The underground economy is booming, fueled by a growing and evolving ransomware industry. The Dark Web now has hundreds of thriving marketplaces where a wide variety of professional ransomware products and services can be obtained at different prices.
Venafi and Forensic Pathways researchers analyzed some 35 million Dark Web URLs – including forums and marketplaces – between November 2021 and March 2022 and discovered 475 web pages filled with lists of ransomware strains, ransomware source code, custom build and development services, and comprehensive services. full-fledged ransomware-as-a-service (RaaS) offerings.
A plethora of ransomware tools
Researchers identified 30 different ransomware families listed for sale on the pages and found advertisements for well-known variants such as DarkSide/BlackCat, Babuk, Egregor, and GoldenEye that were previously associated with attacks on high-profile targets . Prices for these proven attack tools tended to be significantly higher than lesser-known variants.
For example, a customized version of DarkSide – the ransomware used in the Colonial Pipeline attack – was priced at $1,262, compared to some variants that were available for as low as $0.99. The Babuk ransomware source code, meanwhile, was listed at $950, while that of the Paradise variant sold for $593.
“It is likely that other hackers will buy the ransomware source code to modify it and create their own variants, similar to a developer using an open source solution and modifying it to suit their business needs,” says Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi.
The success threat actors have had with variants such as Babuk, which was used in an attack on the Washington, DC, police department last year, makes the source code more appealing, Bocek says. “So you can understand why a malicious actor would want to use the strain as a base to develop their own ransomware variant.”
No experience necessary
Venafi researchers have found that in many cases, the tools and services available in these marketplaces, including step-by-step tutorials, are designed to allow attackers with minimal technical skills and experience in launching ransomware attacks against victims of their choice.
“Research found that ransomware strains can be purchased directly from the Dark Web, but also that some “vendors” offer additional services like technical support and paid add-ons like unkillable processes for ransomware attacks , as well as tutorials,” Bocek said. .
Other vendors have reported increasing use by ransomware actors of initial access services to gain a foothold on a target network. Initial Access Brokers (IABs) are threat actors who sell access to a previously compromised network to other threat actors.
Initial Access Brokers Thrive in the Underground Economy
A study by Intel471 earlier this year revealed a growing link between ransomware actors and IABs. Among the most active players in this space are Jupiter, a threat actor that was seen providing access to as many as 1,195 compromised networks in the first quarter of the year; and Neptune, which listed over 1,300 access credentials for sale in the same time frame.
Ransomware operators that Intel471 spotted using these services included Avaddon, Pysa/Mespinoza, and BlackCat.
Often, access is provided via compromised Citrix, Microsoft Remote Desktop, and Pulse Secure VPN credentials. Trustwave’s SpiderLabs, which monitors the prices of various products and services on the Dark Web, describes VPN credentials as the most expensive records in underground forums. According to the seller, VPN access prices can go up to $5,000 — and even more — depending on the type of organization and access it offers.
“I expect to see a ransomware rampage continue as it has for the past few years,” Bocek says. “The abuse of machine identities will also see ransomware move from infecting individual systems to taking over entire services, like a cloud service or a network of IoT devices.”
A fragmented landscape
Meanwhile, another study released this week – a mid-year threat report by Check Point – shows that the ransomware landscape is littered with far more gamers than is commonly believed. Check Point researchers analyzed data from the company’s incident response engagements and found that while some ransomware variants – such as Conti, Hive and Phobos – were more common than other variants, they did not represent the majority of attacks. In fact, 72% of ransomware incidents Check Point engineers responded to involved a variant they had only encountered once before.
“This suggests that contrary to some assumptions, the ransomware landscape is not dominated by just a few large groups, but is in fact a fragmented ecosystem with several smaller players who are not as high profile as the larger groups,” according to the report.
Check Point – like Venafi – has characterized ransomware as continuing to pose the greatest risk to corporate data security, as it has for several years. The security vendor’s report highlighted campaigns such as the Conti Group’s ransomware attacks in Costa Rica (and subsequently Peru) earlier this year as examples of how threat actors have broadened their reach. targeting, seeking financial gain.
Large ransomware fish can swell
Many of the largest ransomware groups have grown to such an extent that they employ hundreds of hackers, have revenues of hundreds of millions of dollars, and are able to invest in things like R&D teams, quality assurance programs and specialized negotiators. Increasingly, larger ransomware groups have begun acquiring nation-state actor capabilities, Check Point warns.
At the same time, the widespread attention these groups have begun to receive from governments and law enforcement will likely encourage them to maintain a legal profile, Check Point says. The US government, for example, offered a $10 million reward for information leading to the identification and/or apprehension of Conti members, and $5 million for groups captured using Conti. The heat is believed to have contributed to the Conti Group’s decision earlier this year to cease operations.
“There will be a lesson learned from the Conti ransomware group,” Check Point states in its report. “His size and power have attracted too much attention and become his downfall. In the future, we believe there will be many small and medium groups instead of a few large ones, so that they can pass more easily under the radar.”