Ransomware operators buy access to compromised networks from intermediaries
Ransomware operators looking for victims are increasingly turning to intermediaries: brokers who sell access to the already-compromised networks of various organizations on darknet forums. According to a report by the cybersecurity company Digital Shadows, demand for this service has grown significantly over the past two years as the ransomware-as-a-service (RaaS) business model has spread, and a sharp spike in RaaS affiliates seeking out access brokers has been observed over the past six months.
The broker's job is to supply the initial access and reconnaissance an attack needs, and to streamline the process so that the operator can deploy its ransomware into the target network with as little effort as possible.
“Ransomware affiliates face the daunting task of continually finding victims in order to generate a stream of profits. If an affiliate does not meet the developer's requirements, they are excluded from the affiliate program and lose money,” said Alec Alvarado, head of the research team at Digital Shadows.
The process begins with identifying vulnerable targets. As a rule, brokers scan the Internet indiscriminately with tools such as Shodan or Masscan, looking for exposed ports; they may also run vulnerability scanners to find potential entry points.
In many cases, brokers single out victims with Remote Desktop Protocol (RDP) exposed to the Internet. They also offer access to target organizations' networks through Citrix gateways and domain controllers. Access through gateways is obtained by brute-forcing credentials and by exploiting known vulnerabilities in Citrix products.
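The practical check a defender wants for the RDP path described above is whether an exposed host is being password-guessed and, more importantly, whether one of those guesses eventually succeeded, which is the moment a broker has something to sell. The following Python is an added example, not code from the Digital Shadows report; it runs over a constructed set of Windows Security events (ID 4625, failed logon, and 4624, successful logon), keeps a sliding window of failures per source address, and flags a later success from a source that was already over the threshold. The sample events, the threshold and window values, and the source addresses are all assumptions for illustration.

```python
"""RDP password-guessing detection over Windows Security log events.

Added example (not from the Digital Shadows report). It reads 4625 (failed
logon) and 4624 (successful logon) events, keeps a sliding window of failures
per source IP, flags a source once the window reaches a threshold, and then
flags any later success from the same source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types produced by RDP: 10 = RemoteInteractive; when Network Level
# Authentication is enabled, failed attempts are recorded as type 3 (Network).
RDP_LOGON_TYPES = {10, 3}

# Constructed sample events (not real log data). Tuple fields mirror the
# Security log EventData: TimeCreated, EventID, LogonType, TargetUserName, IpAddress.
SAMPLE_EVENTS = [
    ("2020-09-01T02:00:01", 4625, 10, "administrator", "198.51.100.23"),
    ("2020-09-01T02:00:09", 4625, 10, "admin",         "198.51.100.23"),
    ("2020-09-01T02:00:17", 4625, 10, "administrator", "198.51.100.23"),
    ("2020-09-01T02:00:25", 4625, 10, "backup",        "198.51.100.23"),
    ("2020-09-01T02:00:33", 4625, 10, "svc_backup",    "198.51.100.23"),
    ("2020-09-01T02:00:41", 4625, 10, "svc_backup",    "198.51.100.23"),
    ("2020-09-01T02:01:02", 4624, 10, "svc_backup",    "198.51.100.23"),  # guess succeeded
    ("2020-09-01T08:15:00", 4625, 10, "jsmith",        "10.0.0.5"),       # single typo
    ("2020-09-01T08:15:20", 4624, 10, "jsmith",        "10.0.0.5"),
    ("2020-09-01T09:00:00", 4625, 2,  "jsmith",        "-"),              # console logon, not RDP
    ("2020-09-01T11:00:00", 4625, 10, "guest",         "203.0.113.9"),    # below threshold
    ("2020-09-01T11:00:30", 4625, 10, "guest",         "203.0.113.9"),
    ("2020-09-01T11:01:00", 4625, 10, "guest",         "203.0.113.9"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return a per-source report.

    report[ip] = {
        "failures":      total failed RDP logons seen from ip,
        "accounts":      set of usernames tried from ip,
        "flagged_at":    time the sliding window first reached `threshold`, or None,
        "success_after": (time, account) of the first 4624 after flagging, or None,
    }
    Events are processed in timestamp order regardless of input order.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    report = {}
    for ts_str, event_id, logon_type, account, ip in sorted(events):
        if logon_type not in RDP_LOGON_TYPES or ip in ("-", ""):
            continue  # console/service logons carry no usable source address
        ts = datetime.fromisoformat(ts_str)
        entry = report.setdefault(ip, {"failures": 0, "accounts": set(),
                                       "flagged_at": None, "success_after": None})
        if event_id == 4625:
            entry["failures"] += 1
            entry["accounts"].add(account)
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and entry["flagged_at"] is None:
                entry["flagged_at"] = ts
        elif (event_id == 4624 and entry["flagged_at"] is not None
              and entry["success_after"] is None):
            entry["success_after"] = (ts, account)
    return report


def alerts(report):
    """Render the report as alert lines, most severe first."""
    lines = []
    for ip, e in report.items():
        if e["success_after"] is not None:
            ts, account = e["success_after"]
            lines.append(f"CRITICAL {ip}: successful RDP logon as {account!r} at "
                         f"{ts.isoformat()} after {e['failures']} failures across "
                         f"{len(e['accounts'])} accounts")
        elif e["flagged_at"] is not None:
            lines.append(f"HIGH {ip}: {e['failures']} failed RDP logons, threshold "
                         f"reached at {e['flagged_at'].isoformat()}")
    return sorted(lines, key=lambda s: 0 if s.startswith("CRITICAL") else 1)


if __name__ == "__main__":
    for line in alerts(detect_rdp_bruteforce(SAMPLE_EVENTS)):
        print(line)
```

On the sample data only 198.51.100.23 is reported, as a CRITICAL finding, because it crossed the threshold and then logged on successfully; the single failed attempt from 10.0.0.5 and the three slow attempts from 203.0.113.9 stay below the default threshold. Logon type 3 is included deliberately: with Network Level Authentication enabled, failed RDP attempts never reach the RemoteInteractive stage and are logged as Network logons, so filtering on type 10 alone misses the guessing phase entirely.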
Once they have a foothold in a compromised network, brokers map it out: they escalate privileges or move laterally to determine what data they can reach. The resulting information is then organized, packaged into a presentable listing, priced, and put up for sale.
The price of each such listing ranges from $500 to $10,000. The higher the revenue of the compromised organization, the more expensive the access, and the larger the ransom that can later be demanded.
Buyers of such access can do far more than deploy ransomware. They can engage in industrial espionage, steal research and development work, intellectual property and other confidential data, escalate their privileges, move laterally, and persist in the network for a long time using the legitimate tools already present on it.