As cybercrime gangs buy more malware, ransomware and phishing tools on underground markets, the dark web is becoming a busier and more dangerous place.
In April 2022 the U.S. Treasury sanctioned the Russia-based Hydra market. Hydra was the largest darknet market in the world and provided cryptocurrency exchange services to threat actors worldwide. German and U.S. authorities shut it down at around the same time.
Ransomware organizations operating via the dark web have hundreds of hackers working for them and earn millions in revenue, and they stand to generate millions more in illicit funds.
In 2022, researchers found 475 web pages offering ransomware code and services on the dark web. Thirty strains of ransomware, including the DarkSide and GoldenEye ransomware-as-a-service (RaaS) offerings, were available among them.
Threat actors, including script kiddies and people with no hacking experience, are increasingly joining Ransomware-as-a-Service (RaaS) operations as an easy way to start extorting victims.
In 2022, affiliates favored joining RaaS operations over running private ransomware because RaaS gives them more freedom and lets them deploy attacks faster.
What happens when RaaS is purchased or sold?
Given how damaging the malware is and how much it extracts from victims, joining a RaaS operation is relatively inexpensive.
Venafi, for example, reported finding a customized version of DarkSide, the ransomware used in the attack that shut down Colonial Pipeline, for sale on the dark web for $1,262.
RaaS kits, their related source code and custom-built RaaS services are sold directly on the dark web and paid for in cryptocurrency such as bitcoin. These services are growing in popularity in this niche business, and some come with subscription plans, instructions and technical support.
These attacks often involve threat actors who buy access from Initial Access Brokers (IABs). Initial access to a network frequently comes from stolen credentials, which can be used to log in to remote access tools such as Citrix.
Criminals can buy compromised credentials far more easily than they can collect them themselves through phishing or brute force.
Cybercrime and the Rise of RaaS in 2023
Forecasts show RaaS operations adjusting for more efficient data exfiltration and helping affiliates shame organizations that don’t pay by publishing their data on leak sites.
In 72% of ransomware cases this year, the variant involved was one that security engineers had not seen before.
In 2023 the trend toward unique ransomware variants is expected to continue, and IABs, RaaS groups and affiliates will trade initial access more heavily, including compromised user credentials that unlock remote access tools.
RaaS Attacks on the Rise: The Defense
A multi-layered defense is the best way to combat ransomware. Defense in depth against ransomware includes data security, endpoint security, gateway security and control over end-user credentials.
Data security
Data security means keeping backups on separate network segments or offline, so that ransomware which encrypts production data cannot reach the backups as well.
Endpoint security hardens user devices by enforcing secure configurations on computers and phones. Endpoint security solutions include behavior-based anti-malware, anti-phishing and ransomware protection that block unauthorized modifications by malicious users.
Gateway security protects networks and users from ransomware. Ransomware operators increasingly move their traffic over encrypted connections; security gateways inspect this traffic, detect ransomware and stop it from entering or leaving the network.
Locking down end-user credential entry points
Cyberattacks use end-user credentials as entry points into the network. Ransomware organizations buy compromised credentials from IABs to gain the initial access they need for an attack.
A strong password policy helps close this entry point by ensuring users choose and keep passwords that are not already compromised.
Specops Password Policy uses Breached Password Protection to block over 3 billion compromised passwords, including passwords that IABs sell to ransomware organizations and their affiliates. Its breached-password list is kept up to date with live attack data from RDP honeypots and open-source breach information.
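To show what a breached-password check actually does at password-change time, here is an added example; it is not Specops' code or the page's own. It implements the k-anonymity lookup scheme popularised by Have I Been Pwned's Pwned Passwords API: the client hashes the candidate with SHA-1, sends only the first five hex characters of the hash, receives every suffix sharing that prefix, and finishes the comparison locally, so the full password or full hash never leaves the client. The breach corpus, the `fetch_range` stand-in for the network call, and the sample passwords are all constructed for the example.

```python
"""Added example (not Specops' code): reject passwords that appear in a
breached-password corpus, using a k-anonymity prefix lookup.

Everything runs offline: BREACH_RANGES is a constructed stand-in for the
range responses a real service would return.
"""
import hashlib
from typing import Dict, List


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest breached lists are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: password -> number of times seen in breaches.
# A real deployment holds billions of hashes; the lookup logic is the same.
_KNOWN_BREACHED: Dict[str, int] = {
    "Password1": 3_412_000,
    "Welcome2022!": 1_870,
    "Summer2019": 5_200,
}


def _build_ranges(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Group 'SUFFIX:COUNT' lines under their 5-char SHA-1 prefix, mimicking
    the range-response format (constructed for this example)."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return ranges


BREACH_RANGES: Dict[str, List[str]] = _build_ranges(_KNOWN_BREACHED)


def fetch_range(prefix: str) -> List[str]:
    """Stand-in for an HTTPS GET of /range/<prefix>.  Assumption: in a real
    deployment this is the only function that talks to the network, and it
    only ever sees the 5-character prefix."""
    return BREACH_RANGES.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """How many times the password appears in the breach corpus (0 if never).
    The full hash is compared locally against the returned suffixes."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix):
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0


def check_password(password: str, min_length: int = 12) -> List[str]:
    """Evaluate a candidate against the policy.  Returns the reasons for
    rejection; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    n = breach_count(password)
    if n:
        problems.append(f"found {n:,} times in breached-password data")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "Welcome2022!", "correct horse battery staple"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that `Welcome2022!` satisfies length and complexity rules yet is still rejected, which is the whole point of a breached-password check: composition rules alone do not catch passwords that IABs are already selling.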