Ransomware attacks are like a multi-level marketing scheme run by criminals whose loyalties change in response to shifting incentives involving cost and profit, according to a cybersecurity expert who has published a report on ransomware gangs.
Initial access brokers sell back doors that provide a foothold within networks to ransomware gangs, which hold data and systems hostage until victims pay. Several gangs operate on a ransomware-as-a-service model in which the developers of the malicious software share a portion of victims’ payments with the affiliates who carry out the attacks.
Chad Anderson, a researcher at cybersecurity firm DomainTools, released a new report mapping ransomware gangs in the hope that network defenders will better understand what they are up against.
“DomainTools researchers feel it is important to remind readers that all of these groups make alliances, share tools, and sell access to each other,” Anderson wrote in the report. “Nothing in this space is static, and although there is a single piece of software behind a set of intrusions, it is likely that there are several different operators using that same piece of ransomware that will adjust its operation to their designs.”
The three ransomware families responsible for the highest number of victims, according to the report, are Conti; Maze and Egregor; and REvil, which is also known as Sodinokibi.
Conti was first observed in December 2019. What makes it unique is the speed of its attacks, DomainTools said. By the time network defenders notice a Conti infection on any machine, it’s too late to fight back, Anderson said.
Two months ago, the FBI issued an alert saying it had observed 16 Conti ransomware attacks “targeting US first aid and medical care networks” during the previous year. Of the more than 400 organizations affected by Conti, 290 were in the United States, the FBI said.
The Maze ransomware group infected so many systems that its victim count still ranks in the top 10 infections of all time despite the gang announcing their “retirement” in November 2020, according to Anderson’s report. Many of the Maze affiliates moved into a ransomware group called Egregor.
REvil recently made headlines when the FBI blamed it for the cyberattack on top meat producer JBS. Anderson’s report noted that REvil’s software hides its workings to make analysis difficult for reverse engineers and described the malware as “particularly sinister.”
Given the difficulty of fighting a ransomware attack once it has started, Anderson urged network defenders to focus on the weaknesses that initial access brokers exploit.
“The problematic space to search for a robust defense solution is not necessarily the ransomware itself, but the initial access methods through spam email campaigns, brute force attacks, and vulnerability management,” Anderson said. “Seldom are the affiliates behind the ransomware infection actually the same entity that acquires the initial access.”
While ransomware gangs are rampant, the US remains the nation best positioned to respond and is in a league of its own in the cyber arena, according to the International Institute for Strategic Studies. The think tank’s analysis of cyber capabilities and national power, released this week, placed the US alone in the highest tier, followed by a second tier that includes a host of allies and adversaries, including the UK, Australia, Canada, Russia, China, France and Israel.
The analysis measured the cyber capabilities of nations across several categories involving strategy, cyber offense and defense, intelligence capabilities, and governance. The United States maintains world-leading strengths in all categories.
Ransomware gangs operating from the US are likely to be caught by law enforcement. If other countries took a tougher line against the groups, finding the criminals would be much less difficult, Anderson said.
“In general, ransomware, and in particular the type where it exfiltrates a large amount of data that it then uses for double extortion, is extremely noisy,” Anderson told The Washington Times. “You have to configure an infrastructure to carry that, you have to configure an infrastructure that can store all that data. And once the infrastructure starts to be phased out or those servers are found and they can be duplicated, people will be able to see where you’re coming from very quickly.”