Ransomware Groups Team Up, as Hackers Shift into Cloud Operations

A number of hacking groups, including those employing ransomware, are teaming up to expand the threat landscape and take advantage of stolen data troves in cloud-based operations.

Hackers are teaming up with other cybercriminals to increase the impact of attacks and to take advantage of troves of stolen data. Trend Micro and Intel 471 found ransomware groups are teaming up with lesser-known actors, while others are shifting operations to cloud-based services and technologies to increase the monetization of their hacking efforts.

Throughout the year, and in response to the global COVID-19 crisis, hackers have steadily worked to take advantage of the new threat landscape created by the rapid adoption of remote technologies and heightened fears amid the pandemic.

Microsoft previously warned that attacks have significantly increased in sophistication, and healthcare continues to be a prime target for many of these attack vectors given its vulnerable infrastructure and the likelihood that providers will opt to pay hacking demands.

The latest report from Intel 471 warned that, given the success of ransomware attacks, hacking groups are steadily developing new variants -- and offering access to corporate networks on the dark web.

The researchers tracked more than 25 different ransomware-as-a-service groups in the past year, including well-known threat actors, lesser-known variants that spawned from failed strains, and completely new ransomware variants, as well as private hacking groups and other threat actors.

According to the report, DoppelPaymer, Egregor (formerly Maze), NetWalker, REvil, and Ryuk are the leading ransomware hacking groups.

Ryuk caused millions of ransomware attacks across the globe in 2020, with a prime focus on the healthcare sector -- including the massive attack on Universal Health Services. The variant was previously delivered via Trickbot, but most recently it’s been paired with the Bazar loader, as recently noted to HealthITSecurity.com.

Further, at least 10 RaaS groups have emerged since December 2019, with another nine groups dubbed “rising” powers tied to double extortion efforts. Conti, in particular, has found the greatest amount of success this year, claiming 142 ransomware victims.

Notably, Conti was behind several concerning extortion attempts on the healthcare sector this year, including nonprofit organizations that provide mental health and substance abuse services like Riverside Community Care in Massachusetts, Family Health Centers of Georgia, and Adams Memorial Hospital.

Trend Micro’s report highlighted another concerning shift in the threat landscape: hackers moving operations to the cloud. The emerging underground market is driven by efforts to sell access to troves of stolen information, which is commonly advertised on the dark web as “clouds of logs.”

The “unprecedented increase” in the cloud model was brought on by companies adopting digital transformation to improve the scalability and agility of their networks. But Trend Micro noted that just as legitimate businesses are reaping the benefits of a cloud service model, hackers are seeking the same success.

“This underground market affects not just users whose credentials are stolen and sold to cybercriminal customers, but also the organizations that users are a part of, as these would have less time to detect and respond to attacks enabled by data provided by the clouds of logs,” Trend Micro researchers explained.

“Some malicious actors host their clouds of logs in their private cloud-based platforms, which can be conveniently accessed by customers via tools for analyzing and extracting the data that they need to conduct malicious activities,” they added.

The time between the initial compromise and the use of the stolen data taken from the victim has also dropped drastically, from several weeks to sometimes days or even hours when the hacker employs the cloud-based method.

Thus, organizations have less time to detect and respond to these attacks. Hackers are also leveraging this model in response to the volume of data offered on the dark web, which Trend Micro’s insights found to include several terabytes of data.

What’s more, all organizations are at risk from this new threat model, regardless of whether they’ve adopted cloud-based services and technologies, because hackers are primarily selling and buying stolen data, including credentials that can be reused to gain access to a victim organization’s infrastructure.

In fact, the emerging market for clouds of logs has spurred an increase in attempts to steal credentials to further victimize entities. The stolen information will often include authentication credentials, authenticated session attributes, keystrokes, document scans, personally identifiable information, tax reports, and a host of other sensitive data.

“With the exponential growth of cybercrime, some criminal gangs might be operating on massive amounts of valuable data,” researchers explained. “However, it is likely that they are unable to exploit the full potential of such a colossal amount of data.”

As a result, hackers are employing a “pay-for-access” scheme that allows other cybercriminals to monetize the data extracted from sellers’ clouds of logs, given that the stolen data is commonly exfiltrated from compromised end users and corporate systems.

Access to these datasets carries varying price tags: limited access and downloads are offered for a few hundred dollars, while monthly subscription rates will cost a cybercriminal anywhere from $300 to $1,000.

The Trend Micro and Intel 471 reports should serve as a warning to all organizations, including those in healthcare: hackers are not only employing more sophisticated means alongside traditional, less complex attack methods, but are also beginning to work together in a more coordinated fashion to ensure the biggest payout.

Given the federal joint alert on the presumed coordinated ransomware wave targeting the healthcare sector, providers should again review insights on human-operated campaigns to ensure all endpoints and vulnerabilities are secured.

“Organizations should be able to design and implement countermeasures to avoid falling prey to criminal schemes that could compromise their data and systems,” Trend Micro researchers wrote.

“Organizations [should] implement data-breach prevention and mitigation strategies as an integral part of their daily operations, particularly ones that could preclude criminals from compromising system accounts, which in turn could provide attackers with remote access (for example, through VPN and RDP) to organizational IT premises,” they continued.