The proliferation of criminal underground marketplaces that make it easy for would-be criminals to purchase equipment is contributing to the surge in cyber attacks.
The 2023 Threat Report published in November by Sophos, a global security company, noted that the activities of marketplaces like Genesis Market have made it possible to buy malware and malware deployment services (malware-as-a-service), as well as to sell stolen credentials and other data in bulk.
The rising number of these marketplaces means that almost anyone with the money can walk into these underground markets and get the equipment they need to launch attacks. The report says this has led to the increasing popularity of ransomware and the birth of an entire ransomware-as-a-service economy. The ‘as-a-service’ model has only expanded in 2022, with nearly every aspect of the cybercrime toolkit – from initial infection to ways to avoid detection – available for purchase.
Sean Gallagher, principal threat researcher at Sophos, says the threat is more than the usual fare such as malware, scamming, and phishing kits for sale.
“Higher rung cybercriminals are now selling tools and capabilities that once were solely in the hands of some of the most sophisticated attackers as services to other actors. For example, this past year, we saw advertisements for OPSEC-as-a-service where the sellers offered to help attackers hide Cobalt Strike infections, and we saw scanning-as-a-service, which gives buyers access to legitimate commercial tools like Metasploit, so that they can find and then exploit vulnerabilities. The commoditization of nearly every component of cybercrime is impacting the threat landscape and opening up opportunities for any type of attacker with any type of skill level,” said Gallagher.
As the “as-a-service” model grows, underground cybercriminal marketplaces are also evolving, becoming more commodified and operating like legitimate businesses. The operators of these cybercrime businesses are advertising their services and recruiting talent with distinct attack skills.
Some marketplaces now have dedicated help-wanted pages and recruiting staff, while job seekers are posting summaries of their skills and qualifications.
“Early ransomware operators were rather limited in how much they could do because their operations were centralized; group members were carrying out every aspect of an attack. But as ransomware became hugely profitable, they looked for ways to scale their productions. So, they began outsourcing parts of their operations, creating an entire infrastructure to support ransomware. Now, other cybercriminals have taken a cue from the success of this infrastructure and are following suit,” said Gallagher.
The market expansion is being driven by high profitability. Over the past year, ransomware operators have worked on expanding their potential attack surface by targeting platforms other than Windows while also adopting new languages like Rust and Go to avoid detection. Some groups, most notably LockBit 3.0, have been diversifying their operations and creating more “innovative” ways to extort victims.
LockBit 3.0 now offers bug bounty programs for its malware and crowd-sources ideas from the criminal community to improve its operations.
“Other groups have moved to a ‘subscription model’ for access to their leaked data and others are auctioning it off. Ransomware has become, first and foremost, a business,” said Gallagher.