Ransomware Gangs Outsource Network Access to Drive Success

Written by

Ransomware groups are increasingly purchasing network access on underground forums to simplify and accelerate their attacks, Accenture has warned.

The consulting giant’s iDefense threat intelligence business claimed in a new report that the outsourcing trend overlaps that of the relatively recent emergence of ransomware-plus-data-theft.

As developing and maintaining stable network access comes with a high risk of detection and requires significant time and effort, ransomware authors are increasingly seeking third-party help.

“As of September 2020, we actively track more than 25 persistent network access sellers as well as the occasional one-off seller, with more entering the scene on a weekly basis. Network access sellers operate on the same forums as actors associated with the ransomware gangs Maze, Lockbit, Avaddon, Exorcist, NetWalker, Sodinokibi and others,” Accenture wrote.

“We assess with high confidence that this ecosystem will continue to thrive, so long as reputable, invite-only dark web forums provide the platform on which network access sellers and ransomware gangs can securely exchange goods and services.”

Increasingly, such sellers are using zero-day exploits to compromise the networks of individual victim organizations and sell access rather than selling the exploit itself, presumably to drive up profits. One vendor, Frankknox, advertised access to 36 companies for between $2000 and $20,000, according to Accenture.

Another trend is exploitation of VPN infrastructure as more users work from home, although RDP remains the most popular attack vector. Accenture also claimed that an increasing number of network access sellers are advertising breached companies on a single thread by industry, country, access-level, price and other elements, in order to streamline the sales process.

The market for network access was pioneered by “Fxmsp,” an infamous threat actor thought to have made millions over the past few years. Although indicted by the US, he is thought to be currently living in Kazakhstan, which has no extradition treaty with Washington.

What’s hot on Infosecurity Magazine?