Ransomware as a Service (RaaS) – The Business of Ransomware

EASTER · Jul 28, 2021

And one thing very evident stretching all the way back to CoolWebSearch on Windows 98.

Russians who by the way FIRST achieved and mastered orbital satellite tech (Sputnik) are inherently very BRIGHT minds.

Doubt there is little that they can't advance in when it comes to tech. And these days Microsoft is generously given them plenty of toys to play with and master again. Fact of life.

And China is NO MATCH for them, not even close though they may think otherwise.

guest · Aug 2, 2021

Ransomware operators love them: Key trends in the Initial Access Broker space
In a threat actor's mind, take out the legwork, reap the proceeds of blackmail.
August 2, 2021
https://www.zdnet.com/article/ranso...ey-trends-in-the-initial-access-broker-space/

The Initial Access Broker market continues to expand, with fees a drop in the ocean in comparison to the potential rewards of a successful ransomware attack.

Initial Access Brokers (IABs) are individuals or groups who have managed to quietly obtain access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or by exploiting vulnerabilities.
Click to expand...

On Monday, cybersecurity firm KELA published a report exploring the Initial Access Broker market and found that the average cost of network access was $5,400, while the median price was $1,000.
The team examined over a thousand listings in dark web underground forums from July 1, 2020, to June 30, 2021, and found that initial access ads included a range of network and compromised account-based offerings [...]
In total, 25% of the listings were posted by brokers.

Unsurprisingly, the most valuable offers -- and, therefore, earning the top prices -- were initial access services offering domain-level privileges in companies boasting hundreds of millions of dollars in revenue.
Access to small companies may cost as little as $200.
Click to expand...

KELA: All Access Pass: Five Trends with Initial Access Brokers

Key research takeaways include:

KELA explored over 1000 access listings offered for sale over the last year. The average price for network access during this period was 5,400 USD, while the median price was 1,000 USD. The top affected countries included the US, France, UK, Australia, Canada, Italy, Brazil, Spain, Germany, and UAE.

IABs built a pricing model for initial access. The most valuable offers include domain admin privileges on a computer within a company with hundreds of millions in revenue.

With RDP and VPN-based access being the most common offer, IABs find new attack vectors and accommodate the changing software targets of ransomware gangs, including network management software and virtual servers.

Successful IABs find regular customers, some of which are ransomware affiliates, and move most of their operations to private conversations. However, new actors continually enter the scene.

Click to expand...

Some IABs adopted ethics that were introduced by some ransomware gangs. Namely, there is a certain criticism against actors trading access to healthcare companies, though it’s still an initiative of a few actors and not a typical attitude.

IABs are eager to monetize their access and are using all means to do so. Some IABs were seen stealing data from the affected company to gain profits even if the access is not bought.

IABs have become professional participants of the RaaS economy. They constantly find new initial access vectors, expanding the attack surface, and follow their customers’ demands. It requires network defenders to track IABs activities and all other actors who have formed around ransomware.

Click to expand...

guest · Aug 4, 2021

LockBit ransomware recruiting insiders to breach corporate networks
August 4, 2021
https://www.bleepingcomputer.com/ne...uiting-insiders-to-breach-corporate-networks/

The LockBit 2.0 ransomware gang is actively recruiting corporate insiders to help them breach and encrypt networks. In return, the insider is promised million-dollar payouts.

Many ransomware gangs operate as a Ransomware-as-a-Service, which consists of a core group of developers, who maintain the ransomware and payment sites, and recruited affiliates who breach victims' networks and encrypt devices.

However, in many cases, the affiliates purchase access to networks from other third-party pentesters rather than breaching the company themselves.
With LockBit 2.0, the ransomware gang is trying to remove the middle-man and instead recruit insiders to provide them access to a corporate network.
Click to expand...

LockBit 2.0 promises millions of dollars to insiders
In June, the LockBit ransomware operation announced the launch of their new LockBit 2.0 ransomware-as-a-service.
With this relaunch, LockBit has also changed the Windows wallpaper placed on encrypted devices to offer "millions of dollars" for corporate insiders who provide access to networks where they have an account.

The ransomware gang also says they will send the insider a "virus" that should be executed on a computer, likely to give the ransomware gang remote access to the network.
Click to expand...

While this tactic may sound far-fetched, it is not the first time threat actors attempted to recruit an employee to encrypt their company's network.
Click to expand...

guest · Aug 10, 2021

Ransomware-as-a-Service
August 10, 2021
https://www.professionalsecurity.co.uk/products/cyber/ransomware-as-a-service/

When computers and the internet were undergoing development in the 1970s and 1980s, computer security threats were not much of a problem.
Fast forward 50 years to today; there is a prolific underground of malicious actors that leverage dozens of different techniques to invade networks and exfiltrate critical value data, writes Chris Pogue, pictured, Head of Strategic Alliances at software firm Nuix.

This specific species of the malware family has evolved into a prescription service known as Ransomware-as-a Service (RaaS). RaaS enables cybercriminals that are unfamiliar with malware development to outsource this skill to those that can.
Click to expand...

