How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing

Victoria Kivilevich, Threat Intelligence Analyst

An average ransomware payment now equals $178,254, which is +60% from Q1 2020. The sum has grown not only because of the continually increasing activity of ransomware operators, but also due to their efforts in finding new ways of monetizing their malicious activities and threatening victims. These new TTPs include:

  • Stealing data and requesting double ransoms;
  • Collaborating with other ransomware gangs;
  • Using stolen data to attack other victims;
  • Selling stolen data on auctions;
  • Notifying media, as well as victims’ partners and clients about leaks;
  • Scraping credit cards.

 

Novel tactics were adopted not only by infamous gangs such as Maze and Sodinokibi (REvil), but also by less-popular runner-ups, such as Netwalker, Ragnar Locker, Ako, and others.

KELA is regularly monitoring these ransomware gangs’ blogs and observes an average of 10-20 new victims each week – implying that the actual number of victims can be much higher since we’re only seeing the victims who did not pay a ransom. In addition, there are those who cooperated with cybercriminals and therefore did not appear in the blogs.

The following piece will focus on how the ransomware operators diversify their schemes and implement so-called “marketing efforts,” related to threatening victims, in order to gain more profits.

Torum is Dead. Long Live CryptBB?

Victoria Kivilevich, Threat Intelligence Analyst

On August 9, 2020, Torum’s administrator announced the forum is shutting down. What was this forum, and will its users find alternatives? KELA explored various darknet sources, as well as Torum itself, to find out. Here is a summary of our findings:

  • Torum was an English-speaking underground forum that posed as a nonprofit cybersecurity website. While both its members and users of other forums agreed Torum was a good place to discuss cybersecurity and learn hacking methods, the site was overwhelmed by newbies and scammers who damaged its reputation.
  • Torum’s administrator announced he is closing the forum because he lost interest in supporting it.
  • Torum was an active, stable community, which will likely be missed by users. The forum has a few alternatives in the darknet, including CryptBB, which recently became public. This post will explore what distinguished Torum and what darknet chatter reveals about possible alternatives.
  • As users struggle to find new forums with a decent community, it is crucial to continue tracking these sources to understand new trends and TTPs, and proactively mitigate potential risks emerging from them.

The Secret Life of an Initial Access Broker

Victoria Kivilevich, Threat Intelligence Analyst and Raveed Laeb, Product Manager

  • Recently, ZDNet exclusively reported a leak posted on a cybercrime community containing details and credentials of over 900 enterprise Secure Pulse servers exploited by threat actors
  • Since this leak represents an ever-growing ransomware risk, KELA delved into both the leak’s content and the actors who were involved in its inception and circulation
  • This short research targets a specific tier of cybercriminal actors – Initial Access Brokers. These are mid-tier actors who specialize in obtaining initial network access from a variety of sources, curating and grooming it into a wider network compromise – and then selling them off to ransomware affiliates
  • With the affiliate ransomware network becoming more and more popular and affecting huge enterprises as well as smaller ones, initial access brokers are rapidly becoming an important part of the affiliate ransomware supply chain
  • The list leak mentioned above seems to have been circulating between several initial access brokers in cybercrime forums, and have been exposed by a LockBit affiliate who regarded the actors as unprofessional
  • This event showcases the breadth of information that’s exchanged on cybercrime communities and, in KELA’s eyes, emphasizes the need for scalable and targeted monitoring of underground communities

Back to School: Why Cybercriminals Continue to Target the Education Sector | Part One

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

Just a few of the major headlines regarding the education sector have looked like this over the last couple of months:

Blackbaud Hack: Universities Lose Data to Ransomware Attack

The University of California Pays $1 Million Ransom Following Cyber Attack

University of York Discloses Data Breach, Staff and Student Records Stolen

The past year has seen a rise in the amount of education-related institutions that have been affected by cyberattacks. In 2019 alone, the K-12 cyber incident map reported that 348 schools have publicly-disclosed that they’ve been a victim of a cyberattack. That’s just in the United States and doesn’t even take into account the universities and colleges, which would by all means cause those numbers to escalate.

These statements got us wondering.

  • Are underground threat actors actively looking for and interested in targeting organizations in the education sector?
  • What types of attacks are we seeing affecting the education sector?
  • What have been some of the recent attempted attacks that we’ve seen in the underground ecosystem?
  • Are these targeted attacks on the universities themselves or are they stemming from access through a third-party provider?

These are all questions that will be addressed throughout this blogpost.

Back to School: Why Cybercriminals Continue to Target the Education Sector | Part One

Victoria Kivilevich, Threat Intelligence Analyst and Sharon Bitton, Marketing Content Manager

Just a few of the major headlines regarding the education sector have looked like this over the last couple of months:
Blackbaud Hack: Universities Lose Data to Ransomware Attack
The University of California Pays $1 Million Ransom Following Cyber Attack
University of York Discloses Data Breach, Staff and Student Records Stolen
The past year has seen a rise in the amount of education-related institutions that have been affected by cyberattacks. In 2019 alone, the K-12 cyber incident map reported that 348 schools have publicly-disclosed that they’ve been a victim of a cyberattack. That’s just in the United States and doesn’t even take into account the universities and colleges, which would by all means cause those numbers to escalate.
These statements got us wondering.

  • Are underground threat actors actively looking for and interested in targeting organizations in the education sector?
  • What types of attacks are we seeing affecting the education sector?
  • What have been some of the recent attempted attacks that we’ve seen in the underground ecosystem?
  • Are these targeted attacks on the universities themselves or are they stemming from access through a third-party provider?

These are all questions that will be addressed throughout this blogpost.