Some perspectives on the rise of ransomware attacks

Crime as a Service has evolved into Ransomware as a Service (“RaaS”). The rise of ransomware attacks on companies, and the way they are escalating both in scale and in tactics, is something that was in the making for quite some time. I wanted to document my own thoughts on why this has been the case.

"Ransomware" by Stratageme.com is licensed with CC BY-NC-SA 2.0.

Previously, RaaS was a one-stop shop of techniques: the threat actors themselves had to scout, breach, infiltrate, spread, exfiltrate and extort. The RaaS scene has since evolved into groups that specialise in each of these skill areas. Instead of performing all of the above steps, the RaaS players focus on ensuring their ransomware is fast, has good post-encryption support and has low detection rates. For instance, ransomware actors today buy initial access from “Initial Access Brokers” (“IAB”), pentesters who have already broken into target networks, or buy RDP access to compromised networks for as low as USD 5. The IAB affiliates (or in some cases the RaaS groups themselves) use native utilities or Living off the Land Binaries (LOLBins) to stay under the radar for extended periods of time. Scouts offer their services on forums like XSS, dread, exploit and raidforums, among others. Affiliates with low activity see their reputation go down or have their access shut off by RaaS operators.

Since this is effectively a well-oiled industry now, it has led to the formation of cartels. The Maze cartel consists of LockBit, Ryuk, Conti, Egregor, Suncrypt and Ragnar Locker, to name a few. RaaS operators also closely coordinate to share techniques and infrastructure; BlackMatter has tried to incorporate techniques from fellow ransomware threat actors LockBit and DarkSide. Groups typically close shop when they attract too much heat or their infrastructure is blown; they then wait, change names and emerge later. Infrastructure-wise, once an IP is blacklisted it becomes very difficult to get it whitelisted again, so the IP is circulated from one gang to another, since no reputable enterprise is going to touch it with a ten-foot pole. This makes threat intelligence an increasingly important and viable means of identifying threats pre-emptively.
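The point about recycled infrastructure is exactly why an indicator feed pays off on the defensive side: an address that burned one gang is still bad when the next gang rents it. The following is an added example, not code from this post, showing the minimal version of that check: a blocklist of single IPs and CIDR ranges is matched against firewall log lines, and every hit is reported with its label. The feed format, the log format and all addresses are constructed (RFC 5737 documentation ranges), not real indicators.

```python
"""Match firewall log source IPs against a threat-intelligence blocklist.

Added example for this post, not code from the original page. The indicator
feed and the log lines are constructed and use RFC 5737 documentation ranges;
none of them are real indicators.
"""
import ipaddress
import re

# Constructed indicator feed in a simple "indicator,label" format. Single
# addresses and CIDR ranges are mixed, as real feeds often are.
THREAT_FEED = """\
# indicator,label
198.51.100.23,raas-c2
203.0.113.0/24,iab-scanner-range
192.0.2.77,exfil-staging
"""

# Constructed firewall log lines. The DENY line is still worth flagging:
# a blocked probe from a known-bad address is itself signal.
SAMPLE_LOGS = [
    "2021-09-01T10:00:01Z ALLOW src=198.51.100.23 dst=10.0.0.5 dport=3389",
    "2021-09-01T10:00:07Z ALLOW src=203.0.113.45 dst=10.0.0.9 dport=445",
    "2021-09-01T10:01:12Z ALLOW src=10.0.0.12 dst=10.0.0.5 dport=443",
    "2021-09-01T10:02:30Z DENY src=192.0.2.77 dst=10.0.0.9 dport=22",
]

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_feed(text):
    """Parse the feed into a list of (network, label).

    Single IPs are promoted to /32 networks so that membership testing is
    the same for both kinds of indicator.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, label = (part.strip() for part in line.split(",", 1))
        entries.append((ipaddress.ip_network(indicator, strict=False), label))
    return entries


def match_logs(log_lines, feed):
    """Return (src_ip, label, line) for every log line whose source IP falls
    inside an indicator; each line is reported once, at its first match."""
    hits = []
    for line in log_lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        for network, label in feed:
            if src in network:
                hits.append((str(src), label, line))
                break
    return hits


if __name__ == "__main__":
    for src, label, line in match_logs(SAMPLE_LOGS, load_feed(THREAT_FEED)):
        print(f"{src:<16} {label:<20} {line}")
```

Promoting single addresses to /32 networks keeps one code path for both indicator shapes; on a real feed with thousands of ranges you would swap the linear scan for a prefix tree, but the matching logic stays the same.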

This brings us to the other side of the table and the core question: why is this happening, and what makes it a profitable business for cyber attackers? For this shady business to sustain itself, you need pseudo-anonymity as a key pillar. Let’s not confuse it with anonymity. Anonymity is when you can’t tell whether X or Y was the threat actor. Pseudo-anonymity is when you know X was the threat actor but you don’t know who the people behind X are. This helps create a certain brand, an idea, an agency. Given the honour among thieves, it makes you a good anchor point for like-minded associates.

“And ideas are bulletproof.”

We know actors such as DarkSide, REvil and multiple APTs. We know their brand. Their affiliates and customers (ahem... targets) know it too.

Two, the rise of crypto and the pseudo-anonymity of crypto transactions have eased the way these gents do business. They don’t have to rely on wire transfers to unknown remote countries. A wallet is fine, and the payment made is funnelled through mixers to make forensic analysis harder. By the way, crypto (here currency, not cryptography) is not anonymous. Anyone can look up crypto addresses, wallets and their balances. That’s how these groups are profiled. True anonymity would not divulge information like this.

Three, the generally bad security posture of organizations. Security has historically been seen as an expense with undetermined ROI, a part of IT operations. Whatever doesn’t make money for an organization automatically gets low priority. Business operations enabled by IT take precedence and security becomes an afterthought. The typical ROI dilemma is: if what we are securing is worth less than the measures needed to secure it, then there is no point in securing it. These unsecured assets and avenues pile up and collectively become a pile of things too hard to secure. They might even become obvious, and then things get swept under the rug. After that, all it requires is exploiting one vulnerability, and the threat actors are in. Historic analysis of breaches will tell you that 99 percent of the time only one vulnerability was exploited to gain access to the network.

Then comes a black swan event: a sophisticated adversary chains vulnerabilities to compromise at scale. The SolarWinds compromise is a great example. Kaseya is also a good example of this.

Four, one more enabler is the low complexity required to execute these attacks. A plethora of open-source ransomware is present on GitHub. Plenty of attack frameworks are available for free. Take, for instance, Pneuma.

https://github.com/preludeorg/pneuma 

It was released months back and is already cutting edge. It is also free.

Cobalt Strike is available for purchase at low prices, and cracked versions of it have been available for free for quite some time. Ten years back, this would have required arcane knowledge of C2, comms, infrastructure, automation for scaling, evasion and what not.

Today it requires a double click (figuratively speaking).

Finally, the dilemma of known knowns, known unknowns and unknown unknowns. I have yet to see a firm that has a full view of its assets. If you don’t know what to protect, you won’t know when it gets hacked. Ultimately, you can’t catch what you can’t see.
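Asset visibility is a solvable problem once you compare what you think you own against what is actually talking on the network. The following is an added example, not the author's code, of that reconciliation: a CMDB-style inventory is matched against DHCP lease acknowledgements, and the output is split into devices on the wire that nobody inventoried (the unknown unknowns) and inventoried devices that were never observed. The inventory rows, the dhcpd-style log lines, and all MAC addresses and hostnames are constructed.

```python
"""Reconcile an asset inventory against hosts actually seen on the network.

Added example for this post, not the author's code. The inventory rows and
the dhcpd-style lease log lines are constructed; the MAC addresses and
hostnames are made up.
"""
import csv
import io
import re

# Constructed asset inventory, as exported from a CMDB.
INVENTORY_CSV = """\
mac,hostname,owner
00:11:22:33:44:55,fileserver01,infra
00:11:22:33:44:66,hr-laptop-07,hr
00:11:22:33:44:77,legacy-printer,facilities
"""

# Constructed DHCP server log. MACs deliberately appear in several notations
# (colon, dash, Cisco dotted) because that is what mixed-vendor logs look like.
DHCP_LOG = """\
Sep  1 09:12:01 dhcpd: DHCPACK on 10.0.20.15 to 00:11:22:33:44:55 (fileserver01) via eth0
Sep  1 09:15:44 dhcpd: DHCPACK on 10.0.20.31 to 00-11-22-33-44-66 (hr-laptop-07) via eth0
Sep  1 09:20:09 dhcpd: DHCPACK on 10.0.20.88 to 0011.2233.4499 (nas-backup) via eth0
Sep  1 09:22:13 dhcpd: DHCPACK on 10.0.20.90 to aa:bb:cc:dd:ee:ff via eth0
"""

ACK_RE = re.compile(r"DHCPACK on (\S+) to (\S+)(?: \(([^)]*)\))?")


def normalise_mac(raw):
    """Canonicalise any common MAC notation to lower-case colon form.

    Without this step the same device shows up as three 'different' assets
    depending on which system logged it.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(csv_text):
    """Return {mac: (hostname, owner)} from the CMDB export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalise_mac(r["mac"]): (r["hostname"], r["owner"]) for r in reader}


def observed_hosts(log_text):
    """Return {mac: (ip, hostname_or_None)} for every DHCPACK in the log."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, raw_mac, hostname = m.groups()
            seen[normalise_mac(raw_mac)] = (ip, hostname)
    return seen


def reconcile(inventory, observed):
    """Split the two views into the gaps the post describes.

    unknown: on the wire but not in the inventory, i.e. nobody is protecting
             or monitoring it;
    unseen:  in the inventory but never observed, i.e. a stale record or a host
             on a segment we have no visibility into.
    """
    unknown = {mac: observed[mac] for mac in observed if mac not in inventory}
    unseen = {mac: inventory[mac] for mac in inventory if mac not in observed}
    return unknown, unseen


if __name__ == "__main__":
    unknown, unseen = reconcile(load_inventory(INVENTORY_CSV), observed_hosts(DHCP_LOG))
    for mac, (ip, host) in sorted(unknown.items()):
        print(f"UNKNOWN ASSET  {mac}  {ip}  {host or '<no hostname>'}")
    for mac, (host, owner) in sorted(unseen.items()):
        print(f"NOT OBSERVED   {mac}  {host}  owner={owner}")
```

The second list matters as much as the first: a printer that is in the CMDB but never shows up in DHCP either has a static address on a segment you are not logging, or was decommissioned without anyone updating the record. Both are visibility gaps.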

There are plenty of other minor enablers as well, but they are subsets of the ones mentioned above.

This can be stopped by being proactive in your defence strategy, leveraging threat intelligence and having visibility of your assets, and additionally by ensuring your reactive defence strategy is well practised until it becomes second nature. In any case, this is not the last cyber-attack we will have seen, given the risk-to-reward and skill-to-reward ratios of executing these. I’d expect more escalations and more sophisticated hacks down the road, and we have just earned front-row seats.
