Laurence Pitt

Using Dark Web Intelligence Against Ransomware Groups

Our Director of Product, Laurence Pitt, looks at the ransomware landscape and how dark web intelligence can help security teams and law enforcement combat this evolving threat.

Ransomware Search and Insights

Ransomware is a malware name that everyone – regardless of whether they work in security or not – is familiar with. This is no surprise given how prolific the threat is. According to the Zscaler 2022 Ransomware Report, attacks increased by 80 percent between 2021 and 2022, with continued impact on high-profile organizations and high-profile verticals, including healthcare and infrastructure.

Today, we have launched Ransomware Search and Insights, a new strategic enhancement to Cerberus that automatically collates dark web data from ransomware groups to help organizations to investigate, track, and gather intelligence on live ransomware activity. This blog looks at the ransomware landscape and how dark web intelligence can help security teams and law enforcement to combat this evolving threat.

Figure: Ransomware Search and Insights gives organizations a consolidated view of the dark web presence of ransomware groups.

An Evolving Threat

Ransomware constantly evolves. In the beginning, attacks were simple: files were encrypted and unlocked only on payment of the ransom, which was often demanded in Amazon or iTunes gift cards because cryptocurrency was still in its infancy.

When organizations started refusing to pay the ransom, instead using third-party services to unlock or restore their data, gangs countered with more complex attacks, threatened greater levels of exposure, and demanded ransom payments in Bitcoin for the perceived anonymity it offered. Examples of these attack types include:

  • Double extortion attacks: The attackers infiltrate the network and steal critical data before launching the encryption stage across the network. The gang then threatens to publish the stolen data online unless the ransom is paid. This extra leverage means that many companies pay rather than risk exposure.
  • Triple extortion attacks: The gang not only extorts the company whose data was stolen and encrypted but also threatens to release personal data belonging to the individuals affected by the breach unless they, too, pay a ransom.

Many people don’t realize that the most significant ransomware gangs run ransomware as a business. They see themselves as professional criminals and are often proud to provide customer service, with help desks and chatbots to assist their “customers” in unlocking their data.

While ransomware gangs still develop advanced code to launch attacks against targeted organizations, their success has created new market opportunities. Ransomware-as-a-service (RaaS) is a dark web economy where forums act as resale brokers for code, enabling gangs to launch their attacks with minimal effort – or to collaborate on new, more deadly releases of already successful attacks.

Shift Left Of The Threat, Reduce Risk And Impact

When a ransomware attack occurs, the only option is to clean up and repair any damage – and hope to learn from the experience. It’s worth remembering that the gangs launching ransomware attacks often return: the risk of a repeat attack is high.

Shifting left means getting ahead of an attack by gaining visibility into the pre-attack activity of ransomware actors, which gives you more time to understand the threat and prepare a response. When malware detonates, there will be collateral damage: server outages, data loss, staff costs, and brand and fiscal impact. Investing in technology to shift left provides advance warning and more time to build an effective plan.

This is a shift in mindset for security teams. Instead of putting all of their time into working out what a threat does, they need to focus on what it is and get ahead to prevent or reduce its impact.

How To Get Ahead

Protection from ransomware is essential: email protection services can strip malicious attachments, advanced threat and malware protection can move high-risk content into quarantine, and, of course, user awareness training reduces the risk of anyone opening or clicking on the message that launches an attack.

However, moving beyond protection into preparedness requires more. Your security team needs to be well-armed with data to understand the ransomware groups they are facing, so that they are better prepared to defend against a potential attack. They need the ability to monitor and research information on the dark web across different chat tools and message boards, and to have a view of shared OSINT that could indicate breached email addresses, leaked passwords, or compromised business services in your network or supply chain.

This is why we have launched Cerberus Ransomware Search and Insights: to arm your security team with pre-attack data that enables them to get ahead of ransomware groups. With our dark web investigation platform, they can access intelligence to determine which groups are active in real time and whether your organization is likely to be targeted as part of an attack on your industry vertical.

Cerberus ensures your security team has the information they need for developing a response plan that can keep them one step ahead of this global challenge.

For more insights on what you can learn about ransomware groups from the dark web, download our report DARK WEB PROFILES: THE MOST PROLIFIC RANSOMWARE GROUPS OF 2022.