Recent reports have shown that companies around the UK and globally are admittedly unprepared for cyber threats, but especially those attacks leveraging RaaS. The cyber age has transformed this threat into one that is orders of magnitude dangerous, leaving companies scrambling to adapt to new security strategies and prepare for oncoming attacks.
Meanwhile, governments have begun to look at how they can protect and advise their nation’s organisations on how to respond to ransom demands by attackers.
Click to expand...

guest · Aug 10, 2021

10 Initial Access Broker Trends: Cybercrime Service Evolves
$5,400 Is the Average Price for Access to Hacked Networks, Kela Reports
August 10, 2021
https://www.databreachtoday.com/10-initial-access-broker-trends-cybercrime-service-evolves-a-17249

The rise of ransomware as a moneymaking powerhouse for online attackers parallels the services being offered by initial access brokers. Such brokers sell access as a service to others, saving them the time, effort and expense of gaining a toehold in an organization's network.

Initial access brokers gain first access to victims' networks in a variety of ways - often via weak remote desktop protocol or remote management software to which they've gained brute-force access. Sometimes, attackers exploit an unpatched vulnerability in a system. Whatever the approach, once they have access, brokers can resell it to others, sometimes more than once (see: Ransomware's Helper: Initial Access Brokers Flourish).
Click to expand...

As cybersecurity firm CrowdStrike has noted: "When criminal malware operators purchase access, it eliminates the need to spend time identifying targets and gaining access, allowing for increased and quicker deployments as well as higher potential for monetization."

What's the current state of the initial access market today? Israeli threat-intelligence firm Kela reviewed 1,000 access listings offered for sale on publicly accessible cybercrime forums over the past year, of which at least 262 were allegedly confirmed to have sold.
Based on those listings, here are 10 trends it found:
Click to expand...

1. Affordable Access
For the period from July 1, 2020, through June 30, Kela reports that the average price for remote access to a network was $5,400, while the median was $1,000.

2. RDP and VPN Credentials Rule
Remote desktop protocol and VPN credentials were the most common types of access being listed. But other types of access also get offered - for example, via remote management software, which many managed service providers will install on the endpoints they manage for customers.

3. Active Directory Credentials: Extra Valuable
"The most valuable offers include domain admin privileges on a computer within a company with hundreds of millions of dollars in revenue," Kivilevich writes in the report.

4. Top Target: U.S. Organizations
The greatest number of remote access credentials being listed, Kela found, were for targets in the United States, which accounted for 28% of all listings, followed by France, the U.K., Australia, Canada, Italy, Brazil, Spain, Germany and United Arab Emirates.

5. Access to Manufacturing Leads Offerings
Organizations in the manufacturing sector were most listed, followed by education, IT, financial services, government and healthcare.

6. One Buyer Often Preferred
Some brokers will list a sample of the access they have for sale and tell buyers to contact them for more details.
"These brokers generally are interested in getting one buyer for all the accesses being sold and sometimes go as far as to request a percentage of the ransom if an attack is successful," Kivilevich says.

7. Multiple Monetization Strategies
Some network-access brokers appear to sell not just access but also data from victims' environments.

8. Brokers React to White House Moves
In recent months, ransomware has become a political hot potato.
In response, some cybercrime forums - including the Russian-language Exploit and XSS forums - have announced bans on ransomware, although security experts say such prohibitions are not always heavily enforced.

9. Private Communications Still Happening
But such sales may well still be occurring behind the scenes.
But understanding how many organizations have been hit can be difficult, because not all types of access get posted on cybercrime forums. And even when they do, brokers will often obscure the victim's identity, because, of course, they wouldn't want to see them get tipped off.

10. Dominant Groups Foster Relationships
Many established brokers appear to form relationships with specific crime groups or affiliates of ransomware operations, leading to them no longer listing their "accesses" for sale on public cybercrime forums, but rather sharing them via private conversations, Kivilevich says.

guest · Aug 18, 2021

LockBit 2.0 Ransomware Proliferates Globally
...promising millions of dollars in exchange for valid account credentials for initial access
August 17, 2021
https://threatpost.com/lockbit-ransomware-proliferates-globally/168746/

The LockBit ransomware-as-a-service (RaaS) gang has ramped up its targeted attacks, researchers said, with attempts against organizations in Chile, Italy, Taiwan and the U.K. using version 2.0 of its malware.

Attacks in July and August have employed LockBit 2.0, according to a Trend Micro analysis released on Monday, featuring a souped-up encryption method.

“In contrast to LockBit’s attacks and features in 2019, this version includes automatic encryption of devices across Windows domains by abusing Active Directory (AD) group policies, prompting the group behind it to claim that it’s one of the fastest ransomware variants in the market today,” according to the report.
The attacks also feature an effort to recruit insider threats from within targeted companies, Trend Micro noted. [...] with guaranteed payouts of millions of dollars and anonymity in exchange for credentials and access, according to the report.
Click to expand...

The fresh spate of attacks are employing the tactic “seemingly to remove middlemen (of other threat actor groups) and to enable faster attacks by providing valid credentials and access to corporate networks,” according to the researchers.
But that’s not all: “LockBit 2.0 also abuses legitimate tools such as Process Hacker and PC Hunter to terminate processes and services in the victim system.”

