The current ransomware-as-a-service (RaaS) pandemic is being fuelled by the tools and services offered by “gig” workers, making ransomware payload attribution harder and attacks easier to launch, according to Microsoft.
The tech giant explained in a lengthy post this week that short-term contractors of this sort are helping to lower the barrier to entry for other threat actors, who provide a cut of the profits from campaigns in return.
“The cyber-criminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets,” it said.
“In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there’s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.”
This has made it more difficult for investigators to link attacks to a particular ransomware payload developer group, Microsoft added.
Many of these gig workers are recruited away from other groups, or brought in for a single, time-limited engagement.
One such group, DEV-0193, has apparently been responsible for developing and distributing payloads, including Trickbot, Bazaloader and AnchorDNS, and operating the Ryuk, Conti and Diavol RaaS businesses.
“DEV-0193’s actions and use of the cyber-criminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions,” Microsoft explained.
“As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.”
Some of these contractors have produced offerings such as Cobalt Strike Beacon-as-a-service, which makes life easier for other cyber-criminals.
Microsoft also argued that many RaaS affiliates have “wildly different tradecraft, skills, and reporting structures,” as evidenced by those working with the Conti operators.
Some perform relatively small-scale intrusions using tools offered by the RaaS, while others dedicate weeks to operations using their own techniques and tools, it said. In addition, some prioritize organizations with big revenues, while others target those with sensitive data or big-name brands.
However, some common techniques still prevail, which should help organizations focus their defensive efforts.
“Attackers most commonly take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment,” Microsoft said.