Ransomware attacks continue to grow in both sophistication and volume. There have already been more ransomware attacks involving data exfiltration and extortion in 2023 than in all of 2022, and this trend is expected to continue.
This article explores the ransomware business model and the complex cybercriminal ecosystem that has sprung up around it.
The Rise of Triple Extortion Ransomware
Ransomware is traditionally associated with attackers who use encryption to lock down corporate data, systems, and IT infrastructure. However, in recent years ransomware groups have evolved their tactics: in addition to encrypting data, they also steal it, giving them a second lever for extortion.
This approach allows them not only to deny organizations access to their data and hold them hostage, but also to threaten to leak or sell the stolen information if ransom demands are not met.
This change in strategy has proven very lucrative for ransomware groups, because organizations are often willing to pay significant sums to prevent exposure of sensitive data. It lets the group profit from a victim even when the victim has effective backups and data recovery systems.
If victims don’t pay, groups often auction the data, offering another way to monetize their work.
Both the number of active groups and the number of ransomware attacks against organizations increased dramatically alongside the rise of data extortion ransomware. Data extortion was originally added to the arsenal of ransomware groups as a double extortion technique used in addition to encryption.
However, many groups have recently moved to triple extortion: in some cases, in addition to encrypting and exfiltrating data, they also blackmail individual employees, harass the victim's third-party partners, and even DDoS the victim's websites.
Ransomware Groups, Affiliates, and Triple Extortion
Ransomware groups do not operate in isolation. They often have a network of affiliates to help carry out attacks and distribute ransomware. These affiliates may specialize in various aspects of attacks such as initial access, data exfiltration, and negotiation.
Affiliate programs allow groups to focus on developing new variants, negotiations, or other aspects of their attacks, thus enabling role specialization and increasing the number of attacks over time.
And it is paying off. Flare has already detected more ransomware data disclosures in 2023 than in all of 2022, indicating a sharp increase in the number of attacks.
Additionally, because we are reviewing public disclosures, we have likely identified only a minority of all attacks against organizations.
As the ecosystem grows, ransomware groups are becoming more and more aggressive. Groups like Karakurt have been documented not only stealing data but also harassing individual employees and even third parties connected to the organization.
Triple Extortion Ransomware in Context: The Broader Cybercrime Ecosystem
The broader cybercriminal ecosystem is also a key enabler for ransomware groups, offering services such as bulletproof hosting, money laundering, initial access to environments, and employee credentials via stealer logs.
Here are some of the primary ways the broader cybercriminal ecosystem intersects with ransomware groups.
Ransomware groups and initial access brokers
Initial Access Brokers (IABs) are usually active on dark web forums such as Exploit and XSS. An IAB compromises a company's IT infrastructure and auctions the access off on these forums. Listings typically have a starting price, a step (bid increment) price, and a "blitz" or buy-now price.
On many occasions, we have seen access brokers advertise that they have access to the victim's backup and recovery systems, or that the victim has no backup and recovery capability at all. This is further evidence that IABs expect their listings to be used for ransomware.
Stealer Logs: An Important Vector of Ransomware
Stealer logs are another important source of initial access for ransomware groups. They are produced by infostealer malware infections on employee devices.
These logs contain valuable information such as usernames, passwords, and other credentials that can be used to gain unauthorized access to corporate systems.
Ransomware groups may obtain these logs from Telegram channels, dark web forums, or marketplaces, which lets them skip the traditional work of breaking into victims' networks.
A recent Flare analysis uncovered over 50,000 stealer logs containing credentials to corporate single sign-on applications. Stealer logs also contain active session cookies, which can be used to bypass MFA controls.
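The defensive counterpart to the stealer-log risk described above is to triage exposed logs against your own domains and turn each hit into a response action: credential hits need a password reset and MFA re-enrolment, cookie hits need session revocation. The following added example (not Flare's code) does that over constructed sample records; the `example-corp.com` domain and the record layouts are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample stealer-log lines (not real data). Credential lines follow the
# common "url:username:password" layout; cookie lines use a simplified
# Netscape-style "domain<TAB>name<TAB>value" layout.
SAMPLE_CREDENTIALS = [
    "https://sso.example-corp.com/login:j.doe@example-corp.com:Winter2023!",
    "https://mail.personal-webmail.test/:jdoe99:hunter2",
    "https://login.example-corp.com/saml:a.smith@example-corp.com:P@ss:w0rd",
    "garbage line without separators",
]
SAMPLE_COOKIES = [
    ".example-corp.com\tSSO_SESSION\tabc123session",
    ".personal-webmail.test\tsid\tzzz",
]
# Hypothetical corporate domains; a defender substitutes their own list.
CORPORATE_DOMAINS = {"example-corp.com"}


def in_corporate_scope(host, corporate_domains):
    """True when host is one of our domains or a subdomain of one (not a look-alike)."""
    host = host.lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in corporate_domains)


def parse_credential(line):
    """Split 'url:user:password' at the first ':' after the scheme, so passwords
    that themselves contain ':' are preserved. Returns None for malformed lines."""
    scheme_end = line.find("://")
    if scheme_end < 0:
        return None
    split_at = line.find(":", scheme_end + 3)
    if split_at < 0:
        return None
    user, sep, password = line[split_at + 1:].partition(":")
    return (line[:split_at], user, password) if sep else None


def triage(cred_lines, cookie_lines, corporate_domains):
    """Return response actions for every record that touches a corporate domain."""
    findings = []
    for line in cred_lines:
        parsed = parse_credential(line)
        if parsed is None:
            continue
        url, user, _password = parsed  # the password itself is never stored
        host = urlparse(url).hostname or ""
        if in_corporate_scope(host, corporate_domains):
            findings.append({"kind": "credential", "host": host, "account": user,
                             "action": "reset password and re-enrol MFA"})
    for line in cookie_lines:
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        domain, name, _value = parts
        if in_corporate_scope(domain, corporate_domains):
            findings.append({"kind": "session_cookie", "host": domain.lstrip("."),
                             "cookie": name, "action": "revoke active sessions"})
    return findings
```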
Zero-day and dark web marketplaces
The ransomware group CL0P exploited a zero-day vulnerability in MOVEit to make huge profits, claiming hundreds of victims and causing billions of dollars in damage.
Zero-days are believed to be one of the least common forms of access used by ransomware groups, because of the technical sophistication required to find and exploit them and because there are much easier ways to gain access.
Nevertheless, numerous dark web marketplaces, forums, and Telegram channels advertise alleged zero-day exploits for sale.
More sophisticated ransomware groups may also discover their own vulnerabilities rather than buying existing exploits.
Ransomware on the rise
Data extortion ransomware schemes continue to explode in popularity, with new groups appearing every month and dozens of new victim organizations every week.
Building an effective continuous threat exposure management process that covers stealer logs, ransomware leak blogs, illicit Telegram channels, and other cybercrime forums has never been more important.
Ransomware detection and remediation with Flare
Flare is currently monitoring over 50 ransomware groups actively involved in double and triple extortion schemes. Flare’s easy-to-use SaaS platform automates enterprise-specific threat detection across the clear and dark web and illicit Telegram channels.
Sign up for a free trial to learn, in 30 minutes, how Flare strengthens your security program's cybercrime monitoring capabilities.
Sponsored by and written by Flare.