December 9, 2022

Next-Generation Technologies & Secure Development , Threat Hunting , Threat Intelligence

Kremez Excelled at Unraveling Cybercrime Tactics, Including Ransomware Groups

Mathew J. Schwartz (euroinfosec) • November 3, 2022

Vitali Kremez in the ISMG studio at RSA 2022 in San Francisco

Tributes are pouring in for Vitali Kremez, a renowned threat intelligence expert who died at the age of 36 in a suspected scuba-diving accident.


Kremez went missing Sunday morning after being last seen diving near a beach in Miami “wearing a black wetsuit and scuba tank,” the U.S. Coast Guard reported. His body was recovered Wednesday on a beach between Fort Lauderdale and Miami Beach.

Kremez grew up in Belarus, then immigrated to the United States after dropping out of college.

As recounted in the recently released book “The Ransomware Hunting Team” written by Renee Dudley and Daniel Golden, there “he worked construction jobs and played guitar in bars before joining the Manhattan district attorney’s office as a cyber analyst.”

As an analyst, he brought to bear a skill set that included technical knowledge, as well as fluency in Belarusian and English and proficiency in Russian, Ukrainian and Polish. He was an advocate for tracking attackers not just based on the tools they use, but how they think. Kremez infiltrated cybercrime groups through their online haunts, gathering clues on their targets, tactics, techniques and procedures.

He joined New York-based threat intelligence firm Flashpoint as a cybercrime researcher. Having followed his research, it was a joy to meet him in person for the first time at the RSA 2017 conference in San Francisco, where we spoke about cybercrime trends. He told me that “pseudo-anti-Americanism” was a big driver for many Eastern European cybercriminals (see: What Drives Eastern European Cybercriminals?).

“They don’t necessarily think about damaging people, they think that America has a lot of corporations that are evil, and they think – conveniently – essentially that allows them to [claim] plausible deniability, and they’ll start attacking huge corporations in the U.S.,” he said at the time.

In 2019, he joined anti-malware firm SentinelOne, and was a founding member of its SentinelLabs threat-intelligence team.

He left to launch a boutique firm, New York-based Advanced Intelligence – aka AdvIntel – which tracked advanced threat actors and their tactics.

Kremez actively combated cybercrime, including ransomware. As “The Ransomware Hunting Team” recounts, Kremez in 2020 was invited to join that eponymous team, which is an ad hoc, low-profile group of researchers that came together in May 2016, and which continues to track ransomware operations, find vulnerabilities in their malware and assist victims.

Kremez continued to track various cybercrime groups, tracing not just their attack techniques, but also cryptocurrency flows, to better identify the groups and individuals behind specific operations and attacks.

At the RSA 2022 conference in June, I sat down with Kremez to discuss one of the biggest ransomware stories of the year: the Conti group having retired its brand name, after its disastrous decision to publicly back Russia’s February invasion of Ukraine (see: Conti Ransomware Group Explores Post-Encryption Future).

Kremez had cut himself on the chin shaving, just before the interview, and was wearing a white shirt that had already picked up spots of blood. We cooked up a Jason Bourne-type cover story: if anyone asked, he’d suffered the flesh wound while battling cybercriminals in the streets of San Francisco.

As we explored during the interview, Kremez and his AdvIntel colleagues had been monitoring Conti’s activities, including tracking its attempt to spin up multiple new groups – Quantum, Hive, Alphv, aka BlackCat, and more – before announcing their supposed retirement. Beyond ransomware, he said some of the spinoffs were exploring outright extortion by simply stealing files, rather than also encrypting them, and squeezing victims for a promise to not sell or leak the stolen data.

Ransomware groups might come and go, but so many of the players seem to remain the same. So I asked him: Do ransomware-wielding attackers ever decide they’ve made enough money, and try to go legit or retire?

“I guess this lifestyle that they have, it affords lots of luxuries, especially specifically, if you live like in Eastern Europe, you can afford Lamborghinis, you can drive around the city and … like oligarchs, literally live the lifestyle of the richest of the rich,” and all seemingly without having to work too hard, he said.

“Once they get hooked into this business, it’s hard to get away,” he added. “The only ways we’ve seen them get away from this business is when Russian intelligence or law enforcement used to recruit them for their own operations. … So some of the most successful ones became forceful employees for Russian intelligence, basically. And that’s the way out.”

After recording our interview, I got to catch up with Kremez, face to face for the first time in several years due to the Covid pandemic. He talked about the joys of living in Florida and getting proper downtime when he wasn’t working, as well as having gotten his private pilot’s license. On the heels of that, he said one of his hobbies had become listening to live air traffic control feeds. He described learning the lingo of flying, and trying to predict what instructions ATC would likely issue and when, for example, to pilots of commercial jets as they came in to land, or when they were taxiing. His face lit up as he described his ability to crack that code, and follow the connections.
