Ransomware spreads enormously fast

12 August 2022, by Horst Buchwald

Berlin, 12.8.2022

Insiders no longer speak merely of a threat; the word "explosion" is heard more and more often. The subject is ransomware. Hundreds of marketplaces on the dark web now offer professional ransomware products and services.

Researchers from Venafi and Forensic Pathways discovered around 35 million URLs on the dark web between November 2021 and March 2022, including forums and marketplaces. Among them are 475 websites offering ransomware strains, ransomware source code, build and custom development services, and full-fledged ransomware-as-a-service (RaaS) offerings.

What’s interesting is the prices at which they trade. A customized version of DarkSide – the ransomware used in the Colonial Pipeline attack – was on sale for $1,262, while some variants were available for as little as $0.99. The source code for the Babuk ransomware was listed at $950, while the source code for the Paradise variant sold for $593.

The success that threat actors have had with variants like Babuk, which was used in an attack on the Washington, D.C., Police Department last year, makes the source code even more attractive.

Venafi researchers found that in many cases, the tools and services available on these marketplaces – including step-by-step instructions – are designed to allow attackers with minimal technical knowledge and experience to launch ransomware attacks against victims of their choosing. 

Other reports indicated that ransomware actors are increasingly using initial access services to gain a foothold in a target network. Initial access brokers (IABs) are threat actors that sell other threat actors access to an already compromised network.

A study by Intel471 earlier this year found a growing link between ransomware actors and IABs. The most active players in this space include Jupiter, a threat actor that offered access to 1,195 compromised networks in the first quarter of the year, and Neptune, which offered more than 1,300 credentials for sale during the same period. 

Ransomware operators Intel471 detected using these services include Avaddon, Pysa/Mespinoza and BlackCat.

Access is often sold in the form of compromised Citrix, Microsoft Remote Desktop and Pulse Secure VPN credentials. Trustwave's SpiderLabs, which monitors prices for various products and services on the dark web, describes VPN credentials as the most expensive listings on underground forums. According to the vendor, prices for VPN access can reach $5,000.
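Brokered credentials for a VPN, Citrix or RDP gateway look like ordinary successful logins, so the practical check is behavioural: the same account succeeding from two countries within a short window, or a success that lands right after a burst of failures. The following detector is an added example written for this article, not code from Venafi, Intel471, Trustwave or any of the vendors named here. It assumes a constructed, simplified log line format (timestamp, service, user, source IP, country, result); real gateway logs differ and would need their own parser, and the two-hour window and five-failure threshold are arbitrary starting values.

```python
"""Flag likely use of resold remote-access credentials in gateway auth logs.

Added example for this article; the log format, thresholds and sample data
below are assumptions, not any vendor's format or real telemetry.

Heuristics:
  1. multi_country_success: a user succeeds from two or more countries
     within WINDOW (impossible travel, a common sign of a resold account).
  2. success_after_failures: a success preceded by >= FAIL_THRESHOLD failures
     for the same user within WINDOW (spraying/stuffing that finally lands).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)      # assumed correlation window
FAIL_THRESHOLD = 5               # assumed failure count before a success

# Constructed sample log (not real data):
# <ISO-8601 UTC> <service> <user> <source-ip> <country> <success|fail>
SAMPLE_LOG = """\
2022-08-11T08:02:10Z vpn alice 203.0.113.7 DE success
2022-08-11T08:40:33Z vpn alice 198.51.100.23 RU success
2022-08-11T09:15:01Z rdp bob 192.0.2.44 DE fail
2022-08-11T09:15:05Z rdp bob 192.0.2.44 DE fail
2022-08-11T09:15:09Z rdp bob 192.0.2.44 DE fail
2022-08-11T09:15:14Z rdp bob 192.0.2.44 DE fail
2022-08-11T09:15:18Z rdp bob 192.0.2.44 DE fail
2022-08-11T09:15:22Z rdp bob 192.0.2.44 DE success
2022-08-11T10:00:00Z citrix carol 203.0.113.9 DE success
2022-08-11T13:30:00Z citrix carol 203.0.113.9 DE success
"""


def parse(line):
    """Parse one line of the assumed log format into a dict."""
    ts, service, user, ip, country, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "service": service,
        "user": user,
        "ip": ip,
        "country": country,
        "ok": result == "success",
    }


def detect(log_text, window=WINDOW, fail_threshold=FAIL_THRESHOLD):
    """Return a list of (user, rule, service, detail) alerts for the log."""
    events = sorted(
        (parse(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue  # only successful logins trigger an alert
            # Earlier events for this user inside the correlation window.
            recent = [p for p in evs[:i] if e["ts"] - p["ts"] <= window]
            countries = {p["country"] for p in recent if p["ok"]} | {e["country"]}
            if len(countries) > 1:
                alerts.append((user, "multi_country_success", e["service"],
                               sorted(countries)))
            fails = sum(1 for p in recent if not p["ok"])
            if fails >= fail_threshold:
                alerts.append((user, "success_after_failures", e["service"], fails))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data this flags alice (VPN success from DE and then RU 38 minutes apart) and bob (RDP success after five failures), while carol's two Citrix logins from the same address are left alone. In production the country lookup would come from a GeoIP or ASN database rather than the log line, and the thresholds should be tuned against the organisation's own baseline before alerts are routed to an on-call queue.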

According to a recent report by security vendor Check Point, "there is much to suggest that, contrary to some assumptions, the ransomware landscape is not dominated by a few large groups, but is actually a fragmented ecosystem with several smaller players that are not as well known as the larger groups."

Check Point, like Venafi, again called ransomware the biggest risk to enterprise security, as it has in previous years. The vendor's report highlights campaigns such as the Conti group's ransomware attacks on Costa Rica (and later Peru) earlier this year as examples of how far threat actors have broadened their targeting in pursuit of financial gain.

Some of the larger ransomware groups are now so large that they employ hundreds of hackers, have revenues in the hundreds of millions of dollars, and are able to invest in things like research and development teams, quality assurance programs, and specialized negotiators. Check Point warns that larger ransomware groups are increasingly acquiring the capabilities of nation-state actors.

At the same time, the considerable attention such groups receive from governments and law enforcement is likely to push them to keep a low profile, Check Point said. For example, the U.S. government has offered a $10 million reward for information leading to the identification and/or apprehension of Conti members and $5 million for groups using Conti. This reward is believed to have contributed to the Conti group shutting down its operations earlier this year.

"The Conti ransomware group will also be taught a lesson," Check Point's report said. "Its size and power attracted too much attention and became its undoing. We believe that in the future, there will be many small to mid-sized groups instead of a few large ones, making it easier for them to slip under the radar."