Why RaaS Has Become Easier to Launch
Straight from the researchers at Intel 471 comes this pro tip for cybersecurity teams inside organizations: Being proactive about what the cybercriminal underground is learning and how it’s behaving can help you pinpoint solutions for your security needs.
“What makes it so easy for criminals to launch attacks is a combination of something we see in the everyday world: A growing base of people with technological know-how and a fine-tuned business model,” the researchers noted. “The cybercriminal underground is filled with people who have honed their skills in a short amount of time, studied where security gaps are and learned what needs to be done in order to maximize profits.”
If only the cybersecurity industry could train people so quickly and thoroughly; then we wouldn’t have a skilled-labor shortage whose gap grows wider almost daily.
The first of the three methods the researchers described, the reuse of ransomware code, mimics what goes on in legitimate software development: developers build on past versions to produce new, improved versions that operate more efficiently and effectively. One recent example, the researchers said, is Babuk, a ransomware-as-a-service (RaaS) variant whose builder was seen to generate pairs of encryption and decryption tools targeting Microsoft Windows systems, VMware ESXi hypervisors and network-attached storage (NAS) units on Intel x86 and ARM architectures. Lower-level actors jumped on it, “launching their own ransomware campaign outside of the Babuk affiliate program,” the researchers said. In less than a month, “an operator using info-stealing malware Vidar issued ‘download and execute’ tasks to bots, aimed to install the Babuk ransomware variant generated by the builder.”
Intel 471 also uncovered multiple similarities in the code between Conti ransomware and BazarLoader, which gives an infected Windows host backdoor access.
A second method that bolsters the success of ransomware will come as a surprise to exactly no one: cybercriminals exploit common vulnerabilities and exposures (CVEs). “Cybercriminals pay attention to CVEs as much as anyone else, knowing that organizations drag their feet in closing vulnerabilities that give criminals the access they need to carry out attacks with little struggle,” the researchers said, pointing to the FiveHands ransomware crew using “vulnerabilities like a SonicWall buffer overflow vulnerability that wasn’t patched correctly the first time it was uncovered, a remote code execution vulnerability in VMware’s vSphere Client that was pushed in May 2021 and the two vulnerabilities attached to Microsoft’s PrintNightmare problem that are still causing issues for organizations across the world.”
Rounding out the trio of methods is criminals selling their ransomware-as-a-service. “Now attackers are looking to cause more problems via double extortion attacks, name-and-shame blogs, or DDoS attacks directed toward any public-facing assets that haven’t been locked up by the initial ransomware attack,” the researchers said. “In order for that to happen, RaaS gangs are working with other ‘experts’ in the cybercrime underground that specialize in various methods that can extend the life of a ransomware attack.”
In one case, an actor worked “alongside the DarkSide ransomware gang until it shut down following its attack on the Colonial Pipeline Co. in the United States,” they said. “The actor claimed to have launched DDoS attacks against DarkSide’s victims for six weeks before the gang’s shutdown. The actor also claimed that 10 to 20 targets were under DDoS at any given time, with attacks lasting from one to 21 days.”
The actor claimed to earn $500 to $7,000 each time a victim paid a ransom. “What’s novel about this actor is they are unlikely to be a veteran of the cybercrime underground,” first emerging in a cybercrime forum last January and within six months building “enough reputation to latch onto one of the most notorious ransomware gangs in operation, profiting off the million-dollar ransoms DarkSide pulled in before disappearing.”
Intel 471 CISO Brandon Hoffman said, “A strong focus on cyber hygiene can prevent many of these attacks and also reduce the damage from a successful attack.” He suggested reducing the attack surface and avoiding becoming low-hanging fruit by focusing on:
- Backups
- Updating software and operating systems
- Monitoring for and patching CVEs
- Logging and alerting on suspicious events
- User permissions
- Strong email filters
- Strong password policy
- Use of 2FA or other devices (YubiKeys)
- Third-party monitoring
- Blocking/blacklisting indicators of compromise (IOCs)
While government and the public sector play a role in setting policy and supporting victims of attack, Hoffman added that the roles of the public and private sectors are complicated. “Simply providing a policy that paying a ransom is illegal doesn’t help the companies that are in the middle of a ransomware situation,” he said. “Some of the recent policy steps the government has taken in regards to foreign affairs are good, but more needs to be done to put pressure on countries that harbor cybercriminals.”
The government can take “a more aggressive stance” in investigating and potentially taking down ransomware organizations. “That is a challenging scenario politically, and as such, might not be as simple as typing that it needs to be done,” Hoffman said. “[The] [p]rivate sector needs to continue to work together, sharing information and learning from each other to understand what has worked and what has not. The time of being shamed for falling victim to a breach is (hopefully) in the past. Until such a time as we can come together in a transparent mode, the necessary learnings to prevent future attacks will remain elusive.”