Cybercrime gangs have a harder time recruiting partners for affiliate programs that fuel ransomware attacks.


The best way to stop the ever-growing wave of ransomware attacks is to remove the financial incentive behind these cybercrimes. Responding to the Colonial Pipeline ransomware attack may be the first step in getting there. Governments and hacker forums have made it more difficult for ransomware gangs to use the ransomware-as-a-service (RaaS) model. This scalable business model requires multiple groups: engineers to write encryption software, network penetration experts to find and compromise targets, and professional negotiators to ensure maximum payout.

Bryan Oliver, senior analyst at Flashpoint, said governments’ response to the Colonial Pipeline attack made it harder for ransomware groups to recruit partners.

“The main result of the government’s action has been the ban on recruiting ransomware groups into leading Russian underground forums,” Oliver said.

Oliver said this change won’t end ransomware attacks anytime soon, but it’s a big step because it makes the ransomware-as-a-service model less profitable.

“The Exploit and XSS forums were the recruiting grounds for these ransomware groups, and losing access to them means losing access to new partners,” he said.

Oliver said the administrators of these forums also banned the DarkSide collective in mid-May and distributed their approximately $1 million deposit to DarkSide “partners” who claimed they had not been paid by DarkSide.

“They have also since deleted their forum posts related to ransomware recruiting,” he said.

Amit Serper, vice president of research for North America at Guardicore, said he hopes to see a shift in ransomware attacks with the United States and other national governments stepping up their fight against bad actors.

“The fact that the US government managed to seize some of the funds paid by Colonial sets an interesting precedent,” he said. “If governments are able to ‘de-anonymize’ cryptocurrency transactions and seize stolen funds, ransomware attacks suddenly become financially unsustainable.”


Thomas Olofsson, CTO of FYEO, said the ransomware organizations have become somewhat more self-sufficient, also as a result of the response to the Colonial Pipeline attack.

“Several groups have said, ‘We don’t want to target healthcare, especially during a pandemic, so you won’t get our license to install ransomware on those targets,’” he said.

FYEO monitors around 13 groups that are major players in the ransomware arena. Olofsson also said that ransomware groups now vet targets before launching an attack, in response to what happened to the DarkSide ransomware group after the Colonial Pipeline attack.

“These ransomware groups don’t want to be the next target,” he said. “They want to be seen as the Robin Hoods who are just attacking banks and big business.”

Olofsson said the DarkSide group believed it was hitting a major oil company and did not consider how the attack would affect end users.

“If you hit the little guy it doesn’t look good because you become the target yourself,” he said.

Flashpoint’s Oliver said some ransomware groups, such as REvil, responded to this by claiming they would operate in “private mode” as opposed to RaaS, but others may have called for a shutdown.

“Other groups have also emerged since then, such as Grief and Prometheus, but without the ability to recruit from a pool of highly skilled actors in a relatively secure environment, ransomware will likely be less dynamic and effective,” he said.

Olofsson said bad actors have also shifted their most common targets from low-hanging fruit to being more selective about whom to attack.

“It used to be a botnet infecting random hosts, but now the bad actors are putting in more of the effort, such as setting up fake domains to enter a thread and infect people through trusted channels,” he said.

Olofsson said cyber defenses have been stronger over the past year, but attackers are still ahead of the game.

“It is increasingly common for groups to attack backups and also target core infrastructure,” he said. “They start with the backup, then encrypt the host.”

Olofsson said businesses should use a layered approach to defend against attacks, such as using multiple gateways and not having everything connected to the same network. He has also seen attacks come through VPN concentrators.

“Security teams need to monitor what is accessible on the Internet and make sure you don’t have VPN concentrators or objects accessible from the Internet, because everything connected is scanned at least 10 times a day,” he said.
