Underground Intrusion Specialists Team Up With Ransomware Groups

A new report highlights how “access-as-a-service” providers and ransomware groups have come together to compromise and victimize more targets. Alliances between these types of cybercriminal teams can allow malware to spread further and faster into lucrative targets, most often company networks. A ransomware’s lifespan is fueled by finding new victims, a need that can be fulfilled by the intrusion experts that rent or sell access to different company networks.

A report from the Advanced Intelligence (AdvIntel) security organization shows how the complex underground syndicates and different malware groups can operate together. As AdvIntel details in the report, ransomware groups pursue different strategies to deliver their malware, while network intrusion experts are always looking for ways to monetize their access skills. A partnership between such groups is mutually beneficial.    

AdvIntel presents the case of threat actor -TMT- as a successful example. This group offered access to a variety of compromised entities and stolen credentials for administrative accounts. From their report, the list of victims looks quite extensive: 

  • A Latin American house products provider operating in Chile, Bolivia, and Peru
  • A Taiwanese metal manufacturer
  • A Colombian financial services provider
  • An international maritime logistics services provider
  • A network of U.S. universities and educational institutions
  • A Danish dairy producer
  • A Bolivian energy sector company

The prices for access range from US$3,000 to US$20,000. The most expensive “package” the group was selling included full access to a company’s administrative panel, server hosts, and corporate VPN networks. Apparently the group was able to gain access through a variety of techniques, including abusing pentesting tools like Metasploit and Cobalt Strike Beacon.

This level and breadth of access is particularly attractive to ransomware distributors, and AdvIntel reports that -TMT- was working with different ransomware collectives, and with REvil (also known as Sodinokibi) in particular. REvil is a well-known ransomware-as-a-service operation and the successor of GandCrab. Joining forces with REvil likely brought -TMT- a surge in business, since security reports describe REvil as a particularly lucrative malware that enriches not only the group operating the ransomware but its affiliates as well.

What can we do?

Partnerships between underground criminal groups create more layered and complex threats that deploy expert tools sourced from a variety of places. As malware groups lean on third-party providers to add to their arsenal, businesses and users also have to shore up their defenses. A multilayered security strategy is a necessity in this cybercrime landscape. To face threats such as those detailed above, a solid defense should include next-generation intrusion prevention as well as ransomware solutions and protection. It is important for organizations to implement the following best practices:

  • All of the organization’s users should back up their data regularly to ensure that data can be retrieved even after a successful ransomware attack.
  • Users should be wary of suspicious emails and avoid clicking on links or downloading attachments unless they are certain the message came from a legitimate source.
  • Restrict the use of system administration tools to IT personnel or employees who need access.
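One practical way to enforce the last point is to monitor for administration tooling launched by accounts that are not on the IT allow-list, since access brokers such as -TMT- lean on exactly this kind of tooling once inside a network. The script below is an added example written for this article, not code from AdvIntel or Trend Micro: the account names, host names, log format (`host|user|image`) and the list of tools are all constructed assumptions.

```python
"""Flag administration-tool launches by accounts outside the IT group.

Added illustration for this article. The allow-list, tool list, and the
pipe-separated 'host|user|image' log format are constructed assumptions,
not a real product's log schema.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Hypothetical allow-list: the only accounts permitted to run admin tooling.
IT_ACCOUNTS = {"CORP\\it-admin1", "CORP\\it-admin2"}

# Executable names treated as administration / remote-execution tooling.
ADMIN_TOOLS = {"psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe", "mstsc.exe"}

# Constructed sample process-creation records: host|user|full image path.
SAMPLE_LOG = [
    "WS-FIN-07|CORP\\jdoe|C:\\Tools\\PsExec64.exe",
    "WS-FIN-07|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
    "SRV-DB-01|CORP\\it-admin1|C:\\Windows\\System32\\wbem\\WMIC.exe",
    "WS-HR-03|CORP\\asmith|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "WS-HR-03|CORP\\it-admin2|C:\\Windows\\System32\\mstsc.exe",
    "malformed line without separators",
]


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str  # full path of the launched executable


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one 'host|user|image' record; return None for malformed input."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3 or not all(parts):
        return None
    host, user, image = parts
    return ProcessEvent(host, user, image)


def tool_name(image: str) -> str:
    """Reduce a full image path to its lowercase file name, tolerating / or \\."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_violations(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (host, user, tool) for every admin-tool launch by a non-IT account."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip unparsable records rather than crashing the sweep
        tool = tool_name(event.image)
        if tool in ADMIN_TOOLS and event.user not in IT_ACCOUNTS:
            hits.append((event.host, event.user, tool))
    return hits


def summarize_by_user(hits: List[Tuple[str, str, str]]) -> dict:
    """Count flagged launches per account, useful for ranking follow-up."""
    counts: dict = {}
    for _, user, _ in hits:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for host, user, tool in find_violations(SAMPLE_LOG):
        print(f"ALERT: {user} launched {tool} on {host}")
    print(summarize_by_user(find_violations(SAMPLE_LOG)))
```

In a real deployment the records would come from an EDR or Windows process-creation telemetry feed, and the allow-list would be pulled from a directory group rather than hard-coded; the matching logic stays the same.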

Trend Micro Ransomware Solutions

Enterprises can benefit from a multilayered approach to best mitigate the risks brought by ransomware. At the endpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery™ Inspector detects and blocks ransomware on networks, while the Trend Micro Deep Security™ solution stops ransomware from reaching enterprise servers — whether physical, virtual, or in the cloud. Trend Micro Deep Security, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that exploit unpatched vulnerabilities to deliver ransomware.

Email and web gateway solutions such as Trend Micro Deep Discovery Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. Trend Micro’s Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services by using cutting-edge sandbox malware analysis for ransomware and other advanced threats.

These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
