Trends in ransomware-as-a-service and cryptocurrency to monitor


In January, law enforcement officials disrupted the operations of the Hive cybercriminal group, which profited off a ransomware-as-a-service (RaaS) business model. Hive is widely believed to be affiliated with the Conti ransomware group, joining a list of other groups associated with former Conti operators, including Royal, Black Basta, and Quantum.

RaaS affiliates are all over the globe, and so are their victims. These affiliates use a myriad of different tactics and techniques. In this article, I’ll cover what the Hive case tells us about RaaS trends, how it relates to cryptocurrency, and how to defend against similar groups.

Hive’s modus operandi

Hive, like other RaaS providers, wrote a ransomware encryptor, created a dark web domain, advertised their services to affiliates and forums, and then allowed users to purchase a license (for their services) to configure a ransomware payload and receive extortion funds.

RaaS providers typically take a cut of the ill-gotten proceeds – it’s usually a 75/25, 80/20, or 85/15 split (Hive was 80/20).

Hive, and every other ransomware group, still uses cryptocurrency for ransomware payments because it is borderless and almost instant. There are no conversions or bank approvals; it’s an anonymous system of transferring and instantly sending funds around the globe. Cryptocurrency also makes it easy to split the money extorted from victims with other users.

Priced high or low, cryptocurrency is the best and most effective avenue for ransomware operators to extract funds from victims. The price of cryptocurrency follows the path of Bitcoin (BTC). If BTC goes up, most other tokens go up as well. Conversely, if its price goes down, everything else follows.

To account for its often-volatile value, when attackers breach a victim and demand a ransom, they simply alter the amount of cryptocurrency they ask for based on the current price of the token used. In other words, operators base the ransom on the conversion price, not the token price. For example, if a ransomware group wants to ransom a business for $50,000, they will convert that into the current token price and ask for that much.

While most cryptocurrency is traceable, many ransomware operators perform their misdeeds from countries whose governments tend to look the other way, especially if the attacks don’t target the country they are operating from. For example, many ransomware operators from Eastern Europe and Russia put logic in their malware’s code to geolocate a victim’s machine. The malware will terminate if the machine is in a country that is part of the Commonwealth of Independent States (CIS), allowing ransomware operators in these countries to deploy ransomware without worrying as much about being arrested (Hive is an example of this). To further protect themselves from being traced, attackers also use mixers and privacy coins to mask their tracks.

The Hive case is unique in that a global, joint operation of federal authorities from several countries worked together to take down the infrastructure of a ransomware group. This was primarily possible because the Hive group’s infrastructure (servers) was at least partially located in the United States.

The operation – and other recent takedowns of ransomware groups like REvil and DarkSide, not to mention various affiliates that use other ransomware – demonstrates how governments are becoming more offensive in stopping these threat actors. Law enforcement and cybersecurity agencies have realized that a purely defensive strategy isn’t the best approach to tackling this issue.

The Hive group’s affiliates attacked organizations all over the globe. A map of the affected countries provided by the United States Department of Justice (USDOJ) showed that, unsurprisingly, very few CIS countries were affected. In contrast, the group had victims in almost every other part of the globe.

Additionally, these attacks used various methodologies to breach organizations. That’s because different affiliates have different tactics, even within the same ransomware group. Every RaaS group will have multiple tactics and techniques they can implement in various ways. That complicates the challenge of defending against them.

Set up defense-in-depth

For security professionals, this means a good defensive posture should be holistic and include defense-in-depth mechanisms.

For example, Hive affiliates have been known to breach organizations using Remote Desktop Protocol (RDP) without multi-factor authentication (MFA), stolen credentials, phishing campaigns, and software vulnerabilities. There isn’t a single solution that effectively tackles all of these issues; you need multiple controls working together to thwart attacks.

You would need to implement…
