This small tech company SpiffyTech could really be a ransomware front group

It seems naive enough: a little-known Canadian company that offers a wide range of consulting and technology services. But a certificate from that company – a type of signature that can be attached to malware – appeared in two ransomware pieces last month, and leading experts told The Daily Beast they believe the company The small company is actually a front for at least two Russian ransomware gangs.

The company – cheerfully named “SpiffyTech” – has some red flags. First, if you want to look at SpiffyTech’s leadership team, you’re out of luck. They don’t exist.

The site lists the top four employees next to their stylish snaps. But the SpiffyTech execs appear to have stolen the photos one by one.

A reverse image search on Google shows top shots coming from a professional photographer’s website. The photographer, Kirill Tigai, confirmed the photos in question were part of a shoot for another company and said he did not give SpiffyTech permission to use them.

“I think… this site SpiffyTech is a scam,” Tigai told The Daily Beast. “They just used the photos that I created for my clients under different names.”

Another reason experts believe “SpiffyTech” is a much more technical front.

Hackers often steal certificates from actual businesses to help their attacks fly under control and trick computers into thinking their malware is legitimate. And while it’s possible that hackers did the same here — or tricked a real company into sharing a legitimate “cert” — the ugliness of the site and its apparent connection to ransomware, put researchers at risk. Cybersecurity analysts believe SpiffyTech is a cover-up for something more sinister.

“It’s possible the cert was stolen,” said Allan Liska, an intelligence analyst at Recorded Future. “But then when you start to look at the company itself and realize that they’re not real, then you start to get suspicious.”

The way the certificates were used similarly shows that SpiffyTech is no good. Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne, told The Daily Beast the only use of certificates so far has been exclusively in malware. He came to this conclusion from analyzing files on VirusTotal, a repository security experts use to check if files are malicious or benign.

DigiCert, the certificate authority, told The Daily Beast that it revoked it because the company’s terms don’t allow illegal activity, like ransomware, which could indicate DigiCert considers the operators illegal.

Attempts to contact SpiffyTech went unanswered — emails bounced and phones disconnected.

It’s not entirely clear who is behind the site or the company, and ownership seems to be pretty much mixed up. A man named Daniel Stanfill of Texas has been listed as the owner of the site, according to domain registration information. But other owners over the years have cropped up, including an India-based company, Moksha Designs Pvt Ltd and more recently a Canadian firm, K3P Consulting, according to WHOIS filings.

Stanfill confirmed that he actually owned the site — and he said he was under the impression that he didn’t let someone else buy the domain and thought he still had control of it. Stanfill told The Daily Beast he had no idea what SpiffyTech was.

“I haven’t really tried to do anything but leave it alone since I retired… It’s my business website,” says Stanfill, adding that the site hasn’t been active for many years. five. “It is possible that someone is using the site as a proxy… it could have been maliciously concealed.”

According to the latest filings, the site is K3P registered. But the attempt to reach K3P was unsuccessful. GoDaddy, the website’s registrar, declined to comment on who actually owns the site.

The mystery continued from there.

Canadian government records show a man named Diltaj Singh Jatana running SpiffyTech. Jatana claims on her LinkedIn to work for a construction company, RB Excaging. And SpiffyTech and RB Excaging both claim the same address, according to government records. However, according to Google Maps, the address is not an office or even an office building; It is a house.

There are some indications that recent site ownership may be linked — virtually all of the more recent names were added to the record on the same day as January 2016, according to the WHOIS filing. In other words, it’s possible whoever controls the site now may have planned it to look like it’s changed hands, when it really isn’t, the analysts said, to conceal their involvement.

“In that case, the person either changes the information in the WHOIS record but the ownership itself does not change,” said Alexandre Francois, threat researcher at WhoisXML API, adding that there is still the possibility. The site has indeed changed hands.

But over the years, the actual transfer of website ownership has been banned, according to WHOIS records.

Attempts to contact the manager of Moksha Designs Pvt Ltd, Satish Reddy, and Jatana went unanswered. The FBI did not return a request for comment. Canadian law enforcement and the Canada Revenue Agency declined to comment.

The two ransomware groups connected to SpiffyTech are Hive and BlackMatter, as SpiffyTech certificates were buried in two of their ransomware pieces last month, analysts told The Daily Beast.

By using a company that has been registered many times over, these analysts say the hackers associated with Hive and BlackMatter may be trying to fool law enforcement or defraud a certificate authority. just approve them without looking through.

“One of the things some bad guys like to do is… use domain names that have been registered for a long time,” says Liska. “They love having domains that have been around for a while because it shows that it’s basically possible [give] some confusion” and sent the investigations into a spiral.

The identities of ransomware hackers are notoriously difficult to discover. Sometimes investigations into the individuals behind attacks take years, and ransomware gangs constantly separate and regroup, making them even more complicated to track down.

BlackMatter itself also claims to have consolidated several ransomware gangs, including DarkSide and REvil – the very same gangs the US government has been trying to catch for months after their attacks hit Colonial Pipeline, JBS meat supplier and thousands of other companies. The US government wants to beat them badly Foreign Office announced that it is offering 10 million dollars for information leading to their identity.

This is not the first time hackers have used front companies to gain legitimacy. A hacking gang called FIN7 used a lot of front company to recruit former hackers, while another group relied on fake company in Italy.

Cybersecurity analysts told The Daily Beast that Hive and BlackMatter have no history of working together. But researchers say it’s more likely that an affiliated hacker, who happens to work for both gangs, is looking for a way to conceal their activities and take over a company domain that has changed hands many times. so often that the authorities did not notice.

According to a FBI alert and a warning from the Department of Homeland Security.

Greg Otto, a security researcher at Intel471, said there’s a clear possibility that the affiliates are swapping notes.

Otto told The Daily Beast: “The affiliate networks for ransomware as a service… don’t work in vacuum cleaners. “Because this was repeated across different variations, it shows that people who work for affiliates [are] talk to each other or that affiliates are working for different gangs. “ This small tech company SpiffyTech could really be a ransomware front group


Inter Reviewed is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – The content will be deleted within 24 hours.

Related Articles

Back to top button