Many people equate the dark web with drugs, crime, and leaked credentials. In recent years, however, a complex and interconnected cybercrime ecosystem has formed across Tor and illicit Telegram channels. Ransomware groups, their affiliates, and the increasingly elaborate tactics they use to extort companies illustrate the trend. Ransomware has been a major concern for companies for more than a decade, but one of the more recent developments is that groups now build and operate the infrastructure while outsourcing the actual intrusion, encryption, and negotiation to “ransomware affiliates,” who act effectively as contractors to the Ransomware-as-a-Service (RaaS) group and split the proceeds after a successful attack. This allows role specialization and brings the economic notion of “economies of scale” to extortion. The resulting “commodification of cybercrime” means more infections, more victims, and higher payments. At the same time, groups have turned to increasingly sophisticated extortion methods. A group that merely encrypts a company’s data (single extortion) is now rare, and some groups bypass encryption entirely, focusing instead on data exfiltration and on blackmailing individual employees.
Ransomware groups and their affiliates use three kinds of extortion.
Single Extortion – The traditional ransomware attack: the group encrypts the company’s data and demands payment to restore access to it.
Double Extortion – The group or affiliate exfiltrates the data before encrypting it, then threatens to publish it on a ransomware leak blog on a set date if the victim refuses to pay.
Triple Extortion – Ransomware groups will not only encrypt and exfiltrate data, but will attempt to:
or attempt to create extra leverage forcing victims to pay.
In 2022, 2,947 companies had their data leaked on ransomware blogs. Thousands more were victims who paid the ransom to avoid disclosure. In the first six months of 2023, more than 2,000 data leaks had already appeared on ransomware blogs, putting 2023 on track to be a record year for ransomware data disclosure.
The emergence of triple extortion coincides with another key change in the threat landscape: the rise of infostealer malware. Infostealer variants such as Vidar, RedLine, and Raccoon infect individual computers and exfiltrate the browser fingerprint, host data, and every credential saved in the browser. Ransomware affiliates can obtain ransomware through specialized forums and then look for initial access in infected-device logs posted to public Telegram channels or sold on marketplaces such as Russian Market or Genesis Market.
Individual logs can contain credentials for:
At least 20 million infected devices are listed for sale on the dark web and Telegram; a small percentage of those logs carry credentials for corporate environments.
Stealer logs feed triple extortion in two ways. Affiliates use them to gain initial access to a company’s IT environment, and after a successful attack they search previously listed logs for entries tied to specific employees, which can then be exploited to put additional pressure on the company.
There has also been a rapid rise in initial access brokers, who operate on specific dark web forums and specialize in establishing initial access to companies, which they then sell in an auction-style format with a buy-it-now price. Initial access brokers commoditize the intrusion step: an affiliate can shop for the right target and purchase access before deploying any ransomware.
Because of the rising complexity of the cybercrime ecosystem, an increasing number of inexperienced threat actors can execute sophisticated attacks against corporate environments. Building a Continuous Threat Exposure Management (CTEM) process is therefore a cornerstone of good cybersecurity; companies that run CTEM processes are predicted to lower their chance of a data breach by 66% by 2026. Every intrusion requires an initial access vector. That vector may be obtained by traditional methods such as phishing emails and vulnerability exploitation, but it can also come from developers leaking credentials to public GitHub repositories, from infostealer malware on employees’ computers, or from credential stuffing attacks.
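Of the initial access vectors listed above, credential stuffing is the one that leaves a clear trace in the organisation's own authentication logs, so a detection for it is shown below as an added example; it is not SpearTip or ShadowSpear code. The one-line "timestamp ip user OK|FAIL" log layout, the sample events, and the tuning thresholds are all assumptions made for the demonstration.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example, not SpearTip or ShadowSpear code. The one-line
"timestamp ip user OK|FAIL" log layout, the sample events and the tuning
thresholds are all assumptions made for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one IP sprays ten different usernames (a stuffing list)
# and lands one valid pair; a user mistypes a password twice; a shared office
# NAT where three people log in normally.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01Z 203.0.113.7 alice FAIL
2024-03-01T09:00:02Z 203.0.113.7 bob FAIL
2024-03-01T09:00:02Z 203.0.113.7 carol FAIL
2024-03-01T09:00:03Z 203.0.113.7 dave FAIL
2024-03-01T09:00:04Z 203.0.113.7 erin FAIL
2024-03-01T09:00:04Z 203.0.113.7 frank FAIL
2024-03-01T09:00:05Z 203.0.113.7 grace FAIL
2024-03-01T09:00:06Z 203.0.113.7 heidi FAIL
2024-03-01T09:00:07Z 203.0.113.7 ivan FAIL
2024-03-01T09:00:08Z 203.0.113.7 j.doe OK
2024-03-01T09:01:10Z 198.51.100.5 carol FAIL
2024-03-01T09:01:25Z 198.51.100.5 carol FAIL
2024-03-01T09:01:40Z 198.51.100.5 carol OK
2024-03-01T09:02:00Z 192.0.2.10 alice OK
2024-03-01T09:02:05Z 192.0.2.10 bob OK
2024-03-01T09:02:09Z 192.0.2.10 dave OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")
WINDOW = timedelta(minutes=5)   # sliding window per source IP (assumption)
MIN_DISTINCT_USERS = 8          # many *different* accounts, unlike a typo
MIN_FAIL_RATIO = 0.8            # nearly every attempt fails against a stuffing list


def parse_auth_log(text):
    """Parse log lines into (time, ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines in another layout
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_stuffing(text):
    """Return {ip: {"distinct_users": n, "compromised": {users that logged in}}}."""
    by_ip = defaultdict(list)
    for ev in parse_auth_log(text):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        window = deque()
        for ev in events:
            window.append(ev)
            while ev[0] - window[0][0] > WINDOW:
                window.popleft()  # drop attempts older than the window
            users = {e[2] for e in window}
            fails = sum(1 for e in window if e[3] == "FAIL")
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                alert = alerts.setdefault(ip, {"distinct_users": 0, "compromised": set()})
                alert["distinct_users"] = max(alert["distinct_users"], len(users))
                # A success inside a spraying burst is the account that needs a reset.
                alert["compromised"].update(e[2] for e in window if e[3] == "OK")
    return alerts


if __name__ == "__main__":
    for ip, a in detect_stuffing(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {a['distinct_users']} usernames tried; "
              f"likely compromised: {sorted(a['compromised'])}")
```

The distinction that makes this usable is the distinct-user count rather than the raw failure count: a user who mistypes a password three times produces failures but only one username, while a stuffing run cycles through leaked e-mail/password pairs. Real campaigns rotate through proxy pools, so a per-IP threshold like this catches only the noisy ones; the same sliding-window logic should also be keyed on the target account (one account hit from many IPs) and on shared client fingerprints such as user agent or TLS fingerprint.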
Understanding how ransomware affiliates operate helps companies see why they must stay alert to the latest threat landscape, keep their network security infrastructure current, and maintain backups of sensitive data. At SpearTip, our certified engineers examine a company’s security posture to shore up the weak points in its network. They engage with the company’s people, processes, and technologies to measure the maturity of its technical environment, and for every vulnerability uncovered we provide a technical roadmap so the company has the awareness and support to strengthen its overall cybersecurity posture. Our ShadowSpear Platform, an integrable managed detection and response tool, works with IT and security technology partners to correlate events from firewalls and network devices on a single pane of glass, and it exposes sophisticated, previously unknown threats through comprehensive insights built on extensive data normalization and visualization.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
Identify, neutralize, and counter cyberattacks - provide confidence in your security posture
24/7 Breach Response: US/CAN: 833.997.7327
Main Office: 800.236.6550
1714 Deer Tracks Trail, Suite 150
St. Louis, MO 63131
©2024 SpearTip, LLC. All rights reserved.