Staying ahead of the “professionals”: The service-oriented ransomware crime industry

Ransomware has been a hugely profitable industry for criminal gangs for the last few years. The total amount of ransom paid since 2020 is estimated to be at least $2 billion, and this has both motivated and enabled the groups who are profiting from this activity to become more professional.

These groups are emulating the legitimate tech ecosystem and seeking greater efficiencies and profits: they outsource common, complex problems; they subcontract work; and they employ freelancers via what could be termed a gig economy of operators. The demand for these services has led to criminal service providers springing up to supply these needs, and in an almost virtuous cycle of malice, this supply of cybercrime services enables the entire cybercrime threat landscape.

Actors can now buy malware, infrastructure, and phishing as a service; they can even easily purchase access to victims from initial access brokers (IABs). This maturing marketplace means that any actor with the motivation (and some cryptocurrency) can purchase effective malicious tools and instructions on how to use them.

What does this mean for defenders?

With the existence of a market for access to victims, security incidents can evolve and change rapidly. The initial actor who compromises a network might sell that access to another actor who specifically wants to target that victim, their vertical, or geographic location.

Suppose an attacker reaches the limit of their technical ability and doesn’t manage to escalate privileges on an edge server. In that case, they can still offer that access for sale, and another more capable actor might then come in and take over where the previous actor failed.

As well as the modular nature of a single compromise in this new, professionalized cybercrime ecosystem, it becomes more difficult to identify the attacker’s goals even if there is no resale or handover of access. Effective malware, ready-made infrastructure, and phishing campaigns can be purchased so the tools, infrastructure and TTPs are no longer a reliable identifier of the active attacker in a security incident.

It becomes harder to know the attacker’s goal

The compromise of an edge server could lead to that server being recruited into a mining pool for crypto-jacking or into a phishing or DDOS botnet. This is bad, but it’s not an existential threat for an organization.

However, the actors looking for those quick wins could now be using the exact same tools and persistent methods as leading multipoint of extortion ransomware groups. It is extremely difficult to differentiate between actors until they are very near to achieving their goals, so every security incident needs to be treated as if it is the most severe and dangerous incident that it could be.

It has been repeatedly observed that when a new vulnerability comes out on a commonly used piece of internet-facing software, multiple actors ranging from crypto-jacking gangs to nation-backed APTs leap into action and configure their mass exploitation infrastructure to target and exploit it. By staying aware of the current threat landscape and the threat intelligence that is out there, organizations can react rapidly to the latest threats.

For a security or infrastructure team, it may well be the worst feeling in the world to find that a network has been compromised through the exploitation of a vulnerability that could have been patched. Though I imagine it is even worse to discover that your network has been compromised because you didn’t patch in time.

Opportunities for defenders do arise from this new landscape, however, if multiple actors are using the same tools and methods, and even if it’s because they are effective and efficient, that is an overlap that can be focused upon. Defenders can equip themselves to face the common tools and tactics, detect and recognize the current popular chains of attacker behavior, and act.

You may not know the end goal of a specific actor in a compromise, but you can:

Know your enemies – Use threat intelligence to stay up to date on the popular tools, methods, and goals of attackers. The current big trends are for initial access via phishing or exploitation of externally accessible vulnerable services.

Actions on target are often achieved by living off the land, i.e., abusing already present operating system tools and the use of common commodity post-exploitation frameworks such as Cobalt Strike, Metasploit, and Sliver. Common goals for attackers are info-stealing (IABs partially come under this), fraud, and extortion (i.e., ransomware).

Know your vulnerabilities – What are your external surfaces through which you can be targeted? Unpatched web, email, and application servers have always been big targets. Still, even network infrastructure, such as firewalls from big-name brands, have been found to contain vulnerabilities that have been exploited. What are the attack paths through your estate to your valued assets? Are there controls in place around access to sensitive information, or are you running an open flat network? Are you running any legacy systems, ICS or IoT devices?

Act first – Implement pre-emptive detections and controls for those common tools, methods, and paths, as well as access controls and restrictions around data and functions. Monitor for unusual activity on your estate, implement and pay attention to machine learning-based behavioral detections, or get a managed detection and response (MDR) service to do it for you. Proactively educate your user base and set policies and procedures that make clear their responsibilities and align with your technical controls. Apply security patches as soon as possible.

Have a incident response plan – If you have threat intelligence, self-awareness, controls, and policies, you can devise a plan of action for your organization to follow in the event of an incident.

Unpredictable situations and curve balls will still occur during a security incident, but if you have done the bulk of the work already, you can take action much quicker and then be able to focus on the unpredictable edge cases.