Connect with us

Hi, what are you looking for?

HEADLINES

Kaspersky sheds light on ransomware ecosystem

To help organizations understand how the ransomware ecosystem operates and how to fight it, the latest report by Kaspersky researchers dug into darknet forums, took a deep look at REvil and Babuk gangs and beyond and debunked some of the myths about ransomware. And when you dig into this underworld, you have to expect that it has many faces.

Photo by Blake Connally from Unsplash.com

Ransomware is on the tip of everyone’s tongue every time businesses discuss cyberthreats they are likely to face in 2021. Attackers have built their brands and are bold in their advances like never before, with the news about organizations being hit with ransomware consistently on newspaper front pages. But by placing themselves under the spotlight, such groups hide the actual complexity of the ransomware ecosystem.

To help organizations understand how the ransomware ecosystem operates and how to fight it, the latest report by Kaspersky researchers dug into darknet forums, took a deep look at REvil and Babuk gangs and beyond and debunked some of the myths about ransomware. And when you dig into this underworld, you have to expect that it has many faces.

Like any industry, the ransomware ecosystem comprises many players that take on various roles. Contrary to the belief that ransomware gang are actually gangs – tight, have been through it all together, Godfather-style groups, the reality is more akin to the world of Guy Ritchie’s “The Gentlemen”, with a significant number of different actors – developers, botmasters, access sellers, ransomware operators – involved in most attacks, supplying services to each other through dark web marketplaces.

These actors meet on specialized darknet forums where one can find regularly updated ads offering services and partnerships. Prominent big-game players that operate on their own do not frequent such sites, however, well-known groups such as REvil that have increasingly targeted organizations in the past few quarters, publicize their offers and news on a regular basis using affiliate programs. This type of involvement presumes a partnership between the ransomware group operator and the affiliate with the ransomware operator taking a profit share ranging from 20-40%, while the remaining 60-80% stays with the affiliate.

Advertisement. Scroll to continue reading.

REvil announces a new capability to organize calls to the media and target’s partners to assert additional pressure on paying the ransom

Examples of offers listing payment conditions in the partner programs

Selection of such partners is a finely-tuned process with ground rules set by the ransomware operators from the start – including geographical restrictions and even political views. At the same time, ransomware victims are selected opportunistically. 

As the people who infect organizations and the ones who actually operate ransomware are different groups, only formed by the desire to profit, the organizations infected most are often low-hanging fruit – essentially, the ones that the attackers were able to gain easier access to. It could be both actors that work within the affiliate programs and independent operators that later sell access – in an auction form or as a fix, starting as low as 50 USD. These attackers, more often than not, are botnet owners who work on massive and wide-reaching campaigns and sell access to the victim machines in bulk, and access sellers on the lookout for publicly disclosed vulnerabilities in internet facing software, such as VPN appliances or email gateways, which they can use to infiltrate organizations.

An example of an offer to sell access to an organization’s RDP

Ransomware forums are home to other types of offers too. Some ransomware operators sell malware samples and ransomware builders for anything from 300 to 4,000 USD, others offer Ransomware-as-a-Service – the sale of ransomware with continued support from its developers, which can range from 120 USD per month to 1,900 USD per year packages.

“The ransomware ecosystem is a complex one with many interests at stake. It is a fluid market with many players, some quite opportunistic, some – very professional and advanced. They do not pick specific targets, they may go after any organization – an enterprise or a small business, as long as they can gain access to them. Moreover, their business is flourishing, it is not going away anytime soon,” comments Dmitry Galov, security researcher at Kaspersky’s Global Research and Analysis Team. 

“The good news is that even rather simple security measures can drive the attackers away from organizations, so standard practices such as regular software updates and isolated backups do help and there is much more that organizations can do to secure themselves,” adds Galov.

Advertisement. Scroll to continue reading.

“Effective actions against the ransomware ecosystem can only be decided once its underpinnings are truly understood. With this report, we hope to shine a light on the way ransomware attacks are truly organized, so that the community can set up adequate countermeasures,” comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s Global Research and Analysis Team.

Kaspersky encourages organizations to follow these best practices to help safeguard their businesses against ransomware:

  • Always keep software updated on all the devices you use, to prevent attackers from infiltrating your network by exploiting vulnerabilities. 
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections. Set up offline backups that intruders cannot tamper with. Make sure you can quickly access them in an emergency when needed. 
  • Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions. 
  • Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

ELECTRONICS

Philips EasyKey partnered with Megaworld and equipped their world-class properties with only the best-in-class smart locks we have on offer, the Philips EasyKey 9300.

HEADLINES

The PLDT wireless unit is also calling on customers to report these messages to Smart’s HULISCAM portal for further action.

HEADLINES

Here are some tips from Sophos for staying secure online during the cybersecurity awareness month.

HEADLINES

While only 21% of hackers believed that AI technologies enhance the value of hacking in 2023, 71% reported it to have value in 2024....

HEADLINES

Kaspersky has enhanced its Kaspersky Industrial CyberSecurity (KICS), a native XDR Platform for industrial enterprises, and streamlined Managed Detection and Response (MDR) for Industrial...

White Papers

One in three industrial companies encounter regular network problems, with 45% of businesses experiencing them a few times a month, while only 12% of...

HEADLINES

Smart has received reports about unscrupulous individuals pretending to be company executives or representatives of organizations asking for donations for made-up or nonexistent relief...

HEADLINES

Located in the Kaspersky office, the new facility will provide the company’s stakeholders with services ranging from an overview of Kaspersky’s practices, to a...

Advertisement