Hunters of cyber attackers take on cunning ransomware gangs


According to a cybersecurity expert who has published a report on ransomware gangs, ransomware attacks resemble a multi-level marketing scheme run by criminals whose allegiances shift as the incentives, costs and profits shift.

Initial access brokers sell backdoors that provide a foothold inside networks to ransomware gangs, which then hold data and systems hostage until victims pay. Several gangs rely on the ransomware-as-a-service model, in which malware developers share a portion of victims’ payments with the affiliates that carry out the attacks.

Chad Anderson, a researcher at cybersecurity company DomainTools, has published a new report mapping the ransomware gangs in the hope that network defenders will better understand what they’re up against.

“The DomainTools researchers think it’s important to remind readers that all these groups form alliances, share tools, and sell access to each other,” Mr. Anderson wrote in the report. “Nothing in this space is static, and even with a single piece of software behind a series of intrusions, there are probably several different operators using the same ransomware and adjusting their operations to their design.”

According to the report, the three ransomware families responsible for the largest number of victims are Conti; Maze and Egregor; and REvil, also known as Sodinokibi.

Conti was first observed in December 2019. DomainTools said what makes Conti unique is the speed of its attacks: by the time network defenders spot a Conti infection on any machine, it is too late to fight back, Mr. Anderson said.

Two months ago, the FBI issued a warning saying it had observed 16 Conti ransomware attacks “targeting US healthcare and first responder networks” over the previous year. Of the more than 400 organizations Conti hit, 290 were in the United States, the FBI said.

The Maze ransomware group infected so many systems that its victim count still places it among the top 10 ransomware operations of all time, even though the gang declared itself “retired” in November 2020, according to Mr. Anderson’s report. Many of the Maze affiliates reportedly moved on to a ransomware group called Egregor.

REvil recently made headlines when the FBI attributed the cyberattack on major meat producer JBS to the group. Mr. Anderson’s report noted that REvil’s software was disguised to make analysis difficult for reverse engineers, and that the malware was “particularly sinister.”

Given the difficulty of dealing with a ransomware attack once it starts, Mr. Anderson urged network defenders to focus on the vulnerabilities that initial access brokers exploit to get in.

“The problem area for looking for a robust defense solution is not necessarily in the ransomware itself, but in first-access methods through spam email campaigns, brute-force attacks, and vulnerability management,” Mr. Anderson said. “The affiliates behind the ransomware infection are essentially the same entity that first gained access.”

With ransomware gangs rampant, the United States remains the country best positioned to respond and is in a league of its own in cyberspace, according to the International Institute for Strategic Studies. The think tank’s analysis, “Cyber Capabilities and National Power,” released this week, put the US in the top spot, followed by a second tier featuring a range of allies and adversaries, including the UK, Australia, Canada, Russia, China, France and Israel.

The analysis measured nations’ cyber capabilities across a variety of categories, including strategy, offensive and defensive cyber operations, intelligence capabilities, and governance. The US retained its world-leading position in every category.

Ransomware gangs operating in the US are likely to be caught by law enforcement. If other countries took a tougher stance against the groups, finding the culprits would be much less difficult, he said.

“In general, ransomware, and especially the kind where you leak a lot of data that you will later use for double extortion, is extremely noisy,” Mr. Anderson told The Washington Times. “You need to set up infrastructure to pull it, you need to set up an infrastructure that can store all this data. And once that infrastructure starts to collapse or those servers can be found and mirrored, people will be able to see where you’re coming from very quickly.”
