Ransomware Retail: Underground Remote Access Markets

Abstract: The recent attacks against Kaseya, Colonial Pipeline and other high-profile targets have thrust ransomware back into the spotlight. A major component in the growing severity and scope of these attacks is the availability of remote access for purchase on the deep and dark web. For as little as a few dollars apiece, underground markets offer remote access to millions of machines, bought and sold anonymously with a click of a button. Ransomware groups purchase the access, encrypt the corporate network, and hold the data hostage, demanding a large ransom in exchange for a decryption key while threatening to release confidential data if they are not paid.

Fortunately, Cybersixgill’s fully automated solutions provide contextual and actionable threat intelligence to help organizations understand the threat landscape and their potential exposure: the Investigative Portal offers automated alerting when customers’ assets are mentioned in these markets and lets analysts dig deeper into the latest ransomware TTPs; Darkfeed provides an automated stream of malicious IOCs, including IP addresses of compromised RDP connections; and the Dynamic Vulnerability Exploit Score (DVE) helps organizations prioritize patching so that they are less likely to be compromised in the first place.

The recent attacks against Kaseya, Colonial Pipeline and other high-profile targets have thrust ransomware back into the spotlight. Amid this rapidly escalating ransomware threat landscape, the US government has taken unprecedented actions against ransomware groups: establishing a high-level task force, shutting down infrastructure, recovering ransom payments, and raising the issue directly with the Russian government at the highest levels.

While ransomware operators have many ways to infiltrate a target’s network, a major vector is abusing remote access. If an attacker can gain entry to a system via a malware backdoor or an exposed RDP service, for example, they can quickly move laterally across the internal network, exfiltrate confidential data, and then encrypt the systems. With the data now held hostage, they demand a hefty ransom, threatening to publish the confidential data on their dedicated leak sites (DLS) if they are not paid.

The deep and dark web are replete with opportunities for attackers to buy and sell tools and services. One of the major services for sale is remote access: for a fee, various markets sell access to compromised endpoints, as well as access over various remote protocols. These markets also sell webshells, cPanel accounts, and compromised email accounts.

The quantity of access for sale is staggering. In the year from June 1, 2020 to May 31, 2021, access to 4,598,020 compromised endpoints was sold on dark web markets. In addition, there were 325,917 RDP connections, 520,459 SSH connections, 5,055 FTP connections, 46,743 webshells, and 35,870 compromised cPanel accounts.

Anyone can purchase access on these markets, sometimes for as little as a few dollars. Deploying ransomware is not the only way that access can be abused: actors can also siphon system resources, harvest confidential information, and take control of logged-in financial accounts. However, considering how lucrative ransomware has become for attackers, we assess that these markets are very popular with ransomware operators; their massive, inexpensive inventory allows actors to effortlessly purchase their first step into the targeted network. Indeed, many security researchers have noted that these markets function as the initial stage of the “well developed money ecosystem” of these ransomware groups.

While most ransomware victims do not publicly disclose how the attackers got in, it is highly likely that in some incidents, actors simply purchased compromised remote access on a dark web market for several dollars.

Cybersixgill’s solutions

Investigative Portal

To address this, Cybersixgill provides its customers with solutions that aim to detect when their resources are being sold on these markets. Through the Investigative Portal, customers receive automated alerts whenever their assets are mentioned on these markets. Furthermore, customers can review posts from ransomware groups, such as calls for affiliates or partners. This enables customers to understand which groups are expanding their activities and offers deeper insight into their operations and profit models.

In addition, through the Investigative Portal, customers can access posts from ransomware groups’ dedicated leak sites (DLS), offering intelligence about the latest victims and activities. Browsing these items from the safety of the portal prevents exposing one’s system to the ransomware groups.

Furthermore, Portal customers are alerted if they or a monitored third party is mentioned on a DLS, which would indicate a possible ransomware incident and exposure of data. These automatic and instantaneous alerts enable immediate action.

Using Cybersixgill’s Investigative Portal (or by accessing data simply through its API), users can also derive quantitative insights about ransomware trends. For example, the figure below indicates that the aggregated number of monthly ransom demands on dedicated leak sites is alarmingly trending upwards.

Figure: monthly ransom demands posted on dedicated leak sites (DLS)

Darkfeed

Cybersixgill’s Darkfeed is an automated feed of malicious IOCs, providing (among other items) the IP addresses of compromised RDP connections that are shared freely on underground forums. These RDP addresses are ticking time bombs: any actor can use them as a point of entry to internal systems or as a staging point for further attacks. Darkfeed enables users to preemptively block items that could threaten their organizations and customers, helping them stay protected against these threats.
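The two uses of such a feed described above and in the Investigative Portal section (is one of our own exposed hosts being sold, and has a compromised address from the feed already logged in to us?) can be checked with a few lines of correlation logic. The following is an added example and is not Cybersixgill code; it does not use the real Darkfeed schema. The feed records, the organization's address range, and the auth log lines are all constructed for illustration, and the record fields (`ip`, `type`, `seen`) are assumptions.

```python
"""Correlate a feed of compromised-remote-access IOCs with an organization's
own public address space and with its authentication logs.

Added example, not vendor code. The feed format below is an assumption
(one JSON object per line with "ip", "type", "seen"), and all data is
constructed for illustration.
"""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed IOC feed (NOT the Darkfeed schema). The last two records are
# deliberately stale and malformed to show that the parser tolerates them.
FEED_LINES = """\
{"ip": "203.0.113.10", "type": "rdp", "seen": "2021-06-01T08:15:00Z"}
{"ip": "198.51.100.23", "type": "ssh", "seen": "2021-06-02T11:40:00Z"}
{"ip": "203.0.113.77", "type": "rdp", "seen": "2021-05-20T23:00:00Z"}
{"ip": "192.0.2.200", "type": "rdp", "seen": "2021-01-01T00:00:00Z"}
{"ip": "not-an-ip", "type": "rdp", "seen": "2021-06-02T00:00:00Z"}
"""

# Constructed: the organization's public range (covers .0 through .63).
OUR_RANGES = [ipaddress.ip_network("203.0.113.0/26")]

# Constructed auth logs: sshd syslog lines plus flattened Windows 4624 events
# (LogonType=10 is an interactive RDP logon; LogonType=2 is a local console).
AUTH_LOG_LINES = """\
Jun  2 11:41:05 bastion sshd[2231]: Accepted password for deploy from 198.51.100.23 port 51022 ssh2
Jun  2 11:42:10 bastion sshd[2240]: Failed password for root from 192.0.2.9 port 40101 ssh2
EventID=4624 LogonType=10 TargetUserName=admin IpAddress=203.0.113.77 TimeCreated=2021-06-02T09:00:00Z
EventID=4624 LogonType=2 TargetUserName=alice IpAddress=10.0.0.5 TimeCreated=2021-06-02T09:05:00Z
"""

# Fixed "now" so the staleness filter behaves deterministically.
REF_NOW = datetime(2021, 6, 3, tzinfo=timezone.utc)

SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")
WIN_RDP_LOGON = re.compile(
    r"EventID=4624\b.*\bLogonType=10\b.*\bTargetUserName=(?P<user>\S+).*\bIpAddress=(?P<ip>[0-9a-fA-F.:]+)")


def parse_feed(text, now, max_age_days=30):
    """Return {ip_address: record} for well-formed, recent feed entries."""
    cutoff = now - timedelta(days=max_age_days)
    iocs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # malformed address: skip the record, do not abort the run
        seen = datetime.strptime(rec["seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if seen < cutoff:
            continue  # stale listing: too old to justify a firewall rule
        iocs[ip] = {"type": rec["type"], "seen": seen}
    return iocs


def is_ours(ip, ranges):
    return any(ip in net for net in ranges)


def successful_remote_logons(log_text):
    """Extract (source_ip, user, protocol) for successful SSH and RDP logons."""
    hits = []
    for line in log_text.splitlines():
        m = SSH_ACCEPTED.search(line)
        if m:
            hits.append((ipaddress.ip_address(m["ip"]), m["user"], "ssh"))
            continue
        m = WIN_RDP_LOGON.search(line)
        if m:
            hits.append((ipaddress.ip_address(m["ip"]), m["user"], "rdp"))
    return hits


def correlate(feed_text, log_text, our_ranges, now):
    """Three outputs: our hosts listed in the feed (incident response, not a
    block rule), successful logons whose source is a listed host (pivot from a
    purchased machine), and the remaining feed IPs as a perimeter blocklist."""
    iocs = parse_feed(feed_text, now)
    our_hosts = sorted(str(ip) for ip in iocs if is_ours(ip, our_ranges))
    logons = [(str(ip), user, proto)
              for ip, user, proto in successful_remote_logons(log_text) if ip in iocs]
    blocklist = sorted(str(ip) for ip in iocs if not is_ours(ip, our_ranges))
    return {"our_hosts_for_sale": our_hosts, "logons_from_ioc": logons, "blocklist": blocklist}


if __name__ == "__main__":
    print(json.dumps(correlate(FEED_LINES, AUTH_LOG_LINES, OUR_RANGES, REF_NOW), indent=2))
```

On the constructed data this reports `203.0.113.10` as one of our own hosts being sold (an incident to investigate, not an address to block), flags the `deploy` SSH session from `198.51.100.23` and the `admin` RDP session from `203.0.113.77` as logons from listed machines, and emits those two external addresses as the blocklist. The staleness cutoff and the skip on malformed records are the two details that keep an automated feed from either filling the firewall with dead entries or crashing the job on one bad line.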

Dynamic Vulnerability Exploit Score (DVE)

Perhaps the best defense against these markets is not being compromised in the first place. Since attackers often gain initial access by using well-known exploits, Cybersixgill’s DVE solution enables customers to prioritize patching more intelligently, providing a dynamic rating for CVEs that factors in underground chatter and exploit development. We 

Let’s be honest—no single security product can possibly be 100% effective at preventing ransomware attacks. Rather, organizations must build a defense-in-depth strategy. Cybersixgill’s solutions can assist customers in preventing initial compromise through smarter patching and through automated detection of an organization’s assets sold in remote access markets. This will not solve ransomware—that will take a vast, coordinated global response—but it will help prevent your organization from becoming its next victim.

Figure: compromised endpoint for sale for $40

Figure: compromised RDP connection for sale

Figure: compromised SSH access for sale for $0.10