Ransomware-as-a-Service (RaaS), where do we go from here?
Paul J. M.
Executive Decision Support | Creative Force Multiplier | Unconventional Problem Solver | Cyber Nerd | OSINT Enthusiast | Lifelong Learner
Gone are the days when every attacker had to be a seasoned programmer, or had to be knowledgeable enough to handle every aspect of a successful attack. An ecosystem of operators and affiliates has formed, similar to the fatal terrorism triangle of the “willful doer”, the “financier” and the “knowledge provider”, and the illicit cyber arena has been undergoing a significant change over the last few years.
The current model is divided between:
Some may say, “So what?” Let’s explore each of these roles and how, when combined, they form an end-to-end operational capability.
It all started with the mainstream introduction of IABs (circa 2020). These mid-tier operators specialize in gaining initial network access (of varying types), which they then offer for sale. This is often accomplished by activities ranging from phishing and other direct social engineering attempts, to exploiting system vulnerabilities or misconfigurations, to active insider recruitment. From Intel471’s research we know there is typically a 13-79 day period from the initial IAB listing to an associated ransomware event.
In contrast to IABs, RaaS syndicates are generally made up of highly technical individuals who author the malware that ultimately gets leveraged in an attack.
As if this isn’t worrisome enough, there is also a suite of services offered (at a price) for during-attack or post-extortion support. These supporting operators offer other enabling services such as (but not limited to):
The combination of IABs, RaaS and the supporting operators represents the equivalent of the “knowledge provider” in the aforementioned fatal terrorism triangle. Affiliates, typically less technically savvy, can leverage this ecosystem to accomplish targeted attacks, the only requirements being the financial means to pay for the capabilities, a specific target, and the will to act.
In this new ecosystem, the majority of communications occur in more anonymized channels, and sadly there are multiple options/providers. To further complicate things, specific groups such as Lapsus$ have also been seen moving to closed group forums on Telegram (December 2021). These points render the historical methodology of combating terrorism somewhat useless without both early warning and constant observation. That said, let’s explore the options:
1) Identify and disrupt the RaaS syndicates
2) Identify and disrupt IAB operators
3) Identify and disrupt/arrest the other supporting operators
4) Identify and arrest the Affiliates
Similar to the pyramid of pain, not every option has the same impact on the ecosystem overall: moving up the pyramid gets more challenging with each level, and almost all disruption requires some type of law enforcement involvement, with a few notable exceptions.
With this conceptually in frame, let’s review the highlight reel from the last few years. According to Cisco Talos, currently ~8 groups make up ~75% of the posts on data leak sites. With the emergence of new groups on almost a daily basis, and the public leak of highly effective source code, attribution and disruption are going to become more complex in the future.
Until very recently, I would have said Lockbit 3.0 was in the lead as the most pervasive RaaS syndicate; that statement may have stuck until a disgruntled former developer leaked the group’s source code. As a result, many less technical actors can now build their own variants. This pivot has already been witnessed, as Bl00dy Gang has started using the Lockbit 3.0 code in more recent attacks.
Behind Lockbit 3.0, 2022 also saw HIVE as a capable malicious operation, collectively extorting more than $100M from over 1,300 companies globally in over 80 countries.
These groups are always looking for new ways to ensure ransom payment, from legacy tactics such as public shaming to double extortion, and they may also resell access post-payment to other groups within the cyber crime ecosystem. HIVE operators specifically have been observed reinfecting victim systems with either HIVE or other ransomware variants. HIVE also presents a good example of the added pressure the intelligence and law enforcement communities have recently placed on ransomware groups, as encryption keys were obtained by the FBI to aid victim recovery efforts. This effort is a great example of how added law enforcement pressure is changing the cyber criminal ecosystem.
An important point: these RaaS syndicates are made up of human beings who have morals, values and specific loyalties. This was illuminated by the Conti Gang’s meltdown due to opposing political views related to Russia’s invasion of Ukraine. The most prolific spin-off of Conti became BlackBasta. Although BlackBasta typically relies on the Qbot trojan and leverages the PrintNightmare vulnerability, in June they introduced a new file encryptor for Linux systems, primarily targeting VMware ESXi virtual machines.
Lockbit and HIVE both quickly followed suit, either by creating a Linux encryptor variant or by leveraging new ransomware written in cross-platform programming languages. Strains like ALPHV (BlackCat), written in Rust, are becoming more common, as are some written in Go.
Other new adaptations seen in the wild include the rise of intermittent encryption, where only small parts of each file are encrypted, making the process much more evasive while still rendering the file unusable. Proofs of concept have been released for LNK files that no longer require a C2 beacon/response in order to execute the intended malware. More recent claims even include things like the AI-powered malware BlackMamba, which generates polymorphic code to evade the more traditional forms of anti-virus software.
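Because intermittent encryption leaves most of a file readable, whole-file entropy checks miss it; a per-chunk entropy profile that looks for high-entropy stripes interleaved with normal content catches it. The following is an added defender-side example, not code from the article or from any ransomware family; the sample document and the chunk-overwrite routine are constructed stand-ins, and the 4 KiB chunk size and 7.0 bits/byte threshold are assumptions to tune per environment.

```python
import math
import random
from collections import Counter

CHUNK = 4096          # assumed scan granularity (bytes)
HIGH_ENTROPY = 7.0    # assumed threshold; ciphertext sits near 8.0 bits/byte


def chunk_entropy(data: bytes) -> float:
    """Shannon entropy of one chunk, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob: bytes) -> list:
    """Entropy of every CHUNK-sized slice, in file order."""
    return [chunk_entropy(blob[i:i + CHUNK]) for i in range(0, len(blob), CHUNK)]


def classify(blob: bytes) -> str:
    """'plaintext', 'fully-encrypted', or 'intermittent' (a mix of both)."""
    flags = [e >= HIGH_ENTROPY for e in entropy_profile(blob)]
    if not any(flags):
        return "plaintext"
    if all(flags):
        return "fully-encrypted"
    return "intermittent"


# --- constructed sample data: a repetitive text document (low entropy) ---
def make_document(n_chunks: int = 16) -> bytes:
    line = b"Quarterly report: revenue, headcount and forecast notes.\n"
    size = CHUNK * n_chunks
    return (line * (size // len(line) + 1))[:size]


def simulate_intermittent(blob: bytes, every: int = 4, seed: int = 7) -> bytes:
    """Overwrite every `every`-th chunk with pseudo-random bytes as a stand-in for ciphertext."""
    rng = random.Random(seed)
    out = bytearray(blob)
    for idx in range(0, len(blob) // CHUNK, every):
        start = idx * CHUNK
        out[start:start + CHUNK] = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return bytes(out)


if __name__ == "__main__":
    doc = make_document()
    print(classify(doc), classify(simulate_intermittent(doc)),
          classify(simulate_intermittent(doc, every=1)))
```

Already-compressed formats (zip, docx, jpeg) are high-entropy by nature, so apply the heuristic only to file types with a known low-entropy baseline or compare against a clean copy.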
Despite these seemingly more exotic new developments, the FBI’s IC3 confirms that the most common attack vectors still include social engineering/phishing, exploiting legacy vulnerabilities in unpatched systems, and Remote Desktop Protocol (RDP) exploitation. This static list has remained mostly unchanged for years, even with industry best practices harping on the need for phishing-resistant MFA, getting a handle on vulnerability management, and locking down ports like 3389 altogether or, at a minimum, limiting access to specific IPs.
Beyond the technical woes, there are also disruption-related challenges that crop up in the form of other organizations’ legitimate infrastructure being used to perpetuate an attack, or whitelisted internal tools getting leveraged in living-off-the-land (LOTL) attacks.
In LOTL, instead of signature-detectable malware files performing the attack-related functions, threat actors leverage tools already present in the environment such as Mimikatz, Windows Management Instrumentation (WMI), or PowerShell. Fileless ransomware writes malicious code directly into memory or leverages malicious code embedded in macros or other native scripting languages.
By the end of 2022, the majority (71% according to CrowdStrike, up from 62% the prior year) of detections were malware-free. These types of attacks are becoming more popular due to their inherent detection evasion capability, but this evolution also creates a larger challenge when considering attribution: if legitimate tools are used (many are whitelisted), there are no uniquely identifiable signatures. Often this allows threat actors to operate within victim networks unobstructed for extended dwell times.
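When there is no malicious file to hash, detection has to move to process behaviour: which legitimate tool was launched, by whom, and with what arguments. The following is an added example of that kind of LOTL heuristic run over Sysmon-style process-creation events; it is not code from the article, the event lines are constructed (not real telemetry), and the field names `host`, `image`, `parent` and `cmd` are assumed for the sake of the example.

```python
import json
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (JSON lines); not real telemetry.
SAMPLE_EVENTS = r"""
{"host":"ws01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","cmd":"powershell.exe -nop -w hidden -enc QQBCAEMA"}
{"host":"ws02","image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmd":"cmd.exe /c wscript.exe C:\\Users\\Public\\update.vbs"}
{"host":"ws03","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\explorer.exe","cmd":"powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"(?i)\s-(e|en|enc|encodedcommand)\b")   # base64-wrapped script
HIDDEN_FLAG = re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")        # no console shown to user


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the heuristics this event trips (empty list = nothing suspicious)."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    hits = []
    if image == "powershell.exe":
        if ENCODED_FLAG.search(cmd):
            hits.append("powershell-encoded-command")
        if HIDDEN_FLAG.search(cmd):
            hits.append("powershell-hidden-window")
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        hits.append("wmi-spawned-script-host")      # execution brokered through WMI
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")   # macro-style fileless delivery
    return hits


def scan(events_text: str) -> Dict[str, List[str]]:
    """Map host -> heuristic names, for every event that tripped at least one."""
    findings: Dict[str, List[str]] = {}
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        hits = check_event(ev)
        if hits:
            findings.setdefault(ev["host"], []).extend(hits)
    return findings


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, hits)
```

The third event (an administrator running a script from Explorer) produces no finding, which is the point: the rules key on parent/child relationships and argument patterns rather than on the tool itself, since the tool is legitimate and whitelisted.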
The proliferation of RaaS, the constantly evolving threat tactics and the ever-expanding world of technology together create a challenge for threat intelligence teams and make proactive monitoring for early warning critical.
For more threat intelligence-related content, please check out Nisos.com.