Organizations warned of ransomware risk from smaller operators

The risk from small-scale ransomware cyber criminals is not to be underestimated, according to new research by McAfee.

Thibault Seret, a security researcher on the McAfee Advanced Threat Research team, said that while big ransomware attacks make the headlines, there are many smaller actors without access to the latest ransomware samples.

These small-time hackers are “getting creative and looking out for the latest malware and builder leaks they can be just as devastating to their victims.”

Seret said that away from the gaze of researchers who typically focus on the larger ransomware groups, many individuals and smaller groups are “toiling in the background, attempting to evolve their own operations any way they can.”

He said one small-scale threat actor has evolved from deploying homemade ransomware to using major ransomware. They made the transition by leveraging publicly leaked builders to create their versions of Babuk and Chaos.

Seret said there are two distinct types of cyber criminals taking advantage of leaks such as this. One less tech-savvy group merely copied and pasted the builder, substituting the Bitcoin address in the ransom note with their own. The second group has gone further, using the source material to iterate their versions of Babuk, complete with additional features and new packers.

Seret’s team followed one small-scale hacker and noted how they moved from simplistic ransomware and demands in the hundreds of dollars to toying with at least two builder leaks and ransom amounts in the thousands of dollars.

“While their activity to date suggests a low level of technical skill, the profits of their cyber crime may well prove large enough for them to make another level jump in the future,” he said.

“Even if they stick with copy-pasting builders and crafting ‘stagers’, they will have the means at their disposal to create an efficient attack chain with which to compromise a company, extort money and improve their income to the point of becoming a bigger fish in a small pond, just like the larger RaaS crews.”

John Fokker, head of Cyber Investigations for McAfee Enterprise's Advanced Threat Research team, told IT Pro that even though REvil accounted for 73% of ransomware detections in Q2 of 2021, cyber criminals are resourceful, and large groups are no longer the only players making a profit.

“The threat for businesses is intensifying as smaller-scale ransomware actors build on the work of these larger groups,” he said.

Fokker added that enterprises should use this warning as an opportunity to get ahead of adversaries and figure out how they could tighten up their defenses against future attacks.

“This could include the use of threat intelligence, which helps organizations to predict and prioritize potential threats before pre-emptively adapting their defensive countermeasures, ensuring optimized security and future business resilience,” he added.

Fokker said that organizations should also deploy a security strategy that blends zero trust and SASE approaches so enterprises can protect entry and data at every control point.

“This approach is particularly important as opportunistic actors evolve their tactics and will help to ensure organizations have the necessary barriers to protect against attacks of any size,” he said.