Ransomware gangs are using a variety of business-like practices to boost profits, making it more difficult for defenders to differentiate various groups, a new report by WithSecure has surmised.
This move towards mirroring legitimate businesses practices means that tactics, techniques and procedures (TTPs) are blurring, Stephen Robinson, senior threat intelligence analyst at WithSecure said during Sphere23.
For example, while the recent fall of ransomware gangs like Conti and Hive are positive, more groups have sprung up since then using Conti-like TTPs. This shows that methods used by these gangs are imitated and copied by other actors.
The underground marketplace now includes entities including ransomware-as-a-service (RaaS) groups, initial access brokers (IAB), crypter-as-a-service (CaaS), cryptojackers, malware-as-a-service (MaaS) groups and nation-state actors.
Robinson noted that nation-states use tools available on the underground market to gain access to networks and systems without being detected.
Ultimately, this trend towards professionalization makes the expertise and resources to attack organizations accessible to lesser-skilled or poorly resourced threat actors.
Robinson noted IABs are industrializing exploitation though their high volume of activity.
During a presentation, Robinson highlighted an incident investigated by WithSecure, which found that a single organization was compromised by five different threat actors, each with different objectives and representing a different type of cybercrime service:
• The Monti ransomware group
• Qakbot MaaS
• A cryptojacking group known as the 8220 Gang (also tracked as Returned Libra)
• An unnamed IAB
• A subset of Lazarus Group, an advanced persistent threat associated with North Korea’s Foreign Intelligence and Reconnaissance General Bureau.
Value Breeds Demand
Robinson noted that despite this, it is becoming more difficult to differentiate groups. This will affect traditional detection techniques and there needs to be a new way of thinking for defenders.
“You’ve got to treat them all as a similar threat and you’ve got to be prepared for any of them,” he told Infosecurity. “You’ve really got to be prepared before it happens because you don’t really have a chance to catch up if someone gets into your network.
“If you’re a valuable company, then if someone happens to break in and all they want to do is run some crypto jacking software on your edge server, but they find out that you’re a high turnover company of some kind, they might sell that access to somebody else who does want to do something with you.”
He noted that there has been evidence of activity on the dark web where entities have been posting requests for access to companies with $100m turnover.
“They don’t care who it is, they care about how valuable it is,” Robinson said.
According to WithSecure’s analysis of over 3000 data leaks by multi-point extortion ransomware groups, organizations in the US were the most common victims of these attacks, followed by Canada, the UK, Germany, France and Australia.
Together, organizations in these countries accounted for three-quarters of the leaks included in the analysis.
The construction industry seemed to be the most impacted and accounted for 19% of the data leaks. Automotive companies, on the other hand, only accounted for about 6%.
A number of other industries sat between the two due to ransomware groups having different victim distributions, with some families targeting one or more industry disproportionately to others.