A new Venafi dark web investigation has uncovered 475 webpages of sophisticated ransomware products and services, with ransomware-as-a-service (RaaS) being the most accessible for procurement.
The research was conducted between November 2021 and March 2022 in partnership with criminal intelligence provider Forensic Pathways. Over 35 million dark web URLs were analysed, including marketplaces and forums, using the Forensic Pathways dark search engine.
The researchers found that many strains of ransomware being sold have been successfully used in high-profile attacks, with 87 per cent of the ransomware found on the dark web capable of delivering malicious macros in order to infect targeted systems. These include Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry.
According to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, ransomware persists as one of the biggest cyber security risks in every organisation.
“The ransomware attack on Colonial Pipeline was so severe that it was deemed a national security threat, forcing President Biden to declare a state of emergency,” Bocek said.
In total, 30 different “brands” of ransomware were identified within marketplace listings and forum discussions. Ransomware strains used in high-profile attacks command a higher price for associated services. The most expensive listing was US$1,262 for a customised version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021. A similar pricing hierarchy was identified for well-known ransomware source code listings, with the Babuk source code listed for US$950 and Paradise source code selling for US$593.
Macros are embedded code designed to automate common, repetitive tasks in Microsoft Office, and attackers can use exactly the same functionality to deliver malware, including ransomware. Microsoft announced a major change in February aimed at combating the rapid growth of ransomware attacks delivered via malicious macros, but temporarily reversed that decision in response to community feedback.
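Because a macro-enabled document can be renamed to a plain .docx extension, a defender cannot rely on the file name to know whether a document carries a VBA project. The following Python script is an added example, not part of the Venafi report or the article, showing how an email gateway or file scanner can inspect the Office Open XML package itself. It relies only on the standard OOXML layout (the package is a ZIP archive, the VBA project is stored as a vbaProject.bin part, and [Content_Types].xml declares it with the application/vnd.ms-office.vbaProject content type); the sample packages it builds are constructed toy inputs, not real Word files.

```python
import io
import zipfile

# An Office Open XML document (.docx/.docm/.xlsx/.xlsm/...) is a ZIP package.
# A VBA project is stored as a part named vbaProject.bin (under word/, xl/ or
# ppt/ depending on the application) and is declared in [Content_Types].xml
# with the content type below.
VBA_PART_NAME = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> dict:
    """Report whether the package contains or declares a VBA project.

    The file name is deliberately ignored: a macro-enabled document renamed
    to .docx still carries its vbaProject.bin part, so only the ZIP contents
    count.
    """
    result = {"is_ooxml": False, "vba_parts": [], "declares_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP at all (e.g. legacy .doc or plain text)
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a ZIP, but not an OOXML package
        result["is_ooxml"] = True
        result["vba_parts"] = [n for n in names if n.lower().endswith(VBA_PART_NAME)]
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_vba"] = VBA_CONTENT_TYPE in content_types
    return result


def has_macros(data: bytes) -> bool:
    """Flag the document if a VBA part is present OR declared; either alone is enough."""
    info = inspect_ooxml(data)
    return bool(info["vba_parts"]) or info["declares_vba"]


def build_sample(with_vba: bool) -> bytes:
    """Build a minimal, constructed OOXML-style package for testing.

    This is a toy package, not a real Word file: it has just enough structure
    to exercise both the content-type and the part-name checks above.
    """
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.'
        'wordprocessingml.document.main+xml"/>'
    ]
    if with_vba:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # A real VBA project is an OLE compound file; a placeholder blob
            # starting with the CFB magic bytes is enough for this check.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("macro", build_sample(True))):
        verdict = "FLAG: VBA project" if has_macros(sample) else "ok: no VBA project"
        print(label, inspect_ooxml(sample), "->", verdict)
```

Flagging on either signal matters: a document whose [Content_Types].xml omits the override but still ships vbaProject.bin, or the reverse, is malformed and worth treating as suspicious rather than clean. This check only answers "does the document contain a VBA project"; deciding whether that project is malicious needs a VBA parser or sandbox detonation, which is out of scope here.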
“Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft’s indecision around disabling of macros should scare everyone,” Bocek said.