Thursday, 03 December 2020 07:32

Windows ransomware attackers teaming up with those selling access: claim

By Sam Varghese

Security firm Intel 471 claims to have discovered a pattern in ransomware attacks over the past 18 months, with a growing inter-dependence between the actual attackers and those who sell access to compromised systems.

In a blog post, the company said criminals in underground forums would advertise that they had access to various companies. The credentials on offer would then be sold to the highest bidder or a deal would be struck with a ransomware affiliate to share in any profits from a successful attack.

"These partnerships have resulted in a flourishing sub-market, where access to corporate networks is sold for six-figure sums directly or via a partnership and cut of paid ransoms," the post said.

Compromised credentials were claimed to come from people exploiting common flaws that had not been patched, either in operating systems like Windows, or else in other common software like VPNs or RDP endpoints.

"Additionally, credential information can come from logs tied to infostealer malware, password spraying or other credential marketplaces in the criminal underground," Intel 471 said.

"Instances show that anywhere from one week to six months after access is obtained and advertised, other known actors on various underground forums look to use or purchase that access to launch ransomware attacks.

"The targets run the gamut of regions and economic sectors, with the pattern playing out in ransomware attacks on every continent."

The company said one of the most well-known attacks to fit this pattern was an attack on Mexican state-run oil company Pemex in November 2019. In this case, the attackers used the Windows DoppelPaymer ransomware and demanded a ransom of US$4.5 million (A$6.1 million).

The company said it had discovered that, beginning in June 2019, a separate actor was advertising access to 1500 Pemex servers and personal computers, as well as administrator privileges to the company’s domains, for US$150,000.

"That transaction was facilitated through a third-party escrow service, which allows criminals to move money in order to shield themselves from making direct contact with the actors who are carrying out the crimes," Intel 471 claimed.

Citing another case, the company said another actor it had been tracking had begun making inquiries about access to ransomware-as-a-service operators, saying that the use of ransomware would yield much better returns than just selling access.

"Days after this, Intel 471 learned the actor obtained and modified a version of Thanos, and allegedly deployed it against US businesses," the company said, without specifying when this alleged incident had taken place.

"Over the last three months, this actor has frequently tried to sell access to compromised organisations, which range in location, size, and economic sector."

One more aspect of this method was that such tie-ups were not exclusive. "Data from Intel 471 shows this pattern following attacks carried out with popular ransomware variants, such as DoppelPaymer, Maze, NetWalker, Ryuk and REvil, as well as lesser-known variants like LockBit, Nefilim, Pysa and Thanos," the company said.

It claimed the sharp rise in ransom payments had helped those who were selling access no end. "In years past, a large ransom payout would earn attackers somewhere between five- and six-figure sums. Now, it’s becoming increasingly common for attackers to demand seven- and eight-figure ransoms, partly due to the need to pay off actors that have helped them obtain access to the victim’s system.

"One such attack drives home this point: Intel 471 obtained a chat log from a ransomware attack launched last month [November] where a company — a US-based healthcare provider — offered to pay a ransom of just under US$400,000.

"Despite the company’s quick response, the ransomware crew was insulted by the offer and threatened to dump the entire cache of stolen documents unless the figure was pushed several million dollars higher. With their backs against the wall, the company eventually settled to pay $2 million in bitcoin."

Whether this pattern would continue indefinitely was not predictable, Intel 471 said. "...[we have] observed actions in underground marketplaces that show RaaS groups are beginning to undercut access merchants, by either purchasing their own credential-stealing malware or recruiting teams that specialise in obtaining access. Use of access merchants may not disappear completely, but the extent of their popularity could diminish."

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
