Ransomware gangs are increasingly turning to specialists to complete their capers on corporations, according to a Dark Net intelligence provider.
A report issued Friday by Tel Aviv-based Kela noted that the days when lone wolves conducted cyberattacks from start to finish has become nearly extinct.
The one-man show has nearly completely dissolved, giving way to specialization, maintained the report written by Kela Threat Intelligence Analyst Victoria Kivilevich.
Kivilevich identified four areas of specialization:
- Providing or acquiring code for the attack;
- Infecting and spreading an attack;
- Maintaining access to and harvesting data from infected systems; and
- Monetizing the fruits of the attack.
Ransomware actors have also begun expanding their methods for intimidating victims, such as the use of DDoS attacks and spam calls, the report revealed.
“The ransomware ecosystem therefore more and more resembles a corporation with diversified roles inside the company and multiple outsourcing activities,” it noted.
Rise of the Negotiator
The report also revealed the emergence of a new role in the ransomware ecosystem: the negotiator.
Initially, it explained, most ransomware operators communicated with victims via email. As ransomware-as-a-service grew and became more prominent and business-like, many actors started establishing their own portals through which all communications were held.
The ransomware developers or affiliates were determining the ransom sum, offering discounts, and discussing conditions of payment, the report continued. “However,” it noted, “now this part of the attack also seems to be an outsourced activity — at least for some affiliates and/or developers.”
One possible reason cybercriminals have begun enlisting negotiators is that victims began using them. “Ransom actors had to up their game as well in order to make good margins,” the report reasoned.
Another motive could be related to the cybercriminals themselves. “As most ransom actors probably are not native English speakers, more delicate negotiations — specifically around very high budgets and surrounding complex business situations — required better English,” the report hypothesized.
It noted that negotiators were typically asking 10 to 20 percent of a ransom as payment for their services.
“The English language negotiators are there to put a ‘customer service’ face on the transaction,” observed AJ King, CISO at BreachQuest, an incident response company in Dallas.
“Depending on the type of compromise, using nuances of language can mean the difference between getting an extra 10 percent out of your target versus not,” he told TechNewsWorld.
“If you can’t communicate properly, you won’t be successful in the long run and in larger cases,” he said. “Cybercriminals have taken notice.”
Drivers Behind Specialization
Oliver Tavakoli, CTO of Vectra AI, a provider of automated threat management solutions in San Jose, Calif. maintained ransomware actors have begun specializing for the same reasons any large business specializes.
“It is easier to be good at a small number of things than a large number of things,
it pays better to work at things you are good at, and organizations trying to orchestrate an entire attack chain don’t want to rely on individuals who are not expert at something for a critical step in the attack,” he told TechNewsWorld.
Scale may also be contributing to the need to specialize, added Purandar Das,
CEO and co-founder of Sotero, a data protection company in Burlington, Mass.
“The attacks now have become so big that what was probably viewed as a part of the attack now require the same services at scale,” he told TechNewsWorld.
“Each of these are capabilities that require specialized skills,” he said. “Whether it is intrusion, access or negotiating, the business is run at such a scale they each demand their own specializations.”
Brandon Hoffman, chief security officer at Intel 471, a cybercrime intelligence provider in Dallas, added that ransomware-as-a-service providers need specialists because they usually only offer encryption software and a way to monetize the attack.
“It is important to keep in mind that ransomware is essentially at the end of an attack chain,” he told TechNewsWorld. “In order to get ransomware loaded, they need initial access, lateral movement, and privilege escalation before the encryption can be effective and widespread enough to cripple the organization.”
Premium Rates for Admin Rights
The Kela report also noted that ransomware actors were willing to pay a premium for domain administrator access to a compromised computer.
“If ransomware attackers start a lateral movement from a machine of domain admin, they have better chances to successfully deploy ransomware in a compromised network,” the report explained.
“However,” it continued, “if all they have is user access, then they need to escalate privileges by themselves — or call for the help of skilled fellows.”
That help can be expensive. According to the report, intrusion specialists receive from 10 to 30 percent of a ransom for escalating privileges to the domain level.
Tavakoli explained that intrusion and escalation is the part of a ransomware attack which requires a high level of technical proficiency and generally cannot be automated.
“This step takes existing tools and techniques and has to adapt them to the particulars of the environment encountered inside a target organization,” he continued. “Given that this step requires skill and is manual, the demand — in terms of total number of individuals needed — is relatively high.”
Garret Grajek, CEO of YouAttest, an identity auditing company in Irvine, Calif. added that the key takeaway from the findings is the reminder of how important administrative rights are to hackers.
“The study shows that hackers are paying up to 10 times the value for admin compromised credentials as they are paying for those of regular users,” he told TechNewsWorld.
“To compensate for the cost, hackers are also buying inexpensive stolen user credentials, and then using paid for hacks to escalate the privileges on those user accounts,” he added.
Double Dipping Hackers
Once ransomware actors penetrate a system, they usually act in one of two ways, or in some cases, both.
“Cybercriminals are encrypting data to obtain ransoms in line with classical ransomware techniques,” observed Allie Mellen, a security and risk analyst at
“Compounding this,” she told TechNewsWorld, “they are also taking a new approach — stealing business data and then threatening to release it unless the organization pays up.”
“This double punch of ransom and extortion lets ransomware gangs get paid double what they would get traditionally, which can have an even more negative impact on a business hit with ransomware,” she said.
How can organizations protect themselves from ransomware attacks? King has these recommendations:
- Implement a strong identity and access management program.
- Limit local administrative privileges for standard users.
- Require multifactor authentication for all internet-facing portals.
- Segment your network, which can limit lateral movement by an intruder.
- Have a strong security operations center either outsourced or in-house with the proper training, tooling, and staffing levels to catch an event early when the inevitable intrusion does happen.