In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. From the burgeoning market of bypass services to the alarming criminal activities on Telegram, we provide an update on cybercriminal activity to help defenders, SOC Teams, and security leaders stay abreast of the latest developments and fortify their defenses in this ever-evolving battleground.
The AV/EDR/XDR Bypass Market
Threat actors across the cybercrime landscape are interested in anything that will help them bypass security solutions and evade detection, resulting in a busy trade for tools and services that claim to answer this need. The bypass market is not new but has witnessed alarming growth in both the sophistication of the tools being offered and the assertiveness of the actors involved.
These actors are leveraging unprecedented access to enterprise-level tools, continually testing and refining their malware against these tools. This culminates in a sophisticated and potent threat in targeted environments, causing defenders to be on high alert.

Bypass tools and services, which are far from being budget-friendly, are becoming staples in the arsenal of ransomware operators. The bespoke nature of these services, exemplified by vendors such as “r1z,” indicates a burgeoning market where customizations can drive the price upwards from a base of around 3000 USD.

However, modern EDR/XDR technologies are not entirely helpless against these tools, provided they are well-maintained and appropriately configured. The most effective defenses arise from constant updates and vigilant monitoring, as threat actor tools tend to exploit outdated versions or poorly configured setups.
Ransomware | New Threat Actors Ramping Up Attacks
The ransomware threat may be less in the headlines than this time last year, but known and new threat actors continue their activities, exploiting novel techniques and detecting overlooked weaknesses in organizations’ security postures.
A recent ransomware attack on MGM Resorts highlighted these ongoing risks.
All the ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.
A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
— vx-underground (@vxunderground) September 13, 2023
Elsewhere, new threat actors continue to appear and are ramping up operations. The coming months are expected to bring a surge in new attacks.
INC Ransom
The INC Ransom group emerged on the scene in early August 2023, establishing themselves with a semi-private, affiliate-based operation. Their strategy includes exploiting weaknesses in exposed Remote Desktop Protocol (RDP) services and using valid account credentials purchased from Initial Access Brokers (IABs).
Their modus operandi includes leveraging living-off-the-land binaries (LOLBINs) such as WMIC.EXE and MSTSC.EXE, aiming to bypass detection technologies embedded in targeted environments. Once infections occur, victims are ushered into a negotiation process via a Tor-based portal, with a stringent 72-hour window to comply with payment demands before their data is published.
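The INC Ransom chain described above (RDP access with purchased credentials, then WMIC.EXE and MSTSC.EXE on the foothold) is a sequence a SOC can correlate rather than alert on piecemeal. The following Python is an added example, not code from SentinelOne or from the report: it runs over constructed Windows event records (4624 with logon type 10 for RDP, 4688 for process creation) using simplified field names that are assumptions, and flags hosts where an RDP logon is followed within 30 minutes by either LOLBIN under the same account.

```python
# Added example (not from the original post): correlate an interactive RDP logon
# (4624, LogonType 10) with later LOLBIN execution (4688, wmic.exe / mstsc.exe)
# on the same host by the same user. Event field layout is a simplifying assumption.
from datetime import datetime, timedelta

LOLBINS = {"wmic.exe", "mstsc.exe"}
WINDOW = timedelta(minutes=30)

# Constructed sample events (not real telemetry): (timestamp, host, event_id, user, detail)
SAMPLE_EVENTS = [
    ("2023-09-05T01:02:10", "FS01", 4624, "jdoe", "LogonType=10"),
    ("2023-09-05T01:05:44", "FS01", 4688, "jdoe", r"C:\Windows\System32\wbem\WMIC.exe"),
    ("2023-09-05T01:06:12", "FS01", 4688, "jdoe", r"C:\Windows\System32\mstsc.exe"),
    ("2023-09-05T08:30:00", "WS07", 4624, "asmith", "LogonType=2"),   # console logon, not RDP
    ("2023-09-05T08:31:05", "WS07", 4688, "asmith", r"C:\Windows\System32\wbem\WMIC.exe"),
    ("2023-09-05T23:59:00", "FS02", 4624, "svc_backup", "LogonType=10"),  # RDP, no LOLBIN after
]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_rdp_lolbin_chains(events, window=WINDOW):
    """Return (host, user, logon_time_iso, [binaries]) for every RDP logon that is
    followed within `window` by LOLBIN process creation for the same host and user."""
    rdp_logons = [
        (parse(ts), host, user)
        for ts, host, eid, user, detail in events
        if eid == 4624 and "LogonType=10" in detail
    ]
    hits = []
    for logon_time, host, user in rdp_logons:
        bins = []
        for ts, h, eid, u, detail in events:
            if eid != 4688 or h != host or u != user:
                continue
            exe = detail.rsplit("\\", 1)[-1].lower()  # image name only, case-insensitive
            if exe in LOLBINS and logon_time <= parse(ts) <= logon_time + window:
                bins.append(exe)
        if bins:
            hits.append((host, user, logon_time.isoformat(), bins))
    return hits


if __name__ == "__main__":
    for host, user, when, bins in find_rdp_lolbin_chains(SAMPLE_EVENTS):
        print(f"ALERT {host}: RDP logon by {user} at {when} followed by {', '.join(bins)}")
```

Only FS01 is flagged: the console logon on WS07 and the RDP logon on FS02 with no follow-on process both fall outside the pattern, which keeps the rule from firing on ordinary administrator RDP use.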


Ransomed.VC
Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels, including Telegram and Twitter/X profiles. Their operations are heavily inclined towards exploiting GDPR penalties as a method of extortion, threatening victims with potential legal repercussions in case of data leaks.

Their evolutionary journey can be traced back to the “RANSOMED” forums, with their website undergoing a significant transformation before a highly publicized launch in August 2023. The group has expanded its communication channels, utilizing both clearnet and dark web platforms to circulate news and updates about their activities.

Despite facing bans from various social media and communication platforms, they have adapted quickly, shifting their communication hub to other platforms, including underground Russian cybercrime forums. Their approach demonstrates a brazen disregard for the potential humanitarian consequences of their actions, even allowing for attacks on critical infrastructure sectors, provided they get approval from the “admin.”

Their business model includes an affiliate program, providing a platform for like-minded criminals to collaborate and enhance their nefarious activities. The group has demonstrated their ability to deface websites, including government domains, using them as billboards to showcase their ransom demands and attack details.
![Ransomware message on Hawaii[.]gov website](https://www.sentinelone.com/wp-content/uploads/2023/09/crimeware_sep23_9.jpg)
Leveraging GDPR laws, they have positioned themselves as a pure extortion group, operating without deploying any ransomware. This approach complicates efforts to neutralize and respond to their threats effectively.
Telegram | The “Wild Wild West” of Cybercrime
Since its inception in 2013, Telegram has gradually but steadily morphed into a hub for criminal activities, resembling the unregulated and chaotic nature of early internet IRC channels. From malware distribution to recruitment into criminal organizations, the platform is now a hotbed for various cybercrime ventures.

Telegram’s encrypted environment, coupled with the capability to host large groups and automate processes through “bots,” has enabled a significant migration of cybercriminal activities from traditional dark web markets to this more secure platform.
As of September 2023, the platform continues to teem with vendors offering custom malware tools and crypters. It has become the preferred channel for ransomware groups to disseminate stolen data and recruit affiliates, functioning as a versatile tool in their operations.

This article has outlined current trends in the cybercrime landscape: the evolving tactics of cybercriminals, the emergence of new ransomware groups, and the growing role of platforms like Telegram in their operations.