Cybercrime increasingly converging towards ransomware, cartel models

New research finds that cybercriminal groups are increasingly gravitating towards ransomware. Here, a North Korean national is identified in a complaint announced by First Assistant U.S. Attorney Tracy Wilkison in a range of cyberattacks on September 6, 2018 in Los Angeles, California. The complaint includes the cyberattack against Sony Pictures in...

Cybercriminal groups are increasingly gravitating towards ransomware, while evolving more and more towards a cooperative cartel model, according to new research from threat intelligence firms.

In a new report released today, Mandiant spotlights the evolution of FIN11 – a financially motivated hacking group – from specializing in high-tempo, high-volume malicious email campaigns to a laser-like focus on ransomware and extortion.

The shift is “emblematic” of the way established groups have pivoted their operations to the lucrative ransomware industry as companies continue to pay an increasingly high price to have their systems and data unlocked.

They’ve also transformed their operations in the last two years, changing their tactics, techniques and procedures and greatly expanding their targeting pool of victims. Whereas the group mainly hit businesses in the financial, retail and restaurant sectors in 2017 and 2018, Mandiant researchers have observed far more indiscriminate targeting in the past two years across a wide range of industries and regions. Along the way, FIN11 has made a number of subtle changes to their techniques, likely in an effort to avoid the latest threat detection regimes.

More recently in 2020 they were seen targeting pharmaceutical companies in phishing campaigns, a common occurrence in the post-COVID-19 environment. Here again, they believe these new strategies and focus can be traced back to the group’s larger shift toward ransomware as their primary revenue generator.

Kimberly Goody, senior manager of analysis at Mandiant Threat Intelligence, told SC Media that groups like FIN11 are “regularly learning of organizations paying" ransoms, and altering their operations and business models to take advantage. FIN11’s shift is reflective of the broader trend of big game hunter threat groups reshaping their operations toward ransomware.

Attackers in the ransomware space “are constantly capitalizing on the success of those who have tested the waters before them by incorporating tactics that have proven to be effective,” Goody said.

As the group gravitated towards this new business model, Mandiant noticed a number of common tactics and behaviors. FIN11 typically relies on proprietary malware strains like FlawedAmmyy or MIXLABEL to gain an initial foothold, before shifting to commodity malware or open source tools to install multiple backdoors in a victim’s network. More recently, they have begun using CLOP ransomware to encrypt networks and demand payment.

Because of their successful background in email compromise, they often have success re-infecting a victim’s network after they’re identified and kicked out. For example, after one ransomware victim was able to restore their systems and services through backups, the group was able to re-infect their network again months later.

Their ransom demands range from hundreds of thousands of dollars to up to $10 million.

“Notably, these extortion demands have seemingly increased since late 2019, which is likely a result of public reporting on companies’ willingness to pay large ransoms as well as the introduction of hybrid extortion,” Mandiant notes.

Organized (cyber) crime

The world of organized cyber crime is scary enough to contemplate. The notion that major threat groups could be steadily evolving towards a cartel model of business is even more alarming.

This dynamic is already prevalent among collectives like Maze, a business partnership between multiple ransomware groups who share tools and profits from successful heists. In a new Thales report, the authors argue that major cybercrime in general is moving inescapably toward an organized model, converging their operations and working together, even as they maintain their own independence.

For example, one group might design their malware in a way that consciously compliments a tool created by another outfit, or connect in a larger kill chain that mutually increases the attack surface for all or most parties. While each have their distinct operations and styles, they are also hyper aware of how their work interacts with each other and align their operations to maximize profit.

Even as financially motivated hacking groups have their own distinct goals and operations, there is often overlap and sharing of tools, techniques and procedures with other groups that can muddy the analytical waters. According to Mandiant, these groups “can purchase a wide range of services and tools in underground communities — including private or semi- private malware capabilities, bulletproof hosting providers, various DNS-related services (including registration and fast-flux or dynamic DNS offerings) and code signing certificates — from actors who specialize in a single phase of the attack lifecycle.”

For example, parts of FIN11 activities share “notable” commonalities with another group, dubbed TA505, that specializes in ransomware and was recently observed exploiting newly disclosed vulnerabilities like Zerologon. According to Thales, TA505 is also “closely linked” with another financial cybercrime group – FIN6 – and shares some proprietary malware. However, Mandiant and Thales each stress that they track TA505 activities as separate and distinct from FIN11 and FIN6 and warn against conflating them.

Jeremy Kennelly, a manager of analysis at Mandiant Threat Intelligence, told SC Media that different groups sharing common TTPs “can suggest many different types of collaboration or association.”

“At one extreme it could imply that groups share one or more members, or could mean as little as suggesting that two groups individually adopted the same open-source project, or incorporated the same snippet of code from a public blog into one of their tools,” said Kennelly in an email. “Beyond the use of publicly available tools, we have found that the most common way in which distinct threat groups will overlap is via the use of a criminal service provider – one that supplies infrastructure, malware, certificates or some other facet of a criminal campaign.”

Kennelly also said being able to attribute activities back to certain threat actors could provide insight into what they may do next or buttress threat detection rules. A threat group known to focus on payment card theft, may spend weeks or months gaining an initial foothold into a victim network, whereas one who deploys ransomware strains like Ryuk may only linger for a day or two before encrypting a network. 

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.