Page 35 - Banking Finance October 2023
ARTICLE
CA. It is estimated that Hive left behind over 1,500 victims worldwide and extorted millions of dollars in ransom payments.

DarkSide: DarkSide is a RaaS operation associated with an eCrime group tracked by CrowdStrike as CARBON SPIDER. DarkSide operators traditionally focused on Windows machines and have recently expanded to Linux, targeting enterprise environments running unpatched VMware ESXi hypervisors or stealing vCenter credentials. On May 10, the FBI publicly indicated that the Colonial Pipeline incident involved the DarkSide ransomware. It was later reported that Colonial Pipeline had approximately 100GB of data stolen from their network, and the organization allegedly paid almost $5 million USD to a DarkSide affiliate.

REvil: REvil, also known as Sodinokibi, was identified as the ransomware behind one of the largest ransom demands on record: $10 million. It is sold by the criminal group PINCHY SPIDER, which sells RaaS under the affiliate model and typically takes 40% of the profits.

Like TWISTED SPIDER's initial leaks, PINCHY SPIDER warns victims of the planned data leak, usually via a blog post on their DLS containing sample data as proof, before releasing the bulk of the data after a given amount of time. REvil will also provide a link to the blog post within the ransom note. The link displays the leak to the affected victim prior to its being exposed to the public. Upon visiting the link, a countdown timer begins, and the leak is published once the given amount of time has elapsed.

Dharma: Dharma ransomware attacks have been attributed to a financially motivated Iranian threat group. This RaaS has been available on the dark web since 2016 and is mainly associated with remote desktop protocol (RDP) attacks. Attackers usually demand 1-5 bitcoins from targets across a wide range of industries. Dharma is not centrally controlled, unlike REvil and other RaaS kits.

Dharma variants come from many sources, and most incidents in which CrowdStrike identified Dharma revealed nearly a 100% match between sample files. The only differences were the encryption keys, contact email, and a few other things that can be customized through a RaaS portal. Because Dharma attacks are nearly identical, threat hunters are not able to learn much about who is behind a Dharma attack and how they operate from a single incident.

LockBit: In development since at least September 2019, LockBit is available as a RaaS and is advertised to Russian-speaking users or English speakers with a Russian-speaking guarantor. In May 2020, an affiliate operating LockBit posted a threat to leak data on a popular Russian-language criminal forum.

Combating RaaS:

Addressing the issue of Ransomware as a Service (RaaS) requires a multi-faceted approach involving various stakeholders. Here are some key solutions that may help mitigate the impact of RaaS:

1. Enhanced Cybersecurity Measures: Organizations should implement robust cybersecurity measures to protect their networks, systems, and data. This includes using up-to-date security software, regularly patching vulnerabilities, enforcing strong access controls, and conducting regular security audits and risk assessments.

2. Employee Training and Awareness: Education and training programs are vital to raise awareness among employees about the risks of ransomware and how to recognize and respond to potential threats. This includes educating them on best practices for email and web browsing, avoiding suspicious links and attachments, and reporting any suspicious activity promptly.

3. Regular Data Backups: Maintaining regular backups of critical data is essential to minimize the impact of a ransomware attack. Organizations should follow the 3-2-1 backup rule, which involves keeping at least three