Cybercrime is fast becoming a professional services-based industry, according to the WithSecure report.
The success of ransomware has set in motion a profound shift across the cybercrime industry. Various groups are developing specialized tools that they offer “as-a-service,” flooding the market. Professional cybercrime is taking on a new dimension as a result, and it continues to advance.
Low-skilled lone wolves and national APTs
“Every cybercrime group obviously wants to increase its share of the abundant revenue generated by the ransomware industry. To do so, they buy services from specialized cybercrime vendors. This is the same outsourcing as we know it in the traditional economy. It is simply about increasing their own profits,” explains Rüdiger Trost, cybersecurity consultant at WithSecure. “This range of services and information is being used by more and more threat actors. This ranges from low-skilled lone wolves to national APTs. There was, of course, cybercrime before there was ransomware. But ransomware brings a tremendous additional thrust to the evolution of the industry.”
WithSecure’s report, “The Professionalization of Cyber Crime,” highlights a notable example of this evolution in more detail. In this incident, an organization was compromised by five different threat actors. All attackers had different goals and represented different segments of the cybercrime industry:
- The ransomware group Monti
- Qakbot malware-as-a-service
- The cryptojacking group 8220 Gang (also known as Returned Libra)
- An unnamed initial access broker (IAB)
- A subgroup of the Lazarus Group. Lazarus’ highly professional hackers have been operating for some time and are associated with North Korea’s intelligence service.
Access to expertise and services for attacks
According to the report, this professionalization and diversification of the industry is now giving less skilled threat actors, or those with insufficient resources of their own, access to expertise and services to attack companies. Because of this, WithSecure analysts believe it is likely that both the number of attackers and the size of the cybercrime industry as a whole will continue to grow in the coming years.
“We often talk about the damage ransomware attacks cause to victims. However, we should pay better attention to how ransomware provides attackers with additional resources and how that fuels the trend toward professionalization of the industry described in the report. In the near future, this changing ecosystem is likely to influence the resources and types of attacks defenders face,” Trost added.
Multiple extortion methods at once
Ransomware has been around for decades, but the attack strategy has continually adapted over the years as defenses have improved. One notable development is the current dominance of ransomware groups that use multiple extortion methods simultaneously: they both encrypt the data to prevent access to it and steal it. By threatening to make the stolen data public, they increase the pressure on victims to pay the demanded ransom.
An analysis of more than 3,000 data leaks by ransomware groups using this strategy found that organizations in the United States were the most frequent victims of the attacks, followed by Canada, the United Kingdom, Germany, France and Australia. Overall, organizations in these countries accounted for three-quarters of the data leaks included in the analysis.
The construction industry was the most affected, accounting for 19 percent of the incidents analyzed. Automotive companies, on the other hand, accounted for only about 6 percent of the leaks. A broad range of other industries falls between these two. One reason for this is that, according to the study, some hacker groups have specialized in individual sectors of the economy.