Researchers from Venafi and Forensic Pathways analyzed some 35 million Dark Web URLs — including forums and marketplaces — between November 2021 and March 2022 and uncovered 475 webpages filled with listings for ransomware strains, ransomware source code, build and custom-development services, and full- fledged ransomware-as-a-service (RaaS) offerings.
A Plethora of Ransomware Tools
The researchers identified 30 different ransomware families listed for sale on the pages, and found ads for well-known variants such as DarkSide/BlackCat, Babuk, Egregor, and GoldenEye that previously have been associated with attacks on high-profile targets. The prices for these proven attack tools tended to be significantly higher than lesser-known variants.
For instance, a customized version of DarkSide — the ransomware used in the Colonial Pipeline attack — was priced at $1,262, compared with some variants that were available for as low $0.99. The source code for Babuk ransomware, meanwhile, was listed at $950, while that for the Paradise variant sold for $593.
“It’s likely that other hackers will be buying ransomware source code to modify it and create their own variations, in a similar way to a developer using an open source solution and modifying it to suit their company’s needs,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
The success that threat actors have had with variants such as Babuk, which was used in an attack on the Washington, DC, police department last year, make the source code more appealing, Bocek says. “So you can see why a threat actor would want to use the strain as the foundation for developing their own ransomware variant.”
No Experience Necessary
Venafi researchers found that in many instances, the tools and services available through these marketplaces — including step-by-step tutorials — are designed to allow attackers with minimal technical skills and experience to launch ransomware attacks against victims of their choice.
“The research found that ransomware strains can be purchased outright on the Dark Web, but also that some ‘vendors’ offer additional services like tech support and paid add-ons such as unkillable processes for ransomware attacks, as well as tutorials,” Bocek says .
Other vendors have reported on the growing use among ransomware actors of initial access services, for gaining a foothold on a target network. Initial access brokers (IABs) are threat actors that sell access to a previously compromised network to other threat actors.
Initial Access Brokers Thrive in the Underground Economy
A study by Intel471 earlier this year found a growing nexus between ransomware actors and IABs. Among the most active players in this space are Jupiter, a threat actor that was seen offering access to as many as 1,195 compromised networks in the first quarter of the year; and Neptune, which listed more than 1,300 access credentials for sale in the same time frame.
Ransomware operators that Intel471 spotted using these services included Avaddon, Pysa/Mespinoza, and BlackCat.
Often the access is provided via compromised Citrix, Microsoft Remote Desktop, and Pulse Secure VPN credentials. Trustwave’s SpiderLabs, which keeps tabs on prices for various products and services on the Dark Web, describes VPN credentials as the most expensive records in underground forums. According to the vendor, prices for VPN access can go as high as $5,000 — and even higher — depending on the kind of organization and access it provides.
“I expect to see a ransomware rampage carry on as it has done for the last few years,” Bocek says. “The abuse of machine identities will also see ransomware move from infecting individual systems, to taking over entire services, such as a cloud service or a network of IoT devices.”
A Fragmented Landscape
Meanwhile, another study released this week — a midyear threat report by Check Point — shows the ransomware landscape is littered with considerably more players than generally perceived. Check Point researchers analyzed data from the company’s incident response engagements and found that while some ransomware variants — such as Conti, Hive, and Phobos — were more common than other variants, they did not account for a majority of attacks. In fact, 72% of the ransomware incidents that Check Point engineers responded to involved a variant they had encountered only once previously.
“This suggests that contrary to some assumptions, the ransomware landscape is not dominated by only a few large groups, but is actually a fragmented ecosystem with multiple smaller players that are not as well-publicized as the larger groups,” according to the report.
Check Point — like Venafi — characterized ransomware as continuing to present the biggest risk to enterprise data security, as it has for the past several years. The security vendor’s report highlighted campaigns like Conti group’s ransomware attacks on Costa Rica (and subsequently on Peru) earlier this year as examples of how significantly threat actors have broadened their targeting, in pursuit of financial gain.
Big Ransomware Fish May Go Belly Up
Several of the larger ransomware groups have grown to a point where they employ hundreds of hackers, have revenues in the hundreds of millions of dollars, and are able to invest in things like R&D teams, quality assurance programs, and specialist negotiators. Increasingly, larger ransomware groups have begun to acquire nation-state actor capabilities, Check Point warns.
At the same time, the widespread attention that such groups have begun to garner from governments and law enforcement will likely encourage them to maintain a law profile, Check Point says. The US government, for example, has offered a $10 million reward for information leading to Conti members being identified and/or approved, and $5 million for groups caught using Conti. The heat is thought to have contributed to a Conti group decision earlier this year to cease operations.
“There will be a lesson learned from the Conti ransomware group,” Check Point says in its report. “Its size and power garnered too much attention and became its downfall. Going forward, we believe there will be many small-medium groups instead of a few large ones, so that they can go under the radar more easily.”