links; the researcher set up the dummy channel to ensure “a country like Russia, China or North Korea” couldn’t exploit the flaw themselves.

Off-script

You couldn’t pay me to be in charge of any kind of content moderation for a social platform. I helped moderate a fairly popular forum in my teens—back when a lot of the people who wanted to be horrible on the internet restricted themselves to sites like 4chan—and that was enough to convince me that being responsible for someone else’s online behavior is an absolutely miserable way to spend my time.

That decision was reaffirmed when the folks at Techdirt released “Trust & Safety Tycoon,” a browser-based game devoted to “simulating what it’s like to run a trust & safety team at a fictitious, rapidly scaling social media company called Yapper” on Oct. 17. It’s a fun game! It also demonstrates many of the difficulties associated with creating a global platform that relies on user-created content.


Jakayla Toney / Unsplash

I didn’t even do that poorly—I made it through with a final score of 1,929 and a four-star rating. But having to deal with media companies issuing ridiculous DMCA requests, governments around the world demanding access to user data without following due process, being accused of bias towards one group or the other for enforcing sensible policies… all that was stressful even though I was only playing a game.

If you’re at all curious about why seemingly every social media platform fails to moderate itself in ways that keep everyone happy, you should take the hour or so required to play through “Trust & Safety Tycoon.” Some folks are even playing it several times over to achieve that elusive five-star rating. As for me? Suffice it to say that my confidence in these platforms wasn’t exactly improved by this experience.