Tinker Tailor Cyber Spy

by Rory Duncan

12 January 2021

Business professional on a mobile phone

Ransomware as a Service – fact not fiction

Lovers of John le Carré will mourn his recent passing. The author, who explored the shadowy world of intelligence and counter-intelligence between East and West, once said that he was bemused by the success of Tinker Tailor Soldier Spy as it was ‘sheer fiction from start to finish.’ But in the last few weeks, fact has perhaps become stranger than fiction, in the world of cyberespionage.

Just when we thought we had finished learning about the profusion of state-sponsored cyber-intrusions into the production and testing of COVID-19 vaccines, news outlets reported that US federal agencies have been hacked in a way that could potentially have allowed a foreign power to monitor government communications.  This seems to have formed part of a highly sophisticated reconnaissance operation including the reported theft of hacking tools from one of our industry’s leading software vendors.

This is all big, scary, state-sponsored cyber tradecraft. But organizations of all sizes can’t let these high-profile breaches distract them from the cyberthreats much closer to home.

Business professional typing on a laptop

Cybercriminals have become bolder advertising their services openly on social media and other platforms

Our December GTIC monthly threat report highlighted the growth in the promotion of Ransomware-as-a-Service (RaaS). This latest business model for cybercriminals sees a move towards selling or leasing ransomware platforms to those looking to financially benefit from totally disrupting a company’s operations.  Some of the RaaS options our experts have identified are even aimed at novice hackers who no longer need to know how to get onto the dark web to find the latest RaaS platforms. Several of these malicious entrepreneurs have shamelessly used social media and other sources like YouTube, Vimeo and Sellix to advertise and demonstrate their RaaS products, which encourage budding hackers with sub-$50 starting costs for their RaaS-builder.

The products used to build RaaS platforms are being promoted in such a way that it’s easy for budding hackers to know exactly which unsuspecting organizations they’re designed to disrupt. For example, according to the original RaaS seller, ZagreuS is designed to attack larger networks of companies, enterprises and hospitals. The 11-minute demo video posted online clearly outlines the commercial terms between the RaaS seller and the hacker. In this case once the buyer has paid the fee in cryptocurrency to the seller’s wallet, the RaaS seller will receive a 30% commission for each ransom collected, while the remaining 70% is kept by the individual hacker.

Several interested buyers left comments on the sale posts displayed on underground forums inquiring if anyone had tested the ZagreuS builder and expressed interest in trying it out. Typically, in these instances, the low platform price is an indication that the seller lacks experience or that the tool isn’t very valuable. Insikt Group has found that often, tools that are this cheap don’t function well, can be easily decrypted, and it can be very difficult for the ‘affiliate’ criminals to make a profit from their victims.

Many online and social media platforms are aware of these advertisements and are working to have them removed. But this isn’t a lasting fix and needs constant attention. When this particular demo video was taken down from the original YouTube channel, the threat actor quickly uploaded it again under a different link and pivoted to other platforms for clear web and deep web marketing.

Ransomware has undoubtedly taken center stage for cybercrime in this most challenging of years, quickly becoming one of the most damaging and prevalent forms of cyberattacks. Industries such as state and local government, healthcare, manufacturing, and finance have been especially hard hit from this form of attack with no sign of the number of instances slowing down. RaaS tools are readily available to both experienced and inexperienced hackers, although with mixed results. Sadly, those that are successful have taken advantage of their success and increased ransom demands. Some are even practicing double exploitation of their victims – demanding a ransom and still releasing the victims’ personal data for sale on underground forums after they have paid.

There are currently over 1,800 variants of ransomware, with the top 45 variants reportedly bringing in the most ransom money. With more of the workforce likely to remain remote as we recover from the pandemic and embrace the revised ways of working, we need to remember that vigilance is key and ensure that tools are kept up to date. Phishing emails remain a key vector for introducing malware, but preparation, effective backups and tested incident response plans all mitigate the impact if there is a successful ransomware attack.

Despite Lee Child’s latest fiction that sees the return of Jack Reacher rescuing a town brought to a standstill by a ransomware attack, Ransomware-as-a-Service is very much a fact of business life for cybersecurity professionals.

Rory Duncan

Rory Duncan

GTM Leader, Security, NTT Ltd. UK and Ireland