Growing Cyber-Underground Market for Initial-Access Brokers

Ransomware groups are increasingly purchasing access to corporate networks from “vendors” who have previously placed backdoors on targets. 

Email is a well-known entry point for fraudsters attempting to breach a corporate network. According to researchers instead of doing the heavy lifting themselves, ransomware groups are teaming with other criminal groups who have already opened the path for access using first-stage software. 

As per the report released Wednesday by Proofpoint, researchers discovered a “lucrative criminal ecosystem” that works together to launch effective ransomware attacks, such as the ones that have lately made headlines (Colonial Pipeline) and caused substantial damage around the world. 

According to the analysis, recognized ransomware gangs such as Ryuk, Egregor, and REvil first link up with threat actors who specialize in initial infection utilizing various forms of malware, such as TrickBot, BazaLoader, and IcedID, before unleashing the ultimate ransomware payload on the network. 

“Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network.” states report. 

Proofpoint has identified at least ten threat actors who utilize malicious email campaigns to spread first-stage loaders, which are then exploited by ransomware groups to deliver the final payload. Researchers discovered that the relationship between such threat actors and ransomware groups is not one-to-one, as multiple threat actors employ the same ransomware payloads. 

“Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95 percent of ransomware as a first-stage email payload between 2020 and 2021,” according to the report. 

Proofpoint has also seen ransomware spread via the SocGholish malware, which infects users with fake updates and website redirects, as well as the Keitaro traffic distribution system (TDS) and follow-on exploit kits that operators employ to avoid detection, according to researchers. 

About Attackers and Malware of Choice: 

Proofpoint identifies 10 threat actors that researchers have been watching as initial access enablers to their malware and techniques of choice for getting network access, which they subsequently sell to various ransomware groups for more sinister objectives, according to the study. 

Researchers discovered that TA800, a prominent cybercrime actor that Proofpoint has been tracking since mid-2019, provides banking malware or malware loaders to the Ryuk ransomware gang, including TrickBot, BazaLoader, Buer Loader, and Ostap. 

Since mid-2020, Proofpoint has been tracking TA577, a cybercrime threat actor that “conducts broad targeting across numerous businesses and regions” to distribute payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike via emails with malicious Microsoft Office files. 

According to the research, the Sodinokibi or REvil ransomware organization is linked to TA577, which has had a 225 percent increase in activity in the last six months. 

Many other cybercrime groups were tracked like TA569, TA551, TA570, TA547, TA544, TA571, and TA575, which is a Dridex affiliate that has been tracked by Proofpoint since late 2020 and distributes malware via malicious URLs, Office attachments, and password-protected files, with each campaign transmitting an average of 4,000 emails to hundreds of businesses.