
Extortion Economics

Ransomware’s new business model

Cyber Signals
August 2022

Over 80 percent of ransomware attacks can be traced to common configuration errors in software and devices.[1]

80%: Ransomware attacks exploiting configuration errors

Introduction

Cybercriminals emboldened by underground ransomware economy

While ransomware continues to be a headline-grabbing topic, there’s ultimately a relatively small, connected ecosystem of players driving this sector of the cybercrime economy. The specialization and consolidation of the cybercrime economy has fueled ransomware as a service (RaaS) to become a dominant business model, enabling a wider range of criminals, regardless of their technical expertise, to deploy ransomware.

We are all cybersecurity defenders.
Security Snapshot

Microsoft’s Digital Crimes Unit (DCU)
Directed the removal of more than 531,000 unique phishing URLs and 5,400 phish kits between July 2021 and June 2022, leading to the identification and closure of over 1,400 malicious email accounts used to collect stolen customer credentials.[1]

Email Threats:
Median time for an attacker to access your private data if you fall victim to a phishing email is one hour, 12 minutes.[1]

Endpoint Threats:
Median time for an attacker to begin moving laterally within your corporate network if a device is compromised is one hour, 42 minutes.[1]
Threat briefing

New business model offers fresh insights for defenders

Just as many industries have shifted toward gig workers for efficiency, cybercriminals are renting or selling their ransomware tools for a portion of the profits, rather than performing the attacks themselves.

The Ransomware as a Service economy allows cybercriminals to purchase access to ransomware payloads and data leakage as well as payment infrastructure. Ransomware “gangs” are in reality RaaS programs like Conti or REvil, used by many different actors who switch between RaaS programs and payloads.

RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs have 50+ “affiliates,” as they refer to users of their service, with varying tools, tradecraft, and objectives. Just as anyone with a car can drive for a rideshare service, anyone with a laptop and credit card willing to search the dark web for penetration testing tools or out-of-the-box malware can join this economy.

This industrialization of cybercrime has created specialized roles, like access brokers who sell access to networks. A single compromise often involves multiple cybercriminals in different stages of the intrusion.

RaaS kits are easy to find on the dark web and are advertised in the same way goods are advertised across the internet. A RaaS kit may include customer service support, bundled offers, user reviews, forums, and other features. Cybercriminals can pay a set price for a RaaS kit while other groups selling RaaS under the affiliate model take a percentage of the profits.

Figure: DEV-0237 ransomware payloads over time (timeline, Jan 2021 to Jun 2022). Ryuk: 2020-Jun 2021; Conti: Jul-Oct 2021; Hive: Oct 2021-present; BlackCat: Mar-June 2022; Nokoyawa: May 2022-present; Agenda, etc.: June 2022 (experiment).
Source: Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)

Ransomware attacks involve decisions based on configurations of networks and differ for each victim even if the ransomware payload is the same. Ransomware culminates an attack that can include data exfiltration and other impact. Because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. Infostealer malware that steals passwords and cookies gets treated with less severity, but cybercriminals sell these passwords to enable other attacks.

These attacks follow a template of initial access via malware infection or exploitation of a vulnerability, then credential theft to elevate privileges and move laterally. Industrialization allows prolific and impactful ransomware attacks to be performed by attackers without sophistication or advanced skills. Since the shutdown of Conti we’ve observed shifts in the ransomware landscape. Some affiliates who were deploying Conti moved to payloads from established RaaS ecosystems like LockBit and Hive, while others simultaneously deploy payloads from multiple RaaS ecosystems.

New RaaS like QuantumLocker and Black Basta are filling the vacuum left by Conti’s shutdown. Since most ransomware coverage focuses on payloads instead of actors, this payload switching is likely to confuse governments, law enforcement, media, security researchers, and defenders about who is behind the attacks.

Reporting on ransomware may seem like an endless scaling problem; however, the reality is a finite set of actors using this set of techniques.

Recommendations:

Build credential hygiene: Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement.

Audit credential exposure: Auditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. IT security teams and SOCs can work together to reduce administrative privileges and understand the level at which their credentials are exposed.

Reduce the attack surface: Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.
Defending against attacks

Cybercriminals add double extortion to attack strategy

Ransomware exists to extort payment from a victim. Most current RaaS programs also leak stolen data, known as double extortion. As outages cause backlash and government disruption of ransomware operators increases, some groups forgo ransomware and pursue data extortion.

Two extortion focused groups are DEV-0537 (aka LAPSUS$) and DEV-0390 (a former Conti affiliate). DEV-0390’s intrusions initiate from malware but use legitimate tools to exfiltrate data and extort payment. They deploy penetration testing tools like Cobalt Strike, Brute Ratel C4, and the legitimate Atera remote management utility to maintain access to a victim. DEV-0390 will escalate privileges by stealing credentials, locate sensitive data (often on corporate backup and file servers), and send the data to a cloud file sharing site using a file backup utility.

DEV-0537 uses a very different strategy and tradecraft. Initial access is obtained by purchasing credentials on the criminal underground or from employees at targeted organizations.

Problem 1: Stolen passwords and unprotected identities
More than malware, attackers need credentials to succeed. In nearly all successful ransomware deployments, attackers gain access to privileged, administrator level accounts granting broad access to an organization’s network.
Action 1: Authenticate identities
Enforce multifactor authentication (MFA) on all accounts, prioritizing administrator and other sensitive roles. With a hybrid workforce, require MFA on all devices, in all locations, at all times. Enable passwordless authentication like FIDO keys or Microsoft Authenticator for apps that support it.

Problem 2: Missing or disabled security products
In almost every observed ransomware incident, at least one system exploited in the attack had missing or misconfigured security products that allowed intruders to tamper with or disable certain protections.
Action 2: Address security blind spots
Like smoke alarms, security products must be installed in the correct spaces and tested frequently. Verify that security tools are operating in their most secure configuration, and that no part of a network is unprotected.

Problem 3: Misconfigured or abused applications
You might use a popular app for one purpose, but that doesn’t mean criminals can’t weaponize it for another goal. Too often, “legacy” configurations mean an app is in its default state, allowing any user wide access across entire organizations. Don’t overlook this risk or hesitate to change app settings for fear of disruption.
Action 3: Harden internet facing assets
Consider deleting duplicative or unused apps to eliminate risky, unused services. Be mindful of where you permit remote helpdesk apps like TeamViewer. These are notoriously targeted by threat actors to gain express access to laptops.

Problem 4: Slow patching
It’s a cliché, like “Eat your vegetables!” – but it’s a critical fact: The best way to harden software is to keep it updated. While some cloud based apps update with no user action, companies must apply other vendor patches immediately. In 2022 Microsoft observes that older vulnerabilities are still a primary driver in attacks.
Action 4: Keep systems up to date
Make software inventory a continuous process. Keep track of what you are running and prioritize support for these products. Use your ability to patch quickly and conclusively to gauge where transitioning to cloud based services is beneficial.

Understanding the interconnected nature of identities and trust relationships in modern technology ecosystems, DEV-0537 targets telecommunications, technology, IT services, and support companies to leverage access from one organization to gain entry into partner or supplier networks. Extortion only attacks demonstrate that network defenders must look beyond end stage ransomware and keep a close eye on data exfiltration and lateral movement.

If a threat actor is planning to extort an organization to keep their data private, a ransomware payload is the least significant and least valuable part of the attack strategy. Ultimately, it’s an operator’s choice what they choose to deploy, and ransomware is not always the big ticket payout every threat actor is after.

While ransomware or double extortion can seem an inevitable outcome from an attack by a sophisticated attacker, ransomware is an avoidable disaster. Reliance on security weaknesses by attackers means that investments in cyberhygiene go a long way.

Microsoft’s unique visibility gives us a lens into threat actor activity. Rather than rely on forum posts or chat leaks, our team of security experts studies new ransomware tactics and develops threat intelligence that informs our security solutions.

Integrated threat protection across devices, identities, apps, email, data, and the cloud helps us identify attacks that would have been labeled as multiple actors, when they’re in fact a single set of cybercriminals. Our Digital Crimes Unit, composed of technical, legal, and business experts, continues to work with law enforcement to disrupt cybercrime.

Recommendations:

Harden the cloud: As attackers move toward cloud resources, it’s important to secure these resources and identities as well as on-premise accounts. Security teams should focus on hardening security identity infrastructure, enforcing multifactor authentication (MFA) on all accounts, and treating cloud admins/tenant admins with the same level of security and credential hygiene as domain admins.

Prevent initial access: Prevent code execution by managing macros and scripts, and enabling Attack Surface Reduction Rules.

Close security blind spots: Organizations should verify that their security tools are running in optimum configuration and perform regular network scans to ensure a security product protects all systems.

Microsoft has in-depth recommendations at [Link]
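Both sets of recommendations in this briefing (reduce the attack surface, prevent initial access, close security blind spots) point at Attack Surface Reduction (ASR) rules. The PowerShell below is an added example, not code from the Cyber Signals report: it checks which of a small set of Defender ASR rules mapped to the stages described here (credential theft, lateral movement, macro and mail-borne initial access, encryption) are unconfigured on a host, then rolls them out audit-first. It assumes a Windows host running Microsoft Defender Antivirus and an elevated session; the GUIDs are Microsoft's documented ASR rule IDs as recalled here and should be confirmed against the current ASR rules reference before deployment.

```powershell
# Added example, not from the Cyber Signals report. Assumes Microsoft Defender
# Antivirus on Windows 10/11 or Windows Server, run from an elevated PowerShell.
# GUIDs are Microsoft's documented ASR rule IDs (confirm against the current
# ASR rules reference before deploying at scale).
$RansomwareAsrRules = [ordered]@{
    # Credential theft used to elevate privileges
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    # Lateral movement with admin tooling
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
    # Initial access via macros, scripts and mail attachments
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    'be9ba2d9-53ea-4cdd-84e5-9b1eeee46550' = 'Block executable content from email and webmail'
    # Late-stage encryption behaviour
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
# Get-MpPreference reports rule actions as numbers: 0 Disabled, 1 Block, 2 Audit, 6 Warn
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # One object per rule in $RansomwareAsrRules with its current action on this host
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    foreach ($id in $RansomwareAsrRules.Keys) {
        $i = [Array]::IndexOf($ids, $id)          # -1 when the rule has never been set
        $action = 'NotConfigured'
        if ($i -ge 0) { $action = $ActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]] }
        [pscustomobject]@{ Id = $id; Name = $RansomwareAsrRules[$id]; Action = $action }
    }
}

function Set-AsrRuleMode {
    # AuditMode only logs what a rule would have blocked (Event ID 1122 in the
    # Microsoft-Windows-Windows Defender/Operational log); Enabled blocks (Event ID 1121).
    param([Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled')][string]$Mode)
    foreach ($id in $RansomwareAsrRules.Keys) {
        # Add-MpPreference merges into the existing rule list instead of replacing it
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

# 1. Baseline: rules that are missing or not yet blocking are a security blind spot
Get-AsrRuleState | Where-Object Action -ne 'Block' | Format-Table -AutoSize
# 2. Audit first, so legitimate admin tooling that trips a rule shows up before it is blocked
Set-AsrRuleMode -Mode AuditMode
# 3. After reviewing the 1122 audit events, enforce:
# Set-AsrRuleMode -Mode Enabled
```

Running the audit step for a week or two before switching to Enabled is what surfaces the remote management and deployment tools the briefing mentions being abused, so they can be excluded deliberately rather than blocked by surprise.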

Expert Profile

Emily Hacker: Threat intelligence analyst

Emily Hacker did not expect to become a threat intelligence analyst at Microsoft after studying journalism in college. Her first job in cybersecurity was as a technical writer at an oil and gas firm. “I was editing intelligence reports, intelligence presentations, and helping with incident metrics. Over the course of that first year, I became absolutely enthralled with the work that intelligence analysts do.”

Emily’s work at Microsoft began in 2020 as an analyst for Microsoft Defender for Endpoint and Microsoft Defender for Office. One of the focus areas for these teams is to protect customers from threats associated with ransomware. Emily is directly involved in many of the investigations that built Microsoft’s knowledge of the RaaS economy and the access broker/operator/affiliate relationship, actively hunting for evidence of pre-ransomware signals.

“Following trends and techniques used by RaaS operators and their affiliates in the pre-ransom phase of an incident is critical to protecting customers from these types of threats,” she said.

“My job is to spot these pre-ransomware actors as early as possible. If you are only looking for the ransomware payload itself—you’re too late.”

To stay on top of the changing RaaS landscape, Emily and her team use a combination of automated systems and human analysis to analyze, escalate, and act on logs, alerts, and other activity in real time. Emily’s team helps anticipate, pre-empt, and respond to different incidents on the front lines of customers’ networks, while also contributing to MSTIC’s ever growing assessment of ransomware linked actor tools, motives, and strategies.

When it comes to a ransomware incident, the stakes can be incredibly high. Ransomware operators are known to target critically important networks related to education, transportation, healthcare, or telecommunications systems. When these networks are affected, the results can be catastrophic.

“The work we do at Microsoft to track and prevent ransomware incidents is important because we’re protecting not just our customers, but their customers as well,” Hacker said. “Identifying the tools and techniques associated with ransomware and pre-ransomware incidents as early as possible is critical when these incidents have potentially wide-reaching consequences for companies, their employees, and their customers.”

[1] Methodology: For snapshot data, Microsoft platforms, including Defender and Azure Active Directory, and our Digital Crimes Unit provided anonymized data on threat activity, such as malicious email accounts, phishing emails, and attacker movement within networks. Additional insights are from the 43 trillion daily security signals gained across Microsoft, including the cloud, endpoints, the intelligent edge, and our Compromise Security Recovery Practice and Detection and Response teams. Cover art is representative of the affiliate business model. Percentages do not represent actual discounts. Cover stat is based on Microsoft engagements over the past year.

© 2022 Microsoft Corporation. All rights reserved. Cyber Signals is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
DOCUMENT. This document is provided “as is.” Information and views expressed in this document, including
URL and other Internet website references, may change without notice. You bear the risk of using it. This
document does not provide you with any legal rights to any intellectual property in any Microsoft product.
