Ransomware Groups Refine Shakedown and Monetization ModelsPopular: Using Initial Access Brokers, Mediation as a Service, Healthcare Hits
Ransomware-wielding attackers continue to seek new ways to maximize profits with minimal effort. Some of their top tactics include tapping initial access brokers, working with botnet operators and testing new monetization models.
See Also: 2022 Unit 42 Incident Response Report
A thriving cybercrime-as-a-service ecosystem helps facilitate such efforts - a complex landscape that's difficult for law enforcement to disrupt. Numerous providers offer a variety of services, and if they should get disrupted or arrested, rivals are all too ready to take their place.
Here are some of the top trends being seen by experts as ransomware groups aim to increase profits:
Continuing Use of Initial Access Brokers
Ransomware groups and affiliates often outsource the time-consuming work of gaining access to a victim's network.
One popular cybercrime-as-a-service provider offering remains the initial access broker, who hacks into organizations and offers buyers a menu of ready "accesses." These give buyers a quick, remote way to access a victim's network, typically via remote desktop protocol or VPN connections. Attackers can then attempt to move laterally in the victim's network, gain admin-level access, dump databases, eavesdrop on communications and unleash ransomware.
The cost of any such access is often a small fraction of what an attacker might receive as a ransom payment.
Initial access brokers can be highly skilled at network penetration and very patient, and they can work with multiple ransomware groups. This week, Cisco reported that it had fallen victim to an attack "conducted by an adversary that has been previously identified as an initial access broker with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group and Yanluowang ransomware operators."
The attack was notable because the hacker successfully tricked a Cisco employee into accepting multifactor authentication push notifications that the attacker had initiated, which they were able to parlay into "access to VPN in the context of the targeted user" (see: Cisco Hacked: Firm Traces Intrusion to Initial Access Broker).
From April to June, threat intelligence firm Kela reported seeing more than 550 network access listings, with an average asking price of $1,200 each. On a country-by-country basis, listings for U.S. organizations are most common - accounting for 20% of all listings this year - followed by Brazil, France, the U.K. and Italy.
Seeking Fresh Monetization Models
Ransomware groups continue to test new strategies for making money, including pure data leakage models.
A group called RansomHouse appears to have emerged last December and describes itself as a "professional mediators community" that will "facilitate negotiations" between ransomware groups and victims, "claiming to help both sides to set up a dialogue to make informed decisions," Kela reports.
"It is unclear what are the exact terms of those negotiations and whether the operators receive a share of the ransom payment from their partners," it says, adding that the group may be affiliated with the FIN8 hacking group, aka White Rabbit.
Industrial Spy, which was first spotted in April, runs a marketplace designed to sell stolen data.
Kela reports that its analysis of the service "found that some of the companies listed ... have been previously claimed as victims of various ransomware groups such as Hive, Vice Society, Conti and Xing, and data leak sites such as Marketo." Accordingly, it says, the service appears to facilitate in part last-ditch efforts by ransomware groups to monetize attacks that didn't lead to victims paying a ransom.
In June, the ransomware group Alphv - aka BlackCat - began testing a "collections" feature, offering the ability to search a directory of data stolen from victims.
The feature could be a move to surreptitiously amass more information. "This initiative indicates the group's ambitions to evolve and find new intimidating tactics; it is also interesting to track whether Alphv will collect information that visitors will enter into the search bar of the 'collections,' such as corporate email addresses, and further abuse it," Kela says.
LockBit has reportedly been testing a similar feature (see: Search Here: Ransomware Groups Refine High-Pressure Tactics).
Increased Hacking of Remote Services
Ransomware-wielding attackers typically gain access to victims' networks by hacking into remote services or conducting phishing attacks, and to a lesser extent by exploiting known vulnerabilities, experts say.
In recent months, Kela reports, initial access brokers have been capitalizing on three vulnerabilities in particular, in Microsoft Exchange - CVE-2021-42321, Confluence Server and Data Center - CVE-2022-26134, and VMware Workspace One Access and Identity Manager - CVE-2022-22954.
Corporate risk firm Kroll reports that it's seen a sevenfold increase in online attacks - not just tied to ransomware - that trace to initial access via remote services, meaning RDP or VPN.
Most Popular Initial Access Methods for Deploying Ransomware
Meanwhile, when phishing is used, the firm reports seeing "an uptick in the use of Qakbot malware as a delivery mechanism, particularly for new ransomware groups such as Black Basta."
Qakbot malware has been previously used as part of ransomware attacks. One example: The Emotet malware and botnet was used to drop TrickBot or QakBot, which would then drop Cobalt Strike, which attackers would use to attempt to escalate their privileges and unleash ransomware inside the network (see: Emotet Tactic May Presage More Rapid Ransomware Infections).
Practitioners of this approach have included the now defunct Ryuk group and its spinoff, Conti, which claimed to retire earlier this year. Hence Black Basta using this tactic is perhaps not surprising, since experts believe it's a Conti spinoff or rebrand. Likewise, LockBit administrator LockBitSupp on June 28 declared on the XSS forum that "Black Basta is a rebranding of Conti."
More Secrets and Lies
Ransomware groups also regularly lie to inflate their reputation at rivals' expense. In June, LockBit claimed to have hacked cybersecurity giant Mandiant. But that claim has been widely debunked, and Kela reported that it was simply "a trick to gain attention from the public."
While LockBit leaked two supposedly stolen files from Mandiant, Kela says neither contained "any actual Mandiant-related documents," but rather information pertaining to an attack against the Foxconn Baja California factory. The LockBit leak "also included a screenshot of a correspondence between an affiliate who perpetrated the attack," which used LockBit's ransomware, and the affiliate complained to the operators that "'researchers' tied him to Evil Corp."
That would be unwelcome news for the affiliate because the Evil Corp cybercrime group has been sanctioned by the U.S. As a result, anyone who pays a ransom to the organization will be in violation of U.S. Department of Treasury regulations that get enforced worldwide (see: Don't Pay Ransoms, UK Government and Privacy Watchdog Urge).
Kroll says that based on the incidents it has helped investigate since the beginning of the year, it has seen steady levels of ransomware attacks and email compromise while unauthorized access has surged.
At a sectoral level, meanwhile, it has seen attacks on healthcare nearly double in recent months.
Especially since the COVID-19 pandemic began, many ransomware groups claim to not target the healthcare sector. Oftentimes, this has been an outright lie.
Other groups make no bones about hitting healthcare. Kela reports that so-called "rules" issued by LockBit to affiliates state: "It is allowed to very carefully and selectively attack medical related institutions such as pharmaceutical companies, dental clinics, plastic surgeries …. as well as any other organizations provided that they are private and have rhubarb." The latter term, Kela says, is Russian slang for revenue.
But LockBit adds that "it is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals."
Most-Targeted Industry Sectors
Regardless of whether ransomware groups supposedly steer clear of the healthcare sector or not, their recourse when such attacks inevitably do occur is often to offer a "free" decryptor to such victims, especially if the attack is generating negative publicity. But of course after potentially thousands of systems get crypto-locked and patient care is disrupted, extensive damage has already been done (see: Ransomware Groups Keep Blaming Affiliates for Awkward Hits).