Ransomware: The rise of Misfortune 500 businesses

Far too many executives and employees think ransomware is a nuisance delivered via an obviously fake phishing email. This misconception leaves companies exposed to attack. Ransomware has become a commodity threat that fosters new tools and technologies, skills and expertise, and reputations carrying menacing “street cred.” Unfortunately, the technology is sold as a service, skills and expertise are leased across criminal organizations, and reputations now ensure victim firms pay six- or seven-figure ransoms.

Misfortune 500

We’ve witnessed the rise of “Misfortune 500” organizations in the criminal world. Each organization specializes in various aspects of cyberattacks: creating phishing lures, credential harvesting, initial intrusion, data theft, malware crafting, fencing of stolen information or crypto-laundering, etc. Some operators are small-time independents, while others work in loose allegiances. More advanced gangs are funded by nation states, and others are ignored with the unspoken understanding that, when the time comes and they are called upon, they will do the bidding of their state.

We know their names: Maze, REvil, Ryuk and so on. According to the CrowdStrike 2020 Global Threat Report, these ransomware gangs earned over $80 million in ransoms. Their success is based on a business model in which these ransomware developers sell access to their technology through a partnership program that splits profits per attack between the developers and the distributors. This business model is not limited to ransomware; it applies to all stages of a cyberattack.

In 2019, another gang, PINCHY SPIDER, advertised its intention to partner with individuals skilled in remote desktop protocol (RDP) and other remote network administration tools and with spammers experienced in corporate networking. The report also highlights the developers of TrickBot, who offer customized modules with government or business themes to identify victims of interest, steal SMS messages containing two-factor authentication (2FA) tokens and broker other exploitation tools.

And this business model is lucrative. A VMware Carbon Black report on global incident responses measures ransomware-as-a-service (RaaS) as a…