Ransomware: The rise of Misfortune 500 businesses

Far too many executives and employees think ransomware is a nuisance delivered via an obviously fake phishing email. This misconception leaves companies exposed to attack. Ransomware has become a commodity threat that fosters new tools and technologies; skills and expertise and reputations carrying menacing “street cred.” Unfortunately, technology is sold as a service; skills and expertise are leased across criminal organizations and reputations now ensure victim firms pay six or seven figure ransoms.

We’ve witnessed the rise of “Misfortune 500” organizations in the criminal world. Each organization specializes in various aspects of cyberattacks: creating phishing lures, credential harvesting, initial intrusion, data theft, malware crafting, fencing of stolen information of crypto-laundering, etc. Some operators are small-time independents while others work in loose allegiances. More advanced gangs are funded by nation states and others are ignored with the unspoken understanding that when the time comes, and they are called upon, they will do the bidding of their state.

We know their names: Maze, REvil, Ryuk and so on. According to the CrowdStrike 2020 Global Threat Report, these ransomware gangs earned over $80 million in ransoms. Their success is based on a business model in which these ransomware developers sell access to their technology through a partnership program that splits profits per attack between the developers and the distributors. This business model is not limited to ransomware; it applies to all stages of a cyberattack.

In 2019, another gang, PINCHY SPIDER, advertised its intention to partner with individuals skilled in remote desktop protocol (RDP) and other remote network administration tools and with spammers experienced in corporate networking. The report also highlights the developers of TrickBot, who offer customized modules with government or business themes to identify victims of interest, steal SMS messages containing two-factor authentication (2FA) tokens and broker other exploitation tools.

And this business model is lucrative. A VMware Carbon Black report on global incident responses measures ransomware-as-a-service (RaaS) as a $140 million business. RaaS is growing in popularity because it lowers the entry barriers for prospective cybercrime entrepreneurs. It has the very real potential to increase the “supply” of ransomware operators. The VMware Carbon Black Global Incident Response Threat Report asserts that custom malware is now being used in nearly 50 percent of attacks. This prevalence demonstrates the scale of the dark web malware-as-a-service economy that empowers criminals and other adversaries who lack the sophisticated resources to execute large-scale ransomware attacks.

Recently, the SunCrypt (with allegiances to the Maze cartel) and Netwalker ransomware families joined to create a sustained attack on an education institution. The attack involved multiple entry vectors, remote administrative exploits, diffusion malware and defense deception. While attribution is always challenging, the methodology is remarkably similar to Maze. Initial use (detected and contained) of SunCrypt followed by a pivot to NetWalker could be an attempted demonstration of street credibility for the former group, with a fallback to a trusted and proven RaaS malware: Netwalker.

The evidence of collaboration and revenue sharing is more than anecdotal or circumstantial. They operate with near impunity and have evolved to mimic the business practices of their prey. They collaborate; they specialize and they use best-in-breed technology through a revenue-sharing model and organized channels. The Misfortune 500 trend will only continue to grow in power. Ransomware gangs are now a massive operational threat. Pretending ransomware is still a nuisance is ignoring the risk. In this case, ignorance is not bliss; it’s negligence.