The dark web is darkening as cybercriminal gangs increasingly buy their malware, phishing and ransomware from illegal cybercrime marketplaces.
In April 2022, the US Treasury sanctioned Hydra, a Russian dark web market. Hydra, the largest dark web market in the world, provided cybercrime and cryptocurrency exchange services to global threat actors. The United States and Germany shut down Hydra around the same time.
Ransomware groups operating on the dark web employ hundreds of hackers and earn revenue in the hundreds of millions of dollars. Moreover, they could generate billions in illicit funds over time.
In 2022, researchers found 475 dark web pages advertising ransomware for sale. Ransomware from 30 strains, including the DarkSide and GoldenEye ransomware-as-a-service (RaaS) offerings, was available among these listings.
Threat actors, including script kiddies and people with no hacking experience, are increasingly joining Ransomware-as-a-Service (RaaS) operations to easily start extorting victims.
In 2022, threat actors increasingly favored joining a RaaS operation over running private ransomware, because affiliates have more freedom and can deploy faster.
How Selling and Buying RaaS Works
The costs to join a RaaS are low, considering the damage the malware does and the large payouts it extracts from victims.
For example, Venafi reported that a customized version of DarkSide, the same ransomware used by hackers to shut down Colonial Pipeline, sold for $1,262 on the dark web.
RaaS kits, associated source code, and custom RaaS services are sold directly on the dark web, with payment in cryptocurrencies like bitcoin. For such a niche business, these RaaS offerings look increasingly professional: some include subscription packages, user instructions, and technical support.
The threat actors involved in these operations buy access to a network from initial access brokers (IABs). Initial access often takes the form of stolen credentials for remote access tools such as Citrix, Microsoft RDP and Pulse Secure VPN.
It is easier for criminals to buy compromised credentials than to collect the passwords themselves through phishing or brute force attacks.
What the Rise of RaaS Means for Cybercrime in 2023
Predictions suggest that Ransomware-as-a-Service operations will strengthen in 2023 as they adjust for more efficient data exfiltration and help affiliates shame non-paying organizations by posting their data on leak sites.
This year, 72% of ransomware incidents used a variant that cybersecurity engineers had seen only once before.
The trend of unique and innovative ransomware attacks will continue in 2023: IABs, RaaS groups and affiliates will increase initial access transactions, particularly in compromised user credentials that unlock remote access tools.
Defending against the rise of RaaS attacks
Defending against ransomware calls for a multi-layered cybersecurity defense. Defense in depth against ransomware attacks combines data security, endpoint security, and gateway-based security.
Data security means keeping backups on external, segmented networks and devices, so ransomware that encrypts production data cannot reach the backups.
Endpoint security hardens user devices. Organizations such as NIST publish secure configuration guidance for computers and smartphones. Endpoint security solutions combine behavior-based anti-malware and anti-phishing with ransomware protection that guards files against unauthorized modification.
Gateway security protects users and networks at the perimeter. Security gateways inspect the encrypted traffic that ransomware attacks rely on, and can detect and block ransomware both entering and leaving the network.
Locking End User Credential Entry Points
Most cyberattacks use end-user credentials as network entry points. Ransomware groups purchase hacked credentials from IABs to gain initial network access during ransomware attacks.
By deploying a secure password policy, an organization helps users fulfill their role in the fight against ransomware by choosing and using secure passwords.
Specops Password Policy uses Breached Password Protection, which blocks over 3 billion known compromised passwords, including the kind of passwords IABs sell to ransomware groups and affiliates for initial access.
Specops Password Policy continually updates its breach list with open source data as well as live attack data from RDP honeypots.
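The mechanism behind breached-password blocking, shown as an added example that is not Specops code: a candidate password is hashed and looked up in a corpus of hashes of leaked passwords, bucketed by the first five hex characters of the SHA-1 hash in the style of the Have I Been Pwned range API, so that a checker only ever needs one small bucket per candidate and the plaintext (and the full hash) never has to leave the host. The corpus, its occurrence counts and the `min_length` policy floor are constructed for illustration; a real list runs to billions of entries.

```python
"""Breached-password blocking as a password-policy check (added example, not
Specops code). The breach corpus below is constructed inline: a handful of
well-known leaked passwords with made-up occurrence counts, stored as SHA-1
hashes and bucketed by 5-hex-char prefix the way the HIBP range API does."""

import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """SHA-1 is used only because breach corpora index by it; never store passwords this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus: plaintext -> times seen in breach data (counts are illustrative).
_LEAKED = {
    "password": 9_545_824,
    "123456": 37_359_195,
    "Welcome1": 121_338,
    "Summer2022!": 1_043,
}


def build_range_index(leaked: dict) -> dict:
    """Bucket full SHA-1 hashes by their 5-hex-char prefix: prefix -> {suffix: count}.
    A k-anonymity lookup service returns one whole bucket for a prefix, so it never
    learns which single entry the client was interested in."""
    index = defaultdict(dict)
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] = count
    return index


BREACH_INDEX = build_range_index(_LEAKED)


def breach_count(password: str, index=BREACH_INDEX) -> int:
    """Return how many times the password appears in the breach corpus (0 if unseen).
    Only the prefix selects a bucket; the suffix match happens locally."""
    h = sha1_hex(password)
    return index.get(h[:5], {}).get(h[5:], 0)


def check_password(password: str, min_length: int = 10) -> tuple:
    """A minimal policy: length floor, then breached-list rejection.
    Note that 'Summer2022!' satisfies typical complexity rules and the length
    floor, yet is rejected because it already circulates in breach data."""
    if len(password) < min_length:
        return False, f"too short (<{min_length})"
    n = breach_count(password)
    if n:
        return False, f"appears in breach data {n} times"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Summer2022!", "Welcome1", "correct horse battery staple"]:
        print(pw, check_password(pw))
```

The design point is that complexity rules alone would accept `Summer2022!`; only a comparison against actual breach data catches it, and bucketing by hash prefix lets that comparison be done without sending the password to the service holding the list.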
Sponsored and written by Specops software