Bad business: the rise of the cybercriminal enterprise

Just as security agencies and vendors collaborate to share intelligence and shore up security defences, ransomware gangs are increasingly cooperating on tailoring attacks by sharing victim data, malicious infrastructure, vulnerabilities and tactics. Ransomware has been regularly plaguing organisations for more than a decade, but as we enter 2024, cyber attackers are taking the logistics of their threat-planning to new levels — and placing their targets at more risk than ever before.

Compared to the second half of 2022, Arctic Wolf reported a 46% increase in ransomware incidents during the first half of 2023, with the vast majority (82%) of victim organisations with data posted to ransomware leak sites being SMBs. The dramatic increase in attacks spells danger for any organisation without a world-class security posture, which most SMBs do not have. But it’s not only the increased frequency of attacks that matters — it’s what attackers and ransomware groups are doing in the meantime.

The past several years have seen the ransomware-as-a-service model explode in popularity with threat actor groups, who can purchase pre-made malware from developers to extort their victims. The profits from those extortions are then distributed between the ransomware developers and attackers themselves, mutually benefiting both parties and encouraging future collaboration between the two entities. Because they’re working together already, developers and different ransomware gangs have graduated to more sophisticated collaborative endeavours like sharing press releases on new malware updates, offering user-friendly tutorials and even having their members switch gangs and re-use tactics.

Threat groups have also begun keeping publicly available ‘leak sites’ that list out organisations who refuse to pay their ransom, essentially naming-and-shaming them while promoting them as a target for other groups to attack. Just this month, negotiators from ransomware gang ALPHV/BlackCat pledged to “make sure mainstream media won’t know about this incident or who you are, and you’ll get a detailed report of how we got into your network … you will get recommendations on how to stop this from happening again,” showing a side of the ransomware business that has not always existed and a side that should be concerning for legislators, who plan to introduce a mandatory ransomware reporting requirement as outlined in the Australian Government’s recently released National Cyber Security Strategy 2023–2030. If ransomware groups could be seen as ‘trustworthy’ enough to help their victims improve their security posture after they’ve extorted them, what reason would the targeted business have for reporting their attack?

These patterns of behaviour are especially concerning because the enhanced coordination between groups could correlate to better-targeted and more effective attacks, leading to higher ransom payments and making life in general more difficult for organisations. An example of this entrepreneurial behaviour between groups was found earlier this year when it was determined that Akira, an upstart ransomware gang using RaaS to extort their victims and keeping a leak site updated, was routing cryptocurrency transactions to addresses affiliated with Conti, a ransomware group that disbanded in mid-2022. The fact that these wallets are still being used shows that members of Conti have since shared their processes with — or outright joined — other ransomware groups, displaying an interconnectedness that the security industry should be wary of.

But just because the bad guys are now working with each other doesn’t mean the good guys can’t. In fact, there are a plethora of threat information-sharing consortiums and programs, offered by both the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and international groups. SMBs may not be as aware of these resources as large corporations who can afford to staff an entire security operations centre, but they can practise the security basics that act as a foundation for a robust security posture to support cyber resilience. This means patching systems and applications regularly, improving security awareness, using identity access management policies like multi-factor authentication or testing out incident response plans. Organisations that practise flexing these security muscles will always have a better security foundation than those who ignore security hygiene in favour of purchasing the latest security tool or technology that catches their eye.

Image credit: iStock.com/AndreyPopov