Thursday, 03 December 2020 07:32

Windows ransomware attackers teaming up with those selling access: claim

Image by Gerd Altmann from Pixabay

Security firm Intel 471 claims to have discovered a pattern in ransomware attacks over the past 18 months, with a growing interdependence between the actual attackers and those who sell access to compromised systems.

In a blog post, the company said criminals in underground forums would advertise that they had access to various companies. The credentials on offer would then be sold to the highest bidder or a deal would be struck with a ransomware affiliate to share in any profits from a successful attack.

"These partnerships have resulted in a flourishing sub-market, where access to corporate networks is sold for six-figure sums directly or via a partnership and cut of paid ransoms," the post said.

Compromised credentials were claimed to come from people exploiting common flaws that had not been patched, either in operating systems like Windows, or else in other common software like VPNs or RDP endpoints.

"Additionally, credential information can come from logs tied to infostealer malware, password spraying or other credential marketplaces in the criminal underground," Intel 471 said.

"Instances show that anywhere from one week to six months after access is obtained and advertised, other known actors on various underground forums look to use or purchase that access to launch ransomware attacks.

"The targets run the gamut of regions and economic sectors, with the pattern playing out in ransomware attacks on every continent."

The company said one of the most well-known attacks to fit this pattern was an attack on Mexican state-run oil company Pemex in November 2019. In this case, the attackers used the Windows DoppelPaymer ransomware and demanded a ransom of US$4.5 million (A$6.1 million).

The company said it had discovered that, beginning in June 2019, a separate actor was advertising access to 1500 Pemex servers and personal computers, as well as administrator privileges to the company’s domains, for US$150,000.

"That transaction was facilitated through a third-party escrow service, which allows criminals to move money in order to shield themselves from making direct contact with the actors who are carrying out the crimes," Intel 471 claimed.

Citing another case, the company said another actor it had been tracking had begun making inquiries about access to ransomware-as-a-service operators, saying that the use of ransomware would yield much better returns than just selling access.

"Days after this, Intel 471 learned the actor obtained and modified a version of Thanos, and allegedly deployed it against US businesses," the company said, without specifying when this alleged incident had taken place.

"Over the last three months, this actor has frequently tried to sell access to compromised organisations, which range in location, size, and economic sector."

One more aspect of this method was that such tie-ups were not exclusive. "Data from Intel 471 shows this pattern following attacks carried out with popular ransomware variants, such as DoppelPaymer, Maze, NetWalker, Ryuk and REvil, as well as lesser-known variants like LockBit, Nefilim, Pysa and Thanos," the company said.

It claimed the sharp rise in ransom payments had helped those who were selling access no end. "In years past, a large ransom payout would earn attackers somewhere between five- and six-figure sums. Now, it’s becoming increasingly common for attackers to demand seven- and eight-figure ransoms, partly due to the need to pay off actors that have helped them obtain access to the victim’s system.

"One such attack drives home this point: Intel 471 obtained a chat log from a ransomware attack launched last month [November] where a company — a US-based healthcare provider — offered to pay a ransom of just under US$400,000.

"Despite the company’s quick response, the ransomware crew was insulted by the offer and threatened to dump the entire cache of stolen documents unless the figure was pushed several million dollars higher. With their backs against the wall, the company eventually settled to pay $2 million in bitcoin."

Whether this pattern would continue indefinitely was not predictable, Intel 471 said. "...[we have] observed actions in underground marketplaces that show RaaS groups are beginning to undercut access merchants, by either purchasing their own credential-stealing malware or recruiting teams that specialise in obtaining access. Use of access merchants may not disappear completely, but the extent of their popularity could diminish."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
