Ransomware gangs and network access sellers collaborate. Deadly combo 👹

The Accenture Cyber Threat Intelligence team has outlined a trend of collaboration between network access sellers and ransomware gangs: a growing number of cybercriminals offer initial access to already-compromised companies, which ransomware gangs then use to launch their attacks.

Deadly deals

Researchers have warned that hackers have been seen selling credentials for RDP connections, Citrix, and Pulse Secure VPN clients to ransomware groups such as Avaddon, Exorcist, LockBit, Maze, NetWalker, and Sodinokibi.

  • Ransomware operators get direct access to corporate and government networks, so they can concentrate on establishing persistence and moving laterally.
  • The network access sellers have been observed using attack vectors such as remote working tools, zero-day exploits, or malware such as the Cerberus Trojan to obtain corporate network access that they can sell later.
  • Network access credentials are usually offered for between $300 and $10,000, depending on the size and revenue of the victim.

The destructive relationship

Accenture has tracked more than 25 persistent network access sellers, as well as the occasional one-off seller, with more entering every week.

  • In August, four actors were seen using the source code of the Cerberus Trojan to obtain corporate and government network access credentials, which they sold to other cybercrime groups for a handsome profit.
  • In July, the threat actor Frankknox aborted the sale of a self-developed zero-day targeting a well-known brand of mail server and instead began exploiting the vulnerability to gain corporate network access to multiple victims. By September, Frankknox had advertised access to 36 corporations for between $2,000 and $20,000, at least 11 of which they claim to have sold.

Maze Cartel Expands

The Maze ransomware “cartel” is growing.

Two more ransomware gangs, Conti and SunCrypt, have apparently joined the Maze collective, which currently consists of Maze, LockBit and Ragnar Locker.

Maze operators announced the creation of a ransomware cartel that included other cybercrime gangs, which teamed up to share resources, leak victims’ data on Maze’s “news” site and extort their victims.

The Conti ransomware gang, which recently launched its own data leak site, is collaborating with Maze. “They’ve published data from a number of Maze attacks.”

Conti may be a replacement for Ryuk, which has seen a significant dip in activity in recent weeks. It shares some of its code with Ryuk, uses the same note and also the same infrastructure, which could indicate it was created by the Ryuk team or a splinter group.

Recently, researchers came across a leak disclosure post in which Conti ransomware operators claim to have breached the Volkswagen Group.

The further expansion highlights the increasing momentum of Maze, which has claimed responsibility for several high-profile ransomware attacks in recent months. Earlier this month, a major cyberattack on technology giant Canon was believed to be the latest work of the cybercriminal gang.

Ransomware gangs forming a cartel

Ransomware gangs are teaming up to extort victims through a shared data leak platform and through the exchange of tactics and intelligence.

In November 2019, the Maze Ransomware operators transformed ransomware attacks into data breaches after they released unencrypted data of a victim who refused to pay.

Soon after, they launched a dedicated “Maze News” site used to shame their unpaid victims by publicly releasing stolen data.

This extortion tactic was quickly adopted by other groups; there are now thirteen active ransomware operations known to leak stolen data if the victim does not pay.

Ransomware cartel formed

The Maze gang is once again stirring up the threat landscape by creating a cartel of ransomware operations to share resources and extort their victims.

What made this leak different was that the data did not come from a Maze ransomware attack, but rather from another enterprise-targeting ransomware operation known as LockBit.

LockBit is a Ransomware-as-a-Service (RaaS) that began operating in September 2019 as a private operation.

They have since begun marketing themselves on Russian hacker forums where they encourage malware distributors and hackers to apply to their operation.

Maze confirmed that they are working with LockBit to share their experience and data leak platform. They also stated that another ransomware operation would be joining their collaborative group in the coming days.

“In a few days another group will emerge on our news website, we all see in this cooperation the way leading to a mutually beneficial outcome, for both actor groups and companies.”

“Even more, they use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors. Organizational questions are behind every successful business.”

They did state that they are in discussion with other ransomware groups to join this collaborative effort to generate ransom payments.

“We will post another new group in a few days, and we also await a few others to come in the upcoming weeks,” Maze operators stated.

With the average ransom payment over $100,000, and some victims allegedly paying millions, enterprise-targeting ransomware operations working alone have been very successful.

By joining forces to share advice, tactics, and a centralized data leak platform, ransomware operations can focus on creating more sophisticated attacks and more successful extortion attempts.