McAfee and Microsoft Analysts Review ‘Ransomware as a Service’ Trends
Microsoft’s Diana Kelley speaks with ISMG’s Tom Field at RSA 2020.
Targeted ransomware attacks against enterprises and government agencies are likely to surge in the coming months as ransomware-as-a-service continues to evolve into a lucrative model for cybercriminals, security experts interviewed at RSA 2020 warn.
The spike in demand for ransomware-as-a-service tools in underground forums, coupled with the anonymity offered by the dark web, is likely to lead to a surge in these types of cyberthreats over the coming years, the experts say. Cybercriminals also are continuing to scour underground sites for new tools.
“A lot of actors are feeling safe in the underground and have good means to make a profit by building trust – and you see that it has become almost … a regular business,” says John Fokker, McAfee’s head of investigations.
Fokker, who participated in a recent crackdown on the operator behind the Rubella toolkit, adds that cybercriminals are continuing to increase their arsenals to enable more attacks.
Many RaaS developers maintain symbiotic relationships with a number of cybercriminals, or affiliates, who carry out the intrusions and keep about 60 percent of the ransom payments, while the developers take the remainder, security researchers say. RaaS groups such as Sodinokibi and GandCrab have used this model to launch targeted attacks (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
The increased role of service providers or middlemen in the ransomware infection chain is paving the way for more attacks, experts say.
“When the ransom is much higher, it breeds an influx and higher demand for targeted networks. This, in turn, creates a chain reaction for higher demand for the macro builder and crypto services,” Fokker says. “So all the adjacent services that form the chain to commit cybercrime grow from this trend.”
Fokker says some high-tier underground cybercriminals are brute-forcing exposed Remote Desktop Protocol services and buying up stolen credential logs to find a way in. “They buy up thousands of logs and they use search tools to go through the logs to find a managed service provider and any specific corporate logins to have a foothold in the network and eventually hold that target for ransom,” he says.
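From the defender's side, the RDP brute-force pattern Fokker describes is visible in Windows Security event logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source, often across several usernames, followed by a success (Event ID 4624) from the same source. The following is an added example, not code from the article, McAfee or Microsoft; it assumes events have already been exported as simple records with the field names shown, and the sample events, threshold and window are constructed for illustration.

```python
"""Detect RDP brute-force activity (and a follow-on successful logon) from
Windows Security events.  Added example; field names, thresholds and the
sample events below are assumptions, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events.  id 4625 = failed logon, 4624 = successful logon;
# logon_type 10 = RemoteInteractive (RDP).  Source "198.51.100.7" sprays several
# accounts and then succeeds as "msp-admin"; "203.0.113.5" has two failures far
# apart; "192.0.2.10" is a console logon that the detector must ignore.
SAMPLE_EVENTS = [
    {"ts": "2020-02-25T10:00:01", "id": 4625, "logon_type": 10, "src": "198.51.100.7", "user": "admin"},
    {"ts": "2020-02-25T10:00:09", "id": 4625, "logon_type": 10, "src": "198.51.100.7", "user": "administrator"},
    {"ts": "2020-02-25T10:00:15", "id": 4625, "logon_type": 10, "src": "198.51.100.7", "user": "backup"},
    {"ts": "2020-02-25T10:00:22", "id": 4625, "logon_type": 10, "src": "198.51.100.7", "user": "msp-admin"},
    {"ts": "2020-02-25T10:00:30", "id": 4625, "logon_type": 10, "src": "198.51.100.7", "user": "svc_rdp"},
    {"ts": "2020-02-25T10:00:41", "id": 4625, "logon_type": 10, "src": "198.51.100.7", "user": "admin"},
    {"ts": "2020-02-25T10:01:03", "id": 4624, "logon_type": 10, "src": "198.51.100.7", "user": "msp-admin"},
    {"ts": "2020-02-25T10:02:00", "id": 4625, "logon_type": 10, "src": "203.0.113.5", "user": "jsmith"},
    {"ts": "2020-02-25T10:20:00", "id": 4625, "logon_type": 10, "src": "203.0.113.5", "user": "jsmith"},
    {"ts": "2020-02-25T10:05:00", "id": 4624, "logon_type": 2, "src": "192.0.2.10", "user": "jdoe"},
]

FAIL_THRESHOLD = 5            # assumed tuning: failures per source ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window
RDP_LOGON_TYPE = 10


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures": n, "users": set, "success_user": str|None}}
    for every source whose RDP failures reached `threshold` inside `window`.
    success_user is filled in if the same source later logs on successfully
    over RDP, i.e. a credential was guessed."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    recent_fails = defaultdict(list)  # src -> [(ts, user), ...] inside window
    alerts = {}
    for e in ordered:
        if e.get("logon_type") != RDP_LOGON_TYPE:
            continue  # console, network or service logons are out of scope here
        t, src = parse_ts(e["ts"]), e["src"]
        if e["id"] == 4625:
            recent_fails[src].append((t, e["user"]))
            # slide the window: keep only failures within `window` of this one
            recent_fails[src] = [(ft, fu) for ft, fu in recent_fails[src] if t - ft <= window]
            if len(recent_fails[src]) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_user": None})
                a["failures"] = max(a["failures"], len(recent_fails[src]))
                a["users"].update(fu for _, fu in recent_fails[src])
        elif e["id"] == 4624 and src in alerts and alerts[src]["success_user"] is None:
            # a success from a source already flagged: treat the account as compromised
            alerts[src]["success_user"] = e["user"]
    return alerts


if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        outcome = f"SUCCEEDED as {a['success_user']}" if a["success_user"] else "no success seen"
        print(f"{src}: {a['failures']} RDP failures across {len(a['users'])} accounts; {outcome}")
```

The distinct-user count separates a spray across many accounts from a single user mistyping a password, and the follow-on 4624 check is what turns a noisy brute-force alert into an "account compromised, rotate it now" alert. Thresholds and the window are assumptions and should be tuned to the environment.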
Dutch National Police recently arrested a 20-year-old Dutch man who they allege created, distributed and marketed the Rubella Macro Builder to cybercriminals and other attackers across various underground websites and darknet forums.
Distractionware and Destructionware
Diana Kelley, cybersecurity field CTO at Microsoft, says some ransomware gangs are launching new types of attacks.
These include the use of “distractionware” – malware designed to draw defenders’ attention to one area of the network while the real attack continues in the background, she says. Another tool is “destructionware,” which attackers use to attempt to cause widespread damage to the IT infrastructure.
“The attackers are landing the malware, but they are using it to destroy the evidence of the group’s activity from the affected system,” Kelley says.