Ransomware Special Reports


Special Report

through the criminal underworld – turning a cottage industry into a multimillion-dollar criminal racket with software-as-a-service offerings similar to most legitimate tech businesses.

Conversely, because it’s never been easier for the have-a-go cyber-criminal to don a hoodie and inflict some serious damage, to some extent this stereotype persists – albeit one that now operates within a much more complex framework.

According to Roger Grimes, a data-driven defence evangelist at KnowBe4, today’s ransomware criminals run the gamut from lone individuals to criminal gangs, cartels and nation-state-sponsored attackers.

Most operate via the dark web – that encrypted alcove of the internet which is not indexed by search engines and requires a specific configuration or authorisation to access – over a peer-to-peer connection, or by using an overlay network such as the Tor browser.

While this anonymous part of the internet can be used by people who require privacy for legal reasons – the exchange of proprietary business data or for political activism for instance – these networks have contributed to the dark web’s reputation as a hotbed for criminal activity.

Technology, training and ransomware-as-a-service kits (or all three bundled in together) can be accessed cheaply and anonymously on the dark web. A recent HP Wolf Security Report analysed 35m hidden dark web sites, noting that cybercrime is being supercharged through ‘plug and play’ malware kits that are making it “easier than ever” to launch an attack. As a result, only 2-to-3% of today’s criminals are high coders.

Tools of the trade

On dark web marketplaces, exploit kits, remote desktop protocol (RDP) server access, and attacks that flood a server with internet traffic to block paying customers from having access (DDoS-for-hire) are the most in-demand cyber products and services, according to Smith from S-RM.

A data-stealing Trojan is one of the most popular tools. Stealing passwords, cookies and credit card information, it can be bought for as little as $50-150, according to Jamie Smith, head of cyber at S-RM.

“A ransomware kit can cost from $40 to several thousand dollars a month, depending on the malware strain and whether affiliates share profits with operators,” says Smith, adding that “there are also sophisticated malware sellers who offer customers free updates, customer support, and in-depth tutorials.”

Additionally, some RaaS groups provide tools and tutorials directly to their affiliates and trust that they will receive a split of the profit from the attack.

Whilst cybercriminals will purchase tools, code, and tutorials to hack into organisations, they can also often simply purchase verified credentials for compromised organisations, which could be used as an access point to the organisation’s network.

[Figure: A user selling credentials relating to a UK-based energy company. Source: Searchlight Security]

The ubiquity of RaaS

Modern ransomware attacks are likely to be deployed by orchestrated businesses or organisations – sometimes even nation states – operating all core elements of a legitimate business, including HR.

The parts of a ransomware attack up for outsourcing include initial access to the organisation; lateral movement through the network and privilege escalation; data exfiltration and clean-up; as well as developers to work on bugs or new features for the malware.

[Figure: Credentials from target organisations being sold on the dark web. Source: Searchlight Security]

As Robert Fitzsimons, a threat intelligence engineer at Searchlight Security explains, these functions might be coupled with “middle management roles, criminals in charge of the PR campaigns to promote the attack, and a negotiator to handle the communication with the victim”.

He adds: “The most sophisticated groups manage internal user interfaces and messaging channels so that they can rapidly fire off multiple attacks and thus increase the chances of securing a ransom payment from one of the victims.”

The evolution of distinct roles within a ransomware attack has been shaped by the emergence of the Ransomware-as-a-Service model.

RaaS is growing for the very same reasons that software-as-a-service is growing – convenience and access to application functionality without having to install, maintain or even understand the technology itself in order to use it, alongside the advantages brought by scale.

As Alexandra Willsher, senior sales engineer at Forcepoint, notes: “Criminals now build once and resell many times over.”

