Why rookie hackers are capitalizing on ransomware


Ransomware attacks continued to rise rapidly in 2023. Research by Visa Inc. found that March of this year recorded the most attacks of any month to date, with ransomware up 91% compared to February and up 62% compared to March 2022.

Today's increasingly hostile ransomware landscape has two main causes. First, ransomware gangs increasingly use AI services such as ChatGPT, and dark web equivalents such as FraudGPT, to mass-produce highly personalized and plausible phishing emails carrying weaponized links. Second, highly professional do-it-yourself ransomware kits have proliferated, frequently packaged with 24x7 phone support for budding cybercriminals with weak computing skills.

These two factors are spawning a new generation of ransomware gangs with novel tactics, techniques and procedures (TTPs). In addition to established players like LockBit, security teams must now contend with a host of newcomers, each presenting its own distinct threat.

Rhysida, a Ransomware-as-a-Service (RaaS) group that emerged in May 2023, exemplifies this trend. Rhysida primarily targets the education, government, manufacturing, technology and managed service provider sectors, and has recently attacked healthcare and public health organizations as well. The Rhysida payload is a 64-bit Windows Portable Executable (PE) that encrypts files; it is delivered through phishing or dropped across already-compromised systems after the operators first establish command and control with Cobalt Strike or a similar framework. Once executed, it encrypts files and demands payment in bitcoin via a Tor-based portal.

And Rhysida is just one of an expanding array of emerging threats. Big Head ransomware is another example. Still under development, this .NET-based malware is distributed through malvertising campaigns, disguised as fake Windows updates and Microsoft Word installers. Big Head's capabilities, from data theft to file encryption, make it a formidable adversary, even as the identity of its creators remains unknown.

Refined iterations of existing threats are also appearing, as exemplified by the latest version of Raccoon Stealer. Also known as "Racealer," Raccoon is malware designed to steal sensitive information. First observed in April 2019, it is back on the scene with user-friendly updates that Fox News has termed "the Netflix of cybercrime." Written in C++ and distinguished by comprehensive functionality, Raccoon targets nearly 60 applications to extract login credentials, credit card details, cryptocurrency wallets and browser data. Raccoon compromises systems via exploit kits aimed at vulnerable browsers or through phishing campaigns with malicious macros embedded in email attachments.

Ease, low fees, and a new era of script kiddies

Not every threat actor in today's ransomware landscape belongs to a highly organized ransomware group, nor do they all pose an equal threat. This dynamic came to light when the relatively novice creators of Titan Stealer, an info stealer first documented in November 2022, sought to emulate the success of established ransomware leaders. On Telegram, the creators advertised Titan's ability to steal credentials from crypto wallets, data from web browsers and FTP login information. Titan even came bundled with a web panel giving buyers easy access to the stolen data, should they wish to release any of it, competitively priced at $150 for a basic monthly subscription or $1,000 for a premium package.

Despite these efforts, the Titan project team members were mercilessly mocked across dark web forums, with critics chiding that such amateurish software should be free. The ridicule reached a crescendo when Titan's source code was leaked, including the Titan socket (the "heart" of the stealer), the Titan client (the main data collection component) and even an instructional video on how to install the software.

Raccoon Stealer has been priced at $75 per week, or $200 per month. That is a low financial barrier to entry for aspiring cybercriminals with rudimentary hacking skills. Paradoxically, the widespread availability of such malware-as-a-service kits offers security teams an advantage, if they know how to capitalize on it. A security team can purchase the Raccoon kit, for example, and stage mock attacks against its own organization; any such exercise should be cleared with legal counsel first and the sample detonated only in an isolated lab, never on production systems. Once the entry points for the malware are identified, the team can close those gaps before a real Raccoon operator finds them.

Other best practices, such as persistent monitoring, are critical for protecting organizations from increasingly sophisticated attacks and inbound threats. As potential risks are observed, security teams can dissect malware samples in laboratory settings to assess their characteristics and behavior. In this way, effective monitoring and threat intelligence gathering bolster situational awareness and support the technical analysis that informs enhanced security measures as adversary TTPs evolve. It is paramount that organizations treat these exercises not as one-off penetration tests but as an ongoing process. Security teams must stay adaptable, ruthless and innovative, just like their adversaries.
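As an added example of the kind of behavioral monitoring this section argues for (this is not code from the article, from Cynet or from any vendor product), the following Python script flags the file-system footprint that bulk encryption by Rhysida-style ransomware leaves behind: one process rewriting many files under a single new extension, with high-entropy content, inside a short time window. The telemetry shape (timestamp, pid, process name, resulting path, a sample of the bytes written), the process names, the `.locked` extension and every threshold are constructed for the demonstration and are not taken from any real sample or advisory.

```python
"""
Behavioral detector for bulk file encryption, run over constructed file events.

Added example; not the article's, Cynet's or any product's code. Assumes
file-modification telemetry of the shape below. Thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import math
import os


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds (constructed timestamps)
    pid: int
    process: str
    path: str        # path after the write or rename
    sample: bytes    # first bytes written to the file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0, text far below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _scan_process(evs, window_s, min_files, min_entropy):
    """First sliding window in which one process wrote at least min_files distinct
    high-entropy files sharing one extension; None if the process stays clean."""
    hi = [shannon_entropy(e.sample) >= min_entropy for e in evs]  # computed once per event
    start = 0
    for end in range(len(evs)):
        while evs[end].ts - evs[start].ts > window_s:  # slide the window forward
            start += 1
        by_ext = defaultdict(set)
        for i in range(start, end + 1):
            ext = os.path.splitext(evs[i].path)[1].lower()
            if ext and hi[i]:
                by_ext[ext].add(evs[i].path)
        for ext, paths in by_ext.items():
            if len(paths) >= min_files:
                return {"pid": evs[0].pid, "process": evs[0].process,
                        "extension": ext, "files": len(paths),
                        "window_start": evs[start].ts, "window_end": evs[end].ts}
    return None


def detect_bulk_encryption(events, window_s=10.0, min_files=20, min_entropy=7.0):
    """Group events by pid (time-ordered) and return one alert per offending process."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    alerts = []
    for evs in by_pid.values():
        alert = _scan_process(evs, window_s, min_files, min_entropy)
        if alert:
            alerts.append(alert)
    return alerts


def _pseudo_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out, block = bytearray(), seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def build_sample_events(n_encrypted=25, spacing_s=0.2):
    """Constructed telemetry: one benign editor save, then a hypothetical
    'updater.exe' rewriting n_encrypted files under '.locked', spacing_s apart."""
    events = [FileEvent(100.0, 1200, "WINWORD.EXE", r"C:\Users\a\report.docx",
                        b"Quarterly report text " * 200)]
    for i in range(n_encrypted):
        events.append(FileEvent(200.0 + i * spacing_s, 4411, "updater.exe",
                                rf"C:\Users\a\docs\file{i}.xlsx.locked",
                                _pseudo_ciphertext(f"file{i}")))
    return events


if __name__ == "__main__":
    for a in detect_bulk_encryption(build_sample_events()):
        print(f"ALERT pid={a['pid']} {a['process']} wrote {a['files']} high-entropy "
              f"'{a['extension']}' files in {a['window_end'] - a['window_start']:.1f}s")
```

Running the script alerts on the constructed `updater.exe` burst and stays silent on the single Word save; spreading the same 25 writes a minute apart (`build_sample_events(spacing_s=60.0)`) produces no alert, which is the point of the time window. In a real deployment the events would come from file-create telemetry such as Sysmon Event ID 11 or an EDR feed, and the entropy threshold needs care: legitimate compression and already-encrypted archives also score near 8.0, so the extension and rate conditions, not entropy alone, carry the detection.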

Emanuel Moshayev, CyOps Analyst, Cynet
