The sophistication of underground eCrime laid bare

Param Singh, vice president of Falcon OverWatch at CrowdStrike, explores the sophisticated and complex world of underground eCrime

Posted 14 July 2022 by Christine Horton

Supply chain attacks, ransomware, and data extortion threats are more prolific and sophisticated than ever. ECrime has seen sustained growth in recent years, and many organized crime groups rival the business world for careful planning, collaboration, adaptability and strategic direction. Independent research observed that 66 percent of businesses had suffered a ransomware attack in 2021, compared to 56 percent in 2020. This continued increase is a stark reminder that the eCrime ecosystem is thriving more than almost any other sector.

The persistent threat of ransomware

Over the last two years, COVID-19 has resulted in many changes for organisations around the globe. But one thing that has remained constant is the persistent danger posed by ransomware attacks. The days of believing that these cyber criminals are amateur groups scattered across basements around the world are long gone. These adversaries are organised, vigilant and will stop at nothing to infiltrate any enterprise.

Ransomware has been the most commercially successful type of cyberattack in recent history. And, with constant changes to how we work, cybersecurity teams are still adjusting and, in some cases, struggling to set up and secure hybrid working environments for the future. Therefore, it stands to reason that those perpetrating these attacks will continue to see high levels of success. A 2021 survey of senior IT professionals revealed that almost two-thirds (66 percent) of organisations had experienced a ransomware attack in the preceding 12 months. Perhaps the most concerning statistic is the fact that 33 percent of these organisations had suffered more than one attack in that period.

eCrime is only getting worse

As noted above, organised eCrime groups continue to evolve their tactics and tooling both to evade defences and to increase the profitability of their enterprise. New ransomware families are discovered regularly; some recent discoveries include ransomware written in less prevalent programming languages, in a likely attempt to evade detection. Other prominent themes include the rise of access brokers, specialised adversary groups who gain access to victim organisations and sell that access on to the highest bidder, as well as the rapid rise of data extortion, which includes threats to leak and sell sensitive data. It is clear that the eCrime ecosystem is expanding. Not only that, the value of ransoms paid has increased by nearly 63 percent. In 2020, on average, respondents’ organisations were forced into paying £870,000, whereas in 2021 the average ransomware payment was £1.42 million.

The sophistication of the eCrime underworld

Organized eCrime has developed to the point that it is effectively its own ecosystem. Nowhere is this more apparent than in the emergence of the Ransomware as a Service (RaaS) business model.

RaaS is so named due to its parallels with the software as a service (SaaS) business model. These RaaS kits allow adversaries who may lack the skill or time to develop their own ransomware variant to still partake in an efficient and affordable way. The truly frightening aspect is that these tools and software are straightforward to find on the dark web. In fact, they are advertised in the same way that normal products are advertised on the legitimate web. RaaS kits are so advanced that they also include 24/7 support, user reviews, forums and many other useful features. The price of this software can range from as little as £30 per month to several thousand pounds. These are, of course, trivial amounts, considering the average ransom payment mentioned above.

Another marker of the sophistication of eCrime groups is their propensity to target large, high-value or high-profile organisations in an approach known as Big Game Hunting (BGH). The criminals specifically research and choose their victims based on their perceived ability to pay a ransom, as well as the likelihood that they will do so in order to resume business operations or avoid public scrutiny. This typically includes large corporations, utilities providers, hospitals, government agencies, and financial institutions. DarkSide, for example, operates under a RaaS model and is believed to be the ransomware used in the high-profile Colonial Pipeline attack.

Combating the ever-evolving eCrime threat

While this information may make eCrime and ransomware seem like somewhat of an inevitability, there are a wealth of measures that organisations can take to reduce their risk of becoming the victim of a successful attack. eCrime adversaries are predominantly opportunistic and will default to low-hanging fruit: the least protected organisations. A significant amount of eCrime activity could be stopped in its tracks by basic security hygiene. Organisations should heed well-worn security advice such as rolling out proper training for employees to recognise threats, employing strong password policies, using multi-factor authentication, and applying security patches in a timely way.

With the basics in place, organisations should also invest in next-generation antivirus and cloud security solutions. The most effective solutions use machine learning intelligence and data analysis to detect patterns of behavior used by threat actors, which means that unknown threats can be anticipated and prevented. Finally, no security solution is complete without a proactive human-driven element. Innovation is rife among eCrime adversaries, and the power of human ingenuity is crucial to stay a step ahead. It is strongly recommended that organisations invest in a dedicated and round-the-clock threat hunting function to detect hidden attacks and new techniques designed to evade automated detection technologies.

eCrime threat actors are constantly changing. Organisations that remain at a standstill and refuse to keep up with the times will continue to fall victim to these ever-evolving attacks. However, organisations that focus on proper training and implement the necessary cybersecurity strategy stand the greatest chance of mitigating the threat these criminals pose.