Ransomware is so lucrative for the gangs involved that other parts of the cybercrime ecosystem are being repurposed into a system for delivering potential victims.
“The gravitational force of ransomware’s black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system — with significant implications for IT security,” said security company Sophos in a report.
Ransomware is considered by many experts to be most pressing security risk facing businesses — and its extremely lucrative for the gangs involved, with ransom payouts increasing significantly.
See also: A winning strategy for cybersecurity (ZDNet special report).
Sophos said that ransomware is becoming more modular, with different groups specialising in particular elements of an attack. It also pointed to the linked rise of ‘ransomware as-a-service’, where criminal gangs are able to purchase access to tools to run their own ransomware attacks when they lack the technical ability to create those tools themselves.
These so-called ransomware ‘affiliates’ don’t even have to find their own potential victims: the ransomware ecosystem has developed so that they can go to other groups who specialise in gaining access to corporate networks and who will sell that backdoor on to them.
As well as doing business with these ‘initial access brokers’, would-be ransomware attackers can turn to botnet operators and malware delivery platforms to find and target potential victims. And because of the potential profit to be made, these groups are increasingly focusing on serving ransomware gangs rather than concentrating on less lucrative forms of online crime, Sophos said.
“Established cyberthreats will continue to adapt to distribute and deliver ransomware. These include loaders, droppers and other commodity malware; increasingly advanced, human-operated Initial Access Brokers; spam; and adware,” said the security company.
The idea of ransomware-as-a-service has been around for a while, and has often been a way for lower-skilled or less well-funded attackers to get started.
But what has changed now, said Chester Wisniewski, principal research scientist at Sophos, is that ransomware developers are now using this as-a-service model to optimise their code and get biggest payouts, offloading to others the tasks of finding victims, installing and executing the malware, and laundering the cryptocurrencies.
See also: Ransomware: It’s a ‘golden era’ for cybercriminals – and it could get worse before it gets better.
Separate research has even suggested that ransomware gangs are now rich enough to start buying their own zero-day flaws, something that was previously only available to state-backed hackers.
“This is distorting the cyberthreat landscape,” Wisniewski said, as common threats such as loaders, droppers, and Initial Access Brokers — which were around and causing disruption well before the ascendancy of ransomware — are now servicing the demands of ransomware gangs.