Ransomware operators now outsource network access exploits to speed up attacks
Ransomware operators are now turning to network access sellers in their droves to cut out a difficult step in the infection process.
On Monday, Accenture’s Cyber Threat Intelligence (CTI) team released new research on emerging cybersecurity trends, including an investigation into the nature of relationships between ransomware operators and exploit sellers.
According to Accenture senior security analysts Thomas Willkan and Paul Mansfield, buying network access points and already compromised ways to infiltrate a target system are rising in popularity, including the purchase of stolen credentials and vulnerabilities.
During attacks, ransomware operators must first find an entry point into a network. Compromised employee accounts, misconfigurations in public-facing systems, and vulnerable endpoints may all be used to deploy this particular family of malicious code, leading to the encryption of files, disks, and a demand for payment in return for a decryption key.
It is hard to estimate how many successful ransomware attacks have taken place this year. Europol believes that these specific attacks often go unreported, with only major incidents — such as the recent death of a woman in need of urgent care who was forced to divert from Duesseldorf hospital due to a ransomware infection — becoming public knowledge.
Paying a ransom these days can reach six-figure sums, or more, depending on the target and their estimated worth. Now, ransomware groups are seeking to cut out the initial access stage of an attack, speeding up the process — and potentially the opportunity for illicit revenue.
Network access sellers typically develop an initial vulnerability and then sell their work in underground forums for anywhere between $300 and $10,000.
The majority of network access offerings in the underground will include the target by industry and the type of access, ranging from Citrix to Remote Desktop Protocol (RDP), and may also document the number of machines detected on the network.
“Since the start of 2020 and the emergence of the now-popular “ransomware with data theft and extortion” tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise,” the researchers say. “A successful ransomware attack hinges on the development and maintenance of stable network access which comes with a higher risk of detection and requires time and effort. Access sellers fill this niche market for ransomware groups.”
As of September this year, Accenture has tracked over 25 persistent network access sellers — alongside the occasional one-off — and more are entering the market on a “weekly basis.”
Many of the sellers are active on the same underground forums haunted by ransomware groups including Maze, NetWalker, Sodinokibi, Lockbit, and Avaddon.
Sellers have now begun touting their offerings on single forum threads, rather than separate posts, and RDP remains a popular option for network access. In an interesting twist, rather than sell-off a zero-day vulnerability to one seller, some traders are using these unpatched bugs to exploit numerous corporate networks and sell access to threat actors in separate bundles to generate additional revenue.
Citrix and Pulse Secure VPN clients are also being mentioned in adverts.
“Network access sellers are taking advantage of remote working tools as more of the workforce works from home as a result of the COVID-19 pandemic,” Accenture says. “This symbiotic relationship [sellers and cyberattackers] facilitates continuous targeting of government and corporate entities and streamlines the network compromise process, allowing cyber criminals to act quicker and more efficiently.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0