SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Ransomware attackers bolder than ever
Tue, 18th May 2021

Ransomware is on the tip of everyone's tongue every time businesses discuss cyberthreats they are likely to face in 2021.

That's according to cybersecurity firm Kaspersky, which is digging deep into the ransomware ecosystem in a bid to help organisations understand how it operates - and how to fight it.

"Attackers have built their brands and are bold in their advances like never before, with the news about organisations being hit with ransomware consistently on newspaper front pages," Kaspersky says.

"But by placing themselves under the spotlight, such groups hide the actual complexity of the ransomware ecosystem."

The latest report by Kaspersky researchers dug into darknet forums, took a deep look at REvil and Babuk gangs and debunked some of the myths about ransomware.

"When you dig into this underworld, you have to expect that it has many faces," Kaspersky says.

"Like any industry, the ransomware ecosystem comprises many players that take on various roles. Contrary to the belief that ransomware gangs are actually gangs – tight, have-been-through-it-all-together, Godfather-style groups – the reality is more akin to the world of Guy Ritchie's 'The Gentlemen', with a significant number of different actors – developers, botmasters, access sellers, ransomware operators – involved in most attacks, supplying services to each other through dark web marketplaces," it explains.

These actors meet on specialised darknet forums, where one can find regularly updated ads offering services and partnerships. Prominent big-game players that operate on their own do not frequent such sites; however, well-known groups such as REvil, which have increasingly targeted organisations in the past few quarters, publicise their offers and news on a regular basis through affiliate programmes.

This type of involvement presumes a partnership between the ransomware group operator and the affiliate, with the ransomware operator taking a profit share of 20-40% while the remaining 60-80% stays with the affiliate.

Dmitry Galov, security researcher at Kaspersky's Global Research and Analysis Team, says the ransomware ecosystem is a complex one with many interests at stake.

"It is a fluid market with many players, some quite opportunistic, some – very professional and advanced," he explains.

"They do not pick specific targets, they may go after any organisation – an enterprise or a small business, as long as they can gain access to them. Moreover, their business is flourishing, it is not going away anytime soon," Galov says.

"The good news is that even rather simple security measures can drive the attackers away from organisations, so standard practices such as regular software updates and isolated backups do help and there is much more that organisations can do to secure themselves."

According to Kaspersky, because the people who infect organisations and the ones who actually operate the ransomware are different groups, brought together only by the desire to profit, the organisations infected most are often low-hanging fruit – essentially, the ones the attackers were able to gain access to most easily.

"It could be both actors that work within the affiliate programs and independent operators that later sell access – in an auction form or as a fix, starting as low as 50 USD," Kaspersky says.

"These attackers, more often than not, are botnet owners who work on massive and wide-reaching campaigns and sell access to the victim machines in bulk, and access sellers on the lookout for publicly disclosed vulnerabilities in internet-facing software, such as VPN appliances or email gateways, which they can use to infiltrate organisations."

Ransomware forums are home to other types of offers too. Some ransomware operators sell malware samples and ransomware builders for anything from 300 to 4,000 USD, others offer Ransomware-as-a-Service – the sale of ransomware with continued support from its developers, which can range from 120 USD per month to 1,900 USD per year packages.

Craig Jones, director of cybercrime at INTERPOL, says that in the past two years, cybercriminals have become bolder in using ransomware.

"Organisations targeted by such attacks are not limited to corporations and governmental organisations – ransomware operators are ready to hit essentially any business regardless of size," he says.

"It is clear that the ransomware industry per se is a complex one involving many different actors with various roles. To fight them, we need to educate ourselves on how they work and fight them as one.

"Anti-Ransomware Day is a good opportunity to highlight this need and remind the public of how important it is to adopt effective security practices," Jones adds.

"INTERPOL's Global Cybercrime Programme, together with our partners, is determined to reduce the global impact of ransomware and protect communities from harm caused by this growing threat."