Between Q2 2023 and Q2 2024, KELA has tracked more than 5,000 victims of ransomware and extortion actors, and the numbers are only growing year-on-year. Ransomware has become a huge business, and monetization opportunities are far broader than just the ransom demand itself. 

Our latest eBook takes a deep dive into the business of the ransomware supply chain, looking at headline-grabbing attacks, key personas that leverage the cybercrime underground for financial gain, and best practices for protecting your own organization. Download the eBook here, or keep reading for some choice highlights. 

How Does Ransomware Work? 

When we think of ransomware, we imagine the end game — where attackers encrypt data and demand a ransom for its return. In a double extortion attack, the threat actors threaten to leak the stolen data, and in a triple extortion attack, additional methods are used such as DDoS attacks or a spam campaign, usually intended to up the pressure. 

However, by the time any of these tactics become apparent to the victim, the ransomware attack is at its final stages. 

A ransomware attack begins long before an organization has any idea that they are under fire. First, attackers gather intelligence and conduct active reconnaissance, picking an organization that they believe may lead to a large pay-day. Attackers then need to obtain initial access to the victims’ network. They can do this by purchasing initial access from Initial Access Brokers (IABs) who have done the majority of the legwork, or through compromised employee accounts mostly obtained through infostealers which often infect a system via malicious links and attachments hidden in emails, social engineering, malvertising or perhaps as a result of software vulnerabilities. 

Once inside, attackers use lateral movement and privilege escalation to expand their reach, finding sensitive data or gaining control over endpoints. This puts them where they need to be for data exfiltration, which they can then leverage when they threaten to leak the data, or sell it on. Only then do attackers deploy their ransomware, encrypting files and making them inaccessible, and establish a communication channel to demand a ransomware payment. 

The Evolution of Ransomware Attacks

Historically, a single hacker or group might have targeted an enterprise, going through all of these steps in their own silo. However, today ransomware attacks are predominantly the work of different people with different specializations, coming together to make an attack possible through the cybercrime ecosystem. 

Those who have the expertise to build the malware can focus there — while others may be hired as traffers, individuals whose role it is to spread the malware far and wide, or as negotiators, who are highly-skilled in getting ransoms paid quickly. Ransomware-as-a-Service is a growing trend, and Autoshops are also more common than ever — allowing hackers to simply ‘click-to-buy’ what they need, whether that’s attack tools, initial access, or lists of credentials. 

The cybercrime ecosystem isn’t only used to buy things, it’s also a community of threat actors who can use it to recruit and coordinate for attacks, negotiate with victims, and share their own methodologies and support for one another. 

These changes have allowed ransomware efforts to scale beyond what anyone could have imagined, giving attackers many more opportunities to target organizations, and providing a greater chance of financial gain. 

Where Do Criminals Find Initial Access in the Cybercrime Ecosystem? 

In the past year compromised valid accounts (MITRE ID: 1078) and user credentials have become the top initial access vector for cyber attacks. Criminals can find credentials and compromised accounts from a combination of four main sources: 

• Botnet markets: These offer threat actors a list of data and logs to sift through and choose from, starting from as little as $0.50.  
• Telegram cloud of logs: By subscribing to a monthly channel, criminals can gain access to all credentials from compromised machines. 
• ULP files: These credential lists can often contain millions of plaintext credentials, which are usernames and passwords with a corresponding URL. 
• Initial access brokers: IABs directly sell remote access to a compromised organization, so criminals can step in at the final stage and launch the attack. 

Identity Security Offers Proactive Defense against Ransomware

Keeping a spotlight on these sources is a core part of protecting your organization against ransomware. After all, your attack surface is no longer about perimeter security — it’s about knowing what the attackers know about you. By onboarding a robust identity security platform like KELA Identity Guard, you get exactly this vantage point. 

KELA Identity Guard monitors illicit dark web marketplaces, cybercrime forums, and messaging and bot marketplaces, so that any compromised credentials related to organizational domains, SaaS tools and IP addresses can be intercepted in real-time. It offers a wide range of insights into infostealer and bot-related information, including threat trends, compromised service categories, and more. 

Download KELA’s Ultimate Guide to Combating Ransomware, to access information on: 

• High-profile ransomware attacks, including examples of businesses that paid the ransom.
• The cybercrime ecosystem, covering the key players and their roles, and how ransomware has changed in recent years.
• Best practices against ransomware, five key initiatives that should already be implemented in your organization. 

Download the eBook here.