We are at a point in time when cyber criminals including ransomware gangs have established themselves as organised, illicit businesses rather than a one-person hacking operation. More and more ransomware groups have emerged and existing ones continue to prosper in terms of repeatedly attaining success with breaching prominent organisations.
The increased success of ransomware gangs, extortion groups, and DDoS attackers is by no means accidental. Behind a fancy group name is an organised structure comprising threat actors at different layers working in synchrony to fulfil the end goal, with each getting their cut.
With evolving cyber attacks employing newer tactics and techniques, what is there to say the key roles assumed by cyber criminals? Below are some key roles assumed by threat actors that have evolved over time.
Initial access brokers (IABs)
Initial access brokers (IABs) refer to the class of threat actors who sell access to enterprise networks to a viable buyer. This is done through data breach marketplaces, forums, or closed messaging app channels and chat groups.
IABs, however, do not necessarily perform subsequent damaging activities such as data exfiltration, encryption, and deletion. It is for the buyer to decide how they plan on abusing this access — whether to steal trade secrets, deploy ransomware, install spyware, or leak data.
“In the past, initial access brokers (IABs) mainly used to sell company access to criminals intending to destroy a company’s data, or steal IPs, or financial data from the compromised companies,” said Ben Richardson, senior software engineer at Cloud RADIUS, a passwordless authentication provider for cloud.
“They weren’t in such high demand back then, mainly because the volume of attacks was low. They were normally hired by business competitors for espionage and theft.”
Richardson states that the ransomware era has caused an “exponential increase” in the demand for IABs. These brokers now find new business through ransomware gangs hiring IABs to compromise target companies so the gang can begin encrypting sensitive files and destroying back-ups.
In the current context, the term “x-as-a-service” often materialises as ransomware as a service (RaaS) or malware as a service (MaaS) platforms that constitute a relatively newer business model. Much like the software-as-a-service (SaaS) model, RaaS is a method of providing ransomware tools, phishing kits, and IT infrastructure for a fee to “affiliates” looking to conduct attacks.
“In this model, these providers may remain legally safe, since as providers they aren’t responsible for how their service is used,” added Logan Gilbert, global solutions architect at Deep Instinct.
Being a service provider, these groups may earn a cut regardless of success of customer attacks. “They are truly a service provider, and realising operational value is up to their customers.”
In the past, conducting a full-scale attack operation warranted cyber criminals to be skilled hackers, but x-as-a-service models have loosened such barriers to entry. “Initially, cyber criminals were skilled hackers who generally conducted full-scale operations on their own,” said David Kuder, senior cyber threat intelligence analyst at CriticalStart.
“This was very resource intensive and came with a lot of risk. In recent years, cyber criminals have turned to ‘big game hunting,’ targeting large organisations and raking in huge profits.
"As this strategy began to catch on, more cyber criminals moved into the x-as-a-service space to include initial access brokers, ransomware as a service, and malware as a service to name a few. The increase in x as a service made it possible for a cyber criminal to be skilled in only one domain, while leveraging the services of all other groups.”
Ransomware affiliates can be seen as versatile “contractors” hired by ransomware groups to perform operational tasks: from buying initial access into networks from IABs or simply procuring stolen credentials and data dumps that could aid in reconnaissance, to executing the attack.
After executing a successful attack and extortion, ransomware affiliates earn a commission from the ransom amount paid by the victim to the larger ransomware operation. To speed up their attacks, affiliates may rent RaaS platforms to encrypt files with “rented ransomware,” and intensively employ any and all existing tools, services and exploits at their discretion.
“For a low fee, affiliates gain access to a product and service that otherwise they would have to develop and manage themselves," said DeepInstinct’s Gilbert.
"Additionally, affiliates have access to IABs and already compromised organisations available at a price. This significantly lowers the barrier to entry for an affiliate. Affiliates now can focus on operational aspects of extorting an organisation."
Malware and exploit developers
This class of threat actors create exploits for zero-day or known vulnerabilities that go beyond just proof-of-concept (PoC) exercises. These actors may also develop malware that packs exploits for multiple vulnerabilities within, as we have seen with Gitpaste-12 packing anywhere from 12 to over 30 exploits.
Many ransomware attacks may also begin with the attackers deploying code to target popular access appliances, applications, VPNs, and individual software components, such as Log4j, embedded deep within applications.
In earlier days, malware and exploit developers may have ranged from “script kiddies” to sophisticated hackers, but over time as collaboration between threat actors increased, much of the sophisticated malware development happens within development teams, with software development lifecycles and documentation, as one would expect to see from a legitimate software business, said Gilbert.
Gilbert’s take is further substantiated by recent leaks that throw spotlight on the inner workings of ransomware groups. Last year, a disgruntled Conti (Ryuk) gang affiliate leaked the group’s proprietary data including pen-testing tools, manuals written in Russian, training material, and documents that are reportedly provided to the ransomware group’s affiliates.
Similarly, a purported Babuk ransomware admin also leaked the group’s Visual Studio project files and source code that, with regards to their organisation, reflect the structure followed by legitimate software companies.
