The theme for Week 3 of Cyber Security Awareness Month 2021 is “Explore. To live. Share.” This is also Cyber Security Career Awareness Week. The purpose of the theme is to highlight the many contributions that people in cybersecurity roles can make to society through their work.
One of the ways people in cybersecurity can benefit society is by investigating the use of the dark web by ransomware actors. We will see how these malicious actors use the dark web later in this article. But first, let’s contextualize the dark web itself.
What is the Dark Web?
To understand the dark web, it is important to understand the difference between what is called the “surface web” and the “deep web”. The first is what we all know to be the part of the internet that is accessible through the major search engines. Netflix, Facebook, and anything that appears on a Google search results page falls into this category.
However, the surface web only makes up about 0.03% of the internet. The rest is the deep web, the part of the internet not indexed by search engines like Google. According to the Encyclopedia Britannica, the deep web includes benign sites such as users’ password-protected email accounts and other web pages that can only be accessed through an online form. It also includes other resources that the owners have intentionally prevented web crawlers from indexing.
The dark web belongs to the latter category. It’s a part of the deep web that visitors can’t access without the help of a special browser called The Onion Router (or TOR). People can use the dark web for legitimate purposes, like joining a chess club and creating a private communication channel, notes CSO. Alternatively, they can use it for malicious purposes.
At least some of this activity takes place in dark web markets (or “dark markets”). According to Nature, dark markets are places where members can trade illicit goods such as drugs and weapons. As such, these marketplaces allow digital attackers to connect with each other anonymously to buy and sell stolen credit card information, for example, or provide access to a new phishing kit-as-a-service.
All transactions typically involve bitcoin or some other form of cryptocurrency as the method of payment. This is designed to help conceal the identity of anyone involved in a given transaction.
Ransomware Services on the Dark Web
When it comes to ransomware, dark market members typically promote Ransomware-as-a-Service (RaaS) operations. Cybersecurity Ventures clarified that malicious actors post advertisements highlighting different ransomware kits and their different levels of service. An ad might mention a discounted set of multiple digital crime kits, for example. Another can display positive user reviews from a single RaaS operation.
Popularity, functionality, and bundled items are just a few of the factors that help influence the cost of a ransomware offering. CPO Magazine wrote that some ransomware sells or leases access for as little as $5. In contrast, more established varieties can cost $100 or more.
In the context of these black market advertisements, ransomware developers have traditionally sought to recruit affiliates with RaaS schemes. But that changed after the Colonial Pipeline attack. As reported by KrebsOnSecurity at the time, administrators of the Russian digital crime forum XSS banned individuals from discussing ransomware around the same time the DarkSide ransomware affiliate program went offline. Two more digital crime forums followed shortly thereafter, as The Record pointed out.
Some ransomware players have therefore changed their tactics so that they can continue to engage in dark markets. In particular, Flashpoint has witnessed a shift towards advertising and working with Initial Access Brokers (IABs) in dark markets. This change allows ransomware players to quietly advertise their activities on the dark web. It also allows them to focus on perfecting their malware payloads instead of having to worry about gaining access to their targets’ networks.
Cybereason’s advantage over ransomware
The best strategy for organizations is to prevent a ransomware attack from succeeding in the first place. To do this, they need to invest in a layered solution that leverages behavioral indicators (BIOs) to detect and prevent a ransomware attack in the early stages of initial entry, before sensitive data is exfiltrated for double extortion.
The Cybereason Operation-Centric approach provides the ability to detect ransomware attacks earlier based on rare or beneficial chains of malicious behavior. That’s why Cybereason is undefeated in the battle against ransomware and offers the best prevention, detection and response capabilities on the market, including:
- Anti-ransomware and deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to detect the most complex ransomware threats and end the attack before critical data can be encrypted.
- Intelligence-based antivirus: Cybereason blocks known variants of ransomware by leveraging an ever-growing pool of threat information based on previously detected attacks.
- NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants before execution.
- Fileless Ransomware Protection: Cybereason disrupts attacks that use fileless and MBR-based ransomware, which traditional antivirus tools miss.
- Endpoint controls: Cybereason strengthens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls, and enforcing full disk encryption on a range of device types, fixed and mobile.
- Behavioral document protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that exploit malicious macros and other stealth attack vectors.
Cybereason is committed to teaming up with advocates to stop cyber attacks from endpoints across the enterprise and everywhere, including modern ransomware. Learn more about ransomware defense here or schedule a demo today to find out how your organization can benefit from an operation-centric approach to security.