Microsoft is spotlighting ransomware (RaaS) as a service. This is a criminal corporate style that relies on gig workers, is structured around profit sharing, and reduces the risk borne by a single actor.
Microsoft’s security team tracks over 35 unique ransomware families and 250 threat actors across nations, ransomware, and criminal activity. RaaS is said to be a gig economy involving multiple parties around the three main pillars.
“Just as our traditional economy has shifted to gig workers for efficiency, criminals rent or sell tools for some of their profits rather than carrying out attacks themselves. By doing so, we are learning to work and reduce risk. ” Microsoft Security states in a blog post..
“This industrialization of the cybercrime economy has made it easier for attackers to carry out attacks using off-the-shelf penetration testing and other tools,” he said.
RaaS has made Microsoft look at attacks differently. This is not one attacker, but many attackers. In other words, identifying the ransomware family itself does not give the defender a complete picture of the threats on the network.
For example, stealing data from a target may be performed by one group for double blackmail, while another group is responsible for developing the ransomware payload and another RaaS affiliate is responsible for the specific ransomware payload. May be expanded. In other words, knowing that you’ve been the victim of some type of ransomware gives you only half the picture. Defenders waste time chasing the wrong signal.
“Payload-based attribution is due to the’Conti Group’, many of the activities that led to the deployment of Conti ransomware, even though many affiliates had very different tradecraft, skills, and reporting structures. It meant doing, “says Microsoft.
“Some Conti affiliates used tools provided by RaaS to perform small intrusions, while others used proprietary techniques and tools to include data theft and blackmail for weeks. You have performed an operation over. ”
Researcher at security company Intel 471 Recently details Working with members of the Conti Group and LockBit 2.0, Maze, and Ryuk gangs, we will improve cryptographic algorithms and ransom notes, and contract with developers from other groups to build new ransomware.
Broadly speaking, the key actors in RaaS include operators who develop and maintain ransomware payloads and payment portals to communicate with victims. An access broker that puts your network at risk and sells access to RaaS affiliates. A RaaS affiliate that performs ransomware attacks, steals data, moves laterally over compromised networks, and survives on the system.
Ransomware is really dangerous in the “hands-on-keyboard phase”. “Once the attack reaches the active attack stage of deleting backups or shadow copies, the attack ends within minutes of deploying the ransomware,” Microsoft said.
By this stage, attackers may have stolen data, and defenders prioritize investigating alerts and detecting tools such as Cobalt Strike to contain human enemies before deploying ransomware. In order to do so, you need to start the Incident Response (IR) procedure quickly.
Other parties in this economy may handle leak sites to share fragments of data stolen from victims. Other extortion services include leak site hosting, decryption negotiation, payment processing, and cryptocurrency transaction services.
Microsoft estimates that if an access broker puts 2,500 potential victims at risk, about 60 victims will encounter activities related to known ransomware attackers. Approximately 20 of these victims have been successfully compromised, and one of these organizations has confirmed that the actual ransomware payload is deployed on the network.
Microsoft has rated Trickbot, which it has been tracking as DEV-0193 since October 2020, as today’s “most prolific” ransomware group. Responsible for the development, distribution and maintenance of Trickbot, Bazaloader, and Anchor DNS payloads. The group also managed the Ryuk RaaS program before shutting down in June 2021 and also managed Ryuk’s successor, Conti. According to Microsoft, DEV-0193 also employs developers from Emotet, Qakbot, and IcedID.
Microsoft’s report also includes ELBRUS (also known as FIN7), which collects payment card information using point-of-sale (POS) and ATM malware. We introduced MAZE and REvil RaaS in 2020, but after that we developed Dark Side as our own RaaS ecosystem, abolished it in May 2021, replaced it with Black Matter in July, and abolished it in November.
“The tendency to report ransomware incidents based on payload and attribute them to monolithic gangs often obscures the true relationship between attackers. This is very accurate for DarkSideRaaS. “Microsoft says.
Microsoft has never seen ELBRUS running a RaaS program today, but states that it is “very aggressive in endangering organizations through phishing campaigns” that leads to JSSLoader and Griffon malware. Microsoft has also seen groups exploit CVE-2021-31207 (a low-privilege ProxyShell bug) in Exchange to be promoted to high system-level privileges in victims’ organizations in April 2022.
The BlackCat Ransomware Gang is another notable RaaS affiliate actor. It appeared in November 2021 and was created by an “access broker” that previously sold access to multiple RaaS groups, including BlackMatter. According to Cisco Talos researchers..
The group that Microsoft is tracking as DEV-0504 is currently deploying BlackCat, but previously deployed Ryuk, Revil, Lockbit 2.0, BlackMatter, and Conti. Microsoft says that if one RaaS program shuts down, it will move to another RaaS program.
Most of these RaaS groups are believed to operate in Russia, but Microsoft has created its own DEV-0401.Based in China Recently, VMWare Horizon’s Log4j2 CVE-2021-44228 has begun to target a “lonely wolf has become a LockBit 2.0 affiliate.”
“DEV-0401 maintains its own ransomware payload and is frequently rebranded, so it appears as a different group in payload-driven reports, avoiding detection and action against them,” Microsoft said.
Microsoft’s greatest advice to organizations is to protect their credentials.
“More than malware, attackers need credentials to succeed. In almost every successful ransomware deployment, the attacker has a consistent domain administrator-level account or local throughout the environment. I was able to access the administrator password, “says Microsoft.
Attackers can deploy ransomware through Group Policy or tools such as PsExec (or clones such as PAExec, CSExec, WinExeSvc), but multiple ransomware without the credentials to provide administrative access on the network. It is much more difficult to spread to the system of.
“Because compromised credentials are so important to these attacks, when cybercriminals sell unauthorized access to the network, the price often includes the first guaranteed administrator account. “Microsoft says.