
Ransomware group runs public help-wanted ads for skilled hackers


You know how cyber training warns you to look for poor English to avoid getting ransomware in a phishing email?

How about looking for poor English on a jobs page?

Cybersecurity jobs, to be specific.

A company calling itself Bastion Secure advertised for a Reverse Engineer, a System Administrator, and programmers experienced in PHP, Python, and C++. But Bastion Secure is a front for a Ransomware-as-a-Service group called Fin7, according to Recorded Future.

“Payment: -Based on the results of the interview, it depends on the experience of the applicant” is one example of poor English grammar on an archived job posting page.

An archived Bastion Secure home page that Recorded Future linked to claims to offer “specialised Public Sector cyber security services” and lists penetration testing, consulting and compliance, managed security services, and CSaaS (Cloud Security as a Service) as its offerings. It claims to be based in Britain (hence the spelling).

There is a real Bastion Security company in Britain. The Wall Street Journal said one of its executives, Tom Deevy, is listed as an officer with the fake company. But Deevy told the WSJ his company deals in physical security – it builds “panic rooms and other armored enclosures” and has never done business in cyber security.

Deevy also told the WSJ that the address used by Bastion Secure is one his company occupied seven years ago – but not now – and that the Bastion Secure website quoting him is “completely fake.”

So who is Fin7? Microsoft executives who spoke at a recent cyber defense summit said Fin7 is the group that produced the ransomware used in the Colonial Pipeline hack. Focused initially on stealing credit card information, Fin7 now operates as a Ransomware-as-a-Service vendor, offering ransomware “brands” such as Ryuk and REvil, and marketing itself as Darkside and Dark Matter.

Recorded Future said a partner went through a three-stage job application process to learn more. After a remote interview over Telegram and some test assignments, the group told job applicants to do a penetration test against a Bastion Secure “customer.”

Recorded Future said the software tools provided for the assignment had been used in prior ransomware attacks.

So why are the crooks trying to go public with hiring? According to Recorded Future, while criminal hacking partners tend to want a percentage cut of the ransomware proceeds, a Russian “security researcher” hired this way would cost Fin7 only $800-$1,200 a month.