In the Real Estate business, the most sought after properties have location, location and location as their attraction. Thinking as a criminal what is on their “Wish List?” How do they rate the ideal ransomware target? Cyber threat investigators calim the following attributes add up to the best targets: revenue, size, geography and level of access help determine sale price for access. The most sought-after type of victim for ransomware-wielding attackers is a large, U.S. based business with at least $100 million in revenue, not operating in the healthcare or education sector, for which remote access is available via remote desktop protocol or VPN credentials.
These are factors that the Israeli threat intelligence firm Kela listed in a recent report. The report summed up dozens of active discussion threads it tracked on cybercrime forums during July 2021 that were devoted to buying initial access to networks. About half of the threads it found had been created the same month, suggesting that the market for supplying such access continues to thrive, it says. "We buy VPN, RDP, Citrix accesses, with domain admin rights."
On cybercrime forums and markets, initial access brokers continue to sell what gets referred to as "accesses." For buyers, the upside of buying access is that it saves them from having to breach potential victims themselves. Instead, they can choose from a menu of options, which allows them to spend more time infecting more victims with ransomware and other malware, stealing data, or otherwise monetizing such efforts.
When dealing with initial access brokers, the access being sold may include network access, but most often refers to the ability to buy working RDP or VPN credentials, writes Victoria Kivilevich, a threat intelligence analyst at Kela who authored the new report. Based on the forum posts Kela reviewed, she says other most-desired products for facilitating access include:
- Cisco;
- Citrix;
- Fortinet;
- Palo Alto Networks - including GlobalProtect VPN;
- VMware, including ESXi.
The average minimum price a buyer will pay for access is $1,600 and the average maximum is $56,250, Kela reports, although in some cases, initial access brokers will instead accept a cut of any ransom a victim pays, with the going rate for a broker typically being about 10% of any ransom payment.
For ransomware-wielding attackers who want to buy access, which types of victims are hot and which ones are not? Geographically, 47% of all buyers said they wanted U.S. victims; 37% said they wanted Canadian or Australian victims; and 32% sought victims in Europe, Kivilevich says, noting that "most of the advertisements included a call for multiple countries."
From a revenue standpoint, the average desired annual revenue for a victim was $100 million, although sometimes this demand was based on location, Kivilevich says. "For example, one of the actors described the following formula: Revenue should be more than $5 million for U.S. victims, more than $20 million for European victims and more than $40 million for 'the third world' countries," she says. In general, more ransomware operations have been targeting larger organizations in search of bigger ransoms, per what's known as big game hunting.
As a representative of the LockBit 2.0 operation who goes by LockBitSupp said in a recent interview, the focus on the U.S. and EU is simply because "the largest number of the world's wealthiest companies is concentrated there," and because those regions also have "more developed" cyber insurance practices, which can help them pay larger ransoms.
Perhaps predictably, Russia and other Commonwealth of Independent States countries - Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, Ukraine tend to be on buyers' blacklists, Kela reports. Interesting point, could attacks on firms in these countries cause the attackers problems at “home?”
Additional market segments on buyers' blacklists: organizations in the healthcare and education sectors, for 47% of all buyers; government agencies for 37% of buyers; and nonprofit organizations for 26% of buyers, Kela says. Avoiding healthcare appears to be due to an attacker's moral code, it says, whereas government entities are avoided to try and escape unwanted police attention, while education and nonprofits are perceived to pay too little to be worth the effort, it says.
Such research carries caveats. For starters, not all accesses for sale get listed on forums where they can be publicly tracked. In some cases, initial access brokers will have exclusive arrangements with a particular ransomware-as-a-service operation, or might at least give it a right of first refusal on all new accesses. In addition, some brokers list general accesses for sale, but will only message prospective clients directly. For example, via Telegraph or Jabber messaging tools - to share a full list of what's for sale as well as to negotiate prices.
What should network defenders do with the above information? Clearly, keeping RDP and VPN access locked down should be a top priority, as should enabling two-factor authentication wherever possible, but especially for admin-level access to Active Directory and other key systems attackers regularly target.
Maintaining complete lists of all internal assets, and ensuring that they are being properly defended, as well as kept updated with all security patches installed remains essential. While this might sound obvious, cybersecurity agencies in the U.S. and U.K. continue to warn that too many organizations have been failing to patch their devices, especially Citrix, Fortinet, Pulse Secure and Palo Alto VPN appliances, and Microsoft Exchange Servers to eliminate known vulnerabilities, and that attackers continue to keep exploiting them en masse to gain access.
Finally, while the above study looked at ransomware-wielding attackers' access proclivities, of course, they're not the only type of attacker shopping for access. As Kela's Kivilevich says: "It is crucial to remember that access to a company in the wrong hands may be exploited not only for deploying ransomware and stealing data but also for other malicious campaigns."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
Comments