The time was that a cybercriminal gang would do all the heavy lifting themselves: reconnaissance of targets, compromising systems, deploying their malware, and monetising the attack. Now these groups have realised they can work more efficiently if they specialise in one or two parts of this process. From this we have seen the development of Cybercrime-as-a-Service, or a collection of services.
One of these is Ransomware-as-a-Service, which means a group of cybercriminals who will develop the ransomware. They usually also provide additional services to that, such as negotiations, having the website where the victim can connect to, and they will provide also the personnel who would negotiate the ransomware payment. But these are not going to be the same people who infiltrated the company and deployed ransomware. That is outsourced to another group, who carry out the attack and then hand it back to the commissioning group – in exchange for a fee or split of the profits.
In recent years, we have seen the emergence of groups that focus on collecting access to companies. They will infiltrate a company, establish access to the company through credentials for example. , and then go to dark web and sell these on to people with ransomware ready to deploy.
The outcome of this is that is has become incredibly easy for someone with no specialist knowledge or technical expertise to engage in cybercrime. They can easily and conveniently contract all the services and expertise they need to launch an attack on a target of their choice.
For cybercriminals, it also means they can specialise and develop more sophisticated tools in their particular area. These gangs can focus on just developing, for example, better malware and ransomware because they don’t need to care about the rest of the attack. The same for a group that is just focused on gaining access to systems, or a reconnaissance service that provides a package of data on a company detailing its infrastructure, internal systems and people. What Fortinet predict for 2023 is that there will be more and more Cybercrime-as-a-Service as these specialist groups continue to emerge and develop their products.
The variance in ransomware has almost doubled too. So not the number of attacks, but the number of different variants of ransomware. One reason behind this could be because of Ransomware-as-a-Service making access to tools that can customise available to a wider range of people. This helps newcomers to, really quickly, get ransomware ready for their specific attacks.
Breaking cybercrime down into its constituent parts makes it easier for gangs to recruit and build their organisations. We found out from the Conti Leaks that sophisticated cybercriminal gangs have the internal structures of a business, with an HR function and training programme to train new people up rather than just relying on the old-style hacker who has been doing this their whole life. Raw recruits with no training can be put to work immediately on simple tasks, such as laundering money
Money is still a weak point in the cybercriminal world. It is still quite hard to use cryptocurrency in the real world and it too is becoming more sophisticated, regulated and monitored. For instance, if you go to a crypto exchange, you increasingly have to identify yourself with some kind of official ID. Many gangs still depend on “money mules”, people paid to go to ATMs and pick up money that has been partially laundered through crypto, and then get the cash back to the original criminals. So, this is still a difficult process at present, and we suspect criminal gangs will try and innovate with a view to fully automating it in the future.
One of the biggest growing risks is the proliferation of “wiper” malware, which is purely about destroying the system under attack by deleting the information, corrupting the hard drive, or causing physical damage. There is no ransom to get back lost data, and the damage caused can disrupt operations for months or longer. With the on-going situation in Ukraine lately, we have seen a surge in wiper attacks. These are predominantly against Ukrainian targets or their allies, with a high degree of sophistication that included targeted attacks against industrial systems.
Wiper attacks have also led to significant collateral damage, early in the war a wiper attack against Ukrainian modems resulted in thousands of German wind turbines being severed from their control systems. Depending on the threat actor, wiper malware could be combined with a worm and spread globally to create maximum chaos and while it is difficult to monetise at the moment, we could, for example, see it sold as a service as part of hybrid warfare, terrorism, or even hacktivism.
For the moment, the key risks come from cybercriminals innovating in their business models. The tools and strategies themselves are broadly familiar, and there are steps that can be taken to protect businesses and organisations. For example, our FortiRecon service can detect potential attacks when they are still in the earliest of stages – such as when credentials and information gained from reconnaissance is being sold. Machine learning and Artificial Intelligence have enhanced our ability to respond to threats in real time, however we still advocate that only an integrated, and automated cybersecurity mesh platform can provide the necessary level of protection.
Related