On a separate note, the rise in cryptocurrency usage and its mainstream adoption have given platform to a “niche” class of exploit developers.
Developers proficient in cryptography with an advanced understanding of blockchain protocols may exploit zero-days and unpatched vulnerabilities in these crypto platforms before these are patched. The practice has become rampant and evident from major cryptocurrency hacks.
In February, Wormhole’s $326 million crypto heist case stemmed from an unpatched vulnerability given away by the project’s GitHub commits visible to anyone.
Poly Network suffered the “largest DeFi hack” last year resulting in $611 million crypto theft by a supposed white hat hacker who wanted to shed light on security vulnerabilities lurking in the platform. This year’s $34 million hack at Crypto.com is another example of more niche exploit developers emerging with evolving times.
Advanced persistent threat groups
The term “advanced persistent threat” (APT) has traditionally described nation-state threat actors or state-backed cyber crime groups with a specific goal — sabotage or political espionage over an extended period of time, if not simply financial gain. Now, tactics used by APTs are being adopted by unaffiliated threat actors as well.
APTs often use custom-designed malware with extensive surveillance and stealth capabilities. One of the most well-known APT attacks of all time is the Stuxnet incident that exploited multiple Windows zero-day vulnerabilities of the time to infect computers, spread itself and cause real-world damage to centrifuges at nuclear power plants.
The “extremely sophisticated computer worm” is believed to have been created by U.S. and Israeli intelligence agencies working in collaboration.
A more recent example of APT targeting industrial control systems is the TRITON malware. Uncovered in 2017, TRITON was caught after it hit a Saudi Arabian petrochemical plant with the possible goal of causing an explosion. Luckily, a bug in the malware code triggered emergency shutdown of critical systems and thwarted the attack.
APTs are by no means limited to exploitation of just physical appliances though, and a most APT campaigns employ spear-phishing attacks to infiltrate the network, silently propagate the payload, exfiltrate data, plant persistent backdoors, and conduct covert surveillance on their victims.
“APT groups have gone from being short-sighted in their goals and objectives to being stealthier and more strategic,” said John Fung, Director of Cybersecurity Operations at MorganFranklin Consulting.
He pointed to the troubling trends of APTs moving to compromise upstream software and source code, as we have seen with the SolarWinds supply chain attack, which after much debate among U.S. government officials, was attributed to Russia-backed hackers.
“Particularly troubling is the trend we are seeing toward moving the compromise further upstream with third-party vendors, and then corrupting ‘legitimate’ software with their own payloads," he added. "I see this as a high-impact, low frequency event that organisations have to guard rail against in different ways based on risk profile and tolerance.”
Data or information brokers
The terms “data broker” or “information broker” (IB) refers to both legitimate class of service providers and illicit actors.
For example, legitimate IBs and data aggregation services may procure data from public sources such as court records, land registries and property sale records, social media profiles, phone directories, business incorporation registers, and marriage records, to compile intel on people and businesses. This information may then be lawfully shared with marketers, researchers, and businesses for a fee.
Malicious data brokers, on the other hand, engage in illegal practices such as selling hacked materials and confidential data dumps on dark web and data breach marketplaces. In fact, Kuder links the practice of data brokerage all the way up to the IAB chain, in what can be described as a unique affiliation arrangement.
IAB professionalisation has been driven by the rapid growth of RaaS model in recent years. Such RaaS offerings are developed by well-established APT groups like Wizard Spider (RYUK RaaS), Gold Southfield (REvil RaaS) and FIN7 (DarkSide RaaS).
“As part of this offering, [such APT/RaaS groups] provide support, portal access, monthly subscriptions to their customers, and often engage in affiliation with customers," Kuder said. "In such affiliation agreements, RaaS groups will take a percentage of the profits any affiliate earns from ransoming a target.
"In addition to ransoming sensitive data, many of these groups also compromise employee/customer information of the organisations they target. Sensitive information is exfiltrated and posted on one of many sites on the dark web. This is referred to as data brokerage. This data can include SSNs, credit card information, purchase history and account credentials, and is sold along with other offerings."
Criminal underground “a natural competitive business environment”
While the cyber crime landscape might have been much simpler to decipher years ago, the different key roles assumed by actors: from IABs to exploit developers to “as-a-service” providers evolved from “opportunities to monetise specific phases of the attack chain,” and limiting the need for actors to be proficient in all aspects of conducting an attack operation, said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security.
Previously attackers would execute an entire attack independently. The task was often time consuming and did not guarantee successful outcomes.
Individuals and groups soon found their niche over time, and “realised that they could exponentially increase their profits by selling one part of the attack chain or selling the same malware (with different configurations) to a wider group of buyers,” said Schmitt. “Through this model they were able to make more money while doing substantially less work.”
Schmitt said as different groups assumed mainstream roles in the criminal underground a natural competitive business environment emerged which led to the creation of competing groups and a series of natural markets.
“As these markets became more robust, the bar to entry for conducting criminal cyber operations was lowered and resulted in less technical actors being able to conduct their own criminal operations.”