This main ransomware module goes on to append the “.lockbit” suffix to every encrypted file. Then, it drops a ransom note into every encrypted directory threatening double extortion; i.e., the note warns victims that files are encrypted and may be publicly published if they don’t pay up.
The final step for LockBit 2.0 is changing the victims’ desktop wallpapers into the aforementioned recruitment ad, which also includes instructions on how victims can pay the ransom.
Click to expand...

“We…assume that this group will continue to make a scene for a long time, especially since it’s currently recruiting affiliates and insiders, making it more capable of infecting many companies and industries,” Trend Micro researchers concluded.
Click to expand...

guest · Aug 18, 2021

Ransomware-as-a-service: The future is bright — for cybercriminals
August 18, 2021
https://techtalk.gfi.com/ransomware-as-a-service/

In May, a debilitating ransomware attack crippled the U.S. oil production company Colonial Pipeline.
The attackers were DarkSide, a Russian criminal group. Colonial Pipeline ultimately paid a reported $5 million ransom in bitcoin to DarkSide in return for a decryption key.
DarkSide emerges — and so does ransomware-as-a-service
DarkSide emerged in August 2020 and went on an unprecedented crime spree. It targeted organizations in more than 15 countries and locked the computer files of hundreds of accounts. The act compelled firms to pay large ransoms for decryption keys. DarkSide also threatened victims that they would publish the stolen data online.

DarkSide raked in millions of dollars from their own ransomware attacks and received payments from affiliates using their ransomware. Hence the term, ransomware-as-a-service.
Click to expand...

Ransomware-as-service: Kits for sale
Ransomware-as-a-service is as lucrative, if not more lucrative, than the traditional ransomware business. However, only those with technical skills can build their own kits. Others can buy the kits outright from other criminals. Kits are available on the Dark Web for one-time fees or monthly subscriptions. When you buy a paid plan, you may have access to technical documentation and even customer support.
Click to expand...

EASTER · Aug 18, 2021

Incredible

guest · Aug 24, 2021

FBI sends its first-ever alert about a ‘ransomware affiliate’
August 23, 2021
https://therecord.media/fbi-sends-its-first-ever-alert-about-a-ransomware-affiliate/

The US Federal Bureau of Investigations has published today its first-ever public advisory detailing the modus operandi of a “ransomware affiliate.”

A relatively new term, a ransomware affiliate refers to a person or group who rents access to Ransomware-as-a-Service (RaaS) platforms, orchestrates intrusions into corporate networks, encrypt files with the “rented ransomware,” and then earn a commission from successful extortions.
Going by the name of OnePercent Group, the FBI said today this threat actor has been active since at least November 2020.
Click to expand...

How the OnePercent Group got its name
The FBI said the group gained its name thanks to its well-structured extortion technique, which would go through different stages:

After gaining access to a victim network, the OnePercent Group would leave a ransom note stating the data has been encrypted and exfiltrated to a remote server.

If the victim didn’t follow the instructions in the ransom note and contact the gang, the group would follow up with threats to leak their data. These threats would be made via email or telephone (a known technique).

If victims didn’t pay fast enough, the group would leak 1% of the stolen data as a warning for the victim — hence their name.

If victims still didn’t want to pay, the group would threaten to sell a victim’s data in a section of the REvil leak site dedicated to data auctions.

Click to expand...

OnePercent is a known REvil, Maze, and Egregor affiliate
While the FBI did not specifically name the group as a ransomware affiliate, sources in the cybersecurity industry have told The Record that OnePercent had a long-standing collaboration with the creators and operators of the REvil (Sodinokibi) ransomware and have also worked with the Maze and Egregor operations.

“The attribution was clear,” Bill Siegel, founder and CEO of security firm Coveware, told The Record. “Victims that did not pay ended up on The REvil Happy Blog.”
Click to expand...

These “affiliate” groups often jump from one RaaS platform to another and will often deploy a ransomware strain that’s known to be able to bypass security solutions installed inside a specific corporate network, known to work faster, or the strain from a RaaS platform with the better commissions at a given point in time.
Click to expand...

guest · Aug 25, 2021

mood said: ↑

FBI sends its first-ever alert about a ‘ransomware affiliate’ August 23, 2021
Click to expand...

FBI Releases Indicators of Compromise Associated with OnePercent Group Ransomware
August 25, 2021
https://us-cert.cisa.gov/ncas/curre...cators-compromise-associated-onepercent-group

The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by the OnePercent Group, a cyber-criminal organization known since November 2020 for using Cobalt Strike in phishing attacks against U.S. companies.

CISA encourages users and administrators to review the technical details and IOCs in FBI Flash CU-000149-MW and apply the recommend mitigations.
Click to expand...

Flash Report - (PDF): https://www.ic3.gov/Media/News/2021/210823.pdf

guest · Sep 22, 2021

How REvil May Have Ripped Off Its Own Affiliates
September 22, 2021
https://threatpost.com/how-revil-may-have-ripped-off-its-own-affiliates/174887/

There’s no honor between thieves, but this is beyond rude: Malware specialists have found evidence of how REvil’s leadership may have screwed their own affiliates out of their cut of ransomware payouts.

