Business is booming on the dark web -- what does this mean for cyber risk?
It's been another profitable year for the cybercriminal underworld. Once again, headlines have been regularly dominated by serious breaches such as the Royal Mail and Capita, whilst behind the scenes, criminal gangs have raked in huge profits.
The shadow economy of the dark web has continued to thrive and develop as a mirror of the legitimate business world. Threat actors are increasingly well-organized, from highly developed ransomware-as-a-service (RaaS) offerings to extremely lucrative vulnerability trading. Here, we'll delve into the most prominent trends driving the bustling dark web economy -- and how organizations can defend themselves against such threats.
Ransomware is the star moneymaker
Ransomware remains one of the most prominent threats, and there have been a staggering number of incidents during 2023. Rapid7's 2023 Mid-Year Threat Review found at least 1,500 separate ransomware incidents reported globally, with the true number likely to be higher.
Dominant groups like LockBit and ALPHV/BlackCat have been particularly active, whilst new players like Akira and CryptBB are rapidly making their mark.
The ransomware ecosystem is not just growing; it's also becoming increasingly profitable. High-profile attacks orchestrated by prominent threat groups have led to significant downstream impacts, giving the attackers more leverage for ransom demands. The Cl0p group has, for example, heavily targeted file transfer systems in order to expose third-party customer data. This year's MOVEit breach is one of the most recent examples of this trend.
Threat actors also pair system encryption with mass data exfiltration to further increase their profits. This enables attackers to demand greater ransoms or acquire valuable data to sell on dark web markets. As demonstrated by the MOVEit breach, however, some high-profile attacks are forgoing the ransomware element to focus purely on extortion.
The continued growth of RaaS
Alongside attacks launched by established threat groups, ransomware has become a popular commodity on the dark web. Just as software-as-a-service (SaaS) offerings allow legitimate organizations to access skills and resources, ransomware-as-a-service (RaaS) packages have opened up cybercrime to a new range of participants.
Even those with limited technical skills and experience can buy everything they need to launch sophisticated attacks. Further mimicking legitimate SaaS practices, these packages often come with flexible payment plans and additional features such as tech support.
The commoditization of cybercrime tools on the dark web has led to a more diversified and mature ransomware ecosystem. The barrier to entry has been significantly lowered, leading to an increase in the number and variety of attacks.
The thriving dark web marketplace
Our research indicates that these RaaS operations have staggeringly huge potential profit margins. Well-established RaaS players like Cl0p use this revenue to acquire zero-day exploits for enterprise software. This enables them to launch even more damaging attacks or increase profits through service models. Evidence suggests that Cl0p may have even tested their infamous MOVEit Transfer exploit almost two years before bringing it to bear in this year's high-profile Memorial Day Weekend attack.
Alongside RaaS, access-as-a-service is another popular and highly lucrative dark web offering. Our research found that zero-day exploits for network devices from industry giants like Juniper and Cisco can fetch prices upwards of $75,000. Since ransomware payouts often reach multi-million dollar figures, threat groups can easily afford these access prices and still make huge profits.
Ransomware gangs are also becoming increasingly reliant on initial access brokers (IABs), which sell direct access to already compromised networks, enabling criminals to tailor their ransom demands for maximum profitability. Whereas crews would previously have handled everything themselves, they now outsource the initial access, with IABs taking a share of the profit from a successful attack and ransom payment.
In one example, our researchers encountered a relative newcomer called Br0k3r offering direct access to nearly 50 corporate networks. The site provided access to companies worldwide in industries including finance, real estate, and legal services, with sales listings including the victim's revenue and number of users and endpoints.
How can organizations defend against dark web threats?
The growing sophistication of the dark web economy contributes to a more hostile threat landscape. Smaller criminal operations -- or even lone wolf threat actors -- access tools and techniques that would normally be outside their skill level, while larger players use the profits to bankroll more zero-day discovery and malware development.
But while threats are becoming more advanced, the best defense focuses on the foundations of cybersecurity. For example, multi-factor authentication (MFA) should be standard practice for most organizations in 2023, but we found that many companies are still falling short with their implementation. Our research found that nearly 40 percent of the reported security incidents were due to missing or inconsistent MFA, particularly on SaaS, virtual private network (VPN), and virtual desktop infrastructure (VDI) applications.
Capabilities around restricting data access and detecting and stopping unusual activity will also go a long way in mitigating the damage of a breach. Monitoring data transfer and archiving, unusual cloud storage access requests and abnormally large file uploads will help reduce the risk of data exfiltration -- an important defense as more attackers combine data theft with ransomware encryption. Tighter controls over data access, particularly at admin level, will also make it more difficult for attackers to reach valuable assets undetected.
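The exfiltration monitoring described above can be reduced to a few simple rules over upload and archiving events. The following is an added illustration, not code from the article or from Rapid7: it builds a per-user upload baseline from constructed sample events and flags uploads that go to unapproved storage, exceed that baseline by a large factor, or follow an archive creation. The event format, the approved-storage list and the 10x factor are all assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample events (not real logs): (user, action, destination, bytes)
EVENTS = [
    ("alice", "upload", "sharepoint.corp.example", 2_000_000),
    ("alice", "upload", "sharepoint.corp.example", 3_000_000),
    ("alice", "upload", "sharepoint.corp.example", 2_500_000),
    ("alice", "archive", "local", 900_000_000),
    ("alice", "upload", "mega.nz", 850_000_000),
    ("bob", "upload", "sharepoint.corp.example", 50_000_000),
    ("bob", "upload", "sharepoint.corp.example", 60_000_000),
    ("bob", "upload", "sharepoint.corp.example", 55_000_000),
]

APPROVED_STORAGE = {"sharepoint.corp.example"}  # assumed sanctioned destinations
VOLUME_FACTOR = 10  # assumed threshold: flag uploads above 10x the user's median

def baseline(events):
    """Median upload size per user, computed from uploads to approved storage only."""
    sizes = defaultdict(list)
    for user, action, dest, nbytes in events:
        if action == "upload" and dest in APPROVED_STORAGE:
            sizes[user].append(nbytes)
    return {user: statistics.median(s) for user, s in sizes.items()}

def find_exfil_candidates(events):
    """Return (user, reason) pairs for uploads that deviate from the user's baseline,
    go to unapproved storage, or directly follow an archive creation by that user."""
    base = baseline(events)
    findings = []
    pending_archive = set()  # users who created an archive with no upload seen since
    for user, action, dest, nbytes in events:
        if action == "archive":
            pending_archive.add(user)
            continue
        if action != "upload":
            continue
        if dest not in APPROVED_STORAGE:
            findings.append((user, f"upload to unapproved storage {dest}"))
        if user in base and nbytes > VOLUME_FACTOR * base[user]:
            findings.append((user, f"{nbytes} bytes exceeds {VOLUME_FACTOR}x median {base[user]:.0f}"))
        if user in pending_archive:
            findings.append((user, "upload follows archive creation"))
            pending_archive.discard(user)
    return findings

if __name__ == "__main__":
    for user, reason in find_exfil_candidates(EVENTS):
        print(f"ALERT {user}: {reason}")
```

Real deployments would draw the events from proxy, CASB or EDR telemetry and tune the baseline window and factor per environment.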
Finally, effective vulnerability management is a key area that will greatly mitigate the risk of these attacks, particularly in applying security updates. Network perimeter devices such as VPNs, routers, switches and internet-facing load balancers serve as primary access points to corporate networks and are a primary target for attackers of all levels. As such, devices like these should be on a high-urgency patch cycle that sees updates applied as soon as possible.
As zero-day exploits have become more accessible, these devices need to be patched within hours or days whenever possible. Implementing measurable deadlines and results can help tighten up patching processes. Community resources such as AttackerKB can help organizations to better prioritize the most critical vulnerabilities.
Focus on the fundamentals to fight advancing threats
The dark web has undeniably fueled the surge in ransomware attacks in 2023, but businesses can still take actionable steps to mitigate these threats. While the cybercriminal ecosystem has become more sophisticated, most attacks still exploit the same handful of security gaps.
Fundamentals such as effective MFA implementation and strong patching hygiene will close off the most common attack paths. Focusing on getting these essentials right not only greatly reduces the chances of a breach, it also helps put a dent in the dark web economy.
Christiaan Beek is Senior Director, Threat Analytics at Rapid7.