The Proofpoint threat research team recently released new findings detailing how ransomware threat actors are operating today. What they've uncovered is a process of buying and selling access to targets for financial gain.
Ransomware attacks still use email, but not in the way you might think. Ransomware operators now buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains.
Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize to the tune of greater profits for all—except, of course, the victims.
Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, spoke to TickerTV in Australia and shared that “we've seen increasing professionalization and we've also seen a sort of segmentation. For most organizations, there's only going to be three ways that ransomware gets in and the number one way is still email phishing. What we have seen is that about 10 different groups that we track closely have really started to formalize their operations, where they have a multistage process to compromising an organization and then monetizing that access often either directly or through a ransomware-as-a-service operator to then unfortunately execute very damaging cyber attacks.”
How do ransomware affiliate networks operate?
Ransomware-as-a-service operators, or affiliates, develop software much like Microsoft, Salesforce, or many of the large development organizations we all rely on. As such, they recruit a wide range of people around the world who can either launch a phishing attack, find a vulnerable device, or steal a simple password combination that is their way in.
The largest operations tend to send millions of phishing emails, thereby acquiring a wide range of targets that they can then hold to ransom by stealing and encrypting their data. This is an interesting development in the market because it changes the threat profile for most larger organizations.
Ransomware threat actors currently carry out “big game hunting,” conducting open-source surveillance to identify high-value organizations, susceptible targets, and companies’ likely willingness to pay a ransom. Working with initial access brokers, ransomware threat actors can leverage existing malware backdoors to enable lateral movement and full domain compromise before successful encryption.
An attack chain leveraging initial access brokers could look like this:
- A threat actor sends emails containing a malicious Office document
- A user downloads the document and enables macros which drops a malware payload
- The actor leverages the backdoor access to exfiltrate system information
- At this point, the initial access broker can sell access to another threat actor
- The actor deploys Cobalt Strike via the malware backdoor access, which enables lateral movement within the network
- The actor obtains full domain compromise via Active Directory
- The actor deploys ransomware to all domain-joined workstations
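As an added illustration of how a defender can spot the macro-to-backdoor step of this chain (example code written for this article, not Proofpoint's own; the event format, hostnames and addresses are constructed), the script below correlates process-creation and network events per host and flags an Office application spawning a script interpreter that then calls out within a short window:

```python
"""Toy correlation for steps 2-3 of the attack chain above.

Input is a constructed, pipe-delimited event stream (not a real EDR
format): proc events carry parent|child|pid, net events carry
pid|dst_ip|dst_port. A hit means an Office app spawned an interpreter
and that child made an outbound connection shortly afterwards.
"""
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample events: timestamp|host|type|fields...
SAMPLE_EVENTS = """\
2021-06-01T09:00:01|ws01|proc|winword.exe|excel.exe|1234
2021-06-01T09:00:05|ws01|proc|excel.exe|powershell.exe|4321
2021-06-01T09:00:09|ws01|net|4321|203.0.113.10|443
2021-06-01T09:10:00|ws02|proc|excel.exe|cmd.exe|777
2021-06-01T10:30:00|ws02|net|777|198.51.100.7|8080
2021-06-01T11:00:00|ws03|proc|explorer.exe|powershell.exe|900
2021-06-01T11:00:02|ws03|net|900|203.0.113.10|443
"""

def parse_events(text):
    """Parse lines into (time, host, kind, fields), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, *fields = line.split("|")
        events.append((datetime.fromisoformat(ts), host, kind, fields))
    return sorted(events, key=lambda e: e[0])

def find_macro_callouts(text, window=timedelta(minutes=5)):
    """Return (host, parent, child, dst_ip) for each suspicious chain."""
    suspects = {}  # (host, pid) -> (spawn time, parent, child)
    hits = []
    for ts, host, kind, fields in parse_events(text):
        if kind == "proc":
            parent, child, pid = fields
            if parent.lower() in OFFICE_APPS and child.lower() in INTERPRETERS:
                suspects[(host, pid)] = (ts, parent, child)
        elif kind == "net":
            pid, dst_ip, _port = fields
            spawn = suspects.get((host, pid))
            # Only a call-out soon after the spawn counts as the same chain
            if spawn and ts - spawn[0] <= window:
                hits.append((host, spawn[1], spawn[2], dst_ip))
    return hits

if __name__ == "__main__":
    for hit in find_macro_callouts(SAMPLE_EVENTS):
        print("suspicious macro chain:", hit)
```

In the sample, only ws01 is flagged: ws02's call-out falls outside the window and ws03's interpreter was not launched by an Office application.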
What can companies do to prevent ransomware infections?
These attackers are not doing anything innovative from a technical perspective.
“If you get an email with an attachment, that attachment has a spreadsheet, that spreadsheet asks you to do what is called enabling macros, that little yellow bar at the top, please, please, please do not click on that,” offers Kalember.
If you are a large organization, you certainly want to train your people to recognize these sorts of threats, which at their core come down to the simple exploitation of human vulnerability. With email remaining the dominant way ransomware gets into most organizations, it is about investing in technical means to stop malicious email. But it is also important to invest in the human side of things through security awareness training, to make employees more resilient to the social engineering lures that fuel these attacks.
For more on Proofpoint’s Targeted Attack Protection, visit: