There are many myths surrounding hackers and threat actors. People often imagine a hacker as a lonely hoodie-wearing youngster sequestered in a dark basement, lit only by glowing computer screens, nestled among stacks of pizza boxes and empty cans of energy drinks.
The basement hacker myth is very harmful to cybersecurity because it is nothing like what is happening on the Dark Web.
Today’s ransomware groups operate like legitimate businesses; they do it for illegitimate purposes. To provide an efficient defense against ransomware and malware attacks, we must first reject the idea that we are dealing with one person trying to hack into one computer system.
Dark Web-based malware vendors operate like legitimate software companies, with customer service and a place for client reviews. They hire subcontractors for time-consuming or repetitive tasks or to do work that’s not their specialty.
The structure of a ransomware group and its network of underground suppliers.
Starting at the top with the ransomware group – here are some of the common subcontractors and affiliates:
PR and advertising companies bolster the brand of the ransomware group and showcase its exploits.
Reconnaissance brokers and actors prowl the Dark Web looking for data sets or access credentials offered for sale, then strike a deal with the ransomware group.
Initial access brokers (IABs) work on gaining access to networks, then sell that access back to the ransomware group.
Underground escrow services are neutral go-betweens in trading malware as a service (MaaS) that receives and holds a ransomware payment until the threat actor has confirmed that the victim’s payment is accurate. The escrow service charges a percentage of the total deal amount. Escrow services are also often used by initial access brokers (IABs) as well as for drug or arms deals, as they protect the identity of both the buyer and the seller.
A customer support group allows the ransomware victim to communicate with the ransomware group. It also services those who purchase ransomware as a service and malware as a service.
Everyone has to make a living, so each of the affiliates (subcontractors) gets a cut of the ransom. Remembering this structure when one hears that a ransomware group or malware has been dissolved is crucial.
While It may be true that the original group no longer exists, every single subcontractor or third-party affiliate connected with the original group still has access to the know-how and original techniques developed. They will use this knowledge to orchestrate new attacks.
On the Dark Web, image is everything.
It’s challenging to gain the trust of other threat actors and ransomware groups. If you are new to the Dark Web, you may have to prove yourself in specific ways to gain access to chatrooms and forums.
Chatroom admins will ask who you have worked with and whether you have a reference from a well-established threat actor. Ironically, threat actors also worry about scammers or undercover law enforcement posing as threat actors. Once you’ve made it into a forum, there’s no time to rest on your keyboard. Because of the criminal nature of many Dark Web transactions, forums may suddenly close, and you lose all your newly established contacts.
Building your threat actor brand includes showing off your skills, and some do that by giving away free samples of hacking tools or by acting like mentors for novice users in the Dark Web ecosystem.
Some forums appear more ethical (though still illegal) because they ban the sale of child pornography and certain illicit drugs. There are also examples of threat actors who’ve hacked into the wrong system – for instance, a hospital – and handed over the encrypted key for the ransomware free and clear.
My business is too small and insignificant to be a ransomware target.
Everyone is a target for a ransomware or malware attack. It doesn’t matter how big or small an organization is. Some initial access brokers (IABs) specialize in smaller targets because they like a quick flip: they sell access to your computer for $100 and then move on to the next victim.
There are many simple things you can do if you have a smaller budget but still want to keep your data secure:
Practice good password hygiene – don’t share passwords or keep them stored in a spreadsheet. Develop a policy for passwords and find a simple way to implement your policy. Require frequent password changes by everyone.
Use multi-factor authentication – it is very efficient and doesn’t cost anything.
Limit company email addresses to company business – don’t let employees use company email to sign in to accounts on music streaming services or banks, for example.
Educate employees – human error is the most common way hackers get into your system. Phishing attacks, social engineering, and other email-based scams remain very successful. Staff education can go a long way in keeping your assets safe.
Make sure business is conducted on business computers – don’t allow employees to use a private network or a home computer. Encrypt your wifi connection if at all possible.
Keep your organization ahead of new cyber threats with access to the latest and most accurate Dark Web information.
Cybersixgill’s portal does not require a lot of training. Our customers report that they see significant reductions in cyber threat investigation. All it takes to get you rolling is an initial kickoff session to review every part of the portal and align specific areas and features your organization needs. Alternatively, we offer numerous integration points so you can easily merge our body of Dark Web threat intelligence data into your existing systems.
Learn more about how Cybersixgill can help you stay ahead of cybercrime.