It seems innocent enough: a little-known Canadian company that offers an array of tech and consulting services. But a certificate from that company—a sort of signature that can be tacked onto malware—showed up in two pieces of ransomware last month and leading experts told The Daily Beast they believe the small company is actually a front for at least two Russian ransomware gangs.
The company—cheerily named “SpiffyTech”—has a number of red flags. For one, if you want to look at SpiffyTech’s leadership team, you’re out of luck. They don’t exist.
The site does list four top staffers next to their stylish headshots. But the SpiffyTech operators appear to have stolen each and every photo.
A reverse image search on Google shows the headshots come from a professional photographer’s website. The photographer, Kirill Tigai, confirmed the photos in question were part of a shoot for a different company and said he did not give SpiffyTech permission to use them.
“I think… this website SpiffyTech is a fraud,” Tigai told The Daily Beast. “They just use photos that I made for my clients under different names.”
Another reason experts believe “SpiffyTech” is a front is far more technical.
Hackers frequently steal certificates from actual businesses in order to help their attacks fly under the radar and trick computers into thinking their malware is legitimate. And while it’s possible the hackers did the same here—or tricked a real company into sharing a legitimate “cert”—the shadiness of the site, and its apparent connection to ransomware, leads cybersecurity analysts to believe SpiffyTech is a disguise for something more sinister.
“It’s possible that cert could have been stolen,” said Allan Liska, an intelligence analyst at Recorded Future. “But then when you start looking at the company itself and realizing that they’re not real, then it starts to get suspicious.”
The way the certs have been used likewise suggests SpiffyTech is up to no good. The only known uses of the certs to date are in malware, Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne, told The Daily Beast. He came to this conclusion by analyzing files on VirusTotal, a repository security pros use to check whether files are malicious or benign.
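A worked version of that reasoning, added here as an example rather than taken from the article or from SentinelOne's analysis: sample metadata of the kind an analyst pulls from a malware repository, grouped by the signing certificate, with signers that appear only on flagged files singled out. The hashes, thumbprints, company names and the detection threshold are constructed placeholders, not real indicators.

```python
"""Triage heuristic (added example): find code-signing certificates whose
every known use is in files flagged as malicious. Constructed data only."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    sha256: str             # placeholder hash, not a real indicator
    signer_thumbprint: str  # identifies the signing certificate
    signer_subject: str     # organisation named in the certificate
    detections: int         # engines flagging the file
    total_engines: int      # engines that scanned the file


MALICIOUS_RATIO = 0.5  # assumed threshold: at least half the engines agree


def is_malicious(s: Sample) -> bool:
    """A sample counts as malicious when enough engines flag it."""
    return s.total_engines > 0 and s.detections / s.total_engines >= MALICIOUS_RATIO


def suspicious_signers(samples, min_samples=2):
    """Return {thumbprint: (subject, n_samples)} for certificates seen on at
    least min_samples files, all of them malicious. One hit may be a stolen
    cert; repeated use with no benign software looks more like a front."""
    by_signer = defaultdict(list)
    for s in samples:
        by_signer[s.signer_thumbprint].append(s)
    flagged = {}
    for thumb, group in by_signer.items():
        if len(group) >= min_samples and all(is_malicious(s) for s in group):
            flagged[thumb] = (group[0].signer_subject, len(group))
    return flagged


# Constructed records: "Front Co" signs only flagged files; "Real Vendor"
# signs a mix, as a legitimate (possibly stolen) certificate normally does.
CONSTRUCTED = [
    Sample("aa" * 32, "THUMB-FRONT", "Front Co Ltd", 55, 60),
    Sample("bb" * 32, "THUMB-FRONT", "Front Co Ltd", 48, 60),
    Sample("cc" * 32, "THUMB-REAL", "Real Vendor Inc", 0, 60),
    Sample("dd" * 32, "THUMB-REAL", "Real Vendor Inc", 52, 60),
    Sample("ee" * 32, "THUMB-ONEOFF", "Other Co", 59, 60),
]

if __name__ == "__main__":
    for thumb, (subject, n) in suspicious_signers(CONSTRUCTED).items():
        print(f"{subject} ({thumb}): {n} samples, all flagged")
```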
DigiCert, the authority that issued the certificate, told The Daily Beast it has revoked the certificate, since DigiCert’s terms don’t allow illegal activity like ransomware, which suggests DigiCert does not consider the operators legitimate.
Efforts to contact SpiffyTech went unanswered—emails bounced back and the phone is disconnected.
House of Mirrors
It’s not entirely clear who is behind the site or company, and the ownership appears to get shuffled around quite a bit. A man named Daniel Stanfill of Texas has been listed as the site’s owner, according to domain registration information. But other owners through the years have cropped up, including an India-based company, Moksha Designs Pvt Ltd and, more recently, a Canadian company, K3P Consulting, according to WHOIS records.
Stanfill confirmed he has indeed owned the site—and he said he was under the impression he hadn’t let others buy the domain, and thought he still was in control of it. Stanfill told The Daily Beast he doesn’t know what SpiffyTech is.
“I haven’t really tried to do anything but let it sit since I retired… That was my business website,” Stanfill said, adding that the site had been idle for years. “It could be somebody that is using the website sort of by proxy… it may have been maliciously gotten ahold of.”
According to the latest records, the site is registered to K3P. But attempts to reach K3P failed. GoDaddy, the registrar for the site, declined to comment about who really owns the site.
The mystery continues from there.
Canadian government records show a man named Diltaj Singh Jatana runs SpiffyTech. Jatana claims on his LinkedIn to work for a construction company, RB Excavating. And SpiffyTech and RB Excavating both claim the same address, according to government records. According to Google Maps, however, the address isn’t an office or even an office building; it’s a house.
There are some signs more recent ownership of the site may be linked—almost all of the more recent names were added to the records on the same date in January of 2016, according to WHOIS records. In other words, it’s possible that whoever controls the site now could have planned for it to look like the site was changing hands, when it really wasn’t, analysts said, in order to mask their involvement.
“In that case the person either changed the information in the WHOIS record but the ownership itself didn’t change,” said Alexandre Francois, threat researcher at WhoisXML API, adding that it’s still possible the site really did change hands.
But through the years, an actual transfer of the site ownership was prohibited, according to WHOIS records.
Attempts to reach the manager of Moksha Designs Pvt Ltd, Satish Reddy, and Jatana went unanswered. The FBI, Canadian law enforcement, and the Canada Revenue Agency declined to comment.
The two ransomware groups connected to SpiffyTech are Hive and BlackMatter, as the SpiffyTech cert was buried in two pieces of their ransomware last month, analysts told The Daily Beast.
These analysts said that by using a company that’s been registered so many times, the hackers involved in Hive and BlackMatter could be trying to stump law enforcement or trick the certificate authority into approving them without a second glance.
“One of the things that some malicious actors like to do is… use domain names that have a long history of being registered,” Liska said. “They like having domains that have been around for a while because it shows it basically can [give] some confusion” and send investigations into a tailspin.
The identities of ransomware hackers are notoriously difficult to unearth. Sometimes investigations into the individuals behind attacks take years, and ransomware gangs are constantly splintering and regrouping, making tracing them even trickier.
BlackMatter itself has announced it had merged together several ransomware gangs, including DarkSide and REvil—the same gangs the U.S. government has been trying to catch red-handed for months after their attacks hit Colonial Pipeline, meat supplier JBS, and thousands of other companies. The U.S. government wants to nail them down so badly the State Department announced it’s offering $10 million for information that leads to their identities.
It wouldn’t be the first time hackers used a front company to gain a semblance of legitimacy. A hacking gang called FIN7 has used multiple front companies to recruit hackers before, while another group has relied on a fake company in Italy.
Hive and BlackMatter don’t have a known history of working together, cybersecurity analysts told The Daily Beast. But researchers said what’s more likely is that an affiliate hacker, who happens to work for both gangs, was looking for a way to hide their operations and hijacked a company domain name that’s changed hands so many times that authorities wouldn’t bat an eye.
Hive and BlackMatter—both of which began earlier this year to attack targets, including hospitals—are believed to have affiliates, according to an FBI alert and an alert from the Department of Homeland Security.
Greg Otto, a security researcher at Intel471, said it was a distinct possibility affiliates were swapping notes.
“The affiliate networks for ransomware as a service… don’t operate in vacuums,” Otto told The Daily Beast. “Because this has repeated across different variants, it shows that either the people working for the affiliates [are] talking with one another, or that affiliates are working for different gangs.”