The subscription economy adopted by the software industry is growing ransomware from what was once a fledgling threat to an IT security crisis as ransomware groups continue to pad their wallets and grow the ransomware-as-a-service economy, according to a new report from Tenable.
According to the Maryland-based vulnerability management software company, that service model is lowering the barrier of entry and creating a massive cybercrime economy that includes ransomware developers, initial access brokers and other affiliates.
In a new report on the growth of the ransomware industry, Tenable says ransomware groups earned a whopping $692 million in 2020 alone, which was good for a 380% increase over the previous six years combined.
With limited visibility into the cryptocurrency wallets used by ransomware groups, Tenable believes those financial figures may be much higher.
“However, these numbers underscore one undeniable fact: ransomware has cemented itself as one the greatest threats to global organizations today — and it has become a lucrative criminal ecosystem in the process,” the company’s report says.
The players in the ransomware economy
Tenable’s report details the ransomware-as-a-service economy, detailing how initial access brokers (IABs) gain access to organizations’ networks and maintain persistence, selling access to other cybercrime groups. These prices are generally affordable, ranging on average from $303 for control panel access to nearly $10,000 for remote desktop protocol (RDP) access.
Ransomware affiliates leverage these actors to help expedite their efforts to infect organizations, reducing their need to find ways into their victim’s networks in the first place. Some of these groups work independently, while others work closely with known ransomware actors.
Affiliates are the entities that compromise organizations by either purchasing access through IABs or conducting their own attacks, such as phishing, brute force or exploiting unpatched vulnerabilities.
According to the Tenable report, affiliates are the operators of the ransomware attack, and are often given a playbook of instructions on how to breach organizations from the ransomware developers. The ransomware-as-a-service model allows affiliates to work independently and deploy multiple ransomware strains.
Ransomware groups, meanwhile, are the creators of the ransomware, as well as the entities that host leak website son the dark web and manage the negotiation process with each victim. They also conduct reverse engineering, administrative work and even human resources and recruitment.
Some currently well-known ransomware groups include Conti, REvil, BlackCat and others, but Tenable notes that these kind of entities often disappear for unknown reasons for law enforcement action, but usually reappear under different names.
Extortion techniques run rampant
While that trend isn’t new, what has propelled the ransomware industry to new highs is the extortion tactics being used to compel victims to pay the ransom. These methods include using DDoS attacks, contacting customers and employees of ransomware victims, threatening release of data if law enforcement is contacted and the ransom isn’t paid and threatening to use a disk wiper to destroy systems.
While phishing, brute force and leveraging vulnerabilities are common tools that any threat group might use to gain initial access to a network, ransomware groups have become known to leverage Active Directory to elevate privileges and more laterally across the victim’s entire network. Tenable’s report says this method typically includes the use of critical bugs such as Zerologon and PetitPotam.
This helps speed up the deployment of the malware, leading to the infection of an entire domain within just a few hours from the initial phishing email.
In its report, Tenable gives includes guidance on how to defend against ransomware, such as common cybersecurity best practices such as using multifactor authentication, strong password policies and a robust patch management program.
However, the company also urges organizations to audit permissions for user accounts, harden RDP, strengthen Active Directory security, training end users and planning for ransomware attacks.
Read the company’s report for more information, including a list of dozens of vulnerabilities commonly exploited by ransomware actors.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!