Ransomware, data disclosure and malware-as-a-service on the Dark Web. 2/2

Analysing the victims of groups like Egregor (some of whose members were arrested in Ukraine in February 2021) reveals that ransomware operators do not just target big or world-renowned companies or institutions. While the victims do include major firms, attacks have also targeted medium-sized companies, such as a company in France’s Rhône-Alpes region with 340 employees and a Canadian logistics company with fewer than 60 employees.
Ransomware operators are simply opportunistic. The target’s economic profile ultimately matters little; it is the IT system’s vulnerability that determines the probability of attack. It is more profitable for hackers to target several small companies with weak protection than to try to penetrate the highly protected systems of a company that understands the risks. Unfortunately, not everyone thinks about securing their information system, and not all companies can afford this protection.
Due to its ease of execution combined with an increase in intrusion points, ransomware has quickly become one of the most profitable types of attack. This method is very common on the dark web, with a constantly expanding attack surface and the development of the Malware-as-a-Service market.

Examples of Malware-as-a-Service offered by hackers on the dark web

ANSSI issues alerts but also makes recommendations.

This threat, which involves little effort but can be very profitable, has now become firmly embedded in the cyberthreat landscape.
In September 2020, ANSSI (French National Cybersecurity Agency) issued an alert about Emotet, a very widespread type of ransomware. The agency had noticed a resurgence in the number of French entities targeted by this malware. However, France was not the only country Emotet attacked, with New Zealand and Japan also among its victims.

Discussions in a dark web forum about new targets (captured by our software)

Job offer from a user looking to use the coronavirus as a vector to spread the Emotet ransomware (captured by our software)

In addition to the alert issued in September 2020, on 29 October of the same year, the French National Cybersecurity Agency also published a study on Malware-as-a-Service using Emotet as an example. In this new trend, the cyberattack can simply be outsourced to a hacker, with no skills required. This “uberisation” of cyberattacks further increases existing threats. Now anyone with the means can hire a hacker. The jobs can range from compromising social media or email accounts to completely destabilising information systems.

Example of services to launch ransomware attacks that can be found on the dark web

“Typical” hacking services offered on the dark web

Although the network of hackers associated with the Emotet ransomware was dismantled in January 2021, we have noticed that France remains a preferred target for hackers using this type of cyberattack. Hackers are taking advantage of the increase in attack vectors to create a real cyberattack marketplace. Not only has this become the most common type of cyberattack, but it has significant consequences for the victims.
We recommend the utmost caution as the strongest form of prevention, since hackers’ imagination seems to be limitless. ANSSI has also published a guide with many recommendations. Companies of all sizes and all employees must remain vigilant because these kinds of attacks rely on human error to succeed.