Extortionists began to work together more often and conclude franchise deals

Source: https://cobaltstrike.net/2022/03/18/extortionists-began-to-work-together-more-often-and-conclude-franchise-deals/

Over the past year, many “franchise” deals and new partnerships have appeared in the Ransomware-as-a-Service (RaaS) industry. RaaS has become one of the most widespread and dangerous threats to enterprise security. Cybercriminals make large profits from renting out their ransomware, especially when it is used against large companies that can afford to pay substantial sums to have their data decrypted.

In recent years, the industry has evolved and now includes other roles: malware developers, native speakers who handle negotiations, and initial access brokers who offer network access to the target system, thereby speeding up RaaS operations.

Data leak sites have become commonplace. When a ransomware group attacks a victim, it can steal confidential corporate information before encrypting systems. The group then threatens to publish this data if the ransom is not paid.

KELA specialists have published a report on general trends among ransomware operators in 2021. The number of large organizations that fell victim to cyberattacks increased from 1,460 to 2,860. A total of 65% of the leak sites tracked last year were managed by new cybercriminals. Most of the victims are in developed countries, including the USA, Canada, Germany, Australia, Japan and France.

Manufacturing enterprises and industrial and technology companies are at the greatest risk of attack by ransomware operators. According to KELA, approximately 40 organizations that were compromised in 2020 fell victim to a cyberattack again last year, this time at the hands of a different group. Presumably, the attackers used the same initial access.

While some of these compromises may be unrelated, it appears that “franchise” businesses are emerging. Trend Micro previously linked the Astro Team and Xing Team groups, which were allowed to use the Mount Locker ransomware under their own brands. Some of the victims were mentioned on both the Astro/Xing Team and Mount Locker data leak sites. In addition, in 2021, 14 affected organizations were mentioned in the blogs of Quantum, Marketo and Snatch.
