Researchers from Venafi and Forensic Pathways analyzed nearly 35 million dark web URLs – including forums and marketplaces – between November 2021 and March 2022 and discovered 475 web pages listing ransomware strains, ransomware source code, custom build and development services, and ransomware-as-a-service (RaaS) offers.
A large number of ransomware tools
The researchers identified 30 different families of ransomware listed for sale on the pages, and found advertisements for well-known variants such as DarkSide/BlackCat, Babuk, Egregor and GoldenEye that had previously been linked to attacks on high-profile targets. The prices for these proven attack tools tend to be much higher than those of lesser-known variants.
For example, a custom version of DarkSide – the ransomware used in the Colonial Pipeline attack – was priced at $1,262, compared to some variants that were available for as little as $0.99. Meanwhile, the Babuk ransomware source code was listed at $950, while the Paradise variant source code sold for $593.
says Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi.
Bocek says the success that threat actors have had with variants like Babuk, which was used in an attack on the Washington, D.C. Police Department last year, has made the source code more attractive. “So you can see why threat actors would want to use the strain as a basis for developing their ransomware variant.”
No experience necessary
Venafi researchers found that in many cases, the tools and services available through these marketplaces — including step-by-step tutorials — are designed to allow attackers with minimal technical skills and experience to launch ransomware attacks against victims of their choosing.
“The research found that ransomware strains can be purchased directly on the Dark Web, but some ‘vendors’ also offer additional services such as technical support and paid add-ons, such as non-kill processes for ransomware attacks, as well as tutorials,” says Bocek.
Other vendors have reported increasing use of initial access services by ransomware actors to gain a foothold on a target network. Initial access brokers (IABs) are threat actors who sell access to previously compromised networks to other threat actors.
Initial access brokers thrive in the underground economy
A study conducted by Intel471 earlier this year found a growing correlation between ransomware actors and IABs. Among the most active players in this space are Jupiter, a threat actor seen providing access to as many as 1,195 compromised networks in the first quarter of the year, and Neptune, which listed more than 1,300 access credentials for sale in the same time frame.
Avaddon, Pysa/Mespinoza, and BlackCat are among the ransomware operators spotted by Intel471 using these services.
Access is often provided via compromised Citrix, Microsoft Remote Desktop and Pulse Secure VPN credentials. Trustwave’s SpiderLabs, which monitors prices for various products and services on the dark web, describes VPN credentials as the most expensive listings on underground forums. Depending on the seller, VPN access prices can run as high as $5,000 – and even higher – based on the type of organization and the level of access provided.
Bocek says, “I expect to see a ransomware revolution continue as it has done over the past few years. Abuse of device identities will also cause ransomware to move from infecting individual systems to taking over entire services, such as a cloud service or a network of IoT devices.”
Meanwhile, another study released this week – a mid-year threat report by Check Point – shows that the ransomware scene is far more crowded with players than is generally perceived. Check Point researchers analyzed data from the company’s incident response engagements and found that while some ransomware variants – such as Conti, Hive and Phobos – were more common than others, they were not responsible for the majority of attacks. In fact, 72% of the ransomware incidents that Check Point engineers responded to involved a variant they had encountered only once previously.
“This suggests that, contrary to some assumptions, the ransomware landscape is not dominated by a few large groups, but is in fact a fragmented ecosystem of many smaller players that are not as well advertised as larger groups,” according to the report.
Check Point – like Venafi – has described ransomware as continuing to present the greatest risk to enterprise data security, as it has in the past several years. The security vendor’s report highlighted campaigns such as the Conti group’s ransomware attacks on Costa Rica (and later on Peru) earlier this year as examples of how threat actors have expanded their targeting, seeking financial gain.
Big ransomware fish may go underground
Many large ransomware groups have grown to the point where they employ hundreds of hackers, have hundreds of millions of dollars in revenue, and can invest in things like research and development teams, quality assurance programs, and specialized negotiators. Increasingly, larger ransomware groups are beginning to gain the capabilities of nation-state actors, Check Point warns.
At the same time, the widespread attention that such groups are beginning to attract from governments and law enforcement is likely to encourage them to keep a low profile, Check Point says. For example, the US government offered a reward of $10 million for information leading to the identification and/or capture of Conti’s members, and $5 million for information on groups using Conti. That pressure is believed to have contributed to the Conti group’s decision earlier this year to cease operations.
“There will be a lesson learned from the Conti ransomware saga,” Check Point says in its report. “Its size and strength have drawn a lot of attention, and it is now floundering. Going forward, we think there will be many small and medium groups rather than a few large ones, so that they can more easily slip under the radar.”