Ransomware threat actors are increasingly getting into organizations by working with criminals who have already penetrated their network, and not through email, according to new research.
In a blog published today, Proofpoint said ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the payout. They may even join as affiliate members of the ransomware developers.
“The result is a robust and lucrative criminal ecosystem, in which different individuals and organizations increasingly specialize to the tune of greater profits for all—except, of course, the victims,” the report said.
It goes on to say that criminals often compromise victim organizations with first-stage malware like The Trick, Dridex, or Buer Loader before tying to sell their access to ransomware operators. Trojans that steal banking credentials – often used as ransomware loaders – represented almost 20 per cent of malware observed in identified campaigns in the first half of 2021, the report says.
Proofpoint has also seen evidence of ransomware deployed via SocGholish, which uses fake updates and website redirects to infect users, and through Keitaro, a traffic distribution system (TDS). Researchers also saw deployments through follow-on exploit kits which operators use to evade detection.
The report says an attack chain leveraging crimianl access brokers could look like this:
- A threat actor sends emails containing a malicious Office document;
- A user downloads the document and enables macros that drops a malware payload;
- The actor leverages the backdoor access to exfiltrate system information;
- At this point, the initial access broker can sell access to another threat actor;
- The actor deploys Cobalt Strike via the malware backdoor access which enables lateral movement within the network;
- The actor obtains full domain compromise via Active Directory;
- The actor deploys ransomware to all domain-joined workstations.
Over the last two years, there’s evidence that the amount of time threat actors spend within an environment before encryption starts is dropping, says the report. Some incidents are reporting two-day infection timelines between initial access and ransomware deployment compared to reported averages of 40 days in 2019.
“Short dwell times, high payouts, and collaboration across cybercriminal ecosystems have led to a perfect storm of cybercrime that the world’s governments are taking seriously. In response to recent high-profile ransomware attacks, the United States government proposed new efforts to combat ransomware, and it was a hot topic at [last week’s] 2021 G7 conference,” indicated the ProofPoint report. “It is possible with new disruptive efforts focused on the threat and growing investments in cyber defense across supply chains, ransomware attacks will decrease in frequency and efficacy.”
Prominent ransomware gang members arrested by police
Proofpoint’s report was published shortly before Ukrainian police announced that they arrested six people alleged to be behind the Clop (sometimes spelled Cl0p) ransomware gang. In addition to creating ransomware, this gang also allowed its website to be used by groups that took advantage of vulnerabilities in the Accellion FTA file transfer application to threaten victims.
Ukrainian police said officers conducted 21 searches in the capital of Kyiv and the surrounding region. Computer equipment, cars and about 5 million hryvnias (equivalent to CDN$225,000) in cash were confiscated. The property of the perpetrators was seized.
“Clop wasn’t the most active group, but the takedown is nonetheless significant and represents a big win for good guys,” said Brett Callow, British Columbia-based threat researcher for Emsisoft. “While previous actions by law enforcement have succeeded in disrupting operations or the arrest of affiliates, it appears that members of a group’s core team may have caught this time. Hopefully, the action will have a knock-on effect. We’ve already seen Darkside, Babuk and Avaddon either head for the hills or change their business model, and hopefully other groups will now decide to do the same thing.”