This week... Top 5 malware of March 2021
19 May 2021
SC Media | The CyberSecurity Source
Ransomware 2021: criminal business models and payment realities
In part one of this ransomware special, Davey Winder talks to experts about the rise of criminal cooperation, how this has propelled ransomware to the top of the attack tree and analyses how organisations should respond…

The Colonial Pipeline attack and another which severely disrupted the Irish Health Service have one thing in common (beyond being despicable): they were both the result of ransomware-as-a-service (RaaS) operations.

This area of criminal cooperation has become the norm for threat actors, but what are the business mechanics at play? How does it change the risk to business? And can it survive these high-profile attacks on critical infrastructure?

Four years to the week after WannaCry caused major disruption to the NHS, the Irish Health Service had to cancel outpatient appointments when a ransomware attack forced the Health Service Executive (HSE) to shut down its IT network.

This came just a week after another ransomware attack, on Colonial Pipeline, severely disrupted fuel supplies in parts of the US.

Unlike WannaCry, there were no ‘spray and pay’ tactics behind these attacks and no worm capability to spread the infection: these were highly targeted intrusions carried out by affiliates of the Conti and DarkSide RaaS operations respectively.

What is RaaS?
The RaaS business model has two parties: the cybercriminal organisation that develops the malware code itself, the back-end infrastructure it runs on and a management system for it; and the affiliates who employ that malware in attacks.

These affiliates, usually recruited through dark web crime forums, take responsibility for infiltrating a target network and installing the ransomware code. "Once the ransomware is successfully delivered into the victim’s environment, it will often auto-execute," James Weston, principal consultant of cyber and digital at Gemserv, explains.

"At this point, the affiliate may have access to a control server or dashboard allowing them to monitor the attack in progress as well as interact with the victim through encrypted messaging channels, emails, or chat functions."

Are you wearing a wire?
There is a fair degree of vetting involved when it comes to taking on ransomware affiliates, not only in an attempt to prevent law enforcement infiltration, but also to ensure the highest financial returns.

"Ransomware operators are looking for the best affiliates who can provide the most lucrative accesses while affiliates are looking to use the most effective ransomware," Tim Mitchell, senior security researcher at Secureworks, told SC Media UK.

"All RaaS operations split the profits of a successful ransom according to a pre-arranged share," he says, with the division of proceeds usually depending on "the affiliate’s experience, the type of access they have provided, the revenue of the victim organisation and, ultimately, the size of the payout”.

DarkSide, for example, ran a sliding scale: the operators' cut was 25% of ransom payments of $500,000 or below and 10% of payments of $5 million or more, with intermediate rates between those tiers. Because this is a business model, affiliate shares also vary with market conditions. "In February 2021, the Avaddon group announced a temporary increase in its affiliate share from 25-40% to 80% following the production of a decryptor for its ransomware that would clearly have undermined its profitability," Mitchell says.

Outsourcing ransomware risk
Think of RaaS as being, in effect, the outsourcing of the most risky part of the whole process: the attack itself and the ransom extortion that goes with it.

"It shows that the RaaS sellers are more than willing to outsource the hacking of computers," Corey Nachreiner, chief security officer at WatchGuard Technologies, says. "That is what will definitely get you in jail if a criminal is caught. But, making and supplying ransomware to others, though possibly a crime in some countries, is less risky than actually infecting computers with it."

In this sense, Nachreiner doesn't see the business model as one of cooperation, but rather "the affiliates are used as the sheep or mules doing the dangerous work, while the ransomware seller is just gathering profit”.

That said, the cooperative, profit-sharing model does get distributed down the line. Affiliates will purchase the credentials or exploits needed to access a targeted network from an initial access broker. “These brokers collect victims in large numbers and skim the most valuable ones to resell to ransomware affiliates,” says Chet Wisniewski, principal research scientist at Sophos.

"Affiliates take over from there. They will exfiltrate sensitive data, move laterally and map out all the assets, backups, admins, databases and ultimately trigger the ransomware itself."

And the cooperation doesn’t end there: once a ransom has been paid, other criminals are often employed to launder the cryptocurrency in return for a cut.

Enterprise mitigation?
So, does this model change anything when it comes to risk to businesses or the defensive reality of ransomware mitigation?

“It means a would-be cyber criminal doesn't need to have technical skills to launch a ransomware attack, just the will and the funds to procure the capabilities," says Jen Ellis, VP of community and public affairs at Rapid7 and co-chair of the Ransomware Task Force.

Ellis argues that the odds are already stacked against defenders, so more attacks arguably make those odds worse, but RaaS does not necessarily increase the breadth or complexity of the techniques attackers use. "If an organisation is already taking appropriate steps to protect themselves those mitigations should be sufficient against RaaS attacks."

Wisniewski says: "A more diverse set of skills among those attackers means some go after smaller, weaker victims for lower ransom amounts, while the more skilled can go big game hunting."

The mitigation remains the same, says David Cummins, VP of EMEA at Tenable. "When you look at the attack path of ransomware, the majority of attacks target a handful of known and patched vulnerabilities.

“User awareness, malware detection, system back-ups, and strong vulnerability management can all significantly reduce the likelihood of harm from a ransomware attack."
Quote of the week…
“We're very clear we will not be paying any ransom or engaging in any of that sort of stuff.”

Irish prime minister (Taoiseach) Micheál Martin on the ransomware attack on the Irish Health Service.
Top five malware: March 2021
> Shlayer: A downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater.
> CoinMiner: A cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network.
> ZeuS: A modular banking trojan that uses keystroke logging to compromise victim credentials when the user visits a banking website.
> Agent Tesla: A remote access trojan (RAT) that exfiltrates credentials, logs keystrokes, and captures screenshots from an infected computer.
> Jupyter: An infostealer downloaded by masquerading as legitimate software. It primarily targets browser data in browsers such as Chrome, Chromium, and Firefox and has full backdoor functionality.
Source: Center for Internet Security
© 2021 Haymarket Media Group
Bridge House, 69 London Road, Twickenham , TW1 3SP