This summer, Abnormal Security discovered that some of its customers’ staff were receiving emails inviting them to install ransomware on a company computer in return for a $1m share of the “profits”.
When Abnormal staff set up a fake persona and contacted the criminals to play along, though, things started to fall apart. While the criminal initially discussed a potential ransom of $2.5m, this figure fell and fell as talks went on, first to $250,000 and then to just $120,000.
The would-be attacker also appeared to have very little understanding of normal incident response techniques, says Abnormal, and a rather shaky grasp of the technology they claimed to be using. But thanks to the availability of ransomware-as-a-service (RaaS), this inexperience in itself was no barrier.
RaaS “packages” are available on dark web forums offering scalable, easy-to-use ransomware toolkits. Increasingly, the developers of these packages have become highly professional, offering bulk discounts, 24-hour support, user reviews, discussion forums, and all the other trappings of a legitimate software-as-a-service product.
“The store pages are almost disturbingly corporate,” says Mitch Mellard, principal threat intelligence analyst at Talion. “Using the example of the page for the EGALYTY ransomware-as-a-service, they proudly display links to online infosec publications specifically discussing their strain like a badge of honour, like a mundane software store would display positive reviews from tech publications.
“They then display a multi-tiered service list, ranging from a one-month ‘test’ package for $90, proceeding to ‘standard’ and ‘premium’ offerings, before arriving at the 12-month ‘elite’ subscription package, with all of the bells and whistles, for $1,400.”
In many cases, the groups work on an affiliate model, with the developers taking a cut of the ransom on top of the monthly payment, generally to the tune of around 20 to 50 per cent. Affiliates are supported through the process of mounting an attack.
“A lot of people behind ransomware are simple people who have experience in the information security field and decide to try and make money this way,” says Marijus Briedis, CTO at NordVPN. “This trend was accelerated by COVID-19 when people were forced to sit at home.”
However, says Jamie Collier, cyber threat intelligence consultant at FireEye’s Mandiant Threat Intelligence, the move by ransomware developers towards professional corporate structures has brought other changes too.
“What this has led to isn’t necessarily just a load of low-sophisticated actors getting involved, it’s also allowed for a deeper level of specialisation, so the likes of a supply chain compromise or exploiting zero-day vulnerabilities, for instance,” he says.
“Because you’ve got these affiliates and these different entities getting involved, it means you don’t need to master all stages of the attack lifecycle.”
As a result, ransomware groups are hiring experts in every aspect of the business, from pen-testers who can gain initial access to systems to ransom negotiators.
“The RaaS economy follows a well-orchestrated value chain which starts from a vulnerability researcher who identifies and sells zero-day vulnerabilities to developers who create malware to take advantage of the vulnerabilities and to vendors or distributors who do marketing and sales on RaaS offerings on the dark net,” says George Papamargaritis, MSS director at Obrela Security Industries.
“Rogue hosting providers, intermediates who do Bitcoin laundering operations and offer Bitcoin to currency exchangers, are part of the value chain as well.”
And botnet operators are also in demand: researchers from security firm Kela cite one dark net job ad looking for somebody to handle two to three bots per day, promising constant work until the end of the year along with fixed bonuses and 10 per cent of the eventual profit.
Finding the jobseekers
Recruitment, again, is a highly organised affair.
“Often you’ll have to provide some level of proof that you’re genuine, whether you’ve been previously active in the space or are willing to highlight your interests and engagement to get into closed groups,” says Collier.
“So there’s a lot of barriers there to stop anyone getting involved just for the sake of it – or, for that matter, to stop law enforcement getting involved.”
Meanwhile, RaaS groups are starting to find new ways of making money. Rather than simply encrypting data and demanding a ransom for the decryption key, they are exfiltrating the data before encrypting it, and then threatening to leak or publish it – so that even organisations with good back-ups can be threatened.
“Groups like REvil and Maze have been wildly successful at monetising data exfiltrated from their victims,” says Dean Ferrando, lead systems engineer (EMEA) at Tripwire. “These groups, which initially operated only by locking people out of their files, have found that it can be even more lucrative to extort a ransom in exchange for not publishing leaked data.”
And this “double extortion” sometimes develops into triple extortion, he says: “In some cases, the groups claim to have organised sales to interested third parties when the original data owners refused to pay.”
And, now, the next step is starting to evolve: referred to by some as quadruple extortion. Both the Grief Corp gang – believed by the US Department of the Treasury to be connected to Russia-based Evil Corp – and the Ragnar Locker ransomware group have started warning victims that they will leak stolen data from victims who contact law enforcement.
“Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie,” Ragnar Locker threatened victims this summer. “Dear clients if you want to resolve all issues smoothly, don’t ask the police to do this for you. We will find out and punish with all our efforts.”
And when stolen data is leaked, it’s again being sold in a corporate way.
“Cybercriminals even have loyalty programs and discount systems in place ranging from 5 per cent to 30 per cent off for bulk purchases,” says Briedis. “The dark web is just like Wall Street. The higher the damages the sold data can inflict, the more expensive it is.”
The REvil group – which earlier this year leaked 2.4GB of Lady Gaga’s legal documents – has even organised auctions to get the best price for its stolen data.
Another novel technique being used by ransomware attackers is to add distributed denial-of-service (DDoS) attacks into the mix, threatening to carry on indefinitely until a ransom is paid. This type of attack was first reported late last year from the SunCrypt and Ragnar Locker groups, with Avaddon following suit early this year.
And a growing trend, according to Collier, is the targeting of customers, media and others to tell them that an organisation has been hacked.
“For example, we’ve seen ransomware groups call and harass employees of an organisation. We’ve seen them reach out to business partners and suppliers, third parties, to drum up additional pressure,” he says.
“You’ve got ransomware groups now interacting with the press more proactively; they’re being very experimental, looking outside the box and exploring new ways to impose pressure on victims.”
It’s no secret that the number of ransomware attacks has been rocketing. According to Positive Technologies’ Cybersecurity Threatscape for Q2 2021, they jumped 45 per cent in April alone, and now account for nearly seven in ten malware attacks – a 30 per cent rise compared with the same quarter last year.
And with RaaS turning out to be such a successful business model, says Group-IB, it now accounts for nearly two-thirds of ransomware attacks.
New kid in town
Right now, ransomware groups appear to be in an extraordinary state of flux. After increasing heat from law enforcement following the Colonial Pipeline attack in May, DarkSide appeared to vanish; so too did REvil after a high-profile attack on IT management software provider Kaseya. Soon after, a new group called BlackMatter appeared, which security researchers reckon has connections with both groups.
BlackMatter appears to use a similar financial structure and ransomware strains to REvil, and has been recruiting affiliates all summer. It’s been posting ads offering between $3,000 and $100,000 for access to high-value corporate networks of companies with revenues of at least $100m a year in the US, the UK, Canada or Australia.
Meanwhile, a group called AvosLocker also started up over the summer, recruiting affiliates on dark web discussion forums. At the same time, a double-extortion ransomware group called Hive Ransomware began operations, hitting 28 organisations, including a European airline, within weeks. Ominously, unlike other ransomware groups, it has actively been targeting hospitals.
As well as making it harder for law enforcement to deal with these groups, such changes leave organisations more vulnerable as they scramble to keep up.
“It’s a very dynamic and agile environment, it’s a very fluid environment where threat actors will very quickly form and disband,” says Collier.
“There is a need to serve up threat intelligence much more quickly on these groups because they are only going to be around for a short time – but it also potentially means that the information shared about these groups expires much more quickly as well.”