Ransomware Affiliates

Chris Swagler | July 11th, 2023


Numerous people equate the dark web with drugs, crime, and leaked credentials; in recent years, however, a complex and interconnected cybercrime ecosystem has formed across Tor and illicit Telegram channels. Examining ransomware groups, ransomware affiliates, and the increasingly complex tactics they use to extort companies exemplifies this trend. Ransomware has been a major concern for companies for more than a decade, but one of the more recent developments is that groups set up the infrastructure and outsource the actual infection and negotiations to “ransomware affiliates,” who effectively act as contractors to the Ransomware-as-a-Service (RaaS) group and split the profits at the end of a successful attack. This allows for role specialization and takes advantage of the economic notion of “economies of scale.” This “commodification of cybercrime” enables more infections, more victims, and higher payments. At the same time, groups have resorted to increasingly sophisticated extortion methods. A group that only encrypts companies’ data (single extortion) is now rare, and some groups bypass encryption entirely, focusing instead on data exfiltration and blackmailing employees.

Different Kinds of Ransomware Extortion

There are three kinds of ransomware extortion attacks used by ransomware groups and ransomware affiliates.

Single Extortion – The traditional ransomware attack: groups encrypt companies’ data and demand payment for its release.

Double Extortion – Ransomware groups and ransomware affiliates exfiltrate companies’ data before encrypting it; if the victim refuses to pay, the stolen data is posted on the group’s ransomware blog on a set date.

Triple Extortion – Ransomware groups not only encrypt and exfiltrate data, but also attempt to:

  • Target specific employees
  • Conduct DDoS attacks against the company
  • Notify the company’s third parties of the breach

or otherwise create extra leverage to force victims to pay.

How Big Are the Ransomware Attack Threats?

In 2022, 2,947 companies had their data leaked on ransomware blogs. Thousands more companies were victims and paid the ransom to avoid data disclosure. In the first six months of 2023, more than 2,000 data leaks had already appeared on ransomware blogs, making 2023 likely to be a record year for ransomware data disclosure.

How Triple Extortion Ransomware Is Being Used in the Cybercrime Ecosystem

The emergence of triple extortion ransomware used by ransomware groups and ransomware affiliates coincides with another key change in the threat landscape: the rise of infostealer malware. Infostealer variants, including Vidar, Redline, and Raccoon, infect individual computers and exfiltrate the browser fingerprint, host data, and all credentials saved in the browser. Ransomware affiliates can simply purchase ransomware through specialized forums and look for initial access in infected-device logs posted to public Telegram channels or placed for sale on marketplaces such as Russian Market or Genesis Market.

What’s in a Stealer Log?

Individual logs can contain credentials for:

  • VPNs and business applications
  • Online banks
  • Retirement accounts
  • Email accounts

There are at least 20 million infected devices for sale on the dark web and Telegram, with a small percentage carrying credentials to companies’ environments.

Triple Extortion Attacks and Stealer Logs

Stealer logs can be used by ransomware groups in triple extortion attacks. Ransomware affiliates use logs to gain initial access to companies’ IT environments and, after a successful attack, search previously listed logs for entries tied to specific employees that can be used to put additional pressure on the company.
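As an added defensive example (not code from this article or from SpearTip): a small Python script that parses a constructed stealer-log credential dump of the kind described above and flags the entries that expose a company, either a login on a company host or a corporate e-mail address used as the username on some other site. The record layout, domain names and credentials are invented for the example, not copied from any real stealer family.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the style of a stealer's saved-password dump
# (URL/Username/Password records separated by blank lines); values are invented.
SAMPLE_LOG = """URL: https://vpn.example-corp.com/remote/login
Username: j.doe@example-corp.com
Password: Winter2023!

URL: https://online.bank-example.net/auth
Username: jdoe1984
Password: hunter2

URL: https://mail.example-corp.com/owa/
Username: EXAMPLE\\jdoe
Password: Winter2023!

URL: https://shop.example-store.com/account
Username: j.doe@example-corp.com
Password: pa55word
"""

@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str

def parse_stealer_log(text: str) -> list[Credential]:
    """Split the dump into records and keep those with all three fields."""
    creds = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(URL|Username|Password):\s*(.*)$", block, re.M))
        if {"URL", "Username", "Password"} <= set(fields):
            creds.append(Credential(fields["URL"], fields["Username"], fields["Password"]))
    return creds

def corporate_exposure(creds, company_domains):
    """Login on a company host, or a corporate e-mail used as username elsewhere."""
    domains = {d.lower() for d in company_domains}
    def hits(cred):
        host = (urlparse(cred.url).hostname or "").lower()
        user_dom = cred.username.rsplit("@", 1)[1].lower() if "@" in cred.username else ""
        return any(host == d or host.endswith("." + d) or user_dom == d for d in domains)
    return [c for c in creds if hits(c)]

def redact(cred: Credential) -> str:
    """Alert-safe line: never carry the cleartext password into a ticket."""
    return f"{cred.username} @ {cred.url} password={cred.password[:2]}{'*' * (len(cred.password) - 2)}"
```

The third hit in the sample is the interesting one for a defender: the corporate address is used on an unrelated shop site, which is a password-reuse risk that warrants a reset even though no company host appears in that record.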

Ransomware Affiliates and Initial Access Brokers

There has been a rapid rise in initial access brokers that operate on specific dark web forums and specialize in establishing initial access to companies, which is then sold in an auction-style format with a buy-it-now price. Initial access brokers commoditize the process of infection by allowing threat actors to acquire access to targets prior to ransomware deployment and to shop for the right target.

Because of the rising complexity of the cybercrime ecosystem, an increasing number of inexperienced threat actors can execute sophisticated attacks against companies’ environments. Building a continuous threat exposure monitoring (CTEM) process is the cornerstone of good cybersecurity. Companies that employ CTEM processes will lower the chance of a data breach by 66% by 2026. All cyberattacks require an initial access vector. It can be obtained by traditional methods, including phishing emails and vulnerability exploits, but it can also be obtained through developers leaking credentials onto public GitHub repositories, infostealer malware infecting employees’ computers, or credential stuffing attacks.

Knowing the information about ransomware affiliates outlined above will help companies understand the importance of remaining alert to the latest threat landscape, regularly updating their network security infrastructure, and keeping backups of sensitive data. At SpearTip, our certified engineers will examine companies’ security postures to improve the weak points in their networks. Our engineers will engage with companies’ people, processes, and technologies to measure the maturity of the technical environment. For all vulnerabilities uncovered, we provide technical roadmaps ensuring companies have the awareness and support to optimize their overall cybersecurity posture. Our ShadowSpear Platform, an integrable managed detection and response tool, integrates with IT and security technology partners to enable the correlation of events from firewalls and network devices on a single pane of glass. Additionally, ShadowSpear exposes sophisticated unknown and advanced threats with comprehensive insights through unparalleled data normalization and visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
