Malicious source code leaked from established cybercriminal enterprises like LockBit and Babuk is breeding a new generation of rough and ready ransomware gangs, says a new report from Cisco Talos. According to a new report from the threat intelligence team, code that has been dispersed across dark web forums has been detected in dozens of cyberattacks against companies perpetrated by criminal enterprises that are sometimes only weeks old. Such leaks, the report argues, ‘are having a significant effect on the threat landscape, making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge.’
Dragon’s teeth
Ransomware is not easy to build. Indeed, writing software designed to evade complex corporate cybersecurity defences, exfiltrate data and then automatically demand a payment for its release is usually the preserve of talented software engineers. As such, explains the report, leaks of existing source code from major ransomware gangs ‘allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants.’
According to the Cisco Talos report, at least four major ransomware gangs – Babuk, Conti, LockBit and Chaos – have seen valuable code published on dark web forums in recent years. Some of this has been intentional, says the authors, the product of one affiliate’s disgruntlement with another within the overall group. Many examples of leaks, however, have arisen as a result of operational error. Such was the case with the ransomware group Babuk in September 2021, when a series of internal mishaps released enough source code to power a fully functioning ransomware operation in its own right. Novice cybercriminals pounced. Babuk’s leaked source code has appeared in attacks perpetrated by at least ten new ransomware gangs.
It’s not the only example of leaked source code spawning new ransomware operations. According to the Cisco Talos report, a spate of recent ransomware attacks can be traced back to the leaking of a ransomware builder called Yashma in May 2022, itself a rebranded version of a program leaked from the Chaos gang. A type of program that allows the user to customise ransomware, builder programs also afford the opportunity for neophyte cybercriminals to create their own variants with minimal effort.
Another group called Buhti, meanwhile, has successfully deployed code leaked from both LockBit and Babuk to target Windows and Linux systems. New operations like these tend to charge smaller ransoms to release corporate data back to its owners, according to Cisco Talos, with sums ranging from a mere $3.50 to $4,390 in Bitcoin. According to the threat intelligence provider, this could be because such gangs are effectively ‘lone wolf operators,’ reluctant to make elaborate demands from their victims before they have fully tested the capabilities of the ransomware they have adapted from the leaked source code from larger rivals.
How to mitigate these new risks
The fact that new groups are mushrooming as a consequence of leaked code shouldn’t be surprising, argues Vasileios Karagiannopoulos, co-director of the Centre of Cybercrime and Economic Crime at the University of Portsmouth. Nevertheless, it’s a useful reminder of how quickly the ransomware ecosystem can evolve – and how dangerous that process is for companies that neglect their cyber-defences.
Such risks can be mitigated, argues Karagiannopoulos, but only through a combined effort from both the private and public sectors. “Cybersecurity organisations and companies, ethical hackers and even governments can gain access to the code and try to provide patches and generate defensive measures in their software and security tools to counter the effects of new ransomware,” he says. “It is therefore important that the security community works together to tackle new code that comes to light quickly – ideally with investment from governments and international organisations.”
New solutions coming from the cybersecurity landscape, such as zero-trust, can also be used to counter the risks from the new ransomware gangs. Other solutions, says Karagiannopoulos, like “segmented structures, monitoring use patterns across all levels and layers, and regular and up-to-date cyber awareness training, are also important in order to reduce vulnerable attack vectors and become aware of the problem early on and minimise its impact.”