When Criminals Get Started: Ransomware-as-a-service • The Register


Feature This summer, Abnormal Security discovered that some of its customers' staff were receiving emails asking them to install ransomware on a company computer in exchange for a $1 million share of the "profits."

When the Abnormal staff created a fake persona and contacted the criminals to play along, things started to fall apart. While the criminal first discussed a potential ransom of $2.5 million, that figure plummeted as talks progressed, first to $250,000 and then to just $120,000.


The would-be attacker also appeared to have very little understanding of normal incident response techniques, Abnormal says, and a rather shaky grasp of the technology they claimed to be using. But thanks to the availability of ransomware-as-a-service (RaaS), that inexperience in itself was not a hindrance.

RaaS "packages" are available on dark web forums offering scalable and easy-to-use ransomware toolkits. Increasingly, the developers of these packages have become very professional, offering wholesale discounts, 24-hour support, user reviews, discussion forums and all the other attributes of a legitimate software product.

"Store pages are almost worrying for businesses," says Mitch Mellard, senior threat intelligence analyst at Talion. "Using the example of the EGALYTY ransomware-as-a-service page, they proudly display links to infosec posts online that specifically discuss their strain as a badge of honor, much as a mundane software store would display positive reviews from tech publications.

"They then display a list of tiered services, ranging from a one-month 'test' package for $90, moving to 'standard' and 'premium' offers, before arriving at the 'elite' subscription package: 12 months, with all the bells and whistles, for $1,400."

In many cases, groups operate on an affiliate model, with the developers taking a share of the ransom in addition to the monthly payment, typically in the range of 20-50%. Affiliates are supported throughout the process of mounting an attack.

"A lot of the people behind ransomware are ordinary people who have an information security background and decide to try and make money that way," says Marijus Briedis, CTO at NordVPN. "This trend was accelerated by COVID-19 when people were forced to sit at home."

However, according to Jamie Collier, a cyber threat intelligence consultant at FireEye’s Mandiant Threat Intelligence, the evolution of ransomware developers to professional corporate structures has also brought other changes.

"What this has led to is not necessarily just a load of unsophisticated actors getting involved; it has also allowed for a deeper level of specialization, such as supply chain compromise or the exploitation of zero-day vulnerabilities, for example," he says.

"Because these affiliates and different entities are involved, it means that you don't need to be on top of every stage of the attack lifecycle."

As a result, ransomware groups hire experts in all aspects of the business, from pen-testers who can gain initial access to systems to ransom negotiators.

"The RaaS economy follows a well-orchestrated value chain that starts from a vulnerability researcher who identifies and sells zero-day vulnerabilities to developers, who create malware to take advantage of those vulnerabilities, and on to vendors or distributors who market and sell RaaS offerings on the darknet," says George Papamargaritis, MSS Director at Obrela Security Industries.

"Dishonest web hosts, and the middlemen who carry out Bitcoin laundering operations and pass Bitcoin to currency exchangers, are also part of the value chain."

Botnet operators are also in demand: researchers at security firm Kela cite a job posting on the darknet looking for someone to run two to three bots a day, promising constant work until the end of the year with fixed bonuses and 10% of any profit.

Finding job seekers

Recruitment, again, is a very organized affair.

"Often you will need to provide some level of proof that you are genuine, have been active in the space before, or want to showcase your interests and commitment in order to enter closed groups," says Collier.

"So there are a lot of barriers preventing anyone from getting involved just for the fun of it – or, for that matter, preventing law enforcement from getting involved."

Meanwhile, RaaS groups are finding new ways to make money. Rather than just encrypting the data and demanding a ransom for the decryption key, they exfiltrate the data before encrypting it and then threaten to disclose or publish it, so that even organizations with good backups can be held to ransom.


"Groups like REvil and Maze have been very successful in monetizing the exfiltrated data of their victims," says Dean Ferrando, chief systems engineer (EMEA) at Tripwire. "These groups, which initially operated only by locking people out of their files, have discovered that it can be even more lucrative to extort a ransom in exchange for not publishing the stolen data."

And this "double extortion" sometimes turns into triple extortion, he says: "In some cases, groups claim to have arranged sales to interested third parties when the original owners of the data refused to pay."

And now the next step is beginning to evolve, which some call quadruple extortion. The Grief Corp gang – which the US Treasury Department considers connected to Russia-based Evil Corp – and ransomware group Ragnar Locker have started warning victims that they will publish stolen data if the victims contact law enforcement.

"Please do not think that negotiators can deceive us; we have enough experience and many ways to recognize such a lie," Ragnar Locker warned victims this summer. "Dear customers, if you want to solve all problems smoothly, don't ask the police to do it for you. We will find out and punish you with all our efforts."

And when stolen data is leaked, selling it becomes a business in its own right.

"Cybercriminals have even set up loyalty programs and discount systems ranging from 5 to 30% on wholesale purchases," says Briedis. "The dark web is like Wall Street. The greater the damage that the data sold can inflict, the more expensive it is."

The REvil group – which earlier this year leaked 2.4 GB of Lady Gaga’s legal documents – even held auctions to get the best price for its stolen data.

Another new technique used by ransomware attackers is to add Distributed Denial of Service (DDoS) attacks to the mix, threatening to continue them indefinitely until a ransom is paid. This type of attack was first reported late last year from the groups SunCrypt and Ragnar Locker, with Avaddon following suit earlier this year.

And a growing trend, according to Collier, is contacting customers, the media and others to tell them that an organization has been hacked.

"For example, we've seen ransomware groups calling and harassing employees in an organization. We've seen them reaching out to business partners and suppliers, third parties, to put additional pressure on them," he says.

"Ransomware groups are now interacting more proactively with the press; they are very experimental, think outside the box and explore new ways of exerting pressure on victims."

It's no secret that the number of ransomware attacks has skyrocketed. According to Positive Technologies' cybersecurity threat landscape report for the second quarter of 2021, they jumped 45% in April alone and now account for nearly seven in ten malware attacks, a 30% increase from the same quarter last year.

And with RaaS proving to be such a successful business model, Group-IB says, it now accounts for almost two-thirds of ransomware attacks.

New kid in town

Right now, the ransomware groups appear to be in an extraordinary state of flux. After law enforcement attention increased following the Colonial Pipeline attack in May, DarkSide appeared to disappear; the same is true for REvil after a high-profile attack on IT management software vendor Kaseya. Soon after, a new group called BlackMatter emerged, which security researchers say has ties to both groups.

BlackMatter appears to use a financial structure and ransomware strains similar to REvil's, and has been recruiting affiliates all summer. It has posted ads offering between $3,000 and $100,000 for access to high-value corporate networks with revenues of at least $100 million per year in the US, UK, Canada or Australia.

Meanwhile, a group called AvosLocker also kicked off over the summer, recruiting affiliates on dark web chat rooms. At the same time, a double-extortion ransomware group called Hive Ransomware began operations, hitting 28 organizations, including a European airline, within weeks. Worryingly, unlike other ransomware groups, it actively targets hospitals.

Besides making it harder for law enforcement to deal with these groups, such changes make organizations more vulnerable as they scramble to keep pace.

“It’s a very dynamic and agile environment, it’s a very fluid environment where the threat actors will very quickly form and dissolve,” explains Collier.

"There is a need to deliver threat intelligence on these groups much faster, because they will only be present for a short time – but it also potentially means that information shared about these groups expires much faster as well." ®
