February 17, 2022, by Dov Lerner

The State of the Underground

Our analysis of 2021 resulted in two major findings. First, the underground ransomware economy grew tremendously, as the proliferation of pre-attack services (initial access markets and affiliate recruitment) contributed to the rise in overall attacks. Second, the underground ecosystem has become increasingly decentralized: the largest forums shrank while overall underground participation rose.

The headline story of 2021 was ransomware. While also a hot topic in 2020, in 2021 ransomware was even bigger, solidifying its standing as the highest impact cyberthreat as countless organizations worldwide were disrupted and even debilitated by attacks. The damages caused by ransomware attacks were as devastating as its victims were diverse - affecting organizations both large and small across many different verticals, including software vendors, schools, governments, broadcasters, a major meat processing plant, and a critical US oil pipeline.

Indeed, only seven months into the year, the FBI reported that it had already “received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.”

The cybercriminal underground provides the perfect environment for the development, expansion, and proliferation of ransomware attacks and their extortionist aftermaths. First, it provides a platform for planning and executing attacks: ransomware groups post calls on cybercriminal forums for affiliates (operational partners) to support their operations, and operators can purchase access to a vast array of compromised systems in illicit initial access markets, which provide the entry point from which to launch their attacks. Second, after executing the attack and infiltrating their victims’ systems, ransomware groups use their dark web-hosted dedicated leak sites (DLS) to extort victims, threatening to publicly release the stolen confidential data should the victims refuse to comply with the ransom demands.

Cybersixgill’s sources demonstrate a tremendous expansion in the underground ransomware economy during 2021. Throughout the year, access to 4,286,150 compromised endpoints was sold on the underground, a 457% increase over 2020. Evidently, vendors on access markets increased their supply to match the exploding demand. Similarly, in 2021 we collected 3,264 posts on ransomware groups’ dedicated leak sites (each post corresponding to a victim the group claims to have compromised), more than double the total collected in 2020 (1,509).

In addition to the dramatic rise in ransomware, analysis of underground activity throughout 2021 produced a second major insight: while the total number of posts in forums and on messaging channels rose considerably (45% and 338%, respectively), the number of posts and participating actors decreased significantly on the ten most popular underground forums. This suggests that the underground has become increasingly decentralized. Accordingly, analysts can no longer rely on the top forums as the sole source of their intelligence. To gain a comprehensive understanding of underground developments and compile an accurate intelligence picture, analysts must expand their collection to include as many sources as possible.

Looking ahead to 2022

While many may assume that ransomware will follow its upward trajectory in 2022, such a projection is an oversimplification, and in our mind, not entirely accurate.

In 2021, two significant developments generated difficult headwinds for large ransomware groups. First, in mid-May, multiple underground forums banned activity advertising ransomware or affiliated partnership programs, cutting ransomware operators off from their main platform for recruitment, partnerships, and promotion of their activities.

Second, the US Federal government took aggressive action against several prominent ransomware groups and cryptocurrency exchanges that processed ransomware payments.

If anything, this showed that ransomware attackers have become victims of their own success. While profiting from exorbitant ransom payments, they now suffer the repercussions of their notoriety. Accordingly, we assess that in 2022 ransomware groups will be more selective when choosing their targets, largely eschewing attacks on sensitive or prominent targets (and perhaps avoiding targeting US-based organizations altogether) in favor of lower-profile targets, so as to avoid the wrath of a federal response. Some ransomware groups may choose to shut down their dedicated leak sites—designed to generate publicity—instead choosing to carry out their ransom attacks and negotiations over private channels. Overall, we assess that ransomware groups will adopt a more discreet modus operandi instead of aiming for splashy attacks.

This ought to encourage initial access markets to up their game. If ransomware operators demand a broader menu of lower-profile targets, the markets will be driven to step up accordingly to provide the supply.

Furthermore, we expect that the increased distribution and decentralization of the underground ecosystem will persist. The largest forums can be too noisy, inundated with spam and raucous chatter, and due to their popularity, often attract the scrutiny and attention of law enforcement officials, researchers, and otherwise curious observers. It is therefore reasonable to expect that the threat actors of the underground will branch out to new forums and messaging channels, perhaps seeking out platforms that are more focused on a single subject matter in place of the larger, broad-based forums that deal with everything - from hacking to recipes for cooking.

Given the rapidly evolving cyberthreat landscape and the continued impact of the COVID-19 pandemic on the digital security of a remote workforce, one thing remains certain: cybercriminals are fast innovators, quickly adapting and retooling their tactics to maximize their profits at their victims’ expense. It is therefore imperative that organizations maintain vigilance, staying aware of developments in the underground to enable proactive cyber defense. Fortunately, no matter where malicious actors choose to set up shop – be it new sites, messaging apps, forums or other platforms – Cybersixgill will be there with eyes in the underground, making sure you know what’s out there.

For the complete story, read: The State of the Underground, Cybersixgill’s Annual Report for 2021.
