In recent weeks, Flashpoint analysts have observed unconventional tactics, techniques, and procedures (TTPs) used by various threat actors involved in ransomware activity. Although ransomware-related activity is officially banned on most top-tier forums, the ban does not stop threat actors from evading those rules by carefully wording their advertisements so that they do not technically break them.
Flashpoint analysts have previously written about the BlackMatter ransomware collective, which does not openly state that it is looking for affiliates, but instead claims to be looking for initial access brokers, from whom it would acquire access and then attack the victim entities itself.
BlackMatter is not the only collective using this technique. Flashpoint analysts have identified a considerable number of threat actors who use similar language to evade forum rules, including (but not limited to):
- A user on the top-tier XSS and Exploit forums was offering “help” to those with VPN, Citrix, RDP and other kinds of accesses who “did not know what to do with them.” The threat actor would evaluate these accesses and buy those that interest them.
- Another user on XSS called themselves an “experienced pentester” and was looking for “VPN, Citrix and RDP” accesses, adding, as proof of seriousness, that they had worked with the DarkSide ransomware gang.
- Yet another user on XSS was looking to buy access to corporate networks, including VNC, Citrix, Cisco, VPN and other kinds of access, in exchange for a percentage of the profit. The user called their collective “a team of experienced pentesters.”
Flashpoint analysts observed similar language in advertisements being spread on Jabber/XMPP servers that are frequently used by Russian-speaking cybercriminals for communication. These were likely also set up to evade forum rules.
In addition, Flashpoint analysts have observed ransomware operators seeking to connect with access sellers on the forums by “liking” their posts, which could be read as an encouragement to reach out to the buyers in a direct message.
In parallel, it was reported that the LockBit ransomware collective started actively recruiting insiders to acquire sensitive information about corporate networks in exchange for potentially millions of dollars. The ransomware collective posted the ad on the wallpaper placed on encrypted devices, potentially in a bid to target IT consultants. In the wake of the Kaseya attack in July, Flashpoint analysts warned that big, established ransomware groups with the reputation and the funds necessary to recruit corporate insiders may move in this direction in order to obtain, among other things, the zero-day vulnerabilities needed to perform supply chain attacks.
As adversaries become more creative about tailoring their content on underground forums, defenders must also learn to recognize the new behavior. Understanding which skills, and which kinds of initial access, are being advertised helps to inform how threat actors get through the front door. This can be done by monitoring forums for keywords and technologies specifically associated with enterprise networks, such as VNC, Cisco, Citrix, VPN, and RDP.
At times, leaks and disclosures provide even more telling information. For example, on August 5, 2021, a Conti affiliate leaked training documents from the ransomware operator. The leaked documents highlight tools, training manuals, and IP addresses of Cobalt Strike servers. This information can be used to proactively monitor ransomware activity, in concert with additional best practices.
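The keyword monitoring described above can be turned into a simple triage rule that flags forum posts combining enterprise remote-access technology names with the indirect solicitation language quoted in this post. This is an added example, not Flashpoint tooling; the regular expressions, scoring weights and sample posts are constructed assumptions for illustration.

```python
import re

# Enterprise remote-access technologies named in the post.
ACCESS_TECH = {"vpn", "citrix", "rdp", "vnc", "cisco"}

# Indirect phrasings ransomware actors use to solicit access without openly
# breaking forum rules. The wording is taken from the post; the regexes are assumptions.
EVASION_PATTERNS = {
    "help_with_access": r"\bhelp\b.{0,60}\baccess",
    "dont_know_what_to_do": r"(do not|don't|did not|didn't) know what to do with",
    "experienced_pentester": r"\bexperienced pentesters?\b",
    "percentage_of_profit": r"(percent|percentage|%).{0,30}\bprofit",
    "ransomware_gang_reference": r"\b(darkside|blackmatter|lockbit|conti)\b",
}

def triage_post(text):
    """Score one forum post for signs of a covert initial-access solicitation."""
    lowered = text.lower()
    tech_hits = sorted(t for t in ACCESS_TECH if re.search(rf"\b{t}\b", lowered))
    pattern_hits = sorted(n for n, rx in EVASION_PATTERNS.items() if re.search(rx, lowered))
    # Technology names alone are noisy (legitimate admin chatter mentions RDP and VPN too),
    # so evasion language weighs more, and co-occurrence of both earns an extra boost.
    score = len(tech_hits) + 2 * len(pattern_hits)
    if tech_hits and pattern_hits:
        score += 3
    return {"score": score, "tech": tech_hits, "patterns": pattern_hits, "review": score >= 5}

# Constructed sample posts modelled on the advertisements described above, plus one benign post.
SAMPLE_POSTS = [
    "Offering help to those with VPN, Citrix, RDP and other accesses who did not know "
    "what to do with them. Will evaluate and buy what interests me.",
    "Experienced pentester looking for VPN, Citrix and RDP. Worked with DarkSide, serious only.",
    "Team of experienced pentesters buying corporate network access: VNC, Citrix, Cisco, VPN. "
    "You get a percentage of the profit.",
    "Anyone have tips for hardening RDP and VPN gateways in a Cisco environment? Need help with MFA rollout.",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(triage_post(post))
```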
Proactively monitoring the cyber threat landscape can go a long way towards preventing and protecting against a ransomware attack. Flashpoint recommends the following actions:
- Monitor illicit communities for the newest targeting techniques, breached data for sale, and technologies that are being targeted
- Implement MFA, password changes, and password complexity
- Monitor bot shops for employee access to corporate domains
- Monitor trending vulnerabilities and exploits being discussed in illicit communities to prioritize your patch management process
- Review CISA’s “Stop Ransomware” site for additional tips: https://www.cisa.gov/stopransomware
Track Ransomware Trends at the Source with Flashpoint
Sign up for a demo and see how Flashpoint gives you the data that you need to identify, track and mitigate the impact of ransomware actors. Our comprehensive ransomware dashboard provides access to Flashpoint’s collections of ransomware-specific sites, allowing users to monitor activity in malicious communities more comprehensively and measure the risk impacting the organization or brand. Contact us today, and stay ahead of the threats.