A new report highlights how “access-as-a-service” providers and ransomware groups have come together to compromise and victimize more targets. Alliances between these types of cybercriminal teams allow malware to spread further and faster into lucrative targets, most often company networks. A ransomware operation survives by finding new victims, a need that intrusion specialists who rent or sell access to compromised company networks are well placed to fulfill.
A report from the Advanced Intelligence (AdvIntel) security organization shows how the complex underground syndicates and different malware groups can operate together. As AdvIntel details in the report, ransomware groups pursue different strategies to deliver their malware, while network intrusion experts are always looking for ways to monetize their access skills. A partnership between such groups is mutually beneficial.
AdvIntel presents the case of threat actor -TMT- as a successful example. This group offered access to a variety of compromised entities and stolen credentials for administrative accounts. From their report, the list of victims looks quite extensive:
A Latin American house products provider operating in Chile, Bolivia, and Peru
A Taiwanese metal manufacturer
A Colombian financial services provider
An international maritime logistics services provider
A network of U.S. universities and educational institutions
A Danish dairy producer
A Bolivian energy sector company
The prices for access range from US$3,000 to US$20,000. The most expensive “package” the group was selling included full access to a company’s administrative panel, server hosts, and corporate VPN networks. Apparently the group was able to gain access through a variety of techniques, including abusing pentesting tools like Metasploit and Cobalt Strike Beacon.
This level and breadth of access is particularly attractive to ransomware distributors, and AdvIntel reports that -TMT- was working with several ransomware collectives, REvil (also known as Sodinokibi) in particular. REvil is a well-known ransomware-as-a-service operation and the successor of GandCrab. Partnering with REvil likely brought -TMT- a surge in business, since, according to security reports, REvil is a particularly lucrative malware that enriches not only the group providing the ransomware but its affiliates as well.
What can we do?
Partnerships between underground criminal groups create more layered and complex threats that deploy expert tools sourced from a variety of places. As malware groups lean on third-party providers to add to their arsenal, businesses and users also have to shore up their defenses. A multilayered security strategy is a necessity in this cybercrime landscape. To face threats such as those detailed above, a solid defense should include next-generation intrusion prevention as well as dedicated ransomware protection. It is important for organizations to implement the following best practices:
All of the organization’s users should back up their data regularly to ensure that data can be retrieved even after a successful ransomware attack.
Users should be wary of suspicious emails and avoid clicking on links or downloading attachments unless they are certain that the message came from a legitimate source.