Ransomware Special Reports


Special Report

RaaS also affords criminals the luxury of anonymity: hackers can rotate between renting numerous strains of malware, making it harder to pinpoint who they are as there's no longer a signature methodology. Prolific operators include Lockbit, Blackcat, Hive, Clop and – until recently – Conti. The Russia-based operator – whose victims have ranged from clothing retailers such as Fat Face to the government of Costa Rica – wound down in May this year, although it is reported to be rebranding as several new ransomware groups. Conti's decision to regroup follows a huge leak of internal documents that revealed details about the inner workings of one of the world's biggest ransomware groups. The messages revealed that Conti operated much like a regular company, with salaried workers, annual leave, bonuses, performance reviews and even employees of the month.

Whichever the operator, what RaaS has served to do is lower the entry point for other individuals or groups to perform ransomware attacks, says Jason Illingworth, principal analyst at NormCyber. "By using tools developed and sold by the main groups, they're able to take a portion of the paid ransom, allowing more cybercriminals to launch ransomware attacks and increasing the scope of companies targeted. The main groups can focus more time on developing new tools while those that have paid for the tools carry out the attacks," Illingworth adds.

It's a trade-off that suits everyone: RaaS also poses less of a risk for malware authors, as they're not the ones carrying out the actual attacks, while, as Steven Furnell, IEEE senior member and professor of cyber security at the University of Nottingham, notes, by using RaaS would-be cyber criminals are also paying for tried and tested malware rather than risking devising their own solution. The Big Tech level of efficiency with which these organisations are run helps explain why ransomware attacks are currently soaring.
And to hypercharge operations further, there's also been a trend over the last two years for collaboration and partnerships between different ransomware operators: sharing knowledge, stolen data, leaked information and other resources to extort victims, enhance their capabilities and improve their success rate. One of the most notable cartels over the last two years has been the Maze-Ragnar Locker-SunCrypt cartel. According to reports, Maze grew so big that it couldn't handle all available field operations and invited other operations such as SunCrypt into the fold on a revenue share basis to help handle attacks.

Forums

Platforms where ransomware tools and newly discovered vulnerabilities in software are discussed include Exploit, Dread, Nulled and Cracked. Others, such as the Russian-speaking forum XSS, have banned all topics relating to ransomware in order not to draw attention to themselves. This followed a raid on RaidForums – a popular English-language forum which was taken down by law enforcement agencies in April. Because forums are now a police target, most active and well-known RaaS gangs communicate directly via their leak sites on the dark web, according to Daniel Dos Santos, head of security research at Forescout.

The dark web is not the only place where ransomware is traded. According to Hugh Raynor, senior cyber security consultant at SureCloud, apps such as Telegram and Signal are also being used to trade ransomware "which is perhaps not surprising given their end-to-end encryption". There have also been reports of malware being traded on the app Discord – which lacks encryption and is said to actively work with the authorities. However, Raynor explains: "The ease of marketing Discord servers to users of the platform and the huge market of potential buyers for these services has clearly tempted some groups." As a case in point, researchers at cyber firm Avast recently discovered an online community of children using dedicated Discord servers to build, exchange and sell malware. Criminal groups lure them in by advertising access to different malware builders and toolkits that can be used to code malware without much technical experience.

But how much damage can inexperienced "script kiddies" inflict by purchasing malware or software tooling from forums and indiscriminately targeting various systems and organisations to learn and 'play around' with their tools? Paul Baird, chief technical security officer UK at Qualys, puts it this way: "You could describe an experienced hacker as a smart weapon with precision accuracy, while the novice hacker is like cluster ordnance that creates unimaginable damage over a wide area without any thought for the future."