Who’s who in the cyber criminal underground

We are at a point in time when cyber criminals including ransomware gangs have established themselves as organised, illicit businesses rather than a one-person hacking operation. More and more ransomware groups have emerged and existing ones continue to prosper in terms of repeatedly attaining success with breaching prominent organisations.

The increased success of ransomware gangs, extortion groups, and DDoS attackers is by no means accidental. Behind a fancy group name is an organised structure comprising threat actors at different layers working in synchrony to fulfil the end goal, with each getting their cut.

As cyber attacks evolve and employ newer tactics and techniques, what can be said about the key roles cyber criminals now assume? Below are some of the key roles that threat actors have taken on over time.

Initial access brokers (IABs)

Initial access brokers (IABs) refer to the class of threat actors who sell access to enterprise networks to a viable buyer. This is done through data breach marketplaces, forums, or closed messaging app channels and chat groups. 

IABs, however, do not necessarily perform subsequent damaging activities such as data exfiltration, encryption, and deletion. It is for the buyer to decide how they plan on abusing this access — whether to steal trade secrets, deploy ransomware, install spyware, or leak data.

“In the past, initial access brokers (IABs) mainly used to sell company access to criminals intending to destroy a company’s data, or steal IPs, or financial data from the compromised companies,” said Ben Richardson, senior software engineer at Cloud RADIUS, a passwordless authentication provider for cloud. 

“They weren’t in such high demand back then, mainly because the volume of attacks was low. They were normally hired by business competitors for espionage and theft.”

Richardson states that the ransomware era has caused an “exponential increase” in the demand for IABs. These brokers now find new business through ransomware gangs hiring IABs to compromise target companies so the gang can begin encrypting sensitive files and destroying back-ups.

X-as-a-service providers

In the current context, the term “x-as-a-service” often materialises as ransomware as a service (RaaS) or malware as a service (MaaS) platforms that constitute a relatively newer business model. Much like the software-as-a-service (SaaS) model, RaaS is a method of providing ransomware tools, phishing kits, and IT infrastructure for a fee to “affiliates” looking to conduct attacks.

“In this model, these providers may remain legally safe, since as providers they aren’t responsible for how their service is used,” added Logan Gilbert, global solutions architect at Deep Instinct. 

Being service providers, these groups may earn a cut regardless of whether their customers’ attacks succeed. “They are truly a service provider, and realising operational value is up to their customers.”

In the past, conducting a full-scale attack operation warranted cyber criminals to be skilled hackers, but x-as-a-service models have loosened such barriers to entry. “Initially, cyber criminals were skilled hackers who generally conducted full-scale operations on their own,” said David Kuder, senior cyber threat intelligence analyst at CriticalStart. 

“This was very resource intensive and came with a lot of risk. In recent years, cyber criminals have turned to ‘big game hunting,’ targeting large organisations and raking in huge profits. 

“As this strategy began to catch on, more cyber criminals moved into the x-as-a-service space to include initial access brokers, ransomware as a service, and malware as a service to name a few. The increase in x as a service made it possible for a cyber criminal to be skilled in only one domain, while leveraging the services of all other groups.”

Ransomware affiliates

Ransomware affiliates can be seen as versatile “contractors” hired by ransomware groups to perform operational tasks: from buying initial access into networks from IABs or simply procuring stolen credentials and data dumps that could aid in reconnaissance, to executing the attack.

After executing a successful attack and extortion, ransomware affiliates earn a commission from the ransom amount paid by the victim to the larger ransomware operation. To speed up their attacks, affiliates may rent RaaS platforms to encrypt files with “rented ransomware,” and intensively employ any and all existing tools, services and exploits at their discretion.

“For a low fee, affiliates gain access to a product and service that otherwise they would have to develop and manage themselves,” said Deep Instinct’s Gilbert. 

“Additionally, affiliates have access to IABs and already compromised organisations available at a price. This significantly lowers the barrier to entry for an affiliate. Affiliates now can focus on operational aspects of extorting an organisation.”

Malware and exploit developers

This class of threat actors creates exploits for zero-day or known vulnerabilities that go beyond mere proof-of-concept (PoC) exercises. These actors may also develop malware that packs exploits for multiple vulnerabilities within, as we have seen with Gitpaste-12 packing anywhere from 12 to over 30 exploits.

Many ransomware attacks may also begin with the attackers deploying code to target popular access appliances, applications, VPNs, and individual software components, such as Log4j, embedded deep within applications.

In earlier days, malware and exploit developers may have ranged from “script kiddies” to sophisticated hackers, but over time as collaboration between threat actors increased, much of the sophisticated malware development happens within development teams, with software development lifecycles and documentation, as one would expect to see from a legitimate software business, said Gilbert.

Gilbert’s take is further substantiated by recent leaks that throw a spotlight on the inner workings of ransomware groups. Last year, a disgruntled Conti (Ryuk) gang affiliate leaked the group’s proprietary data, including pen-testing tools, manuals written in Russian, training material, and documents that are reportedly provided to the ransomware group’s affiliates.

Similarly, a purported Babuk ransomware admin also leaked the group’s Visual Studio project files and source code that, with regards to their organisation, reflect the structure followed by legitimate software companies.