Cybercrime Ransomware 'Ban' is No Match for Threat Actors

A self-imposed ransomware ‘ban’ instituted by several cybercrime sites is not stopping the threat actors that use these forums, according to Digital Shadows.

The threat intelligence vendor wanted to see whether the new rules put in place by popular Russian-language platforms XSS and Exploit were having any impact. The sites’ administrators banned users back in mid-May from advertising ransomware and affiliate partnerships after several high-profile attacks in the US.

Perhaps unsurprisingly, users of the sites have found ways to bend the rules, such as speaking euphemistically about the services they’re looking for.

“Ransomware-linked threat actors are most likely continuing to operate on the forums under different aliases, using coded language and avoiding direct references to ransomware. We’ve noticed many threads in which users advertise ‘pentesting’ vacancies in their ‘team.’ Others write that they are looking to purchase ‘access’ to corporate networks for high prices,” Digital Shadows explained.

“In one particularly blatant example, a user advertised for ‘individuals and groups for our partners program [sic],’ including ‘Pentesters with experience in Active Directory networks’ and ‘Access brokers’.”

The vendor also claimed to have seen no decrease in the number of listings for “access” services, which are an increasingly popular way for ransomware groups to launch attacks.

“Some initial access brokers, perhaps aware that they can’t market their wares openly to ransomware groups, are instead offering to provide a regular supply of ‘exotic’ and ‘valuable’ corporate accesses to ‘serious’ buyers,” it explained.

Plenty of other forums plying their trade haven’t put ransomware ‘bans’ in place. Digital Shadows pointed to the success of RAMP, a relative newcomer which appeared in July and amassed a large following before closing registrations as a protective measure.

The bottom line appears to be that ransomware continues to thrive. Without any progress on the geopolitical front, organizations must focus their efforts on best practice cyber-hygiene and rapid detection and response.

According to new Accenture research, ransomware accounted for 38% of intrusions in H1 2021, more than any other threat type.
