The ransomware landscape is more crowded than you think




Ransomware-as-a-Service (RaaS) ads on hacking forums

Image: ZDNet

Ransomware-as-a-Service is a cyber-security term referring to criminal gangs that rent ransomware to other groups, either via a dedicated portal or via threads on hacking forums.

RaaS portals work by providing ready-made ransomware code to other gangs. These gangs, often called RaaS clients or affiliates, rent the ransomware code, customize it using the options the RaaS provides, and then deploy it in real-world attacks via a method of their choosing.

These methods vary between RaaS affiliates and can include email spear-phishing attacks, en-masse indiscriminate email spam campaigns, the use of compromised RDP credentials to gain access to corporate networks, or the use of vulnerabilities in networking devices to gain access to internal enterprise networks.

Payments from these incidents, regardless of how the affiliates managed to infect a victim, go to the RaaS gang, who keeps a small percentage and then forwards the rest to the affiliate.

RaaS offerings have been around since 2017, and they have been widely adopted as they allow non-technical criminal gangs to spread ransomware without needing to know how to code and deal with advanced cryptography concepts.

The RaaS tiers

According to a report published today by Intel 471, there are currently around 25 RaaS offerings being advertised on the underground hacking scene.

While there are ransomware gangs who operate without renting their “product” to other groups, the number of RaaS portals available today far exceeds what many security experts thought could be available and shows the plethora of options that criminal gangs have at their disposal if they ever choose to dip their toes in the ransomware game.

But not all RaaS offerings provide the same features. Intel 471 says it’s been tracking these services across three different tiers, depending on the RaaS’ sophistication, features, and proven history.

Tier 1 is for the most well-known ransomware operations today. To be classified as a Tier 1 RaaS, an operation has to have been around for months, proven the viability of its code through a large number of attacks, and continued to operate despite public exposure.

This tier includes the likes of REvil, Netwalker, DoppelPaymer, Egregor (Maze), and Ryuk.

With the exception of Ryuk, all Tier 1 operators also run dedicated “leak sites” where they name-and-shame victims as part of their well-oiled extortion cartel.

These gangs also use a wide variety of intrusion vectors, each depending on the type of affiliates they recruit. They can breach networks by exploiting bugs in networking devices (by recruiting networking experts), they can drop their ransomware payload on systems already infected by other malware (by working with other malware cartels), or they can gain access to company networks via RDP connections (by working with brute-force botnet operators or sellers of compromised RDP credentials).

Tier 2 is for RaaS portals that have gained a reputation on the hacking underground, provide access to advanced ransomware strains, but have yet to reach the same number of affiliates and attacks as Tier 1 operators.

This list includes the likes of Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos — and these are effectively the up-and-comers of the ransomware world.


Tier 3 is for newly launched RaaS portals or for RaaS offerings about which there’s limited to no information available. In some cases, it is unclear if any of these are still up and running or if their authors gave up after trying and failing to get their portals off the ground.

This list currently includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and (late arrival) ZagreuS.


All in all, while the underground cybercrime ecosystem is generating profits through criminal activity, it is still a market, and, just like all markets, it is governed by the same principles that guide any other market today.

A large number of service providers is the tell-tale sign of a booming economy that is far from being saturated. Saturating the RaaS market will only happen when criminals create more RaaS portals than affiliate groups are willing to sign up for or when companies bolster their security measures, making intrusion harder to carry out, drying up profits for crooks.



Google Cloud: We do use some SolarWinds, but we weren’t affected by mega hack




Google Cloud’s first chief information security officer (CISO) has revealed that Google’s cloud venture does use software from the vendor SolarWinds, but says its use was “limited and contained”.

Google Cloud announced the hire of its first CISO, Phil Venables, in mid-December, just as the US was beginning to understand the scope of the Russian government’s software supply chain malware attack.

The hack affected the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Justice, Microsoft’s source code and many more.

But Venables, a Goldman Sachs veteran, insists that no Google systems were affected by the attack. It’s an important message from Google at a time when hacks have undermined trust in known software suppliers, which in turn threatens Google’s $12bn-a-year cloud business. Google is set to announce its Q4 2020 FY financial results on Tuesday, February 2. 

“Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event,” Venables said in a blogpost.

“We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.”

Venables also shared some top tips that Google uses to protect itself and customers from software supply chain threats. This particular attack exposed how connected the entire software industry is, and how vulnerable the ecosystem is because of assumptions built into the systems that are used to receive updates from known and trusted suppliers. 

Hackers breached SolarWinds and planted malware inside software updates for Orion, which offered a beachhead from where attackers could move within networks of companies and government agencies. 

Researchers at CrowdStrike last week revealed a third piece of malware was used in the attack on SolarWinds’ customers via official software updates. SolarWinds last week disclosed that the attackers were testing malware distribution through Orion updates from at least September 2019, indicating the planning that went into the attack.

Other organizations affected by this breach included the Department of Health’s National Institutes of Health (NIH), the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), the US Department of State, the National Nuclear Security Administration (NNSA), the US Department of Energy (DOE), several US state governments, and Cisco, Intel, and VMware.

According to Venables, Google uses secure development and continuous testing frameworks to detect and avoid common programming mistakes. 

“Our embedded security-by-default approach also considers a wide variety of attack vectors on the development process itself, including supply chain risks,” he says. 

He goes on to explain what trusted cloud computing means at Google Cloud, which comes down to control over hardware and software.  

“We don’t rely on any one thing to keep us secure, but instead build layers of checks and controls that includes proprietary Google-designed hardware, Google-controlled firmware, Google-curated OS images, a Google-hardened hypervisor, as well as data center physical security and services,” says Venables.  

“We provide assurances in these security layers through roots of trust, such as Titan Chips for Google host machines and Shielded Virtual Machines. Controlling the hardware and security stack allows us to maintain the underpinnings of our security posture in a way that many other providers cannot. We believe that this level of control results in reduced exposure to supply chain risk for us and our customers.”

Google also verifies that software is built and signed in an approved isolated build environment from properly checked-in code that has been reviewed and tested.

The company then enforces these controls during deployment, depending on the sensitivity of the code. 

“Binaries are only permitted to run if they pass such control checks, and we continuously verify policy compliance for the lifetime of the job. This is a critical control used to limit the ability of a potentially malicious insider, or other threat actor using their account, to insert malicious software into our production environment,” says Venables.  

Finally, Google ensures that at least one person beyond the author provably reviews code and configuration changes submitted by its developers.   

“Sensitive administrative actions typically require additional human approvals. We do this to prevent unexpected changes, whether they’re mistakes or malicious insertions.”
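The deployment controls described above (binaries built in an approved isolated environment from reviewed code, and permitted to run only if they pass policy checks) can be illustrated with a small admission gate. The following is an added example written for this page, not Google’s code; the builder identifiers, keys, binary contents and review records are constructed, and an HMAC tag stands in for the asymmetric signature a real build service would produce.

```python
"""Added example (not Google's implementation): a deploy-time admission gate
that only admits a binary if (1) its provenance was signed by an approved,
isolated builder, (2) the binary digest matches that provenance, and
(3) at least one reviewer other than the author approved the change.
All identifiers and key material below are constructed for illustration."""
import hashlib
import hmac
import json

# Hypothetical: verification keys of the approved, isolated build environments.
# Constructed values; a production gate would hold public keys and verify
# real signatures rather than HMAC tags.
APPROVED_BUILDER_KEYS = {
    "isolated-builder-1": b"constructed-key-for-builder-1",
}


def _canonical(record: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, record: dict) -> str:
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def build_attestation(binary: bytes, builder_id: str, key: bytes,
                      author: str, reviewers: list, source_commit: str) -> dict:
    """What the (hypothetical) build service emits alongside a binary."""
    record = {
        "binary_sha256": hashlib.sha256(binary).hexdigest(),
        "source_commit": source_commit,
        "author": author,
        "reviewers": list(reviewers),
    }
    return {"builder": builder_id, "record": record, "sig": _tag(key, record)}


def admit(binary: bytes, attestation: dict, min_reviewers: int = 1) -> tuple:
    """Deploy-time gate: returns (allowed, reason)."""
    builder = attestation.get("builder")
    key = APPROVED_BUILDER_KEYS.get(builder)
    if key is None:
        return False, "builder not approved"
    record = attestation.get("record", {})
    # Verify the signature first: nothing in the record is trusted until then.
    if not hmac.compare_digest(_tag(key, record), attestation.get("sig", "")):
        return False, "provenance signature invalid"
    if record.get("binary_sha256") != hashlib.sha256(binary).hexdigest():
        return False, "binary digest does not match provenance"
    author = record.get("author")
    independent = {r for r in record.get("reviewers", []) if r != author}
    if len(independent) < min_reviewers:
        return False, "insufficient independent review"
    return True, "ok"


def demo() -> dict:
    """Run the gate over constructed cases; returns the decision per case."""
    key = APPROVED_BUILDER_KEYS["isolated-builder-1"]
    binary = b"constructed binary contents"
    good = build_attestation(binary, "isolated-builder-1", key,
                             "alice", ["bob"], "constructed-commit-id")
    self_reviewed = build_attestation(binary, "isolated-builder-1", key,
                                      "alice", ["alice"], "constructed-commit-id")
    # Record edited after signing: a reviewer is added without re-signing.
    forged = json.loads(json.dumps(good))
    forged["record"]["reviewers"].append("mallory")
    # Built outside the approved environment with a key the gate does not know.
    unknown = build_attestation(binary, "laptop-build", b"other-key",
                                "alice", ["bob"], "constructed-commit-id")
    return {
        "good": admit(binary, good),
        "tampered_binary": admit(binary + b"!", good),
        "self_reviewed": admit(binary, self_reviewed),
        "forged_record": admit(binary, forged),
        "unknown_builder": admit(binary, unknown),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:16} allowed={allowed} ({reason})")
```

Only the first case is admitted; the others fail on the specific control they violate, which is the point of layering the checks: a signed provenance record alone says nothing about the binary in hand until its digest is compared, and a valid signature from an unapproved builder is still rejected.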




iOS 14.4 kicks off crackdown on non-genuine iPhone cameras




iOS is already flagging non-genuine batteries and displays, and now it seems that iOS 14.4 will add non-genuine cameras to the list.

According to reports by MacRumors, and confirmed by ZDNet, iOS 14.4 developer beta 2 now throws up an error message when it detects a non-genuine camera fitted to an iPhone.

The message, which reads “Unable to verify this iPhone has a genuine Apple camera,” can be dismissed and does not seem to affect the use or operation of the camera.

This appears to be yet another step forward (or backward) by Apple, as it continues its fight against user-repairable iPhones.

Interestingly, according to tech repair site iFixit, cameras can now be swapped between iPhone 12 units without any problems. However, before you start celebrating that, iFixit believes that Apple will soon start flagging as non-genuine any camera replacement that has not been followed up by running Apple’s proprietary, cloud-linked System Configuration app.

This basically means that this warning will be present any time a repair is not carried out by Apple or an Apple Authorized Service Provider.

Is this a money-making ploy by Apple? In response to US politicians investigating anti-competitive practices asking about repair revenue, Apple responded that “each year since 2009, the costs of providing repair services has exceeded the revenue generated by repairs.”

However, according to iFixit’s Kay-Kay Clapp, “there’s no way to fact check Apple’s accounting on repairs because of the vagaries of revenue reporting.”

“Knowing how much we pay for parts and the general labor costs of the repair industry, it seems unbelievable that they’re not making money from repair services.”




Ongoing ransomware attack leaves systems badly affected, says Scottish environment agency




The Scottish Environment Protection Agency (SEPA) has confirmed that it was hit by a ransomware attack last month and is continuing to feel the impact.

SEPA’s contact centre, internal systems, processes and internal communication have all been affected by the attack, which hit on Christmas Eve. The organisation, which is Scotland’s government regulator for protecting the environment, has also confirmed that 1.2GB of data has been stolen as part of the attack – including personal information relating to SEPA staff.


Despite the ransomware attack, SEPA’s ability to provide flood forecasting and warning services, as well as regulation and monitoring services, has continued.


But while the infected systems have been isolated, SEPA’s latest update on the ransomware attack says that recovery will take a “significant period” and that a number of systems will “remain badly affected for some time” with entirely new systems required. SEPA has blamed the ransomware attack on “serious and organised” cyber criminals.

“Whilst having moved quickly to isolate our systems, cybersecurity specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre, have now confirmed the significance of the ongoing incident,” said Terry A’Hearn, Chief Executive of SEPA.

“Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”

While the organisation itself hasn’t confirmed what form of ransomware it has fallen victim to, the cyber-criminal group behind Conti ransomware has published what it claims to be data stolen from the Scottish government agency.

Stealing data has become increasingly common for ransomware gangs. They use the stolen data to double down on extortion by threatening to leak the information if the victim doesn’t give in to the ransom demand of hundreds of thousands, or even millions, of dollars in bitcoin in exchange for the decryption key.

SEPA hasn’t yet detailed how cyber criminals were able to break into the network to deploy ransomware and the investigation into the incident is still ongoing.

“We are aware of this incident affecting the Scottish Environment Protection Agency and are working with law enforcement partners to understand its impact,” an NCSC spokesperson told ZDNet.

Ransomware has become one of the most disruptive and damaging cyberattacks an organisation can face and cyber criminals show no signs of slowing down ransomware campaigns because, for now at least, ransomware gangs are still successfully extorting large payments out of victims.





UK police warn of sextortion attempts in intimate online dating chats




As politicians play whack-a-mole with COVID-19 infection rates and try to balance the economic damage caused by lockdowns, stay-at-home orders have also impacted those out there in the dating scene. 

No longer able to meet up for a drink, a coffee, or now even a walk in the park, organizing an encounter with anyone other than your household or support bubble is banned and can result in a fine in the United Kingdom — and this includes both dates and overnight stays. 

Therefore, the only feasible option available is online connections, by way of social networks or dating apps. 

Dating is hard enough at the best of times but sexual desire doesn’t disappear just because you are cooped up at home. Realizing this, a number of healthcare organizations worldwide have urged us not to contribute to the spread of COVID-19 by meeting up with others for discreet sex outside of our social bubbles, bringing new meaning to the phrase, “You are your safest sex partner.”

This doesn’t mean, however, that we’ve abandoned the search in the time of a pandemic; instead, dating apps — such as Tinder, eHarmony, and the new Quarantine Together — are signing up users in record numbers. 

Apps and chats over Zoom, however, can only go so far and after you’ve made your way through remote small talk, what’s next?

If you’re not careful, it’s blackmail. 

In a recent case documented by the UK’s Thames Valley police, a sextortion scam started innocently enough: a young man was contacted over Facebook by a woman who wanted to video chat. 

They talked twice online and the woman asked him to show off his body. While no “intimate” acts took place in the first online session, the police say, the second chat was another story — and the intimate footage he provided was then covertly recorded by the scam artist. 

She then told her victim that their online session had been recorded and demanded £200 ($270) on pain of it being sent to all of his family and friends, now available to her through the Facebook connection. 

The man refused, but over the next two hours, he received over 100 demands for payment. Eventually, he appeared to cave in — but instead blocked her and deactivated all of his accounts before contacting law enforcement. 

Thames Valley asks for us to “not do anything silly” online, but this case — as it goes, a small fish in a large phishing pond and one in which the young man escaped from the net — still highlights how careful we need to be now about sharing intimate footage or allowing the opportunity for it to be taken online without our permission. 

Sextortion is not a new concept, and unfortunately, the internet has provided a lucrative arena for people trying to extort money, sexual acts, services, or images from others. Some of the most common forms of sextortion are:

  • Phishing emails: Messages claim to have seen your web history or pornographic website visits, and may also say that ‘hackers’ accessed your webcam and recorded you. 
  • Phishing emails containing known passwords: The same, but with the addition of passwords used by you to access online accounts that may have been leaked in a data breach to try and appear more legitimate.
  • Revenge porn: Threats to release intimate photos or videos online, sometimes by ex-partners or other people you know. 
  • Internet of Things: Nest and Ring devices have been compromised to recycle old tactics and convince victims that hackers have illicit recordings of them. 

Emotional triggers are the key: humiliation, fear, worry of friends, family, or co-workers finding out or viewing footage, and the concern of the future impact such material could have on your life. 

A report conducted by Thorn and the Crimes Against Children Research Center (CCRC) estimates that in 45% of cases where a perpetrator has access to sensitive material, they will carry out their threat. 

After all, it’s not them who face humiliation.

With this in mind, it’s time to reconsider just what risks we are comfortable taking online, lockdown or not. Sextortion can be devastating but there’s no guarantee that a scammer will delete footage they have obtained after you’ve paid up — and may simply demand more and more from you.

“Anybody who is threatened with this type of blackmail by an online contact is advised to contact the police and should refuse to send the scammer any money,” commented Ray Walsh, Digital Privacy Expert at ProPrivacy. “Once a scammer knows that a victim is willing to pay they will only double down and ask for more. For this reason, it is vital that you contact the police and refuse to pay.”


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
