Ransomware Gangs Using Data Leaking Sites to Recruit New Affiliates
Ransomware gangs have a new technique for recruiting affiliates: posting ads on their own data leak sites. This offers a glimpse into what is now known as ransomware-as-a-service (RaaS), in which people can pay to have some of the work automated for them. The change is due in large part to the fact that two major ransomware forums have banned gangs from promoting their RaaS programs.
Take a look at the types of messages that a few groups are using on their sites to invite attackers.
Boasting and warnings abound
At the end of June, the LockBit group announced a new version of its ransomware strain on its data leak site. Alongside the LockBit 2.0 announcement, the malware authors also announced a new recruiting session.
The gang claimed their product offered “unprecedented benefits [including] encryption speed and auto-propagation function.” All an affiliate had to do in an attack was “access the main server, while LockBit 2.0 will do all the rest.” Then the infection would spread to all devices in the domain network, they said.
The Himalayan RaaS gang started looking for new recruits on its data leak site around the same time. The gang claimed that affiliates could keep 70% of the profits they made from their attacks using the authors’ already configured and compiled “FUD [Fully UnDetectable]” malware. The group also imposed limits, saying affiliates were not allowed to target healthcare organizations, nonprofits and public entities.
Digital crime forums aren’t as user-friendly as they used to be
The LockBit and Himalayan groups’ new recruiting tactic reflects a larger shift in the crypto-ransomware threat landscape. This change became evident in mid-May 2021 following a high-profile ransomware infection involving a pipeline company. As reported by KrebsOnSecurity, an administrator of the Russian digital crime forum XSS announced that the forum would no longer allow members to post about ransomware programs such as for-profit RaaS programs.
Around the same time, the Exploit digital crime forum also announced that it was banning members from posting ads to hire RaaS recruits.
How to defend against ransomware attacks
As long as it saves them money, ransomware writers will always find new ways to recruit new partners for their cause. This is why it is important for businesses and agencies to constantly review their defenses.
For example, make sure multi-factor authentication (MFA) is enabled on the accounts of all employees and contractors. This will help prevent ransomware attackers from gaining access to a privileged account and abusing that access to deploy their payload, even if they successfully phish the account holder.
Organizations can then complement their MFA scheme by deploying a user behavior analysis solution. This can help alert security teams if and when someone manages to gain access to an authorized account.