Ransomware gangs are adopting a range of businesslike tactics to increase their profits, which is making it harder for defenders to tell different groups apart, according to a new report from WithSecure.
Speaking at Sphere23, WithSecure’s senior threat intelligence analyst Stephen Robinson said that the shift towards mirroring legitimate business practices has blurred the lines between the tactics, techniques and procedures (TTPs) of different groups.
For example, the recent decline of ransomware gangs such as Conti and Hive is a positive development, but since then the number of groups using Conti-like TTPs has grown. This suggests that the techniques used by these gangs have been imitated and copied by other attackers.
Underground marketplaces now host organizations such as ransomware-as-a-service (RaaS) groups, initial access brokers (IABs), crypter-as-a-service (CaaS) providers, cryptojackers and malware-as-a-service (MaaS) groups, as well as nation-state actors.
Robinson pointed out that nation-states use tools available on underground markets to access networks and systems without detection.
Ultimately, this trend of specialization makes the expertise and resources needed to attack an organization available to less skilled or resource-poor attackers.
Robinson noted that IABs industrialize exploitation by operating at scale.
During his presentation, Robinson highlighted an incident that WithSecure investigated, in which a single organization was found to have been compromised by five different actors, each with a different purpose and each representing a different type of cybercriminal service:
• Monti ransomware group
• Qakbot MaaS
• A cryptojacking group known as the 8220 Gang (also tracked as Returned Libra)
• Unnamed IAB
• A subset of the Lazarus group, an advanced persistent threat associated with North Korea’s Foreign Intelligence and Reconnaissance Directorate.
Value creates demand
Despite this, Robinson noted that it is becoming increasingly difficult to distinguish between groups. This impacts traditional detection techniques and requires a new way of thinking on the part of defenders.
“We have to treat them all as similar threats, and we have to be prepared for every threat,” he told Infosecurity. “If someone breaks into your network, you have very little chance of catching up, so you really need to be prepared before it happens.
“If you’re a valuable company, someone happens to break in and just wants to run cryptojacking software on your edge servers, and they find out you’re some kind of high-turnover company, they think, maybe sell that access to someone else who wants to do something with you.”
He said there was evidence of dark web postings requesting access to companies with $100 million in sales.
“They don’t care who it is, they care how much it’s worth,” Robinson said.
According to WithSecure’s analysis of over 3,000 data breaches by multipoint extortion ransomware groups, organizations in the United States are the most common victims of these attacks, followed by organizations in Canada, the United Kingdom, Germany, France, and Australia.
Together, organizations in these countries accounted for three-quarters of the breaches included in the analysis.
The construction industry appeared to be the hardest hit, accounting for 19% of data breaches. Auto companies, on the other hand, accounted for only about 6%.
Many other industries sit between the two, as the distribution of victims varies from one ransomware group to another, with some families targeting one or more industries disproportionately compared to others.