Malware specialists researching newly available samples from REvil – aka Sodinokibi, a once-major, now sort-of reborn ransomware-as-a-service (RaaS) player – have identified a backdoor that may have enabled the original gang to hijack chats with victims so as to scoop up affiliates’ cut of ransom payments.
Yelisey Boguslavskiy, head of research at the cyber risk prevention firm Advanced Intelligence, said in a LinkedIn update on Monday that the backdoor also enabled REvil operators to decrypt workstations and files.

“By using this backdoor, REvil can hijack victim cases during active negotiations with affiliates and obtain the 70% of ransom payments that are supposed to go to the affiliates,” Boguslavskiy explained.
Click to expand...

AdvIntel had already been aware that REvil has been using double-chats: That’s when two identical chats are open with the victim, one by the affiliate and another by REvil leadership.

Besides the double-chat setup, the backdoor itself may serve the same purpose of affiliate case hijacking, Boguslavskiy said, as it enables secret decryption of files when negotiations are complete.

“This evidence correlates with the underground’s approach to REvil as a talkative and perpetually lying group that should not be trusted by the community or even by its own members,” Boguslavskiy commented.
Click to expand...

guest · Sep 24, 2021

mood said: ↑

How REvil May Have Ripped Off Its Own Affiliates September 22, 2021
Click to expand...

REvil Affiliates Confirm: Leadership Were Cheating
September 23, 2021
https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/

A day after news broke about REvil having screwed their own affiliates out of ransomware payments – by using double chats and a backdoor that let REvil operators hijack ransom payments – those affiliates took to the top Russian-language hacking forum to renew their demands for REvil to fork over their pilfered share of ransom payments.

The way that ransomware-as-a-service (RaaS) operations such as REvil or DarkSide work is that affiliates do all the dirty work of network compromise, in exchange for (in the case of the original REvil RaaS) 70 percent of whatever ransom that victims fork over.
Click to expand...

Ripped-Off Affiliates Fume
Below are screen captures of the actor reiterating the claim from May 2021 on the Exploit criminal forum on Thursday. The threat actor’s reiteration confirmed AdvIntel’s assumption: REvil leadership did indeed create a backdoor that enabled them to cut off ransom negotiations between victims and the gang’s own affiliates, to run a double chat that enabled leadership to pose as victims who threw in the towel mid-negotiation, and to then step in to resume the negotiations, cut the affiliates out of the deal, and pocket the entire ransom payment.

“While repeating this claim, the actor confirmed our assumption about the use of the backdoor, and, most importantly, about the use of double chats,” Boguslavskiy told Threatpost.
Click to expand...

guest · Oct 2, 2021

Buckle up: a novel RaaS group, Ranion, offers 'pay & go' malware
a new ransomware-as-a-service (RaaS) group just made cyber extortion easier
October 1, 2021
https://cybernews.com/security/buckle-up-a-novel-raas-group-ranion-offers-pay-go-malware/

Major ransomware cartels like REvil, Conti, or DarkSide usually charge their affiliates a hefty 30% fee per ransom payment. The cartels provide the malware, whereas threat actors carry out the attacks.

However, a new RaaS group that is calling itself Ranion adopts an entirely different payment structure. The group only asks for an upfront payment for its malware without additional service fees.
The Ranion malware uses AES 256 encryption and is almost fully undetectable, with only one enterprise antivirus solution able to detect it, a development that might turn a disastrous year worse.

From threat actors' point of view, Ranion might seem like a more viable malware option since a single fixed payment doesn't require to return the malware provider a third of the cut.
Click to expand...

Different Ranion malware packages are offered from $150 to $1,900, a shockingly low price compared with corporate ransomware losses of several million dollars per attack. The pricier offers are said to guarantee fully undetectable (FUD) status.

To offer threat actors a greater range of inflicting damage, Ranion added a functionality, creating a delay between infection and encrypter execution. The malware, however, only works on Windows, offering some respite for users of different operating systems.
Somewhat shockingly, for a completely illegal business venture, the RaaS groups also offer real-time customer support services for their clients.
Click to expand...

Fortinet threat research:
Ranion Ransomware - Quiet and Persistent RaaS

In this blog, FortiGuard Labs will explain how Ranion RaaS works.
Click to expand...

guest · Oct 11, 2021

When criminals go corporate: Ransomware-as-a-service, bulk discounts and more
Pen-testers, rogue developers, dodgy hosters, etc. etc.
October 11, 2021
https://www.theregister.com/2021/10/11/ransomware_as_a_service/

RaaS "packages" are available on dark web forums offering scalable, easy-to-use ransomware toolkits. Increasingly, the developers of these packages have become highly professional, offering bulk discounts, 24-hour support, user reviews, discussion forums, and all the other trappings of a legitimate software-as-a-service product.

"The store pages are almost disturbingly corporate," says Mitch Mellard, principal threat intelligence analyst at Talion. "Using the example of the page for the EGALYTY ransomware-as-a service, they proudly display links to online infosec publications specifically discussing their strain like a badge of honour, like a mundane software store would display positive reviews from tech publications.

"They then display a multi-tiered service list, ranging from a one-month 'test' package for $90, proceeding to 'standard' and 'premium' offerings, before arriving at the 12-month 'elite' subscription package, with all of the bells and whistles, for $1,400."
Click to expand...

In many cases, the groups work on an affiliate model, with the developers taking a cut of the ransom on top of the monthly payment, generally to the tune of around 20 to 50 per cent. Affiliates are supported through the process of mounting an attack.

