Claims of ties between ransomware groups met with skepticism among threat researchers | SC Media

Cyber chatter flowed on Twitter today after a researcher, who goes by the handle @pancak3lullz, posted about claims from ransomware gang REvil that EvilCorp and Maze are actually one group operated by eight people with ties to the Russian government.


While interesting, should rank-and-file security pros even care about this kind of talk?


Probably not in terms of defense tactics, said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, who agreed that while defining attribution to prominent ransomware groups is as intriguing as it is challenging, for the majority of enterprise defenders, it’s largely a distraction.


“Your defenses don’t dramatically change whether you are up against a traditional cybercriminal or state-affiliated one,” Holland said. “Patching known vulnerabilities, enabling multi-factor authentication, and disabling macros will go a long way no matter the threat du jour.”


Joe Slowick, senior security researcher at DomainTools, warned that until substantiated, claims of a link between the two groups should be treated with extreme skepticism.


“Overall, short of having direct access to adversary infrastructure communications, or operational planning, it’s very difficult to ‘pinpoint’ such groups, especially as ransomware operations increasingly break down into multiple ‘teams’ selling access, services, and tools to each other,” he said.


Just as some question the validity of supposed ties between the groups, or association with Russia’s Federal Counterintelligence Service, some see the claims as a potential red herring.


“Personally, I think it’s all a ploy to create distraction from legitimate investigative work on the topic and more darknet drama around an already anxiety-fueled darknet commodity,” said Mark Turnage, CEO of DarkOwl.


Open source reporting from December 2019 linke ..