Cybercrime: Ransomware Hits and Initial Access Listings Grow, But If Hydra Takedown Is a Guide, Fresh Disruptions May Take Big Bite Out of Market
The cybercrime economy is alive and well, if counts of known ransomware victims and initial access sales are good gauges of its health.
Compared to the first quarter of 2022, the first three months of this year featured a 30% increase in known ransomware victims, totaling 900 organizations, threat intelligence firm Kela reported.
What gets counted are victims who come to light publicly - for example, via ransomware groups' data leak sites or when a victim issues a public alert. How many victims pay a ransom to avoid being "named and shamed" and publicly outed by attackers is unclear. Also, not all groups run data leak sites. Even when they do, not every nonpaying victim gets listed, for reasons clear only to the extortionists themselves.
Common sources of access to victims' networks remain dedicated stolen-credential marketplaces and initial access brokers. Both continue to be cornerstones of the cybercrime economy.
During the first quarter, Kela counted more than 600 initial access listings for victims. Not all such listings can be tracked, since some vendors don't advertise what they have for sale on cybercrime forums but only share it privately. Some brokers also have exclusive arrangements or give right of first refusal to business partners, such as ransomware groups.
A purported member of the Royal ransomware group, using the handle "Baddie," has been advertising for brokers who can offer network access to victims that have $20 million or more in revenue, Kela reported (see: Fake Data Theft Proof Leads to Royal Ransomware Outbreak).
Compared to the first quarter of 2022, the number of listings increased by 15%, while the average price of an access listing plummeted from $2,900 to $1,100, although the median price - $400 - remained constant, Kela found. The firm added that stolen or brute-forced remote desktop protocol credentials were the most common type of access for sale.
Taking a Bite Out of Cybercrime
The utility of initial access markets and brokers for cybercrime, including groups specializing in ransomware and fraud, makes them top targets for police.
Law enforcement last week pulled off a high-profile disruption of Genesis Market, which since 2018 offered access to more than 1.5 million compromised computers around the world containing more than 80 million account credentials.
Genesis "was one of the most prominent initial access brokers … which are a key service which enable hosts in the various activity across the cyber landscape, including but not limited to fraud and ransomware," said a senior FBI official speaking with reporters last week on condition of anonymity. "I cannot emphasize enough the importance of initial access brokers as a key enabler of cybercrime as a service."
The operation, dubbed "Operation Cookie Monster," resulted in more than 100 arrests. It followed shortly after a similar takedown of BreachForums, another major cybercrime forum used to trade stolen data and access.
"There's an entire ecosystem which enables the activities of cybercriminals - from BEC to elder fraud to ransomware and illicit conduct by foreign nation-states," the FBI official said. "Without the services, those activities are even more difficult to engage in. As such, this is part of our continued effort to use all available tools, domestic and international, to put pressure on the criminal services, which enable that activity."
Stay tuned to see if these efforts do blunt more cybercrime, or if the criminals will simply take their goods and services elsewhere.
Already there are signs that affiliates of the disrupted ransomware-as-a-service group Hive are again active. The FBI seized its servers as part of a multinational takedown, but just days after the disruption was announced on Jan. 26, Kela spotted a former Hive affiliate advertising services on a cybercrime forum. "The actor claimed that they have experience in gaining access and performing ransomware attacks against victims from North America, Asia and Europe, with revenue between $5 million and $2 billion," the firm reported.
Still, if the April 2022 takedown of Russia's Hydra market is anything to go by, criminals could well be disrupted for some time to come.
Threat intelligence firm Flashpoint, backed by data gathered by blockchain analytics firm TRM Labs, reported that one year later, the five markets vying for market share - Mega, Blacksprut, Solaris, Kraken and OMG!OMG!, aka OMGOMG - have yet to collectively reach Hydra's size.
"New markets have aggressively vied to take Hydra's place - but U.S. government sanctions have so far prevented any from reaching its level in terms of breadth, reputation and trust," Flashpoint reports. "As a result, threat actors have migrated elsewhere, including to forums like 'RuTor,' decentralized Telegram-based shops and even switching to offline transactions for physical commodities like narcotics."
Cybercrime practitioners continue to find innovative new ways of turning a profit. But various law enforcement efforts do appear, finally, to be blunting such strategies more effectively.