Who Will Bend the Knee in RaaS Game of Thrones in 2022?

McAfee Enterprise and FireEye recently released their threat predictions for 2022. In this blog, we take a closer look at the Game of Thrones-style power struggle that we expect among Ransomware-as-a-Service (RaaS) actors in 2022.

Prediction: Self-reliant cybercrime groups will shift the balance of power within the RaaS ecosystem.

For several years, ransomware attacks have dominated the headlines as arguably the most impactful cyber threat. The Ransomware-as-a-Service (RaaS) model opened the cybercrime career path to less skilled criminals, which in turn led to more breaches and higher criminal profits.

For a long time, RaaS admins and developers were singled out as the top-priority targets, while the affiliates were often overlooked because they were perceived as less skilled. This, combined with the lack of disruption in the RaaS ecosystem, created an atmosphere in which those less skilled affiliates could thrive and grow into highly competent cybercriminals, eventually with minds of their own.

In response to the Colonial Pipeline attack, popular cybercrime forums banned ransomware actors from advertising. RaaS groups therefore no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by forum moderators, or settle disputes. This lack of visibility makes it harder for RaaS groups to establish or maintain credibility, and it will make it harder for RaaS developers to hold on to their current top-tier position in the underground.

These events undermine the developers' trusted position. Ransomware has generated billions of dollars in recent years, and it is only a matter of time before more individuals who believe they are not getting their fair share become unhappy.

The first signs of this are already visible, as described in our blog on the Groove gang, a cybercriminal gang that branched off from the classic RaaS model to specialize in computer network exploitation (CNE): gaining access, exfiltrating sensitive data and, if lucrative, partnering with a ransomware team to encrypt the victim's network. McAfee Enterprise ATR assesses with high confidence that the Groove gang is associated with the Babuk gang, either as a former affiliate or as a subgroup. These cybercriminals are happy to set aside the old RaaS hierarchy and focus on the profits to be made from controlling victims' networks, rather than on the earlier approach that prioritized control of the ransomware itself.

Trust in a few things remains important even among underground cybercriminals, such as keeping your word and paying people what they are owed. Cybercriminals are not immune to feeling like employees whose contribution is not properly rewarded, and when that happens they cause problems within the organization. With revenues in the billions, it was inevitable that some individuals who believe they are not getting their fair share would become unhappy and let the rest of the cybercrime world know.

Recently, a former Conti affiliate who was unhappy with their share of the proceeds disclosed Conti's complete attack playbook and their Cobalt Strike infrastructure online. In the past, McAfee ATR has been approached by individuals affiliated with certain RaaS groups who expressed grudges against other RaaS members and admins, claiming they were not paid on time or that their share was disproportionate to the amount of work they had put in.

In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS ecosystem from those who control the ransomware to those who control the victims' networks.

Less Skilled Operators Won't Have to Bend the Knee in the RaaS Power Shift

The Ransomware-as-a-Service ecosystem has evolved around the use of affiliates, the middlemen and women who work with the developers for a share of the profits. While this structure was honed during the growth of GandCrab, we are now witnessing potential chasms in what is becoming a not-so-perfect union.

Historically, the ransomware developers have held the cards, thanks to their ability to selectively pick affiliates for their operations, even holding "job interviews" to establish technical expertise. Using CTB-Locker as an example, prominence was given to affiliates who could generate enough installs using botnets, exploit kits or stolen credentials. More recently, affiliates who took on the role and demonstrated the ability to infiltrate and compromise a complete network using a mix of malicious and legitimate tools have effectively shifted the typical affiliate profile towards that of a skilled penetration tester or sysadmin.

The hierarchy of a conventional organized crime group is often described as a pyramid. Historically, La Cosa Nostra, drug cartels and outlaw motorcycle gangs have been organized in this way. However, as the logistics of committing a crime have become more and more specialized, groups have evolved into opportunistic, network-based structures that work together more fluidly, according to their current needs.

While criminal partnerships in the cybercrime world are not new, the hierarchy of RaaS groups has been more rigid than in other forms of cybercrime, due to the power imbalance between the developers/admins and the affiliates. But things are changing. RaaS admins and developers were prioritized as the top targets, while the affiliates were often overlooked since they were perceived as less skilled. This, combined with the lack of disruption in the RaaS ecosystem, created an atmosphere in which those less skilled affiliates could thrive and grow into highly competent cybercriminals.

With new ransomware players entering the market, we suspect the most talented affiliates are now able to auction their services for a larger share of the profits, and perhaps demand a broader say in operations. One way for developers to push back is to build that expertise into the malware itself: for example, the addition of Active Directory enumeration inside the DarkSide ransomware could be intended to remove the dependency on the affiliate's technical expertise. Such changes signal a potential migration back to the early days of ransomware, with less skilled operators again in demand, relying on the expertise coded into the ransomware by its developers.

Will it work? Honestly, it will be challenging to replicate the technical expertise of a skilled intrusion tester, and maybe, just maybe, the impact will not be as severe as in recent cases.
