We’ve seen a disturbing trend take shape in the cyber-criminal landscape – threat actors are operating more and more like professional businesses. Their organized approaches and collaboration with other groups make them more akin to tech startups than the lone hackers they are often portrayed as. This has resulted in attacks that have bypassed the most advanced security teams and government defense operations. Additionally, the financial impact is only increasing – according to recent IBM research, the average cost of a ransomware attack in 2022 was $4.35m, up 2.6% from 2021 and almost 13% since 2020, when it was $3.86m. Let’s look at how cyber-criminals are mimicking the nature of today’s modern businesses.
The Use of Ransomware-as-a-Service
Ransomware groups are now adopting traditional business models to scale and function in a highly productive manner. Ransomware-as-a-Service (RaaS), just like Software-as-a-Service, allows less-skilled ransomware affiliates to buy tools through a subscription-based payment model. Not only does this help them expand operations, but it provides a new way to generate revenue, unifying what were once fragmented, one-off attacks. By outsourcing ransomware tools, RaaS operators can also focus on their niche market area, iterating improvements in their specific area of expertise to make their particular product ever more robust.
The RaaS approach is almost identical to that of today’s modern businesses, which seek to hire the best talent across different functions. Through public-facing data leak sites (DLS), Telegram channels or direct recruitment of targets as insider threats, cyber-criminals advertise job openings, promoting pay, benefits and other perks. In fact, the LAPSUS$ ransomware group has been advertising job openings since November 2021, targeting employees at large technology firms such as AT&T and Verizon and luring them to perform insider jobs in exchange for high pay (up to $20,000 a week). The landscape for cyber-criminal jobs is competitive, with new ransomware groups and data leak sites popping up constantly. Recent research revealed that 12 new data leak sites emerged in Q3 2022 alone. And total ransomware revenue in 2020 was $20bn, up from $11.5bn in the year prior.
Adoption of Emerging Technologies
For today’s agile startups, new programming languages offer alternative ways of building and securing code. Rust is a language rising in popularity with developers because it contains plenty of built-in safeguards that prevent them from compiling code with common memory-safety bugs. This layer of protection addresses some of the long-standing issues within languages such as C and C++ that have led to many buffer overflow and use-after-free (UAF) vulnerabilities over the years. Unfortunately, these same benefits have also caught the attention of threat actors. In recent months, ransomware groups such as BlackCat, Hive and Agenda have used Rust because of how easy the cross-platform language makes it for the groups to tailor their malware to different operating systems. Rust variants used by these stealthy threat actors also allow for intermittent encryption – when ransomware only partially encrypts a victim’s files, alternating between sections of a file, so that the result looks less like ciphertext and can slip through undetected.
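Intermittent encryption defeats the simplest ransomware heuristic, a single entropy measurement over the whole file, because the untouched sections pull the average down. The defensive counter is to profile entropy per chunk and look for the alternating high/low pattern. The following Rust program is an added example written for this article, not code from any of the groups or tools it mentions; the 4096-byte chunk size, the 7.5 and 6.0 bits-per-byte thresholds and the two-flip rule are assumptions chosen for illustration, and the "ciphertext" is constructed xorshift output rather than real encryption.

```rust
// Added example: per-chunk entropy profiling to spot intermittent encryption.
// Thresholds and chunk size are illustrative assumptions, not article values.

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Plain,
    FullyEncrypted,
    IntermittentlyEncrypted,
}

/// Shannon entropy in bits per byte (0.0 for empty input, at most 8.0).
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Entropy of each fixed-size chunk in file order (the last chunk may be short).
pub fn chunk_entropies(data: &[u8], chunk_size: usize) -> Vec<f64> {
    data.chunks(chunk_size).map(shannon_entropy).collect()
}

/// Classify a buffer from its entropy profile. A whole-file check alone would
/// miss the intermittent case, so chunk-to-chunk flips are counted first.
pub fn classify(data: &[u8], chunk_size: usize) -> Verdict {
    const HIGH: f64 = 7.5; // assumed: chunk looks like ciphertext / random bytes
    const LOW: f64 = 6.0; // assumed: chunk looks like ordinary text or structured data
    let profile = chunk_entropies(data, chunk_size);
    // Count transitions between high- and low-entropy chunks, ignoring chunks
    // in between (e.g. compressed regions inside an otherwise plain document).
    let mut last: Option<bool> = None;
    let mut flips = 0;
    for &e in &profile {
        let state = if e >= HIGH { Some(true) } else if e <= LOW { Some(false) } else { None };
        if let Some(s) = state {
            if let Some(prev) = last {
                if prev != s {
                    flips += 1;
                }
            }
            last = Some(s);
        }
    }
    if flips >= 2 {
        Verdict::IntermittentlyEncrypted
    } else if shannon_entropy(data) >= HIGH {
        Verdict::FullyEncrypted
    } else {
        Verdict::Plain
    }
}

/// Constructed sample data: xorshift64 output stands in for ciphertext.
/// This is not encryption, only a deterministic high-entropy byte source.
pub fn pseudo_random_bytes(len: usize, mut state: u64) -> Vec<u8> {
    (0..len)
        .map(|_| {
            state ^= state << 13;
            state ^= state >> 7;
            state ^= state << 17;
            (state >> 56) as u8
        })
        .collect()
}

/// Constructed sample data: repetitive ASCII text standing in for a document.
pub fn sample_text(len: usize) -> Vec<u8> {
    b"The quick brown fox jumps over the lazy dog. ".iter().cycle().take(len).copied().collect()
}

/// Constructed file whose chunks alternate ciphertext-like and plain sections,
/// mimicking the intermittent pattern described in the article.
pub fn sample_intermittent(chunk_size: usize, chunks: usize) -> Vec<u8> {
    let mut out = Vec::with_capacity(chunk_size * chunks);
    for i in 0..chunks {
        if i % 2 == 0 {
            out.extend(pseudo_random_bytes(chunk_size, 0x9E37_79B9_7F4A_7C15 ^ i as u64));
        } else {
            out.extend(sample_text(chunk_size));
        }
    }
    out
}

fn main() {
    let chunk = 4096;
    let plain = sample_text(chunk * 8);
    let full = pseudo_random_bytes(chunk * 8, 0xDEAD_BEEF_CAFE_F00D);
    let mixed = sample_intermittent(chunk, 8);
    for (name, data) in [("plain", &plain), ("fully encrypted", &full), ("intermittent", &mixed)] {
        println!("{:16} whole-file entropy {:.2} -> {:?}", name, shannon_entropy(data), classify(data, chunk));
    }
}
```

The point to take from the output is that the intermittent sample's whole-file entropy lands well under the ciphertext threshold, so a file-level check reports it as plain, while the chunk profile shows seven high/low flips. In production the chunk size should match the stride the specific family uses and the verdict should feed a rate limiter on bulk file modification rather than act on one file in isolation.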
Recently, we have seen cyber-criminals shift away from distributing their malware through macro-enabled files to distributing it through alternative file types to prepare for the end of Microsoft’s “on-by-default macros” feature. Threat actors have long used macros to distribute malicious content after users download a Word document. Last year, Microsoft began blocking macros to stop malware, resulting in a 66% drop in malicious macros identified from October 2021 to June 2022, according to research from Proofpoint. Quickly pivoting in response to these defenses, cyber-criminals shifted to other file types, such as ISO and RAR attachments, to distribute their malicious code.
Today’s cyber-criminals are persistent – quick to demand more money after a ransom has already been received, with the threat of leaking sensitive data again. These double, triple and even quadruple extortion efforts allow an attacker to extract as much value from an attack as possible and now even target non-paying third-party vendors connected to the victim, as in the recent case involving BlackCat (a.k.a. ALPHV). This pattern is more complex to prevent. Attackers may be unsuccessful in encrypting data, but they can still profit from threatening to leak data, selling information or going after customers as secondary victims, ensuring a higher likelihood of ROI.
The Threat of Automated Chatbots
Cyber-criminals are also future-proofing their ‘organizations’ with generative AI, empowering them to scale beyond what used to be one-off attacks. It’s been well documented that ChatGPT’s code-writing is often error-prone or incomplete, so there is still a need for highly skilled humans to work alongside it. However, security researchers have already had success in leveraging the APIs for these tools to assist in reverse engineering legitimate software quickly. In January 2023, Juan Andres Guerrero Saade leveraged ChatGPT to augment students’ work in a reverse engineering class. Building on this idea, Nate Warfield presented at BlueHat 2023 and discussed how he used the same principles to enable a team to decrypt 4,000 pieces of firmware in about an hour. All of this points to one clear fact: generative AI models like ChatGPT will be augmenting researchers on both attack and defense.
ChatGPT’s developers have intentionally set guardrails to prevent users from using it for fraud; however, security researchers have shown us how easy it is to rephrase a question to avoid triggering these boundaries. Despite some of the technology’s current limitations, it shouldn’t be overlooked as irrelevant in the hands of today’s relentless criminals. Many social engineering campaigns are very destructive, and AI chatbots have the potential to scale these campaigns.
Security teams should be alert to this growing modernization of cyber-criminal activity. Today’s organizations need to know how malicious actors are transforming their operations or risk being blindsided by an attack.