Scale of crime-as-a-service economy a growing concern, say researchers

Researchers at cyber security companies Sophos and Trend Micro have been sharing fresh intelligence on the activities of the cyber underground, revealing how the sheer scale of the criminal economy is increasingly giving rise to various cyber criminal groups offering their talents on an as-a-service basis.

The rise of ransomware-as-a-service is probably the most widely known of these offerings, and this is the subject of a new Sophos report assessing how the “gravitational force” of the ransomware black hole is pulling in other types of threat to form a massive, interconnected system dedicated to servicing the ransomware economy. It said this was likely to have significant implications for IT security in 2022.

Sophos predicts that in 2022, the ransomware landscape will become both more modular, and at the same time more uniform, with various groups of specialists offering themselves as hired guns, and providing playbooks with tools and techniques that enable different threat groups to implement attacks that seem, on the surface, to be very similar.

This will, to some extent, be the natural evolution of the trend towards ransomware-as-a-service (RaaS) observed pretty much across the board during 2021.

“Ransomware thrives because of its ability to adapt and innovate,” said Chester Wisniewski, principal research scientist at Sophos. “For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers.

“This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies and negotiators,” he said.

“They’re now offloading to others the tasks of finding victims, installing and executing the malware, and laundering the pilfered cryptocurrencies,” said Wisniewski. “This is distorting the cyber threat landscape, and common threats, such as loaders, droppers, and Initial Access Brokers that were around and causing disruption well before the ascendancy of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware.”

Meanwhile, Trend Micro has been tracking a gang of cyber mercenaries focused on making money from breaking into email and social media accounts and selling on the personal and financial data it obtains to other malicious actors.

The group has been active since 2018 and recruits its affiliates through Russian-language cyber forums, where it also has a slew of unanimously positive reviews. It self-identifies as Rockethack, but Trend Micro researchers have dubbed the gang Void Balaur – a balaur being a many-headed dragon, akin to a hydra, in Romanian folklore, which appears in some versions of the St George and the Dragon myth.

“Cyber mercenaries are an unfortunate consequence of today’s vast cyber crime economy,” said Feike Hacquebord, senior threat researcher for Trend Micro.

“Given the insatiable demand for their services and harbouring of some actors by nation states, they’re unlikely to go away anytime soon. The best form of defence is to raise industry awareness of the threat in reports like this one and encourage best practice cyber security to help thwart their efforts.”