Half of 2021 has already blown past and yet again ransomware has dominated infosec headlines. Petroleum distributor Colonial Pipeline, meat supplier JBS, and IT service provider Kaseya have all been in headlines not for stellar business performance but because they have been victims of crippling ransomware attacks. No longer is ransomware a one-man-band operation but given the profitability seen they have turned into a mutated software-as-a-service (SaaS) business model termed Ransomware-as-a-Service (RaaS).
In a recent report by security Kela titled “Ransomware Gangs are Starting to Look Like Ocean’s 11” written by Victoria Kivilevich the trends dominating this mutated business model are investigated. As ransomware moved away from one operator developing or buying, the ransomware’s source code, compromising a victim’s machine or network, then executing the malware over the years specialists have assumed those specific roles.
For many RaaS operations each operation is now handled by a specific operative or group of operatives, also referred to as affiliates who share in the profit from extorting victims.
These roles can be seen as:
- Code (code or acquire malware with the desired capabilities)
- Spread (infect targeted victims)
- Extract (maintain access to infected machines)
- Monetize (get profits from the attack)
Kivilevich summarized the current ransomware ecosystem by stating,
“Each stage includes various malicious activities that different actors specialize in. As ransomware operations have been growing and maturing, KELA’s researchers have been observing more cybercriminals offering accompanying services that fall into one of the four niches. When looking specifically into the ransomware supply chain we can see many actors piling up in the “extract” niche – where actors focus on escalating privileges within a compromised network – and the “monetize” niche – where actors are involved in the negotiation process with victims, DDoS attacks and spam calls. In this post, KELA focuses on these two niches in order to better understand the actors who have surfaced around the growing RaaS ecosystem.”
Based on Kela’s observations it appears that hackers able to gain privileged access to networks are in the highest demand. Sometimes referred to as Initial Access Brokers, the prices they can demand their services can spike up to 115% if able to gain local administrator access. This level of access allows for hackers to gain near unrestricted access to machines and data stored on the network. This access enables the easier deployment of the ransomware with less threat of being detected.
Given that many ransomware gangs now also look to steal data before encryption to further increase the pressure to pay, a hacker that can gain such a privileged level of access further enables the easier extraction of stolen data. It is little wonder then that such a level of access demands ten times more than access granting simple user rights. At the same time gaining administrator access is much harder and this is shown in the percent of hackers advertising administrator access.
Of all the advertisements analyzed by Kela, only 19% were offering administrator-level access. 27% percent of the ads offered an unspecified level of access and 53% offered user-level access.
The Rise of the Negotiator
While there were several key takeaways from the report perhaps the most interesting was the increase in demand for negotiators. In the past ransomware, operators would speak directly to victims via email addresses provided on ransom notes. Given that specializations arose along with ransomware looking more and more like a business operation, albeit an illegal one, the need for special negotiators seems like a logical progression.
As to the exact reason ransomware operators would need a negotiator, Kivilevich provided two scenarios with the first being,
“Victims started using negotiators – while a few years ago there was no such profession, now there is a demand for negotiating services. Ransomware-negotiation specialists partner with the insurance companies and have no lack of clients. Ransom actors had to up their game as well in order to make good margins.”
And the second,
“As most ransom actors probably are not native English speakers, more delicate negotiations – specifically around very high budgets and surrounding complex business situations – required better English. When REvil’s representative was looking for a “support” member of the team to hold negotiations, they specifically mentioned “conversational English” as one of the demands. This is not a new case: actors are interested in native English speakers to use for spear-phishing campaigns.”
These scenarios are supported by underground hacker forum threads seen by Kela researchers. The threads observed by researchers saw several instances where threat actors were actively seeking negotiators. In one instance the threat actor claimed to have hacked a company in Saudi Arabia and required someone to act as a go-between and contact the upper management of the company to facilitate payment of the ransom.
The emergence of specialized negotiators is supported by the dispute between Conti and Sodinokibi operators and the negotiation team they worked with. The dispute occurred following a ransomware attack on the Broward County Public Schools body when Conti demanded a 40 million USD ransom.
The dispute arose when negotiations were held both by Conti’s affiliates and side negotiators who didn’t manage to collaborate properly. The negotiators claimed they managed to gain insider information that could force the victim to pay the ransom. The negotiators rather than facilitate payment only ended up meddling in the affair and effectively spoiling the payment chances.
Sodinokibi reports a similar incident involving the same negotiators. Sodinokibi claimed they had been scammed. The irony of hackers and scammers being scammed is entertaining but the incidents seem to prove Kela’s belief in negotiators now becoming a separate ransomware specialization.
“During recent years, ransomware gangs grew into cybercrime corporations with members or “employees” specializing in different parts of ransomware attacks and various accompanying services. The recent ban of ransomware on two major Russian-speaking forums does not seem to affect this ecosystem, because only the advertisement of affiliate programs was banned on the forums. Ransomware operators and affiliates still remain active participants in cybercrime discussions, they can hire others, buy their services and offers. Ransomware operations attract cybercriminals by being a fast way to make profits – not only for ransomware developers and affiliates but for everyone involved in their activities with millions of USD in ransom.”
The very recent Kaseya attack is perhaps proof of Kela’s assertions regarding the RaaS ecosystem and the use of specialized negotiators. Initially, Sodinokibi operators demanded 70 million USD in return for a master decryption key that could be used by any of the 1,500 small to medium enterprises or 50 managed service providers that were victims of the attack to regain access to encrypted data.
CNBC later reported that the demand was decreased to 50 million USD. This information was revealed to the public when Jack Cable, a member of cybersecurity-focused Krebs Stamos Group, said that an affiliate of the ransomware gang boasted that they could get the demand reduced to the later 50 million USD.
Reuters confirmed this when Cable told Reuters he managed to get through to the hackers after obtaining a cryptographic key needed to log on to the group’s payment portal. Reuters was subsequently able to log on to the payment portal and chat with an operator who said the price was unchanged at $70 million but the threat actors were always willing to negotiate.
Based on this new information it would certainly seem like negotiators are involved. Further, given that the Sodinokibi appears from Kela’s research to have worked with negotiators it is no stretch to say that the profession of negotiator is fast becoming an in-demand specialization for the RaaS model.
While negotiations are likely continuing behind the scenes regarding the Kaseya incident we can only speculate if the ransom will be paid and who will be fitting the bill, Kaseya or the smaller enterprises directly impacted by the attack.