"A lot of people behind ransomware are simple people who have experience in the information security field and decide to try and make money this way," says Marijus Briedis, CTO at NordVPN. "This trend was accelerated by COVID-19 when people were forced to sit at home."
As a result, ransomware groups are hiring experts in every aspect of the business, from pen-testers who can gain initial access to systems to ransom negotiators.
Click to expand...

NormanF · Oct 11, 2021

Its a high gain, low risk crime and the payoff is better for criminals than bank robbery since its untraceable. Fighting cybercrime like ransomware is a challenge unlikely to be squashed anytime soon.

guest · Nov 3, 2021

CERT-France: Lockean ransomware group behind attacks on French companies
November 3, 2021
https://therecord.media/cert-france-lockean-ransomware-group-behind-attacks-on-french-companies/

French cybersecurity officials have identified today for the first time a ransomware “affiliate group” that is responsible for a long list of attacks against French companies over the past two years.

Identified as Lockean, the group’s activities and modus operandi were detailed today in a comprehensive report published by France’s Computer Emergency Response Team (CERT-FR), a division of ANSSI, the country’s national cybersecurity agency.
Click to expand...

According to French officials, the group has been active since June 2020 and “has a propensity to target French entities,” having been linked to attacks on at least seven French companies, such as transportation logistics firm Gefco, pharmaceutical groups Fareva and Pierre Fabre, and local newspaper Ouest-France.
Lockean operators used different ransomware strains
CERT-FR officials said the group would typically rent access to corporate networks that had been previously infected via Emotet phishing emails, where they would deploy the QakBot malware and later the CobaltStrike post-exploitation framework.

According to CERT-FR officials, who investigated several of these intrusions, the Lockean group used different ransomware strains across the years, such as DoppelPaymer, Maze, Egregor, REvil (Sodinokibi), and ProLock.
Click to expand...

Second ransomware affiliate group identified
Because Lockean used different ransomware strains, officials believe the group is what security researchers call a “ransomware affiliate,” a term that refers to criminal groups who sign up on Ransomware-as-a-Service (RaaS) platforms.

If victims refused to pay, data from these companies would be published on so-called “leak sites” operated by the RaaS platforms, where victims would often be listed in order to ramp up public pressure on the hacked companies.
Click to expand...

Lockean is now the second ransomware affiliate group that has been publicly identified by law enforcement agencies after the FBI exposed the OnePercent group in August.
Click to expand...

guest · Nov 5, 2021

BlackBerry report highlights initial access broker providing entry to StrongPity APT, MountLocker and Phobos ransomware gangs
November 5, 2021
https://www.zdnet.com/article/black...-apt-mountlocker-and-phobos-ransomware-gangs/

A new report from BlackBerry has uncovered an initial access broker called "Zebra2104" that has connections to three malicious cybercriminal groups, some of which are involved in ransomware and phishing.

The BlackBerry Research & Intelligence team found that Zebra2104 provided entry points to ransomware groups like MountLocker and Phobos as well as the StrongPity APT. The access was provided to a number of companies in Australia and Turkey that had been compromised.
BlackBerry said that from their research, they believe the access broker "has a lot of manpower or they've set up some large 'hidden in plain sight' traps across the internet."
Click to expand...

"While it might seem implausible for criminal groups to be sharing resources, we found these groups had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB). There is undoubtedly a veritable cornucopia of threat groups working in cahoots, far beyond those mentioned in this blog," the researchers said, noting that they discovered the group while conducting research for a book about cyber threat intelligence.
The BlackBerry Research & Intelligence team then used WHOIS registrant information and other data that led them to discover ties between the Phobos ransomware and MountLocker.

"This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance of another ransomware operator also working from it (although it has happened before)
Click to expand...

Many IABs base their price on the annual revenue that the victim organization generates, creating a bidding system that allows any group to deploy whatever they want.

"This can be anything from ransomware to infostealers, and everything in between. We believe that our three threat actors -- MountLocker, Phobos and StrongPity, in this instance – sourced their access through these means," The BlackBerry Research & Intelligence team explained.
Click to expand...

guest · Nov 11, 2021

Scale of crime-as-a-service economy a growing concern, say researchers
November 11, 2021
https://www.computerweekly.com/news...ice-economy-a-growing-concern-say-researchers

Researchers at cyber security companies Sophos and Trend Micro have been sharing fresh intelligence on the activities of the cyber underground, revealing how the sheer scale of the criminal economy is increasingly giving rise to various cyber criminal groups offering their talents on an as-a-service basis.

The rise of ransomware-as-a-service is probably the most widely known of these offerings, and this is the subject of a new Sophos report assessing how the “gravitational force” of the ransomware black hole is pulling in other types of threat to form a massive, interconnected system dedicated to servicing the ransomware economy. It said this was likely to have significant implications for IT security in 2022.

“This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies and negotiators,” he said.
Click to expand...

Meanwhile, Trend Micro has been tracking a gang of cyber mercenaries focused on making money from breaking into email and social media accounts and selling on the personal and financial data it obtains to other malicious actors.

