Executive Summary
Binary Defense regularly monitors Darknet sites, criminal forums and other sources to find threats that may affect our clients. When our analysts found someone offering to sell backdoor access to a Managed Services Provider (MSP), we coordinated with the FBI to discover the identity of the MSP and preserve evidence. We also found that the person who sold access to the MSP was also involved in several other criminal schemes, including development of a new ransomware threat. The evidence helped the FBI identify and arrest of the person responsible, putting a stop to several more ongoing criminal schemes.
Backdoor Access to MSP for Sale
In late September 2019, members of our Intelligence Operations team took notice of a cybercriminal calling themselves W0zniak who claimed to have backdoor access to a Managed Services Provider (MSP) which they were willing to sell for $600 USD. The team immediately recognized the risk to not only the MSP but also their clients. A plan was quickly and carefully put together to attempt to identify the MSP and to gather as much information on W0zniak as possible to provide evidence to law enforcement. Members of the Intelligence Operations team began reviewing W0zniak’s online activity and determined the best approach to reach out and elicit as much identifying information as possible.
During this planning phase, the team worked closely with local FBI contacts to ensure that important data was being preserved to aid the FBI in prosecution while also conducting the research in a legal manner. After initial conversations with W0zniak, the identity of the MSP was not apparent. The team discussed with the FBI and determined that purchasing the access would serve to both protect the victim and build a strong case against W0zniak. The U.S. Attorney’s Office approved the purchase, and the team was able to negotiate with W0zniak to purchase access for $450. They used Bitcoin, paid for by the FBI. After purchasing the login credentials, the Binary Defense team immediately passed the information to the FBI and did not access, or attempt to test, the credentials. Thanks to the quick work of the Binary Defense team, the FBI was able to identify the MSP and provide them with valuable information about how the criminal was accessing their systems. This allowed the MSP to take immediate corrective action to stop the unauthorized access.
At the same time that Binary Defense was gathering information to notify the MSP and help investigators build a case, other researchers at Huntress Labs, Datto, and ConnectWise independently took steps to combat the threat from W0zniak. All three worked to identify and contact the MSP which W0zniak was attempting to sell access to so that they could quickly investigate the compromise and determine the best course of remediation.
Through their conversations with W0zniak, the Intelligence Operations team recognized that W0zniak was clearly someone who had aspirations of growing their status as a cybercriminal. The team went to work continuing to build their rapport with W0zniak to more easily leverage any future opportunities to gather information for law enforcement on W0zniak and protect the public from the threat he posed.
Ransomware Threat
In early October 2019, W0zniak posted on a criminal forum that he was interested in creating and selling ransomware. In early December he indicated that he was hoping to release it within the “first 60 days of [2020],” but ultimately stopped development because another criminal scheme took higher priority. W0zniak now had “access to a large tax company” and was willing to sell that access for the price of $3,500 USD. Alternatively, he was willing to sell copies of clients’ past returns in batches of 100 tax returns for $1,000 USD. Once again, the Binary Defense Intelligence Operations team coordinated quickly with the FBI to ensure the defense of those affected by W0zniak’s activities. The team communicated with W0zniak through their alias accounts attempting to elicit as much information as possible, which was then shared with the FBI.
Based on the information provided by Binary Defense, the FBI was able to follow the evidence to identify and arrest Marquavious D. Britt, a former employee of the MSP, on January 17, 2020. Britt was charged with accessing a protected computer without authorization. Just prior to Britt’s arrest, the team was able to confirm through communication with W0zniak (aka Britt) that the ransomware was not yet complete.
Throughout this operation it was Binary Defense’s primary goal to ensure that that any victims of W0zniak’s activities were identified and notified as quickly as possible, while also preserving evidence for law enforcement. All interactions with threat actors in the course of ongoing operations help to bolster Binary Defense’s knowledge of threat actor tactics and trends which allow us to ensure that Binary Defense remains ready to defend our customers effectively and efficiently.