
Thursday, 04 August 2022 15:03

From Babuk source code to Darkside custom listings – exposing a thriving ransomware marketplace on the dark web

By Venafi
Venafi vice president of security strategy and threat intelligence Kevin Bocek

GUEST RESEARCH: Venafi investigation of 35 million dark web URLs shows macro-enabled ransomware is widely available at bargain prices.

Venafi, the inventor and leading provider of machine identity management, today announced the findings of a dark web investigation into ransomware spread via malicious macros. Conducted in partnership with criminal intelligence provider Forensic Pathways between November 2021 and March 2022, the research analysed 35 million dark web URLs, including marketplaces and forums, using the Forensic Pathways Dark Search Engine. The findings uncovered 475 webpages of sophisticated ransomware products and services, with several high-profile groups aggressively marketing ransomware-as-a-service.

• 87% of the ransomware found on the dark web has been delivered via malicious macros to infect targeted systems.

• 30 different 'brands' of ransomware were identified within marketplace listings and forum discussions.

• Many strains of ransomware being sold – such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry – have been successfully used in high-profile attacks.

• Ransomware strains used in high-profile attacks command a higher price for associated services. For example, the most expensive listing was US$1,262 for a customised version of Darkside ransomware, which was used in the infamous Colonial Pipeline ransomware attack of 2021.

• Source code listings for well-known ransomware generally command higher price points: Babuk source code is listed for US$950 and Paradise source code is selling for US$593.

"Ransomware continues to be one of the biggest cybersecurity risks in every organisation," said Venafi vice president of security strategy and threat intelligence Kevin Bocek. "The ransomware attack on Colonial Pipeline was so severe that it was deemed a national security threat, forcing President Biden to declare a state of emergency."

Macros automate common tasks in Microsoft Office and help people be more productive. However, attackers can use this same functionality to deliver many kinds of malware, including ransomware. In February, Microsoft announced a major change to combat the rapid growth of ransomware attacks delivered via malicious macros, but it temporarily reversed that decision in response to community feedback.

"Given that almost anyone can launch a ransomware attack using a malicious macro, Microsoft's indecision around disabling of macros should scare everyone," said Bocek. "While the company has switched course a second time on disabling macros, the fact that there was backlash from the user community suggests that macros could persist as a ripe attack vector."

In addition to a variety of ransomware at various price points, the research also uncovered a wide range of services and tools that help make it easier for attackers with minimal technical skills to launch ransomware attacks. Services with the greatest number of listings include those offering source code, build services, custom development services and ransomware packages that include step-by-step tutorials.

Generic ransomware build services also command high prices, with some listings costing more than US$900. At the other end of the price spectrum, many low-cost ransomware options are available across multiple listings — with prices starting at just US$0.99 for Lockscreen ransomware.

These findings are another example of the need for a machine identity management control plane to drive specific business outcomes, including observability, consistency and reliability. In particular, code signing is a key machine identity management security control that eliminates the threat of macro-enabled ransomware.

"Using code signing certificates to authenticate macros means that any unsigned macros cannot execute, stopping ransomware attacks in their tracks," Bocek concludes. "This is an opportunity for security teams to step up and protect their businesses, especially in banking, insurance, healthcare and energy where macros and Office documents are used every day to power decision making."
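As an added illustration of the control Bocek describes (this is not code from Venafi, Forensic Pathways or the original article), the following PowerShell snippet audits the Office macro Trust Center policy per application and moves it to "signed macros only". It assumes Office 2016/Microsoft 365 (registry version key 16.0) and writes the per-user policy hive; in production the same values would normally be pushed by Group Policy or Intune.

```powershell
# Added example (not Venafi's or iTWire's code): audit Office macro policy and
# set it so that only digitally signed macros run, plus block macros in files
# that carry the Mark-of-the-Web. Assumes Office 16.0 and the HKCU policy hive.
# VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification
# (Office default), 3 = disable all except digitally signed, 4 = disable all.

$Apps       = 'Word', 'Excel', 'PowerPoint'
$PolicyBase = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$Meaning    = @{ 1 = 'enable all (weak)'; 2 = 'disable with notification'
                 3 = 'signed macros only'; 4 = 'disable all' }

function Get-MacroPolicy {
    # Report the current VBAWarnings value per app; "not set" means the Trust
    # Center default applies and a user can simply click "Enable Content".
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyBase "$app\Security"
        $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $mow = (Get-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        if ($null -eq $val) { $label = 'not set (user-controlled)' } else { $label = $Meaning[[int]$val] }
        [pscustomobject]@{
            App              = $app
            VBAWarnings      = $val
            Meaning          = $label
            MacrosRestricted = ($val -eq 3 -or $val -eq 4)   # unsigned macros cannot run
            BlockInternet    = ($mow -eq 1)
        }
    }
}

function Set-SignedMacrosOnly {
    # Hardened form: only macros carrying a signature from a trusted
    # code-signing certificate may execute (value 3), and macros in documents
    # downloaded from the internet are blocked regardless of signature.
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyBase "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value 3 -Force | Out-Null
        New-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Before/after view of the setting for each application.
Get-MacroPolicy | Format-Table -AutoSize
Set-SignedMacrosOnly
Get-MacroPolicy | Format-Table -AutoSize
```

The value 3 still lets macros run when they are signed by a certificate in the user's Trusted Publishers store, so the control is only as strong as the management of those code-signing certificates.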

About the research

This research was carried out between November 2021 and March 2022 by Venafi in partnership with Forensic Pathways, which has developed the Dark Search Engine (DSE), an automated crawler and scraper of Tor .onion dark web sites. The intelligence tool's index contains more than 35 million URLs.

Publicly available information, such as PC Risk, was used to determine whether malicious macros were used as the initial attack vector.

For more information read the blog.

About Venafi

Venafi is the cybersecurity market leader in machine identity management. From the ground to the cloud, Venafi solutions manage and protect identities for all types of machines—from physical and IoT devices to software applications, APIs and containers. Venafi provides global visibility, lifecycle automation and actionable intelligence for all machine identity types and the security and reliability risks associated with them.

Jetstack, a Venafi company, is a cloud native products and strategic consulting company working with enterprises using Kubernetes and OpenShift. An open source pioneer, Jetstack has achieved notable industry recognition as the creator of cert-manager, the open source industry standard for cloud native machine identity management.

Jetstack's open source products and solutions protect the application environments and platform infrastructure of global banks, multinational retailing companies and defense organizations by giving enterprise platform and security teams the power to build, scale and secure their cloud infrastructure.

With more than 30 patents, Venafi delivers innovative machine identity management solutions for the world's most demanding, security-conscious organisations and government agencies, including the top five US health insurers; the top five US airlines; the top four credit card issuers; three out of the four top accounting and consulting firms; four of the five top US retailers; and the top four banks in each of the following countries: the US, the UK, Australia and South Africa.



About Forensic Pathways

Incorporated in 2001, Forensic Pathways provides innovative technologies within the criminal intelligence arena.

Focused primarily on the provision of digital forensic technologies, Forensic Pathways offers its international clients unique technologies in the management of mobile phone data, image analysis and ballistics analysis.