“Cyber mercenaries are an unfortunate consequence of today’s vast cyber crime economy,” said Feike Hacquebord, senior threat researcher for Trend Micro.
Click to expand...

Sophos: Ransomware-as-a-Service has changed the landscape – find out the impact of this shift

The most significant change Sophos has observed is a shift from bad actors who make their own bespoke ransomware and carry out their own attacks to a model in which one group builds the ransomware and then leases it out to breaking-and-entering, hands-on-keyboard experts. This has changed the threat landscape in many ways.
Click to expand...

guest · Nov 16, 2021

Ransomware gangs are now rich enough to buy zero-day flaws, say researchers
Zero-day cybersecurity vulnerabilities have traditionally been the area of nation-states
November 16, 2021
https://www.zdnet.com/article/ranso...enough-to-buy-zero-day-flaws-say-researchers/

Cyber criminals are becoming more advanced as they continue to find new ways to deliver attacks, and some are now willing to buy zero-day vulnerabilities, something more traditionally associated with nation-states.

Knowledge about vulnerabilities and exploits can command a high price on underground forums, because being able to take advantage of them can be very profitable for cyber criminals.
Click to expand...

Zero-day vulnerabilities are usually deployed by well-resourced, nation-state backed hacking operations – but analysis by cybersecurity researchers at Digital Shadows details how there's increasingly chatter on dark web message boards about the criminal market for zero-days.

"This market is an extremely expensive and competitive one, and it's usually been a prerogative of state-sponsored threat groups. However, certain high-profile cybercriminal groups (read: ransomware gangs) have amassed incredible fortunes in the past years and can now compete with the traditional buyers of zero-day exploits," said Digital Shadows.
Vulnerabilities like this can cost even millions of dollars, but that's a price that could be affordable for a successful ransomware group which makes millions from every successful ransomware attack - and they could easily make what they spend back if the vulnerability works as intended by providing a reliable means of infiltrating networks.
Click to expand...

But there's another method of making money from vulnerabilities being explored, and it's one which could place them into the hands of less-sophisticated cyber criminals - something known as "exploit-as-a-service".

Instead of selling the vulnerability outright, the cyber criminal who discovered it can lease this out to others. It potentially starts making them money quicker than it would if they went through the complex process to sell it, and they could continue to make money from it for a long time. They also have the option of eventually selling the zero-day if they tire of leasing it.

"This model enables zero-day developers to generate substantial earnings by renting the zero-day out while waiting for a definitive buyer. Additionally, with this model, renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis," said the report.
Click to expand...

Digital Shadows: Vulnerability Intelligence: What’s The Word In Dark Web Forums?

As part of our investigation, we gathered extensive primary source evidence from cybercriminal markets and forums to better comprehend how the vulnerability criminal industry looks.
THE RISE OF THE EXPLOIT-AS-A-SERVICE MODEL?
Feel like a multi-million dollar price tag may be a bit too much for your pockets? No worries, the cybercriminal community doesn’t leave anyone behind to miss out on all the zero-day fun! During our investigation for this research piece we’ve noticed cybercriminals discussing ideas for an Exploit-as-a-Service business model that would inevitably lower the barrier for accessing sophisticated exploits.
Click to expand...

guest · Nov 17, 2021

mood said: ↑

Russian-Speaking Forum ‘RAMP’ Fostering New RaaS Launches and Affiliates
July 28, 2021
https://www.technadu.com/russian-speaking-forum-ramp-fostering-new-raas-launches-affiliates/292147/

KELA: New Russian-Speaking Forum – A New Place for RaaS?
Click to expand...

Russian ransomware gangs start collaborating with Chinese hackers
November 17, 2021
https://www.bleepingcomputer.com/ne...ngs-start-collaborating-with-chinese-hackers/

There's some unusual activity brewing on Russian-speaking cybercrime forums, where hackers appear to be reaching out to Chinese counterparts for collaboration.

These attempts to enlist Chinese threat actors are mainly seen on the RAMP hacking forum, which is encouraging Mandarin-speaking actors to participate in conversations, share tips, and collaborate on attacks.
Click to expand...

Chinese users in Russian forums
According to a new report by Flashpoint, high-ranking users and RAMP administrators are now actively attempting to communicate with new forum members in machine-translated Chinese.
The forum has reportedly had at least thirty new user registrations that appear to come from China, so this could be the beginning of something notable.

A threat analyst told BleepingComputer earlier this month that this initiative was started by a RAMP admin known as Kajit, who claims to have recently spent some time in China and can speak the language.
Click to expand...

However, Russian hackers attempting to collaborate with Chinese threat actors is not limited to the RAMP hacking forum as Flashpoint has also seen similar collaboration on the XSS hacking forum.

"In the screenshot below, XSS user "hoffman" greets two forum members who revealed themselves as Chinese," explains the new research by Flashpoint.
Click to expand...

Intel471: RAMP Ransomware’s Apparent Overture to Chinese Threat Actors

RAMP forum returns—but to what end?
Flashpoint has observed an increase in recent weeks of Mandarin and Chinese-speaking threat actors on RAMP as well as other illicit communities across the deep and dark web.

There are indications that the Russian-language ransomware forum is warming to English- and Mandarin-speaking threat actors. However, these clues, outlined below, may represent a social engineering experiment aimed at manipulating the media, à la Groove.
Click to expand...

RAMP is now in multiple languages
In October, RAMP administrators made changes to the forum’s interface that make it more accessible to Chinese-speaking and English-speaking threat actors. Forum sections are now in Russian, English, and Mandarin; the main administrator is addressing members in English more often than before; and there is noticeably more English content and comments—and even coming from some Russian-speaking actors.

Furthermore, the RAMP authorization form (for account verification) now includes a domain for a Chinese forum among the others.
[/quote9
Click to expand...

guest · Nov 18, 2021

Conti gang has made at least $25.5 million since July 2021
November 18, 2021
https://therecord.media/conti-gang-has-made-at-least-25-5-million-since-july-2021/

Blockchain analysis of 113 Conti ransomware wallets shows the group has made $25.5 million since July this year.

Over $6.2 million have been put asside in a "consolidation wallet," researchers from Prodaft and Elliptic said.

The Conti gang launched in August 2020 and has become one of the most active ransomware operations today.

Click to expand...

The operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since July 2021, Swiss security firm Prodaft said in a report today.

The company said it worked with blockchain analysis firm Elliptic to track more than 500 bitcoin the Conti gang had collected over the past five months in 113 cryptocurrency addresses.
Prodaft and Elliptic said they identified several transactions that split $6.2 million of the Conti profits and sent them to what they called a “consolidation wallet.”
Click to expand...

In addition, researchers said they also tracked ransom payments as the Conti gang distributed the profits to its partners. Known as “affiliates,” these are criminal groups who perform intrusions into companies, install the Conti ransomware, and then get a cut from the ransom payment at the end.

“One cluster was identified which has received payments from both Conti and DarkSide, which may indicate that an individual has worked as an affiliate for both of these groups,” the researchers said, confirming other past reports highlighting that some affiliates jump ship from one ransomware program to another when drawn with larger cuts or better encryption tools.
Click to expand...

First-ever Conti estimates
But the estimated $25.5 million earnings are just that, an estimation, and the Conti gang is believed to have earned much more over this period, and its history, dating back to August 2020.

However, the figure is also the first and only estimation of Conti’s profits made until today.
Click to expand...

Prodaft: [Conti] Ransomware Group In-Depth Analysis

Providing a detailed perspective towards different fundamental aspects of Conti's Operation, our report approaches this case through different angles such as "Business Model", "Conti Attack Kill Chain", "Management Panel" and "Money Operation".

We strongly believe that this report will serve as an important medium for understanding inner workings of high-profile ransomware groups such as Conti, especially for the purpose of creating more efficient cooperation and remediation strategies by all authorized public and private officials.
Click to expand...

guest · Dec 6, 2021

Yanluowang ransomware operation matures with experienced affiliates
November 30, 2021

An affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector using BazarLoader malware in the reconnaissance stage.

Based on observed tactics, techniques, and procedures, the threat actor is experienced with ransomware-as-a-service (RaaS) operations and may be linked with the Fivehands group.
Fivehands ransomware connection
Researchers at Symantec, a division of Broadcom Software, note that the actor has been hitting higher-profile targets in the U.S. since at least August.
While its interest is in financial institutions, the Yanluowang ransomware affiliate has also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors.
Click to expand...

Fivehands ransomware itself is relatively new on the scene, becoming known in April - first in a report from Mandiant, who is tracking its developer as UNC2447, and then in an alert from CISA.

Symantec notes that the link found between recent Yanluowang attacks and older ones with Thieflock is tentative [...]

“This link begs the question of whether Yanluowang was developed by Canthroid [a.k.a. Fivehands]. However, analysis of Yanluowang and Thieflock does not provide any evidence of shared authorship. Instead, the most likely hypothesis is that these Yanluowang attacks may be carried out by a former Thieflock affiliate,” the researchers say.
Click to expand...

The Yanluowang threat actor enables the remote desktop service (RDP) from the registry and installs the ConnectWise tool for remote access.
The researchers say that the affiliate discovers systems of interest with the AdFind tool - to query the Active Directory, and SoftPerfect Network Scanner - to find hostnames and network services.

Today's report on the Yanluowang affiliate includes indicators of compromise for the tools and malware used in the attack.
Click to expand...

guest · Dec 6, 2021

FBI seized $2.2M from affiliate of REvil, Gandcrab ransomware gangs
November 30, 2021

The FBI seized $2.2 million in August from a well-known REvil and GandCrab ransomware affiliate, according to court documents seen by BleepingComputer.

In a complaint unsealed today, the FBI seized 39.89138522 bitcoins worth approximately $2.2 million from an Exodus wallet on August 3rd, 2021.

"The United States of America files this verified complaint in rem against 39.89138522 Bitcoin Seized From Exodus Wallet ("the Defendant Property") that is now located and in the custody and management of the Federal Bureau of Investigation ("FBI") Dallas Division, One Justice Way, Dallas Texas," reads the United States' Complaint for Forfeiture.
Click to expand...

The complaint goes on to say that the wallet contained REvil ransom payments belonging to an affiliate identified as "Aleksandr Sikerin, a/k/a Alexander Sikerin, a/k/a Oleksandr Sikerin" with an email address of 'engfog1337@gmail.com.'

