Defeating the Organized Cybercrime Ecosystem

The recent attack against users of the Kaseya VSA platform is yet another example of the increasingly organized dynamic of cybercrime. The days of the lone attacker are long gone; these attacks are now big business with significant reconnaissance. Unofficial reports have identified the REvil ransomware threat actors as being behind this supply chain attack. REvil has been attributed to the DarkSide actors who most recently attacked Colonial Pipeline and JBS foods back in May. The Russian-based criminal organization uses a ransomware-as-a-service model; its hackers develop and sell ransomware hacking tools to criminal affiliates, who then carry out the actual attacks.

These attacks demonstrate the fact that an organized cybercrime network is flourishing under the surface. In today’s cybercrime landscape, many cybercriminals are now operating as large, distributed businesses. And many are targeting large corporations and industries or high-profile individuals to get the highest return on their investment – a strategy known as “Big Game Hunting.” 

Beneath the tip of the iceberg

We tend to focus on the attack surface when it comes to cybersecurity, but the reality is, much like an iceberg, there’s so much more lurking beneath the surface. The attack surface is porous. In other words, there are many different vectors and points of entry, and those create vulnerabilities. 

But then, what about the mechanisms, the ways and means of infiltrating those vectors and points of entry? Those are the phishing emails and other such attempts to exploit the vulnerable surface, so that bad actors can then execute malware or ransomware attacks. But we can’t focus our efforts in the cybersecurity community on the ways and means alone. We must remember that what lies beneath the attack surface is an entire, flourishing cybercrime ecosystem. We must start examining how these actors are organizing, how they’re creating those weapons and how they’re operating.

Exploring the cybercrime ecosystem

Cybercrime is increasingly organized; there are entire criminal supply chains, which means hacking has become much more sophisticated and dangerous. For instance, more than half of all attacks are managed by cybercrime organizations that are better organized than most companies. They have CEOs, account managers and dedicated call centers that help victims pay their ransoms. Their revenue streams are stolen data and extortion. Their Cybercrime-as-a-Service ecosystem is one of the primary reasons why the cybercrime industry continues to grow dramatically and generates more than one trillion dollars in revenue each year.  

DarkSide is just one example of this type of increasingly organized cybercriminal operation.

Another example is the group known as Sodinokibi (aka REvil), which uses a Ransomware-as-a-Service business model, and recruits affiliates to distribute their ransomware. Their exploits include stealing nearly a terabyte of data and demanding a ransom to not publish it. 

Getting ahead of the criminals

Modern attacks and the increasingly organized cybercrime ecosystem are putting data, assets, and lives at risk. Action must be taken now using a two-pronged approach. First, organizations in the public and private sectors need to collaborate to take down the supply chains of these criminal ecosystems: their affiliates. This will have a tremendous impact because it reduces the profitability for these bad actors, producing a huge ripple effect. Otherwise, this problem will just continue to get worse, with increasingly dire impact.

The other prong is that organizations must become more proactive, using real-time endpoint protection, detection and automated response solutions to make their environments secure. 

Technically speaking, network segmentation, encryption, cyber hygiene and zero-trust policies (and, relatedly, zero trust network access) offer protection. Further, these strategies work best when organizations use asset visibility tools to identify their critical assets. Once they know where the data resides, they can create a strategy of proactive protection.

Proactive protection on two fronts

Malicious actors have matured over time, increasing their threat level and their profit. Modern cybercrime has its own ecosystem of affiliates, but that ecosystem is ripe for disruption. Disrupting these “supply chains” is an opportunity to stop criminals in their tracks. Though ransomware affiliates are proliferating, public and private organizations can join forces to dismantle affiliate programs. This is the big picture goal, but on the more micro level, individual organizations can implement proactive security tools to find and eliminate threats before bad actors can score.

Derek Manky is Chief of Security Insights and Global Threat Alliances at Fortinet’s FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.