Thursday, 03 December 2020 07:32

Windows ransomware attackers teaming up with those selling access: claim

Image by Gerd Altmann from Pixabay

Security firm Intel 471 claims to have discovered a pattern in ransomware attacks over the past 18 months, with a growing inter-dependence between the actual attackers and those who sell access to compromised systems.

In a blog post, the company said criminals in underground forums would advertise that they had access to various companies. The credentials on offer would then be sold to the highest bidder or a deal would be struck with a ransomware affiliate to share in any profits from a successful attack.

"These partnerships have resulted in a flourishing sub-market, where access to corporate networks is sold for six-figure sums directly or via a partnership and cut of paid ransoms," the post said.

Compromised credentials were claimed to come from people exploiting common flaws that had not been patched, either in operating systems like Windows, or else in other common software like VPNs or RDP endpoints.

"Additionally, credential information can come from logs tied to infostealer malware, password spraying or other credential marketplaces in the criminal underground," Intel 471 said.

"Instances show that anywhere from one week to six months after access is obtained and advertised, other known actors on various underground forums look to use or purchase that access to launch ransomware attacks.

"The targets run the gamut of regions and economic sectors, with the pattern playing out in ransomware attacks on every continent."

The company said one of the most well-known attacks to fit this pattern was an attack on Mexican state-run oil company Pemex in November 2019. In this case, the attackers used the Windows DoppelPaymer ransomware and demanded a ransom of US$4.5 million (A$6.1 million).

The company said it had discovered that, beginning in June 2019, a separate actor was advertising access to 1500 Pemex servers and personal computers, as well as administrator privileges to the company’s domains, for US$150,000.

"That transaction was facilitated through a third-party escrow service, which allows criminals to move money in order to shield themselves from making direct contact with the actors who are carrying out the crimes," Intel 471 claimed.

Citing another case, the company said another actor it had been tracking had begun making inquiries about access to ransomware-as-a-service operators, saying that the use of ransomware would yield much better returns than just selling access.

"Days after this, Intel 471 learned the actor obtained and modified a version of Thanos, and allegedly deployed it against US businesses," the company said, without specifying when this alleged incident had taken place.

"Over the last three months, this actor has frequently tried to sell access to compromised organisations, which range in location, size, and economic sector."

One more aspect of this method was that such tie-ups were not exclusive. "Data from Intel 471 shows this pattern following attacks carried out with popular ransomware variants, such as DoppelPaymer, Maze, NetWalker, Ryuk and REvil, as well as lesser-known variants like LockBit, Nefilim, Pysa and Thanos," the company said.

It claimed the sharp rise in ransom payments had helped those who were selling access no end. "In years past, a large ransom payout would earn attackers somewhere between five- and six-figure sums. Now, it’s becoming increasingly common for attackers to demand seven- and eight-figure ransoms, partly due to the need to pay off actors that have helped them obtain access to the victim’s system.

"One such attack drives home this point: Intel 471 obtained a chat log from a ransomware attack launched last month [November] where a company — a US-based healthcare provider — offered to pay a ransom of just under US$400,000.

"Despite the company’s quick response, the ransomware crew was insulted by the offer and threatened to dump the entire cache of stolen documents unless the figure was pushed several million dollars higher. With their backs against the wall, the company eventually settled to pay $2 million in bitcoin."

Whether this pattern would continue indefinitely was not predictable, Intel 471 said. "...[we have] observed actions in underground marketplaces that show RaaS groups are beginning to undercut access merchants, by either purchasing their own credential-stealing malware or recruiting teams that specialise in obtaining access. Use of access merchants may not disappear completely, but the extent of their popularity could diminish."



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
