Ransomware brokers and their enterprise models
The ransomware threat is only expanding, and experts suggest we’re only getting started. That is to say, we’ll see it balloon in 2022 and onward. But there’s more to ransomware expansion than meets the eye. True, ransomware is profitable and frighteningly easy to deploy by even the most inexperienced of hackers, but these aren’t the only reasons for its widespread success. One, and perhaps the leading, reason is that ransomware has transformed into a business model. If you follow Bytagig, you’re readily aware that ransomware “agencies” sell packages and services. But it’s growing beyond just a dark web sale.
The key to battling ransomware is more than just good defense measures. Understanding its mindsets and mechanisms will be critical in the oncoming years.
There’s a concentrated effort by ransomware gangs, for instance, to select targets based on specific types of criteria. Those criteria play a fundamental role in selecting a target (or targets).
Criteria were based on several factors, including geography, sectors to avoid, revenue (as in what the expected gains would be), and even countries to avoid.
This information was gathered thanks to the diligent efforts of KELA. They acquired this intel by monitoring dark web forum conversations of ransomware entities. From those discoveries, the criteria had specific breakdowns. The United States was discussed as the ideal target for a majority of attacks, while other countries – such as South American and Russian-speaking ones – were dismissed on the premise of either not enough profit or the notion that gangs would be “left alone.”
It proves consistent, given that major recent attacks were lobbed at the United States, such as the Colonial Pipeline attack and SolarWinds hack.
The “philosophy” of ransomware business
The takeaways essentially paint a picture of gangs, their motives, and their criteria. They seek out ideal targets and discuss optimal strategies for maximum profit. It’s a primary reason why entities like the FBI have heavily targeted gangs like REvil.
According to KELA, discussions on dark forums were largely about purchasing “access” to targets, access meaning pathways to finding intrusion points on networks (or ways to do it, such as SQL injection methods). In these discussions, hackers could speak with an IAB, or “Initial Access Broker.” In that transaction, an IAB could provide the packs and tools needed to compromise a target’s security.
And, even within the framework of these discussions, an IAB would explain the methodology for breaching a network, much like customer support for a legitimate business. So pronounced is this service for threat actors that KELA found at least 40 percent of ransomware gangs relied on an IAB in some capacity.
Observing ransomware gangs as a business model
It’s critical to approach the fight against ransomware gangs – and protection against them – by looking at them as an enterprise. When we understand and observe them as a professional organization, versus rag-tag groups of angry hackers, we take the problem far more seriously. The “product,” RaaS, is growing more diverse, too, with greater yields of information on specific targets.
The factors listed above, along with other details about targets, also influence an IAB’s price specifications, among other things. By all accounts, ransomware gangs see themselves as professional enterprises selling services and products, and the sooner we recognize that, the faster we can take appropriate measures. Ultimately, the reality is this: on the ransomware side, demand is growing for better services, tools, and kits. It’s why the future ahead is increasingly dangerous, and why protecting networks and systems against ransomware is important.
Concerned for the future? You can get help from an MSP today by contacting us at Bytagig.