The number of hacker groups that entrust hacking to 'subcontractors' is increasing rapidly

Security specialist Brian Krebs has reported a surge in criminal groups hiring 'subcontractors' to take charge of the hacking work behind ransomware attacks.

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work — Krebs on Security

Partners in crime: North Koreans and elite Russian-speaking cybercriminals | Intel 471

Ransomware is a type of malware that restricts access to infected PCs and demands money in exchange for lifting the restrictions. Some ransomware activates immediately after infection via spam email and takes control of the PC, while other variants remain hidden until the attackers have used the infected PC to take control of the entire network to which it is connected.

Criminal groups that deploy latent ransomware of the latter kind use the first infected PC as a foothold to infiltrate the administrator's PC and the backup system, preparing to cause as much damage as possible, and only then lock the systems down. Reaching the administrator's PC requires more advanced 'hacking work', such as breaking through the security protections on that machine.

According to Krebs, this hacking process requires a lot of effort and can take months or longer. As a result, the number of criminal groups that outsource the hacking work to 'subcontractors' has been rising rapidly in recent years.

One of the best-known criminal actors that subcontracts part of this hacking work is Dr. Samuil, a well-known name on a Russian cybercrime forum. Dr. Samuil periodically recruits subcontractors for hacking work on the forum, posting job advertisements like the following.

・ Experienced with cloud storage and VMware ESXi
・ Experienced with Active Directory
・ Able to perform privilege escalation attacks from accounts with limited privileges

Judging from the job advertisement, Dr. Samuil has accurate information about how much money a target company could be made to pay in a ransomware attack, and is believed to already have access to the company's financial data.

In an independent investigation, Krebs also found that the identity behind Dr. Samuil is 'Ruskod Networks Solutions', which operates 'MultiVPN', a VPN service that anonymizes traffic via servers around the world and is heavily used by cybercriminals. Although MultiVPN claims to be based in tax havens such as Belize and the Republic of Seychelles, a WHOIS search reveals that the Ruskod Networks Solutions domain was registered by a Russian named 'Sergey Rakityansky'.

A former partner who parted ways with Dr. Samuil told Krebs that Sergey Rakityansky is Dr. Samuil's true identity and that he lives in Bryansk, southwest of Moscow.

In connection with this case, Mark Arena, CEO of security company Intel 471, also pointed out that 'many cybercriminal groups hire subcontractors, and many methods of unauthorized access to specific companies are being bought and sold.' Citing as supporting evidence the links between the North Korea-backed hacker group 'Lazarus' and cybercrime groups in Eastern Europe, and the fact that the malware 'TrickBot', which appears to have been created by Lazarus, is distributed in the Russian-speaking world, he argues that a 'cybercrime ecosystem' has formed in which hacking services and products are exchanged among cybercriminals.

North Korea 'Lazarus' conspires with Eastern European cybercriminal groups = report | Reuters

in Security, Posted by darkhorse_log