Researchers at cyber security companies Sophos and Trend Micro have been sharing fresh intelligence on the activities of the cyber underground, revealing how the sheer scale of the criminal economy is increasingly giving rise to various cyber criminal groups offering their talents on an as-a-service basis.
The rise of ransomware-as-a-service is probably the most widely known of these offerings, and this is the subject of a new Sophos report assessing how the “gravitational force” of the ransomware black hole is pulling in other types of threat to form a massive, interconnected system dedicated to servicing the ransomware economy. It said this was likely to have significant implications for IT security in 2022.
Sophos predicts that in 2022 the ransomware landscape will become both more modular and, at the same time, more uniform, with various groups of specialists offering themselves as hired guns and providing playbooks with tools and techniques that enable different threat groups to implement attacks that seem, on the surface, to be very similar.
This will, to some extent, be the natural evolution of the trend towards ransomware-as-a-service (RaaS) observed pretty much across the board during 2021.
“Ransomware thrives because of its ability to adapt and innovate,” said Chester Wisniewski, principal research scientist at Sophos. “For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers.
“This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies and negotiators,” he said.
“They’re now offloading to others the tasks of finding victims, installing and executing the malware, and laundering the pilfered cryptocurrencies,” said Wisniewski. “This is distorting the cyber threat landscape, and common threats, such as loaders, droppers, and Initial Access Brokers that were around and causing disruption well before the ascendancy of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware.”
Meanwhile, Trend Micro has been tracking a gang of cyber mercenaries focused on making money from breaking into email and social media accounts and selling on the personal and financial data it obtains to other malicious actors.
The group has been active since 2018 and recruits its affiliates through Russian-language cyber forums, where it also has a slew of unanimously positive reviews. It self-identifies as Rockethack, but Trend Micro researchers have dubbed the gang Void Balaur – a balaur being a many-headed dragon, akin to a hydra, in Romanian folklore, which appears in some versions of the St George and the Dragon myth.
“Cyber mercenaries are an unfortunate consequence of today’s vast cyber crime economy,” said Feike Hacquebord, senior threat researcher for Trend Micro.
“Given the insatiable demand for their services and harbouring of some actors by nation states, they’re unlikely to go away anytime soon. The best form of defence is to raise industry awareness of the threat in reports like this one and encourage best practice cyber security to help thwart their efforts.”
Charges for activities
The gang’s charges for its activities range from about $20 (£15/€17.40) for stolen credit card histories, to $69 for traffic camera shots, and $800 for call histories with cellular tower locations.
The firm’s analysts say Void Balaur may have targeted close to 4,000 organisations and individual targets, including activists, cryptocurrency enthusiasts, doctors, journalists, scientists, and even IT and telco staff.
More recently, it has been branching out and becoming bolder, targeting the former head of an intelligence agency, active government ministers and over a dozen members of various European parliaments.
Known business targets include telecoms companies, ATM suppliers, financial services companies, medical insurers and even IVF clinics.
The researchers noted that some of its targets also seem to overlap with those of the Russian state-backed advanced persistent threat group tracked variously as Pawn Storm, APT28 or Fancy Bear. This may not necessarily indicate a clear link, but many in the threat intel community are more vocally expressing the theory that the Russian government leans on financially motivated cyber crime groups to handle some of its cyber activities from what might be termed a safe distance.
Trend Micro said there were thousands of indicators of compromise associated with Void Balaur – which are available to customers – but it most commonly accesses its targets through phishing campaigns, often delivering information-stealing malware such as Z*Stealer and DroidWatcher.