How middlemen are giving ransomware gangs more attack options

Written by

The last six months have seen damaging ransomware attacks on two multibillion-dollar IT firms, Conduent and Cognizant, with clients all over the world. The incidents locked computers across the companies, cut into revenue and required days, if not weeks, of clean up.

A report published Monday by consulting giant Accenture warns that the kind of criminal groups behind those attacks have more options than ever for accessing corporate networks thanks to a thriving market for outsourced hacking.

Accenture researchers are tracking more the 25 regular “network access sellers,” or people who specialize in breaching an organization’s networks and handing off that access to the highest bidder. The access sellers have frequented the same underground forums as the people involved with prolific strains of ransomware like NetWalker and Maze, the latter which was used against Cognizant.

“Network access selling has progressed from a niche underground offering throughout 2017 to a central pillar of criminal underground activity in 2020,” Accenture researchers Thomas Willkan and Paul Mansfield wrote in a blog post.

The study makes the case that such mercenaries are increasingly interacting with ransomware gangs. But the criminal operatives of such forums rarely spell that out.

“We observed one rare occasion when an access seller named their victim on a forum, and several months later the same victim appeared on the NetWalker victim name-and-shame website,” Mansfield told CyberScoop in an email.

Help wanted, in multiple ways

The findings are a window into a bustling underground economy that has bedeviled corporate security officers and law enforcement alike. Despite a series of takedowns by the FBI and other agencies of dark-web markets, forums selling hacking tools and network access continue to flourish, according to Mansfield.

Market forces are always at play on the underground forums as participants see what’s selling and what’s not.

Willkan and Mansfield found one case of a Russian-speaking advertiser hawking a zero-day exploit for an email server for $250,000. But they decided to use the exploit themselves, and then sell the network access to various corporations because it likely made more financial sense.

In some cases, there have also been broad “help wanted”-style calls for new cybercriminal recruits.

Last December, an administrator on the Russian-speaking XSS forum announced a “competition” funded by people affiliated with the Sodinokibi ransomware, according to Digital Shadows, another firm that tracks criminal forums.

“The competition winner was allegedly offered an opportunity to ‘work with’ the Sodinokibi team under “mutually beneficial conditions,’” said Kacey Clark, threat research team lead at Digital Shadows.

Another dominant market force — the coronavirus pandemic — has led some underground forum-goers to slash prices on hacking tools. It has also changed what’s traded on the forums. Forum denizens are increasingly touting access to virtual private networking software as companies rely on those products for telework, according to Accenture.

Asked if the network access sellers’ customers are generally happy with their purchases, Mansfield said, “it’s a mixed bag.”

“As with all congested marketplaces there are a few who rise to the top and receive consistently positive feedback, but many who either are after attention, are selling a substandard product or are trying to scam the buyer,” he added.