Remembering Vitali Kremez, Threat Intelligence Researcher
Kremez Excelled at Unraveling Cybercrime Tactics, Including Ransomware Groups

Tributes are pouring in for Vitali Kremez, a renowned threat intelligence expert who died at the age of 34 in a suspected scuba-diving accident.
Kremez went missing Sunday morning after being last seen diving near a beach in Miami "wearing a black wetsuit and scuba tank," the U.S. Coast Guard reported. His body was recovered Wednesday on a beach between Fort Lauderdale and Miami Beach.
Kremez grew up in Belarus, where he was a leader in the pro-democracy movement Malady Front ("youth front") and performed with a pro-democracy rock and roll band called Excalibur. As an act of protest, he anglicized his first name as Vitali, which is more consistent with the Belarusian language, rather than the more Russian Vitaly or Vitaliy.
Immigrating to the United States, he landed in Connecticut, where he did construction work and played guitar in bars, also performing in a flamenco band called El Duende. He earned a degree in economics - including studying fraud and digital forensics - from John Jay College of Criminal Justice. New York was his home for nearly 10 years; his favorite museum was The Rubin. While he considered going to law school, instead he became a cyber analyst for the Manhattan district attorney's office.
As an analyst, he brought to bear a skill set that included technical knowledge, as well as fluency in Belarusian and English and proficiency in Russian, Ukrainian and Polish. He was an advocate for tracking attackers not just based on the tools they use, but how they think. Kremez infiltrated cybercrime groups through their online haunts, gathering clues on their targets, tactics, techniques and procedures.
He joined New York-based threat intelligence firm Flashpoint as a cybercrime researcher. Having followed his research, it was a joy to meet him in person for the first time at the RSA 2017 conference in San Francisco, where we spoke about cybercrime trends. He told me that "pseudo-anti-Americanism" was a big driver for many Eastern European cybercriminals (see: What Drives Eastern European Cybercriminals?).
"They don't necessarily think about damaging people, they think that America has a lot of corporations that are evil, and they think - conveniently - essentially that allows them to [claim] plausible deniability, and they'll start attacking huge corporations in the U.S.," he said at the time.
In 2019, he joined anti-malware firm SentinelOne, and was a founding member of its SentinelLabs threat-intelligence team.
He left to launch a boutique firm, New York-based Advanced Intelligence - aka AdvIntel - which tracked advanced threat actors and their tactics.
Kremez actively combated cybercrime, including ransomware, as recounted in the recently released book "The Ransomware Hunting Team" written by Renee Dudley and Daniel Golden. Kremez in 2020 was invited to join that eponymously named team, which is an ad hoc, low-profile group of researchers that came together in May 2016, and which continues to track ransomware operations, find vulnerabilities in their malware and assist victims.
Kremez continued to track various cybercrime groups, tracing not just their attack techniques, but also cryptocurrency flows, to better identify the groups and individuals behind specific operations and attacks.
At the RSA 2022 conference in June, I sat down with Kremez to discuss one of the biggest ransomware stories of the year: the Conti group having retired its brand name, after its disastrous decision to publicly back Russia's February invasion of Ukraine (see: Conti Ransomware Group Explores Post-Encryption Future).
Kremez had cut himself on the chin shaving, just before the interview, and was wearing a white shirt that had already picked up spots of blood. We cooked up a Jason Bourne-type cover story: if anyone asked, he'd suffered the flesh wound while battling cybercriminals in the streets of San Francisco.
As we explored during the interview, Kremez and his AdvIntel colleagues had been monitoring Conti's activities, including tracking its attempt to spin up multiple new groups - Quantum, Hive, Alphv aka BlackCat, and more - before announcing their supposed retirement. Beyond ransomware, he said some of the spinoffs were exploring outright extortion by simply stealing files, rather than also encrypting them, and squeezing victims for a promise to not sell or leak the stolen data.
Ransomware groups might come and go, but so many of the players seem to remain the same. So I asked him: Do ransomware-wielding attackers ever decide they've made enough money, and try to go legit or retire?
"I guess this lifestyle that they have, it affords lots of luxuries, especially specifically, if you live like in Eastern Europe, you can afford Lamborghinis, you can drive around the city and … like oligarchs, literally live the lifestyle of the richest of the rich," and all seemingly without having to work too hard, he said.
"Once they get hooked into this business, it's hard to get away," he added. "The only ways we've seen them get away from this business is when Russian intelligence or law enforcement used to recruit them for their own operations. … So some of the most successful ones became forceful employees for Russian intelligence, basically. And that's the way out."
After recording our interview, I got to catch up with Kremez, face to face for the first time in several years due to the Covid pandemic. He talked about the joys of his life in Florida and getting proper downtime when he wasn't working, as well as having gotten his private pilot's license. On the heels of that, he said one of his hobbies had become listening to live air traffic control feeds. He described learning the lingo of flying, and trying to predict what instructions ATC would likely issue and when, for example, to pilots of commercial jets as they came in to land, or when they were taxiing. His face lit up as he described his ability to crack that code, and follow the connections.
Nov. 4, 2022 12:30 UTC: This piece has been updated with additional biographical details.