Microsoft has published the second edition of its Cyber Signals report. It analyzes key security trends, with a particular focus on ransomware, which this year has cost businesses and governments many millions around the world in ransom payments, reputational damage, and service outages.
As the report highlights, in this industry as in many others, those who develop ransomware tools do not limit themselves to carrying out attacks with them; they also sell or lease these tools to whoever does, either at a predetermined fixed price or for a share of the profits obtained (the affiliates).
There is a "cybercrime manufacturing" chain in which each actor specializes in a role. For example, some agents sell only network access, while others handle other stages of the intrusion process, which, in the case of ransomware, begins long before the extortion attempt. To have a chance of success, an attack of this type has already been preceded by data theft, or by access to systems at a level capable of affecting the organization, a path that is built silently.
Inversely proportional to the size of the problem is the number of actors working in the field: a relatively small, interconnected, specialized and standardized ecosystem, which has made ransomware as a service (RaaS) the dominant business model. This has given a wide range of criminals, even those without advanced technical knowledge, access to the means needed to launch a ransomware attack. RaaS groups are easy to find on the dark web and are advertised the same way any product or service is advertised on the internet.
"Just as anyone with a car can drive for a ride-sharing service, anyone with a laptop and a credit card who is willing to search […] for malware tools on the dark web can join this economy," the report confirms.
These groups can include an increasingly wide range of features, such as bundled offers, customer support, user reviews, forums, and more. Most ransomware campaigns are based on the same software, which those who carry out the attacks choose according to the tools it incorporates or the goals it allows them to achieve, with dozens of affiliates for each program and the authors themselves advertising their services to customers.
Attack strategies can differ. They can start by using malware to enter victims' systems and secure access privileges, or combine malware with legitimate tools to extract data or demand payments. Other methods can also be used. The Lapsus group, which may be responsible for some of this year's most notorious cyberattacks on large companies in Portugal and on multinationals such as T-Mobile or Microsoft, behaves differently.
As Microsoft explains, its initial strategy is to purchase access passwords to target systems on the black market. These passwords are legitimate and belong to company employees who have been victims of previous attacks. The group favors attacks on telecom companies or IT service providers, knowing that these companies can be a gateway to others: their partners, and systems linked to those of the first target.
Since the different actors in this ecosystem are highly interconnected, attacks that seem unrelated to one another can actually build on each other. Another example noted in the report is infostealer malware designed to steal passwords and cookies. What in this case is the end becomes, in a subsequent attack with other tools, a means to reach a new end, as the way the Lapsus group operates clearly demonstrates.
Cyber Signals also notes that the recent shutdown of some major programs in the ransomware field, such as Conti, caused the ecosystem to shift and readjust. Many Conti ransomware affiliates have moved to LockBit or Hive, and some have switched to using multiple suites simultaneously. In addition, new programs appeared to occupy the space Conti left vacant, such as QuantumLocker and Black Basta.
This Microsoft report is based on insights from 43 billion security alerts received and 8,500 security experts the company works with directly. It provides some more interesting data, noting that, on average, an attacker needs 1 hour and 12 minutes to access the personal data of a person who "falls" for a phishing scam and opens the link received in a fraudulent email. And to start developing actions in the background that will eventually lead to an attack on the corporate network, the attacker needs only 1 hour and 42 minutes after managing to enter the corporate machine.
Microsoft's Digital Crimes Unit removed more than 531,000 phishing website links (URLs) and 5,400 phishing groups between July 2021 and June 2022, which led to the identification and closure of 1,400 malicious email accounts used to collect stolen credentials.