The Business of Being Bad 


Historically, cyberattacks have been carried out either by small groups lacking major resources and capability, or by nation state actors, who often choose their targets for political reasons. This has left many organizations in a space where they feel they are too big for small actors but too small for big actors. That is changing. The rise of both Ransomware as a Service (RaaS) and Initial Access Brokers (IABs) heralds a shift in which threat actors "legitimize" themselves as business models, within an entire ecosystem centered on decreasing the time and cost required to compromise organizations.

Having more specialized groups or "businesses" carry out different components of an attack increases the speed of an attack, since both the access and the exploitation method can be purchased. It also decreases attack visibility by making the steps a particular actor may take less predictable. Modern threat actors continue to shift away from ransomware deployment, instead exploiting trusted software such as ScreenConnect, Windows Management Instrumentation, and BatchPatch via PowerShell and Java scripts, which many organizations whitelist by default. With breakout times (the time it takes an attacker to move beyond initial access) dropping from 79 minutes in 2022 to 62 minutes in 2023, the need for rapid action and response is at an all-time high.

Rise of RaaS 

Ransomware as a Service (RaaS) is a business model that first appeared in 2009 following the introduction of cryptocurrency. This new form of electronic currency granted criminals near-total anonymity when purchasing services from other organizations or extorting a ransom from their victims.

RaaS providers develop a specific tool or toolkit which can then be purchased or rented by smaller threat groups. This model allows the RaaS provider to function essentially as a software developer, creating an increasingly complex and effective payload for a growing market of small-time cyber criminals looking to get rich quick. RaaS took off with large operations such as LockBit, BlackCat, and Royal, whose ransomware packages have been used in attacks across a wide range of business sectors, from healthcare to transportation.

Using RaaS tools gives threat actors access to highly complex and advanced means of attacking an organization. With a wide range of RaaS actors to choose from, some attackers even chain together different tools to carry out different stages of an attack. These complex tools can be used to defeat security controls such as multi-factor authentication, endpoint detection and response, and intrusion detection/prevention controls. While threat intelligence can be used to identify the indicators of some RaaS toolkits, many of these kits use legitimate tools to avoid being identified. The RaaS ecosystem has triggered a digital arms race, with security vendors forced to develop newer and more advanced tools in an attempt to counter the increased complexity of modern living-off-the-land RaaS tactics.

Recent increased pressure has seemingly put RaaS providers on the back foot, however, with multinational law enforcement efforts significantly disrupting two of the largest RaaS gangs, LockBit and BlackCat. Members of both groups will inevitably resurface, potentially even rebranding to further evade detection. These takedowns follow reports that ransomware attacks are on the decline, likely because organizations are increasingly choosing not to pay ransom demands to restore an encrypted environment.

With high-profile criminals drawing increased attention from law enforcement, many threat groups have instead shifted to exfiltrating data from their victim's environment without encrypting it, avoiding the large disruption that would draw attention. This allows the attacker to extort their victims for the return of the data, and in the event that the ransom isn't paid, the attacker can sell the data to third parties such as Initial Access Brokers (IABs).

Pass the Password 

Adding to the rising attack complexity, many attackers are also shifting towards the use of Initial Access Brokers (IABs) as a means of gaining entry into an organization's network, either through a previously identified vulnerability or a compromised set of user credentials.

IABs often put organizations at risk through third-party compromises: a study carried out by TechReport showed that roughly 13% of users reuse the same password for every single account, both personal and professional. IABs are part of a vast dark web marketplace hawking everything from email accounts and user credentials to social security numbers and scanned passports. IABs serve as a means of providing access into a previously compromised organization through stolen user credentials or a deployed, undetected backdoor.

While IABs may not directly take any actions against an organization, they provide a means by which anyone can purchase access to an organization's network, thus allowing a RaaS toolkit to be deployed. The exfiltrated data can then be sold to other brokers in turn. This repeatable cycle of exploitation and exfiltration poses a significant threat to organizations worldwide, as it doesn't rely on the technical expertise of the actual attacker to carry out. Additionally, the IAB exploitation cycle poses a risk to an organization long after the initial compromise, for as long as the method of access remains viable.

Mitigation Methodology 

While RaaS vendors and IABs add complexity to possible attacks, there is still hope for defenders. RaaS tactics are typically not customized to a specific environment and instead look to exploit common weaknesses such as excessively permissioned service accounts and poor access control. Additionally, while some RaaS attacks seek to use scripting tools maliciously, they can be countered by limiting script execution and baselining the usage of administrative tools. IABs rely on poor cyber hygiene from users, either reusing passwords across multiple sites or not using complex passwords, often stemming from frequent password rotations.

Implementing best practice access control and least privilege methodologies can help prevent a wide range of attacks against your environment. Additionally, enforcing password complexity paired with MFA will prevent passwords from being easily guessed or exploited in the event that a password does get leaked. Leveraging threat intelligence and staying up to date on the latest security news can help your organization stay one step ahead of attacker trends.
