Ransomware gangs have a new technique to recruit affiliates: posting announcements on their own data leaks websites. This provides a look into today’s so-called ransomware-as-a-service (RaaS), in which people can pay to have some of the work automated for them. This shift has come about in large part because two major ransomware forums banned gangs from promoting their RaaS schemes.
Take a look at what types of messaging a few groups are using on their sites to invite attackers in.
Boasting and Warnings Abound
In late June, the LockBit group announced a new version of their ransomware strain on their data leaks site. The malware authors announced a new recruitment session at the same time as their announcement of LockBit 2.0.
The gang claimed their product carried “unparalleled benefits [including] encryption speed and self-spread function.” All an affiliate needed to do in an attack was “get access to the core server, while LockBit 2.0 will do all the rest.” Then, the infection would spread to all devices on the domain network, they stated.
The Himalaya RaaS gang began looking for new recruits on its data leaks site at around the same time. The gang claimed that affiliates could keep 70% of whatever profits they made in their attacks using the authors’ “already configured and compiled FUD [Fully UnDetectable]” malware. The group also imposed limits, saying that affiliates were not allowed to target health care organizations, non-profits and public entities.
Digital Crime Forums Not as Friendly as Before
The LockBit and Himalaya groups’ new recruitment tactic reflects a larger change in the crypto-ransomware threat landscape. This change first became evident in mid-May 2021 following a high-profile ransomware infection involving a pipeline company. As reported by KrebsonSecurity, an admin on the Russian digital crime forum XSS announced that the forum would no longer allow members to post about ransomware programs like for-profit RaaS schemes.
Around that same time, the Exploit digital crime forum also announced that it was banning members from posting ads to hire RaaS recruits.
How to Defend Against Ransomware Attacks
So long as it lets them make money, ransomware authors will always find new ways to recruit new partners to their cause. That’s why it’s important for businesses and agencies to revisit their defenses on an ongoing basis.
For instance, make sure you have multi-factor authentication (MFA) on the accounts of all employees and contractors. Doing this will help to prevent ransomware attackers from gaining access to a privileged account. That’s true even if they pull off a successful phish and misuse that access to deploy their payload.
Organizations can then balance their MFA scheme by deploying a user behavior analytics solution. This can help to alert security teams if and when someone succeeds in getting access to an authorized account.