A new Venafi dark web investigation has uncovered 475 webpages of sophisticated ransomware products and services, with ransomware-as-a-service (RaaS) being the most accessible for procurement.
The research was conducted between November 2021 and March 2022 in partnership with criminal intelligence provider Forensic Pathways. Over 35 million dark web URLs were analysed, including marketplaces and forums, using the Forensic Pathways dark search engine.
The researchers found that many of the ransomware strains being sold have been used successfully in high-profile attacks, and that 87 per cent of the ransomware found on the dark web had been delivered via malicious Office macros in order to infect targeted systems. Strains identified include Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry.
According to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, ransomware persists as one of the biggest cyber security risks in every organisation.
"The ransomware attack on Colonial Pipeline was so severe that it was deemed a national security threat, forcing President Biden to declare a state of emergency," Bocek said.
In total, 30 different "brands" of ransomware were identified within marketplace listings and forum discussions. Ransomware strains used in high-profile attacks command a higher price for associated services. The most expensive listing was US$1,262 for a customised version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021. A similar pricing hierarchy was identified for well-known ransomware source code listings, with the Babuk source code listed for US$950 and Paradise source code selling for US$593.
Macros are scripts (VBA, in Microsoft Office) embedded in documents to automate common, repetitive tasks, and attackers use exactly the same functionality to execute code and deliver malware, including ransomware. In February 2022 Microsoft announced that Office would block VBA macros by default in files obtained from the internet, a change aimed at combating the rapid growth of ransomware attacks delivered via malicious macros, but in July it temporarily reversed that decision in response to community feedback.
"Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft's indecision around disabling of macros should scare everyone," Bocek said.
"While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector."
The research also uncovered a wide range of services and tools that make it easier for attackers with minimal technical skills to launch ransomware attacks.
Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.
Generic ransomware build services also command high prices, with some listings costing more than US$900, but there are also many low-cost ransomware options available across multiple listings with prices starting at US$0.99 for Lockscreen ransomware.
According to Bocek, the findings demonstrate the need for a machine identity management control plane, to drive specific business outcomes including observability, consistency and reliability. In particular, code signing is a key machine identity management security control that eliminates the threat of macro-enabled ransomware.
"Using code signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in its tracks."
"This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, healthcare and energy where macros and Office documents are used every day to power decision making," Bocek concluded.
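As an added, illustrative example that is not part of Venafi's research or of this article, the following PowerShell enforces the "signed macros only" control Bocek describes, using Office's own Trust Center policy settings. It assumes Office 2016 or later (policy version key 16.0), per-user policy scope (HKCU), and a hypothetical signer certificate file, macro-signer.cer, exported from the organisation's code-signing CA.

```powershell
# Added example, not from Venafi or the article: enforce "signed macros only"
# in Office via the Trust Center policy registry values.
# Assumptions: Office 2016/2019/365 (policy version key 16.0); per-user scope
# (HKCU); the signer certificate file path below is hypothetical.

$Apps = 'Word', 'Excel', 'PowerPoint'
$Version = '16.0'

# VBAWarnings values, as exposed in Trust Center > Macro Settings:
#   1 = Enable all macros            (weak: any macro, signed or not, runs)
#   2 = Disable with notification    (Office default; one click re-enables)
#   3 = Disable except digitally signed macros
#   4 = Disable all without notification
$SignedMacrosOnly = 3

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Unsigned macros, or macros signed by a publisher not present in the
    # Trusted Publishers store, are not executed.
    Set-ItemProperty -Path $key -Name VBAWarnings -Value $SignedMacrosOnly -Type DWord

    # Additionally block macros in files carrying the Mark-of-the-Web
    # (downloaded or received by e-mail), independent of the setting above.
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Trust the organisation's macro-signing certificate (hypothetical file name)
# so that internally signed macros still run under the policy.
$SignerCert = '.\macro-signer.cer'
if (Test-Path $SignerCert) {
    Import-Certificate -FilePath $SignerCert -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null
}

# Verify the effective policy per application.
foreach ($app in $Apps) {
    $v = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
    [pscustomobject]@{
        Application  = $app
        VBAWarnings  = $v.VBAWarnings
        BlockFromWeb = $v.blockcontentexecutionfrominternet
        Compliant    = ($v.VBAWarnings -eq $SignedMacrosOnly -and $v.blockcontentexecutionfrominternet -eq 1)
    }
}
```

The check at the end is the one to carry into a compliance baseline: a VBAWarnings value of 1 (weak) or 2 (the default) is what lets a macro-borne loader run on a single click. The control is only as strong as the Trusted Publishers store; a macro signed with any certificate in that store, including a stolen one, still executes, so the signing key itself needs to be protected.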