September 1, 2021 By David Bisson 2 min read

Ransomware gangs have a new technique to recruit affiliates: posting announcements on their own data leaks websites. This provides a look into today’s so-called ransomware-as-a-service (RaaS), in which people can pay to have some of the work automated for them. This shift has come about in large part because two major ransomware forums banned gangs from promoting their RaaS schemes.

Take a look at what types of messaging a few groups are using on their sites to invite attackers in.

Boasting and Warnings Abound

In late June, the LockBit group announced a new version of their ransomware strain on their data leaks site. The malware authors announced a new recruitment session at the same time as their announcement of LockBit 2.0.

The gang claimed their product carried “unparalleled benefits [including] encryption speed and self-spread function.” All an affiliate needed to do in an attack was “get access to the core server, while LockBit 2.0 will do all the rest.” Then, the infection would spread to all devices on the domain network, they stated.

The Himalaya RaaS gang began looking for new recruits on its data leaks site at around the same time. The gang claimed that affiliates could keep 70% of whatever profits they made in their attacks using the authors’ “already configured and compiled FUD [Fully UnDetectable]” malware. The group also imposed limits, saying that affiliates were not allowed to target health care organizations, non-profits and public entities.

Digital Crime Forums Not as Friendly as Before

The LockBit and Himalaya groups’ new recruitment tactic reflects a larger change in the crypto-ransomware threat landscape. This change first became evident in mid-May 2021 following a high-profile ransomware infection involving a pipeline company. As reported by KrebsonSecurity, an admin on the Russian digital crime forum XSS announced that the forum would no longer allow members to post about ransomware programs like for-profit RaaS schemes.

Around that same time, the Exploit digital crime forum also announced that it was banning members from posting ads to hire RaaS recruits.

How to Defend Against Ransomware Attacks

So long as it lets them make money, ransomware authors will always find new ways to recruit new partners to their cause. That’s why it’s important for businesses and agencies to revisit their defenses on an ongoing basis.

For instance, make sure you have multi-factor authentication (MFA) on the accounts of all employees and contractors. Doing this will help to prevent ransomware attackers from gaining access to a privileged account. That’s true even if they pull off a successful phish and misuse that access to deploy their payload.

Organizations can then balance their MFA scheme by deploying a user behavior analytics solution. This can help to alert security teams if and when someone succeeds in getting access to an authorized account.

More from News

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Hackers are increasingly targeting auto dealers

3 min read - Update as of July 11, 2024 In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace. Car buyers who recently bought a car from…

CISA director says banning ransomware payments is off the table

3 min read - The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands? The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today