{
	"id": "3f519378-87cf-4e9f-895f-20802a5e28f9",
	"created_at": "2026-04-06T00:12:20.492667Z",
	"updated_at": "2026-04-10T03:20:04.15425Z",
	"deleted_at": null,
	"sha1_hash": "70e9dbcb32be2c595f9591761d0eb5cc69f74ba9",
	"title": "Meeting a Russian Ransomware Cell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 319554,
	"plain_text": "Meeting a Russian Ransomware Cell\r\nPublished: 2019-11-12 · Archived: 2026-04-05 13:57:27 UTC\r\nRansomware is one of the most notorious and effective types of cyberattacks in the last decade. And I had the opportunity to go inside the minds that operate a real-world ransomware cell.\r\nIt starts with the young leader — nicknamed “Twig” — of a Russian ransomware cell. After two weeks of chatting through a secure channel, what I found was very interesting.\r\nOn social media, some cybersecurity firms like to portray him in black hoodies with leather gloves and a backdrop of matrix-style digits. They namedrop buzzwords like advanced-generation V attacks and other trumped-up terms, which could be more fitting for nation-state attacks, but this isn’t the case with most hacking groups.\r\nCarrying out successful ransomware attacks typically only requires a mixture of scripts, common vulnerabilities, brute-force efforts, bad IT policies at target organizations, and generations of frustration between eastern and western politics.\r\nHow does a ransomware attack work?\r\nThe number of organizations and verticals targeted each week, as well as the demands they make on the compromised device(s), is private. Twig, however, is open to saying that their attack style is generally through spear-phishing and port-scanning for common vulnerabilities.\r\nTwig’s favorite ports are “5900 and 5901 which are open and unpassworded.” Together, these two ports rank as the 19th most scanned port. These ports are used by virtual network computing (VNC) for desktop-sharing and remote-control applications for Linux and Windows machines.\r\nOver the years, several vulnerabilities related to these ports have allowed attackers to bypass authentication and gain access to the system. If Twig can get in, then your participation isn’t even required to activate the ransomware script (e.g., enable macros on a malicious Word document received in email). In fact, SonicWall research shows that anywhere between 17% and 20% of all malware attacks come through non-standard ports.\r\nhttps://blog.sonicwall.com/en-us/2019/11/mindhunter-meeting-a-russian-ransomware-cell/\r\nPage 1 of 4\r\nWhile Twig’s scripts are pinging a range of IP addresses for vulnerabilities, he runs a PHP script alongside unnamed services that spam targets to gain remote access to their systems.\r\nHILDACRYPT, for example, uses file extensions that are not normally scanned, such as .vbox, to evade inspection and detection by firewalls or email security services. Once access has been granted, he will log in after-hours and run a batch file through PsExec throughout the entire network to make it “go boom.”\r\nOr, in less dramatic words, to “make Hilda run on the entire network.” It’s the same headache caused by the likes of the WannaCry, NotPetya and SamSam ransomware strains, the infamous attack wave from three years ago. Since admins tend to have access to multiple drives — and sometimes read/write ability on endpoints via access manager roles — exploiting them is critical to mission success.\r\nOnce systems are compromised, they don’t exfiltrate the files and sell the data like some do. They just set the demand and wait.\r\nInitially, they asked victims to watch the Hilda series on Netflix (yes, really), join their Discord server for support, then pay the stated ransom amount in bitcoin (a popular way to couch the demand).\r\nWhat can you do to stop ransomware attacks?\r\nFirst of all, Twig says to “use proper passwords” for ransomware protection. He said many passwords are either written by the ‘crazy or the lazy.’ Most of them are too simple and are often guessed by his scripts. His favorite story was when he found a password to be two quotation marks. I guess the administrator thought it was too simple to guess. Well, he was wrong and had to pay for it.\r\nSecond, he said “write your programs in a real programming language.” He said that real programmers write in C or C++, and that Java or PHP is for the lazy and stupid (an opinion not shared by all professional programmers). When he sees programs written in Java, he feels he is dealing with a non-qualified individual and, therefore, an easy target. It is also worth noting that some security professionals advise not to program in C when it comes to security.\r\nThird, he casts shade on Americans and tech workers over the age of 35, either because of his belief in their lack of modern skills or their lack of energy to do the job properly. He says organizations should hire qualified people who can both code and understand security. If he was in charge of hiring at your company, and didn’t discriminate by age or nationality, he would hire people who hold qualifications in C or C++ and have the energy to follow security best practices.\r\nMisconfigured firewalls leave doors open for ransomware attacks\r\nFinally, Twig points out that misconfigured firewalls are his best friend. In fact, he has strong opinions about some firewall makers whose products enable him “to uninstall from the computer.” In the case of network firewalls, misconfigurations are easily done and can be one’s downfall. It happens more than you think.\r\nIn the case of endpoint firewalls, end-users should be under the principle of least privilege (POLP), which means they will have just enough rights to do their job and without the ability to modify their endpoints. In 2016, Microsoft reported that 94% of critical vulnerabilities can be mitigated by removing administrative rights from users.\r\nFour ways SonicWall stops ransomware attacks\r\nStopping ransomware attacks isn’t always easy. A conversation with Twig makes that apparent. But he also highlights that if you follow best practices and implement security across different layers, ransomware attacks won’t be nearly as successful. Leverage the four key ways SonicWall helps organizations block ransomware attacks — automatically and in real time.\r\n1. Deploy a firewall and keep security services active. Firewall vendors like SonicWall are now security platform providers that protect the traffic to and from branches (SD-WAN), and examine traffic through the firewall with gateway antivirus to stop known versions of malware. It’s also smart to leverage Intrusion Prevention Services (IPS) to identify known communication patterns within malware and stop what it wants to do, like travel laterally to other drives or networks. The combination of gateway security and IPS was critical in stopping WannaCry ransomware attacks for SonicWall customers on Day 1.\r\n2. Block unknown ransomware with a sandbox. However, all of the updated versions of the strain that came after Version 1 were blocked automatically by the Capture Advanced Threat Protection (ATP) sandbox (if the other ransomware variants were found by a customer before SonicWall could create a definition/signature to block it on firewalls and email security).\r\n3. Protect your inbox. To make it even more difficult to attack your network or users, use secure email solutions to block spoofed emails and examine attachments within all email to look for malware. Email is still highly effective at getting malware exploits onto your network.\r\n4. Secure your endpoints. Finally, protect your endpoints with a next-generation anti-virus (NGAV). For example, Capture Client will help stop intrusions and ransomware attacks from initiating. Even if a ransomware strain did execute, Capture Client would give the administrator the ability to roll back the damage to a previously known clean state.\r\nFor the full story on my chats with Twig, I urge you to attend my upcoming webinar, “Mindhunter: My Two-Week Conversation with a Ransomware Cell.”\r\nSource: https://blog.sonicwall.com/en-us/2019/11/mindhunter-meeting-a-russian-ransomware-cell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sonicwall.com/en-us/2019/11/mindhunter-meeting-a-russian-ransomware-cell/"
	],
	"report_names": [
		"mindhunter-meeting-a-russian-ransomware-cell"
	],
	"threat_actors": [],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70e9dbcb32be2c595f9591761d0eb5cc69f74ba9.pdf",
		"text": "https://archive.orkl.eu/70e9dbcb32be2c595f9591761d0eb5cc69f74ba9.txt",
		"img": "https://archive.orkl.eu/70e9dbcb32be2c595f9591761d0eb5cc69f74ba9.jpg"
	}
}