A new report has revealed the intricacies of the internet's ransomware ecosystem, concluding that actors working alongside ransomware groups demand more attention than they're currently getting.
The report details how threat actors are deploying a myriad of extortion techniques – often in tandem – in order to force companies to negotiate and ultimately pay fees to protect and/or retrieve their data.
By understanding the attack vectors that are most commonly used by ransomware groups, businesses can take action to protect themselves. Password managers, for instance, are one way to ensure your business' employees aren't providing an easy way in with weak account credentials.
Ransomware-as-a-Service Is Booming
Tenable's report explains that a key reason behind the recent ransomware boom is “the advent of ransomware‑as‑a‑service (RaaS).”
In essence, RaaS is a service model, just like Software-as-a-Service. Ransomware groups make the software, but then other actors end up breaking into systems and deploying it.
Before this, the ransomware groups themselves carried out every action in the process, but now the system is far more complex, with various stages at which smaller actors can make money.
The Ransomware Ecosystem Explained
Tenable explains that the ransomware ecosystem is, importantly, not just made up of ransomware groups. Ransomware groups create and own the “product” and therefore receive most of the attention, but the company identifies three main ‘roles’ that play a part in most ransomware attacks: IABs, Affiliates, and ransomware groups.
Initial Access Brokers (IABs) are a “specialized group of cybercriminals responsible for gaining access to organizations through a variety of means.”
Instead of using their unwarranted access to orchestrate their own ransomware attack, the report explains, IABs “maintain persistence within the networks of victim organizations and sell it to other individuals or groups within the cybercrime ecosystem.”
The market for IABs was worth $1.6 million in 2019 but grew to $7.1 million in 2021 (Group-IB). This is a much smaller figure than the money earned elsewhere in the ransomware chain, simply because there's much less risk involved.
After IABs break in, actors known as Affiliates purchase the access they've obtained for anywhere between a few hundred and a few thousand dollars. Alternatively, Affiliates break into company servers themselves using attack vectors like brute-forcing Remote Desktop Protocol (RDP) systems, phishing, exploiting system vulnerabilities, or stolen credentials.
The report says these actors work much like affiliate marketers that find leads in normal, legitimate business practices – they infect the system and let the ransomware group “close the deal” and kickstart the negotiation process.
The Affiliates are often under instruction from ransomware groups themselves, helping to test and utilize their creations.
How “Double”, “Triple” and “Quadruple” Extortion Makes Companies Pay Up
Traditionally, ransomware groups would encrypt a company's files and make it pay to decrypt them. Nowadays, however, most companies keep secure file backups, so this method has become increasingly ineffective.
Over the past few years, however, “double extortion” has become the standard for many ransomware groups. This consists of “exfiltrating data from victim organizations and publishing teasers” on dark web forums and leak websites. Companies terrified that private and confidential information will be leaked online subsequently pay up.
In 2021, REvil secured an $11 million payment from JBS, despite the company’s system being “fully operational” at the time of payment.
However, this tactic is now several years old, and Tenable says that other techniques are being used in tandem with one another in “triple” or even “quadruple” extortion attempts.
Methods include contacting customers that the stolen data refers to, threatening to sell the stolen data to the highest bidders, and warning victims against contacting law enforcement agencies.
Focus Beyond Ransomware Groups
The report suggests that the crucial role that IABs and affiliates play within the ransomware ecosystem should be given more attention.
Ransomware groups are, in essence, impermanent. The more success they have, the more affiliates want to pivot towards them and use their software, but then, in turn, the more law enforcement agencies attempt to track them down.
Many of the “infamous” ransomware groups making headlines today, like the Conti group, are successors to other ransomware groups. If you started an investigation into a group, it might not even exist a year from now. IABs and affiliates, however, will.
What Can Businesses Do to Protect Themselves?
Tenable offers a number of mitigation steps businesses can take to ensure they're not the next victims of an extortionate ransomware attack. These include using multi-factor authentication, continuously auditing user account permissions, patching vulnerable assets in your network, hardening Remote Desktop Protocol (RDP) access, and using appropriate antivirus software.
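Hardening RDP is only half of the picture; the brute-forcing of RDP that affiliates rely on also leaves a clear trail of logon failures. The script below is an added example, not code from Tenable's report or from this article: it scans Windows Security logon-failure events (event ID 4625 with logon type 10, the RemoteInteractive type used by RDP) and flags any source address that exceeds a failure threshold inside a sliding time window. The log lines are constructed samples in a simplified key=value form, and the threshold and window values are assumed tuning choices, not figures from the report.

```python
"""Flag RDP password-guessing from Windows logon-failure events.

Added example; not part of Tenable's report or the article above.
The log lines are constructed samples in a simplified "key=value" form,
not real exported events. Field names mirror Windows Security event 4625
(logon failure) and the LogonType 10 (RemoteInteractive, i.e. RDP) value.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers five accounts in seconds, one user
# mistypes a password twice then succeeds (4624), and one unrelated network
# logon failure (LogonType 3) should be ignored entirely.
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2024-05-01T09:00:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-05-01T09:00:05 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2024-05-01T09:00:08 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2024-05-01T09:00:10 EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2024-05-01T09:00:12 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2024-05-01T09:01:00 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.20
2024-05-01T09:01:09 EventID=4625 LogonType=10 TargetUser=alice SourceIP=198.51.100.20
2024-05-01T09:01:15 EventID=4624 LogonType=10 TargetUser=alice SourceIP=198.51.100.20
2024-05-01T09:02:00 EventID=4625 LogonType=3 TargetUser=fileshare SourceIP=192.0.2.9
"""

FAILURE_THRESHOLD = 5            # assumed tuning value
WINDOW = timedelta(minutes=5)    # assumed tuning value


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    timestamp, *fields = line.split()
    event = {"timestamp": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_bruteforce(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {source_ip: (peak_failures_in_window, distinct_accounts_targeted)}
    for every source whose RDP logon failures reach `threshold` inside `window`."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        # Only failed (4625) RemoteInteractive (LogonType 10) logons count as RDP guesses.
        if event.get("EventID") == "4625" and event.get("LogonType") == "10":
            by_source[event["SourceIP"]].append((event["timestamp"], event["TargetUser"]))

    alerts = {}
    for source_ip, events in by_source.items():
        events.sort()
        peak = 0
        start = 0
        # Sliding window: advance `start` until the window fits, track the largest count seen.
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            accounts = {user for _, user in events}
            alerts[source_ip] = (peak, len(accounts))
    return alerts


if __name__ == "__main__":
    for ip, (count, accounts) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} RDP logon failures against {accounts} accounts")
```

Many distinct target accounts from one source in a short burst is the signature of password spraying rather than a forgotten password, which is why the alert reports both the failure count and the number of accounts tried.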
The list also includes strengthening your employees' passwords, and advises that “password requirements include lengthy and non-dictionary words”. One way to ensure that passwords are sufficiently lengthy without having to remember them is to use a password manager, which will also allow your staff to create unique passwords for all the accounts they own rather than reusing them.
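A policy that asks for “lengthy and non-dictionary words” is easy to state and easy to satisfy badly (“Summer2021!” is long-ish and is not literally a dictionary word). The checker below is an added example, not code from Tenable or from this article; it enforces a minimum length and then strips the digits and punctuation people bolt onto a word and undoes common character substitutions before looking the core up in a dictionary and in a breached-password list. Both word lists are tiny constructed stand-ins for the real files a deployment would load, and the 14-character minimum is an assumed value, since the report only says “lengthy”.

```python
"""Password policy check: length plus a non-dictionary test.

Added example, not Tenable's or this article's code. DICTIONARY and BREACHED
are constructed stand-ins for a real word list and a real breached-password
list; MIN_LENGTH is an assumed policy value.
"""
import re

MIN_LENGTH = 14  # assumed; the report only asks for "lengthy" passwords

# Constructed stand-in for a dictionary file.
DICTIONARY = {"password", "welcome", "summer", "company", "football", "dragon", "letmein"}

# Constructed stand-in for a list of known-breached passwords (compared in full, lowercased).
BREACHED = {"password1", "welcome123", "summer2021", "qwerty123456"}

# Character substitutions that password-guessing tools routinely undo ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def strip_ends(text):
    """Remove leading/trailing digits and punctuation ("summer2021!" -> "summer")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def base_words(password):
    """Candidate core words a password may be built on, in both strip/unleet orders."""
    lowered = password.lower()
    return {
        strip_ends(lowered),
        strip_ends(lowered).translate(LEET),
        strip_ends(lowered.translate(LEET)),
    }


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in breached-password list")
    # Sorted so the reported word is deterministic when several candidates match.
    core = next((w for w in sorted(base_words(password)) if w in DICTIONARY), None)
    if core is not None:
        problems.append(f"built on the dictionary word '{core}'")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2021!", "P@ssw0rd1234567", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The dictionary test is what catches “P@ssw0rd1234567”, which passes the length rule on its own; a password manager sidesteps the whole problem by generating strings with no core word to find.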
With the RaaS market – and the malicious groups that participate in it – showing no signs of slowing, taking the utmost precautions with your data has never been more important.