fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Dozens Of Ransomware Gangs Partner With Hackers To Extort Victims

Dozens Of Ransomware Gangs Partner With Hackers To Extort Victims

Ransomware-as-a-service (RaaS) crews are actively looking for affiliates to split profits obtained in outsourced ransomware attacks targeting high profile public and private organizations.

RaaS services are viewed by some as ransomware renting service where the threat actors who breach the targets’ networks pay a fee to use the RaaS crew’s malware. In reality, only the lowest quality ransomware is rented, or sold, in this manner.

The more well-known ransomware gangs run private affiliate programs where affiliates can submit applications and resumes to apply for membership.

For affiliates that are accepted into the program, the ransomware developers receive a 20-30% cut, and an affiliate gets 70-80% of the ransom payments they generate.

REvil private affiliate program
REvil private affiliate program

To encrypt victims’ systems, affiliates will request the services of a hacker who gains access to the targets’ networks, gets domain admin privileges, harvests and exfiltrates files, and then passes all the info needed to gain access and encrypt data back to the affiliates.

Also Read: By Attending This Event You Agree To Be Photographed

The profits originating out of the paid ransoms following each of the attacks will then be split between the RaaS crew, the hackers who breached the network (compromiser), and the ransomware affiliate, usually in equal shares.

Tiers of ransomware gangs

At the moment, there are over two dozen active ransomware-as-a-service gangs that are actively looking to outsource extortion attacks to ransomware affiliates.

As threat intelligence firm Intel 471 says in a report published earlier today, there are also “known private gangs operating in tight, close-knit criminal circles using direct and private communication channels that we have little visibility into.”

The ransomware gangs Intel 471 observed during the last year can be classified into three different groups (or tiers) based on their notoriety and the time they’ve been active for.

They range “from well-known groups that have become synonymous with ransomware, to newly-formed variants that have risen from the failures of old, to completely new variants that may have the ability to unseat the current top-level cabals.”

TIER 1 ransomware gangs are groups who have successfully raked in hundreds of millions in ransoms over the last years.

The vast majority of them are also using additional extortion schemes such as stealing sensitive information from their victims’ networks and threatening to leak it unless the ransom is paid.

LockBit leak site
LockBit leak site

RaaS crews included in the TIER 1 group are DopplePaymer (used in attacks on Pemex, Bretagne Télécom, Newcastle University, Düsseldorf University), Egregor (Crytek, Ubisoft, Barnes & Noble), Netwalker/Mailto (Equinix, UCSF, Michigan State University, Toll Group), and REvil/Sodinokibi (Travelex, New York airport, Texas local govt).

Ryuk is at the top of the rankings, with its payloads being detected in roughly one in three ransomware attacks during the last year.

The group is also known for delivering their payloads as part of multi-stage attacks using Trickbot, Emotet, and BazarLoader infection vectors for an easy way into their targets’ networks.

Ryuk affiliates have also been behind a huge wave of attacks on the U.S. healthcare system and for pulling in huge ransom payments, having collected $34 million from a single victim earlier this year.

TIER 2 RaaS operations have slowly grown to a larger number of affiliates during 2020 and were involved in several confirmed attacks.

Ransomware groups included in this tier are SunCryptContiClopRagnar Locker, Pysa/Mespinoza, AvaddonDarkSide (believed to be a splinter of REvil), and more.

Just as the TIER 1 ransomware gangs, they are also using the data theft extortion tactic as a secondary extortion method.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

NameDate DiscoveredAttack claimsMarkets SoldLeak blog
AvaddonMarch 2020Under 10ExploitYes
ContiAugust 2020142PrivateYes
ClopMarch 2020Over 10N/AYes
DarkSideAugust 2020Under 5ExploitYes
Pysa/MespinozaAugust 2020Over 40N/AYes
RagnarDecember 2019Over 25ExploitYes
RanzyOctober 20201Exploit & XSSYes
SunCryptOctober 2019Over 20MazafakaYes
ThanosAugust 2020Over 5RaidNo

TIER 3 RaaS crews are offering newly created to affiliates but, according to Intel 471, “there is limited to no information on successful attacks, volume of attacks, payments received or cost of mitigation.”

The groups tagged as emerging TIER 3 gangs include Nemty, Wally, XINOF, Zeoticus, CVartek.u45, Muchlove, Rush, Lolkek, Gothmog, and Exorcist.

NameDate DiscoveredNotable IncidentsMarkets SoldLeak blog
CVartek.u45March 2020NoneTorumNo
ExorcistJuly 2020NoneXSSNo
GothmogJuly 2020NoneExploitNo
LolkekJuly 2020NoneXSSNo
MuchloveApril 2020NoneXSSNo
NemtyFebruary 20201XSSYes
RushJuly 2020NoneXSSNo
WallyFebruary 2020NoneNulledNo
XINOFJuly 2020NonePrivate Telegram channelNo
Zeoticus1.0 Dec. 2019, 2.0 Sept 2020NoneXSS/Private channelsNo

Other active RaaS groups

Besides the ransomware gangs listed by Intel 471 as actively seeking partners, BleepingComputer is also aware of other big and emerging RaaS crews.

For instance, Dharma is a long-running RaaS that has been around since 2017 and known as an offshoot of Crysis ransomware, which started operating in 2016.

Dharma does not use data leak sites and there are not wide reports of data being stolen. The ransoms their affiliates collect can range from thousands to hundreds of thousands of U.S. dollars.

LockBit, another high-profile RaaS operation, surfaced in September 2019 as a private operation targeting enterprises and later observed by Microsoft while used in attacks healthcare and critical services.

The LockBit gang partnered with Maze to create an extortion cartel to share the same data leak platform during attacks, as well as to exchange tactics and intelligence.

LockBit ransomware actors also take as little as five minutes to deploy payloads after gaining access to the victim network.

Other RaaS operations left outside of Intel 471’s tiers are RagnarokCryLockProLockNefilim, and Mount Locker, with all of them known to be active and involved in recent attacks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us