Light Dark
September 1, 2021 By David Bisson 2 min read
News

Ransomware gangs have a new technique to recruit affiliates: posting announcements on their own data leaks websites. This provides a look into today’s so-called ransomware-as-a-service (RaaS), in which people can pay to have some of the work automated for them. This shift has come about in large part because two major ransomware forums banned gangs from promoting their RaaS schemes.

Take a look at what types of messaging a few groups are using on their sites to invite attackers in.

Boasting and Warnings Abound

In late June, the LockBit group announced a new version of their ransomware strain on their data leaks site. The malware authors announced a new recruitment session at the same time as their announcement of LockBit 2.0.

The gang claimed their product carried “unparalleled benefits [including] encryption speed and self-spread function.” All an affiliate needed to do in an attack was “get access to the core server, while LockBit 2.0 will do all the rest.” Then, the infection would spread to all devices on the domain network, they stated.

The Himalaya RaaS gang began looking for new recruits on its data leaks site at around the same time. The gang claimed that affiliates could keep 70% of whatever profits they made in their attacks using the authors’ “already configured and compiled FUD [Fully UnDetectable]” malware. The group also imposed limits, saying that affiliates were not allowed to target health care organizations, non-profits and public entities.

Digital Crime Forums Not as Friendly as Before

The LockBit and Himalaya groups’ new recruitment tactic reflects a larger change in the crypto-ransomware threat landscape. This change first became evident in mid-May 2021 following a high-profile ransomware infection involving a pipeline company. As reported by KrebsonSecurity, an admin on the Russian digital crime forum XSS announced that the forum would no longer allow members to post about ransomware programs like for-profit RaaS schemes.

Around that same time, the Exploit digital crime forum also announced that it was banning members from posting ads to hire RaaS recruits.

How to Defend Against Ransomware Attacks

So long as it lets them make money, ransomware authors will always find new ways to recruit new partners to their cause. That’s why it’s important for businesses and agencies to revisit their defenses on an ongoing basis.

For instance, make sure you have multi-factor authentication (MFA) on the accounts of all employees and contractors. Doing this will help to prevent ransomware attackers from gaining access to a privileged account. That’s true even if they pull off a successful phish and misuse that access to deploy their payload.

Organizations can then balance their MFA scheme by deploying a user behavior analytics solution. This can help to alert security teams if and when someone succeeds in getting access to an authorized account.

 |  |  | 
David Bisson
Contributing Editor

More from News
December 16, 2024

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

December 9, 2024

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

December 2, 2024

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature