When criminals go corporate: Ransomware-as-a-service, bulk discounts and more

Pen-testers, rogue developers, dodgy hosters, etc. etc.

Feature This summer, Abnormal Security discovered that some of its customers' staff were receiving emails inviting them to install ransomware on a company computer in return for a $1m share of the "profits".

When Abnormal staff set up a fake persona and contacted the criminals to play along, though, things started to fall apart. While the criminal initially discussed a potential ransom of $2.5m, this figure fell and fell as talks went on, first to $250,000 and then to just $120,000.

The would-be attacker also appeared to have very little understanding of normal incident response techniques, says Abnormal, and a rather shaky grasp of the technology they claimed to be using. But thanks to the availability of ransomware-as-a-service (RaaS), this inexperience in itself was no barrier.

RaaS "packages" are available on dark web forums offering scalable, easy-to-use ransomware toolkits. Increasingly, the developers of these packages have become highly professional, offering bulk discounts, 24-hour support, user reviews, discussion forums, and all the other trappings of a legitimate software-as-a-service product.

"The store pages are almost disturbingly corporate," says Mitch Mellard, principal threat intelligence analyst at Talion. "Using the example of the page for the EGALYTY ransomware-as-a-service, they proudly display links to online infosec publications specifically discussing their strain like a badge of honour, like a mundane software store would display positive reviews from tech publications.

"They then display a multi-tiered service list, ranging from a one-month 'test' package for $90, proceeding to 'standard' and 'premium' offerings, before arriving at the 12-month 'elite' subscription package, with all of the bells and whistles, for $1,400."

In many cases, the groups work on an affiliate model, with the developers taking a cut of the ransom on top of the monthly payment, generally to the tune of around 20 to 50 per cent. Affiliates are supported through the process of mounting an attack.

"A lot of people behind ransomware are simple people who have experience in the information security field and decide to try and make money this way," says Marijus Briedis, CTO at NordVPN. "This trend was accelerated by COVID-19 when people were forced to sit at home."

However, says Jamie Collier, cyber threat intelligence consultant at FireEye's Mandiant Threat Intelligence, the move by ransomware developers towards professional corporate structures has brought other changes too.

"What this has led to isn't necessarily just a load of low-sophisticated actors getting involved, it's also allowed for a deeper level of specialisation, so the likes of a supply chain compromise or exploiting zero-day vulnerabilities, for instance," he says.

"Because you've got these affiliates and these different entities getting involved, it means you don't need to master all stages of the attack lifecycle."

As a result, ransomware groups are hiring experts in every aspect of the business, from pen-testers who can gain initial access to systems to ransom negotiators.

"The RaaS economy follows a well-orchestrated value chain which starts from a vulnerability researcher who identifies and sells zero-day vulnerabilities to developers who create malware to take advantage of the vulnerabilities and to vendors or distributors who do marketing and sales on RaaS offerings on the dark net," says George Papamargaritis, MSS director at Obrela Security Industries.

"Rogue hosting providers, intermediates who do Bitcoin laundering operations and offer Bitcoin to currency exchangers, are part of the value chain as well."

And botnet operators are also in demand: researchers from security firm Kela cite one dark net job ad looking for somebody to handle two to three bots per day, promising constant work until the end of the year along with fixed bonuses and 10 per cent of the eventual profit.

Finding the jobseekers

Recruitment, again, is a highly organised affair.

"Often you'll have to provide some level of proof that you're genuine, whether you've been previously active in the space or are willing to highlight your interests and engagement to get into closed groups," says Collier.

"So there's a lot of barriers there to stop anyone getting involved just for the sake of it – or, for that matter, to stop law enforcement getting involved."

Meanwhile, RaaS groups are starting to find new ways of making money. Rather than simply encrypting data and demanding a ransom for the decryption key, they are exfiltrating the data before encrypting it, and then threatening to leak or publish it – so that even organisations with good back-ups can be threatened.

"Groups like REvil and Maze have been wildly successful at monetising data exfiltrated from their victims," says Dean Ferrando, lead systems engineer (EMEA) at Tripwire. "These groups, which initially operated only by locking people out of their files, have found that it can be even more lucrative to extort a ransom in exchange for not publishing leaked data."

And this "double extortion" sometimes develops into triple extortion, he says: "In some cases, the groups claim to have organised sales to interested third parties when the original data owners refused to pay."

And, now, the next step is starting to evolve: referred to by some as quadruple extortion. Both the Grief Corp gang – believed by the US Department of the Treasury to be connected to Russia-based Evil Corp – and the Ragnar Locker ransomware group have started warning victims that they will leak stolen data from victims who contact law enforcement.

"Don't think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie," Ragnar Locker threatened victims this summer. "Dear clients if you want to resolve all issues smoothly, don't ask the police to do this for you. We will find out and punish with all our efforts."

And when stolen data is leaked, it's again being sold in a corporate way.

"Cybercriminals even have loyalty programs and discount systems in place ranging from 5 per cent to 30 per cent off for bulk purchases," says Briedis. "The dark web is just like Wall Street. The higher the damages the sold data can inflict, the more expensive it is."

The REvil group – which earlier this year leaked 2.4GB of Lady Gaga's legal documents – has even organised auctions to get the best price for its stolen data.

Another novel technique being used by ransomware attackers is to add distributed denial-of-service (DDoS) attacks into the mix, threatening to carry on indefinitely until a ransom is paid. This type of attack was first reported late last year from the SunCrypt and Ragnar Locker groups, with Avaddon following suit early this year.

And a growing trend, according to Collier, is the targeting of customers, media and others to tell them that an organisation has been hacked.

"For example, we've seen ransomware groups call and harass employees of an organisation. We've seen them reach out to business partners and suppliers, third parties, to drum up additional pressure," he says.

"You've got ransomware groups now interacting with the press more proactively; they're being very experimental, looking outside the box and exploring new ways to impose pressure on victims."

It's no secret that the number of ransomware attacks has been rocketing. According to Positive Technologies' Cybersecurity Threatscape for Q2 2021, they jumped 45 per cent in April alone, and now account for nearly seven in ten malware attacks – a 30 per cent rise compared with the same quarter last year.

And with RaaS turning out to be such a successful business model, says Group-IB, it now accounts for nearly two-thirds of ransomware attacks.

New kid in town

Right now, ransomware groups appear to be in an extraordinary state of flux. After increasing heat from law enforcement following the Colonial Pipeline attack in May, DarkSide appeared to vanish; so too did REvil after a high-profile attack on IT management software provider Kaseya. Soon after, a new group called BlackMatter appeared, which security researchers reckon has connections with both groups.

BlackMatter appears to use a similar financial structure and ransomware strains to REvil, and has been recruiting affiliates all summer. It's been posting ads offering between $3,000 and $100,000 for access to high-value corporate networks of companies with revenues of at least $100m a year in the US, the UK, Canada or Australia.

Meanwhile, a group called AvosLocker also started up over the summer, recruiting affiliates on dark web discussion forums. At the same time, a double-extortion ransomware group called Hive Ransomware began operations, hitting 28 organisations, including a European airline, within weeks. Ominously, unlike other ransomware groups, it has actively been targeting hospitals.

As well as making it harder for law enforcement to deal with these groups, such changes leave organisations more vulnerable as they scramble to keep up.

"It's a very dynamic and agile environment, it's a very fluid environment where threat actors will very quickly form and disband," says Collier.

"There is a need to serve up threat intelligence much more quickly on these groups because they are only going to be around for a short time – but it also potentially means that the information shared about these groups expires much more quickly as well."