While the FBI does not indicate the online alias of the threat actor, the name 'engfog' in the email address is tied to a well-known GandCrab and REvil/Sodinokibi affiliate known as 'Lalartu.'
Click to expand...

Targeting affiliates
The GandCrab and REvil organizations operated as Ransomware-as-a-Service (RaaS), where core operators partner with third-party hackers, known as affiliates.

As part of this arrangement, the core operators will develop and manage the encryption/decryption software, payment portal, and data leak sites. The affiliates are tasked with hacking corporate networks, stealing data, and deploying ransomware to encrypt devices.
In a REvil report by McAfee, researchers followed the money trail for a well-known threat actor known as 'Lalartu,' an affiliate for the GandCrab and REvil ransomware operations.
Click to expand...

guest · Jul 21, 2022

New Redeemer ransomware version promoted on hacker forums
Redeemer 2.0 Being Distributed Via Affiliate Program
July 21, 2022

A threat actor is promoting a new version of their free-to-use 'Redeemer' ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks.

According to its author, the new version 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AV detection rate.
Click to expand...

Unlike many Ransomware-as-a-Service (RaaS) operations, anyone can download and use the Redeemer ransomware builder to launch their own attacks. However, when a victim decides to pay the ransom, the author receives 20% of the fees and shares the master key to be combined with the private build key held by the affiliate for decryption.

Also, the new version features a new graphical user interface for the affiliate to build the ransomware executable and decryption tool, while all instructions on how to use it are enclosed in the ZIP.
Redeemer 2.0 details
The new ransomware builder version features several additions like support for Windows 11, GUI tools, and more communication options such as XMPP and Tox Chat.
Click to expand...

Because the ransom amount is set during the building of the executable and corresponds to a specific ID, the affiliate cannot make arbitrary claims to the author, so the latter’s 20% cut is guaranteed.
The author has created a page on the dark web site Dread for the affiliates to acquire the kit, establish communication, access instructions, and receive support.
Click to expand...

Cyble: Redeemer Ransomware Back Action

Redeemer 2.0 Being Distributed Via Affiliate Program
Cyble Research Labs has constantly been tracking emerging threats as well as their delivery mechanisms from Ransomware groups, RATs, etc. During a routine threat-hunting exercise, we came across the latest version of Redeemer ransomware on darkweb cybercrime forums. The below figure shows a post made by the Redeemer Ransomware Developer named “Cerebrate” on a cybercrime forum.

As specified by the developer, the ransomware is free to use. However, the TA using the Redeemer ransomware is required to share 20% of the victim’s total ransom amount (collected in Monero).
Earlier this month, the author of Redeemer ransomware released their new version – Redeemer 2.0 – with updated features.
Click to expand...

guest · Jul 25, 2022

Lockbit 3.0 and the ransomware business model
July 25, 2022

“Make Ransomware Great Again!”
With this proclamation, the notorious LockBit ransomware group released its latest ransomware-as-a-service offering, LockBit 3.0 (or Lockbit Black, as it has deemed it).
Notably, the new offering focuses on data exfiltration, as opposed to the encryption of files on a victim’s machine.

The group also published a set of “Affiliate Rules” and announced what cybercrime experts say is a first for the dark web: a bug bounty program. This purportedly offers a $1 million payout for those who reveal personally identifiable information (PII) on high-profile individuals, as well as any web security exploits.

“We invite all security researchers, ethical and unethical hackers on the planet,” the group posted upon the release of LockBit 3.0.
Click to expand...

“Ransomware-as-a-service has increased the speed at which gangs can develop effective new code bases and business models,” said Darren Williams, Ph.D., CEO and founder of cybersecurity company BlackFog. “This underground network of gangs works closely together and shares knowledge to maximize profits.”
Ransomware-as-a-service: A new economy
RaaS is a criminal take on the popular software-as-a-service (SaaS) enterprise model. Through subscription, affiliates can use ransomware tools developed by expert coders to carry out ransomwar
Click to expand...

Ultimately, LockBit “continues to be at the forefront of the threat landscape and the most prominent threat actor,” according to a monthly report from IT security company NCC Group.

Most notably, LockBit 3.0 is pioneering a new ransomware concept of extorting victims directly and not – at least initially – publicly disclosing an attack, explained Williams. The group gives victims various choices requiring a fee: extending time given to pay by 24 hours, wiping extracted data immediately, or downloading data.

“This unique approach maximizes the potential ransom that can be extracted from each victim,” said Williams. It also adds “even more expediency” to LockBit’s extortion mechanism.
Click to expand...

Meanwhile, according to LockBit’s “Affiliate Rules,” critical infrastructure cannot be encrypted, but data can still be stolen. This explicitly calls out that “it’s not the encryption of the files, just data theft,” said Schmitt. “You can’t encrypt it, but you can steal all the data you want.”

This is particularly interesting, he said, because up until now, there has been no delineation between encrypting information systems associated with critical infrastructure and stealing data associated with critical infrastructure.
Click to expand...

Log in or Sign up

Ransomware as a Service (RaaS) – The Business of Ransomware

EASTER Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

EASTER Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

NormanF Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Ransomware as a Service (RaaS) – The Business of Ransomware

EASTER Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

EASTER Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

NormanF Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches