A Ransomware Explosion Fosters Thriving Dark Web Ecosystem


The underground economy is booming – fueled by a growing and evolving ransomware sector. The Dark Web now has hundreds of thriving marketplaces where a wide variety of professional ransomware products and services are available at a variety of price points.

Researchers from Venafi and Forensic Pathways analyzed around 35 million Dark Web URLs – including forums and marketplaces – between November 2021 and March 2022 and uncovered 475 web pages filled with lists of ransomware strains, ransomware source code, build and custom development services, and full-fledged ransomware-as-a-service (RaaS) offerings.

A multitude of ransomware tools

The researchers identified 30 different ransomware families listed for sale on the sites and found ads for well-known variants such as DarkSide/BlackCat, Babuk, Egregor and GoldenEye that have previously been linked to attacks on high-profile targets. Prices for these proven attack tools tended to be significantly higher than lesser-known variants.

For example, a customized version of DarkSide — the ransomware used in the Colonial Pipeline attack — was priced at $1,262, compared to some variants available for as low as $0.99. The source code for the Babuk ransomware, meanwhile, was listed for $950, while that for the Paradise variant sold for $593.

“It is likely that other hackers will purchase ransomware source code to modify it and create their own variations, similar to a developer using an open source solution and modifying it to suit their company’s needs,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

The success threat actors have had with variants like Babuk, used in an attack on the Washington, DC, police department last year, makes the source code more appealing, Bocek says. “So you can see why a threat actor would want to use the trunk as the basis for developing their own ransomware variant.”

No experience necessary

Venafi researchers found that the tools and services available through these marketplaces – including step-by-step guides – are in many cases designed to allow attackers with minimal technical skills and experience to launch ransomware attacks against victims at will.

“The study found that ransomware strains can be purchased directly on the Dark Web, but also that some ‘vendors’ offer additional services such as technical support and paid add-ons such as immortal processes for ransomware attacks, as well as tutorials,” says Bocek.

Other vendors have reported the growing use by ransomware actors of initial access services to gain a foothold on a target network. Initial access brokers (IABs) are threat actors who sell access to a previously compromised network to other threat actors.

Initial Access Brokers thrive in the underground economy

An investigation by Intel471 earlier this year found a growing connection between ransomware actors and IABs. Among the most active players in this space are Jupiter, a threat actor seen offering access to as many as 1,195 compromised networks in the first quarter of the year; and Neptune, which listed more than 1,300 credentials for sale in the same time frame.

Ransomware operators that Intel471 discovered using these services included Avaddon, Pysa/Mespinoza, and BlackCat.

Often access is provided via compromised Citrix, Microsoft Remote Desktop and Pulse Secure VPN credentials. Trustwave’s SpiderLabs, which keeps track of prices for various products and services on the Dark Web, describes VPN credentials as the most expensive items in underground forums. According to the vendor, prices for VPN access can go as high as $5,000 – and even higher – depending on the type of organization and access it provides.

“I expect to see a ransomware rampage continue as it has for the past few years,” says Bocek. “The abuse of machine identities will also see ransomware move from infecting individual systems to taking over entire services, such as a cloud service or a network of IoT devices.”

A Fragmented Landscape

Meanwhile, another study released this week — a mid-year threat report from Check Point — shows that the ransomware landscape is filled with significantly more players than commonly believed. Check Point researchers analyzed data from the company’s incident response engagements and found that while some ransomware variants—such as Conti, Hive, and Phobos—were more common than other variants, they did not account for the majority of attacks. In fact, 72% of the ransomware incidents that Check Point’s engineers responded to involved a variant they had encountered only once before.

“This suggests that, contrary to some assumptions, the ransomware landscape is not just dominated by a few large groups, but is actually a fragmented ecosystem with several smaller players that are not as well-known as the larger groups,” according to the report.

Check Point – like Venafi – characterized ransomware as continuing to pose the biggest risk to corporate data security, as it has for the past several years. The security vendor’s report highlighted campaigns such as the Conti group’s ransomware attack on Costa Rica (and subsequently Peru) earlier this year as examples of how significantly threat actors have expanded their targeting in pursuit of financial gain.

Big Ransomware Fish can go belly up

Several of the larger ransomware groups have grown to the point where they employ hundreds of hackers, have revenues in the hundreds of millions of dollars, and are able to invest in things like R&D teams, quality assurance programs, and specialist vendors. Increasingly, larger ransomware groups have begun to acquire the capabilities of nation-state actors, Check Point warns.

At the same time, the widespread attention such groups are beginning to receive from governments and law enforcement is likely to encourage them to keep a lower profile, Check Point says. The US government, for example, has offered a $10 million reward for information leading to the identification and/or apprehension of Conti members, and $5 million for information on those participating in Conti attacks. The heat is believed to have contributed to a Conti group decision earlier this year to cease operations.

“There will be a lesson learned from the Conti ransomware group,” Check Point said in its report. “Its size and power attracted too much attention and became its downfall. Going forward, we think there will be many small-medium groups instead of a few large ones, so they can more easily go under the radar.”
