Ransomware is the buzzword every time businesses discuss the cyberthreats they are likely to face in 2021. To help companies understand how the ransomware ecosystem operates and how to fight it, the latest report by researchers at IT security firm Kaspersky dug into darknet forums, took a deep look at the REvil and Babuk gangs and beyond, and debunked some of the myths about ransomware.

Like any industry, the ransomware ecosystem comprises many players that take on various roles. Contrary to the belief that ransomware gangs are actual gangs, tight-knit Godfather-style groups that have been through it all together, the reality is closer to the world of Guy Ritchie's The Gentlemen: a significant number of different actors (developers, botmasters, access sellers, ransomware operators) are involved in most attacks, supplying services to each other through dark web marketplaces.

These actors meet on specialised darknet forums, where one can find regularly updated ads offering services and partnerships. Prominent big-game players that operate on their own do not frequent such sites. However, well-known groups such as REvil, which have increasingly targeted organisations in the past few quarters, publicise their offers and news on a regular basis through affiliate programs. This type of involvement presumes a partnership between the ransomware group operator and the affiliate, with the ransomware operator taking a profit share of 20-40% while 60-80% stays with the affiliate.

Because the people who infect companies and the ones who actually operate the ransomware are different groups, united only by the desire to profit, the companies infected most are often low-hanging fruit: essentially, the ones the attackers were able to gain access to most easily. These attackers, more often than not, are botnet owners who run massive, wide-reaching campaigns and sell access to victim machines in bulk, and access sellers on the lookout for publicly disclosed vulnerabilities in internet-facing software, such as VPN appliances or email gateways, which they can use to infiltrate companies.

“The ransomware ecosystem is a complex one with many interests at stake. It is a fluid market with many players, some quite opportunistic, some very professional and advanced. They do not pick specific targets; they may go after any organisation, an enterprise or a small business, as long as they can gain access to them. Moreover, their business is flourishing; it is not going away anytime soon,” says Dmitry Galov, security researcher at Kaspersky’s Global Research and Analysis Team. “The good news is that even rather simple security measures can drive the attackers away from organisations, so standard practices such as regular software updates and isolated backups do help.”