For ransomware actors, innovation is a key to success, as crime gangs look for new ways to dupe people and make crypto-locking malware even more lucrative. Some hacking groups have started cold-calling victims to inform them that their systems have been hit by ransomware and to request a ransom to resolve the situation. An old, yet tried and true, use of chicanery. Sometimes old schemes become new schemes. This is just the latest in a long line of shakedown tactics, which include not just using crypto-locking malware but leaking data to increase the psychological pressure on victims to pay. The Egregor ransomware group has been taking over business printers and printing out its demands for all employees to read. Another devious trick.
Cyber threat experts report that both the number of ransomware attacks and the size of ransom payments are on the rise. This may be due to so-called human-operated ransomware, referring to gangs that do not rely solely on malware and opportunistic infections but bring advanced network penetration and other skills to bear in their attacks. This is actually very clever. Many such operations also appear to have focused more on ‘big-game hunting,’ meaning attempting to take down larger targets in order to demand much larger ransoms for each attack. Investigators report that these gangs are writing business plans and analyzing exactly how much they can demand as the ransom payment. Criminals are smart too.
Let’s look at a new scheme, Extortion-as-a-Service (EaaS). Following the practices of legitimate businesses, ransomware groups are looking to expand their prospects and are attempting to turn as many of their tactics as possible toward extorting victims, sometimes via lengthy negotiations. These ‘new’ tactics are classic sales and marketing initiatives. To convert more prospects, or in this case victims, into paying a ransom, multiple gangs appear to have been outsourcing these efforts to one or more call centers.
Ransomware operations have been cold-calling victims since August 2020, when Maze contacted an organization it had compromised. In September 2020, the operators behind the Conti ransomware group telephoned Galstan & Ward Family and Cosmetic Dentistry, a dental practice in Georgia, to tell them they had been victims of a ransomware attack and to demand that the ransom be paid.
The list of gangs known to have used this tactic includes Ryuk and its successor, Conti. Maze's successor, Egregor, has also used this tactic, in addition to hijacking company printers. Based on comments made by Maze members, "it appears that they are using a third-party team to do those calls," states the IR firm Arete. "Based on voicemail recordings, the messages appear to be very scripted and it sounds like a person reading the pre-written message." "We think it's the same outsourced call center group that is working for all the [ransomware gangs], as the templates and scripts are basically the same across the variants," reports the CEO of Coveware.
Sekhmet may have been the first ransomware operation to rely on this tactic. "We can't say for sure but we think that we are the first group that tries to contact the companies by phone as soon as possible after the incident," the operators behind Sekhmet posted to their leaks site. The use of call centers demonstrates some ransomware operators' increasing business understanding. "The segmentation and specialization that is implied by the use of call centers to handle victim negotiations demonstrates the evolution and maturity of the cyber extortion industry," says the Coveware CEO. "Some of these groups have staffing and budgets akin to a midsized company," he adds. "They have the same problems, as well, with miscommunications, poor training and vendor and staff turnover that impact their operations."
Outsourcing the work of threatening victims is just the most recent of a myriad of innovations that ransomware gangs have been using to maximize their returns. Others include:
- Leak sites: In November 2019, the Maze gang pioneered the practice of exfiltrating data and then leaking samples of it. Since then, more than a dozen gangs have created name-and-shame sites where they leak victim names and data samples or threaten to auction stolen data to the highest bidder.
- Data-deletion promises: As more organizations have put better defenses in place, ransomware gangs have shifted from requiring a ransom in exchange for the promise of a decryption tool to falsely promising to delete stolen data if victims pay.
- Ransomware-as-a-service affiliate programs: In RaaS programs, ransomware operators provide malware to affiliates, who share in the profits whenever a victim pays. Such programs help maximize the returns for both parties, and they have been thriving.
- Recruiting specialists: Driven in part by RaaS, as well as the lure of big-game hunting profits, more gangs have been recruiting specialists across numerous disciplines, ranging from network penetration and encryption to negotiations and working with cloud-based data.
- Easier access to victims: As part of the burgeoning cybercrime-as-a-service ecosystem, there has been a surge in initial access brokers who sell ready-to-use, remote access into penetrated corporate networks, typically gathered by brute-forcing remote desktop protocol connections. Buying such access means ransomware-wielding gangs do not have to focus on amassing victims themselves but can move immediately to trying to steal data, infect organizations' systems and then extort organizations.
The increased use of these criminal tactics, sometimes in combination, means that ransomware attacks can leave victims not just having to recover from a crypto-locking malware outbreak but, oftentimes, having to investigate a suspected data breach, which can trigger a host of unexpected government notification rules.
Red Sky Alliance has been tracking cyber criminals for years. Throughout our research we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cyber security tooling and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware of every variety, ransomware included, is bought and sold, and they help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but it is often dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941