KELA Cyber Intelligence Center

The list of ransomware victims has risen dramatically over the last few years. With the adoption of the "double extortion" tactic, companies now pay to keep stolen data from being released, not only to unlock their computers. KELA regularly monitors ransomware gangs' blogs, where attackers announce their victims and leak data. Some actors operate similar data leak sites without necessarily using ransomware: they steal data through other means of infiltration and then threaten to release it or sell it to third parties, or they resell data stolen by other actors. In addition, some actors offer old or non-existent leaks and make fake, intimidating claims. These offers have a direct impact on the cybersecurity landscape, generating extensive noise and preventing cyber threat researchers from focusing on real threats. It therefore becomes all the more important to validate new sources before following them closely, rather than accepting everything at face value. In this blog, KELA shares our process for reviewing new sources and assigning them a threat level, addressing sites such as Amigos, Coomingproject, Dark Leaks Market, Quantum and Groove.
Victoria Kivilevich, Director of Threat Research

According to recent reports, the operations of REvil ransomware were disrupted by a coordinated law enforcement operation (not formally confirmed), taking the group's websites offline. Earlier that week, the most recent self-proclaimed representative of the RaaS said goodbye, claiming that the servers had been compromised, making this effectively the second time this year that the REvil (Sodinokibi) ransomware group has disappeared from the radar. Does this mean the gang's story will end? And how will it affect other RaaS programs? KELA summarizes the group's activities after the notorious Kaseya attack and assesses the possible consequences of its disappearance, given that ransomware affiliates have become the driving force of RaaS (ransomware-as-a-service) operations.
Victoria Kivilevich, Threat Intelligence Analyst

In July 2021, KELA observed threat actors creating multiple threads in which they claimed to be ready to buy accesses and described their conditions. Some of them appear to use the access to deploy info-stealing malware and carry out other malicious activities; others aim to plant ransomware and steal data. KELA explored what is valuable to threat actors buying accesses, especially ransomware attackers, and built a profile of an ideal ransomware victim.

Bottom line up front:
In July 2021, KELA found 48 active threads in which actors claimed to be looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
40% of the actors looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain: operators, affiliates or middlemen.
Ransomware attackers appear to have formed "industry standards" that define an ideal victim by revenue and geography and exclude certain sectors and countries from the target list. On average, the actors active in July 2021 aimed to buy access to US companies with revenue of more than 100 million USD. Almost half of them refused to buy access to companies in the healthcare and education industries.
Ransomware attackers are ready to buy all kinds of network access, with RDP and VPN being the most basic requirement. The most commonly mentioned products (enabling network access) were Citrix, Palo Alto Networks, VMware, Fortinet and Cisco.
Ransomware attackers are ready to pay up to 100,000 USD for access, with most actors setting their limit at roughly half that price, 56,250 USD.
The similarities between the requirements that ransomware-related actors set for victims and access listings and the conditions offered to IABs illustrate that RaaS operations act just like corporate enterprises.
Translated and transcribed by KELA Cyber Intelligence Center

On August 23, 2021, the YouTube channel Russian OSINT published an interview with the LockBit 2.0 ransomware gang in Russian. KELA translated the full interview.
Victoria Kivilevich, Threat Intelligence Analyst

For more than a year, KELA has been tracking Initial Access Brokers and the initial network access listings they publish for sale on various cybercrime underground forums. Initial network access refers to remote access to a computer in a compromised organization; the threat actors selling these accesses are referred to as Initial Access Brokers (IABs). IABs play a crucial role in the ransomware-as-a-service (RaaS) economy: by selling this access they significantly facilitate network intrusions and link opportunistic campaigns with targeted attackers, often ransomware operators. This research includes an in-depth analysis of Initial Access Brokers and their activity over a full year, from July 1, 2020 to June 30, 2021. KELA analyzed IABs' activities over that year, during which their role became increasingly popular in the cybercrime underground, and summarized the 5 major trends observed throughout our analysis.
Victoria Kivilevich, Threat Intelligence Analyst

A new Russian-speaking forum called RAMP was launched in July 2021 and received much attention from researchers and cybercrime actors. The forum emerged at the domain that previously hosted the Babuk ransomware data leak site and later the Payload.bin leak site. KELA researched the contents of the new site and assessed its chances of succeeding. *All forum contents are described based on what KELA observed on RAMP until July 27, 2021, when access was restricted.
Victoria Kivilevich, Threat Intelligence Analyst

The cybercrime underground ecosystem once housed cybercriminals who would perform attacks from start to finish on their own. This one-man show has nearly completely dissolved; one of the most prominent trends that emerged instead is the specialization of cybercriminals in different niches. If we take a typical attack, we'll see that not every cybercriminal necessarily has the know-how to perform each stage involved:
Code (code or acquire malware with the desired capabilities)
Spread (infect targeted victims)
Extract (maintain access to infected machines)
Monetize (get profits from the attack)
Irina Nesterovsky, Chief Research Officer

In our first post on Slack and the corporate attack surface, we revealed the 12,000+ credentials to Slack workspaces that were available for sale on various cybercrime underground markets, representing an explicit threat to thousands of organizations. At the time, however, an examination of both open-source reporting and cybercrime communities did not reveal much attacker interest in the platform. Though steady interest may still not be apparent, what is clear is that the number of compromised credentials has grown, and another instance of Slack credentials being abused has appeared. Now, a year after the release of Part 1, we have dived back into those same sources to see what exactly has changed over the last year, and what the dangers of compromised Slack credentials really may be.
Victoria Kivilevich and Sharon Bitton

The UAE has gained global attention for the remarkable development the country has undergone over the last few decades. While the UAE's economy continues to flourish, cybercriminals will carry on trying to identify where their next worthy targets may be. As the country advances its economy and technological capabilities, UAE-related entities must push their cybersecurity efforts forward as well, to ensure that their wealth is not harmed by profit-driven cybercriminals operating in the cybercrime underground ecosystem. This research lays out the major underground digital dangers that KELA's researchers have identified as posing a threat to UAE-related entities. The research's highlights include:
During the last six months (December 2020 to May 2021), KELA observed numerous compromised network access listings for UAE-related private and public entities offered for sale on cybercrime forums, including one that was possibly used in an attack by the Avaddon ransomware gang.
Among these, KELA detected several threat actors specifically targeting UAE entities by selling data and network access related to UAE companies.
KELA discovered that UAE-related email addresses were exposed more than 1.2 million times, with more than 200,000 of those exposures related to employees of government, educational, academic and nonprofit entities.
KELA also identified more than 68,000 compromised accounts related to UAE users on corporate portals, social media, e-commerce stores and government websites.
Gilad Shiloach, Threat Intelligence Analyst

Unemployment systems have been challenged with responding to millions of unemployment claims over the last year, thousands of them fake claims made by cybercriminals. The US Pandemic Unemployment Assistance (PUA) program and other assistance programs launched in response to the COVID-19 outbreak opened the doors to many cybercriminals searching for further ways to make money. Nearly 36 billion dollars in unemployment benefits have been taken from US citizens, and that number will continue to rise as cybercriminals persist in taking advantage of those benefits. The cybercrime underground ecosystem has become a hub for trading various unemployment fraud services. Many of the services our research identified capitalize on identity theft basics and methods that have circulated on underground platforms for years, and therefore welcome cybercriminals who do not necessarily possess advanced technical skills. KELA has been closely tracking criminal actors across the cybercrime underground ecosystem and has identified significant interest in PUA fraud schemes, which arm cybercriminals with the information needed to illegally obtain US citizens' unemployment benefits. The top three non-technical services we identified interest in were:
1. Fullz, bundles of information belonging to real people that contain the personal details fraudsters need to carry out identity theft.
2. Step-by-step guides (aka "methods" or "sauces") on how to carry out these attacks.
3. Targeting of the ID.me identity service, used by citizens to access digital government services, with the aim of bypassing it.