Tomcat
Elena Shamshina, head of the cyber intelligence department at F.A.C.C.T., explained in an interview with the Cyber Media portal how the cybercrime market works.
Key trends are:
Development of a service model of cybercrime
The main driver of ransomware is the RaaS (Ransomware as a Service) model. This is a popular affiliate scheme in which malware owners rent it out for a percentage of the ransoms received.
However, most of the ransomware detected today in Russia and the CIS does not operate under RaaS schemes.
In addition to ransomware, a similar concept is used to sell other types of malware:
MaaS - Malware-as-a-Service.
PhaaS - Phishing-as-a-Service.
DaaS - DDoS-as-a-service.
Adaptation of legal business mechanics
Small projects - stealers, phishing kits - are actively promoted in Telegram channels. Teams can include designers, marketers and social media (SMM) specialists.
Sometimes malware owners run promotions for customers, tying discounts to holiday sales such as New Year or Black Friday.
Sellers/suppliers value their reputation. They link to articles about their services, including research from information security vendors. Some attackers even give interviews to moderators of underground forums.
Guarantor services and arbitrations
“Trustworthy” attackers work through a guarantor service provided by an underground forum. This is a third party that stands between the buyer and the malware supplier so that they cannot deceive each other.
Arbitration is widespread on underground forums - a process in which controversial situations, usually of a financial nature, are resolved with the help of forum moderators.
Elena Shamshina, head of the cyber intelligence department at FACCT, told the Cyber Media portal about how the cybercrime market works, the specifics of recruiting for blackhat projects and the development of service models for committing crimes (Malware-as-a-Service).
Cyber Media: In recent years, the service model of cybercrime has been gaining popularity, the clearest example being RaaS. How do such panels work, how common are they, what related services do they offer?
Elena Shamshina: RaaS stands for “Ransomware as a Service”. This is an affiliate scheme in which the owner provides a malicious program for encrypting computer networks (that is, the ransomware itself), and the “partner,” in exchange for the opportunity to use the ransomware, undertakes to pay a percentage of the ransoms received as a result of the attacks. In some cases, RaaS affiliate programs actually provide access to an administrative panel, where participants can generate ransomware files with certain parameters, specify information about victims, and add other users to the panel.
Sometimes, in addition to the ransomware, members of the group are provided with additional tools and services, such as experienced negotiators (to negotiate the ransom amount with the victim), additional software to, for example, download data from the victim’s network.
Currently, RaaS schemes are quite widespread, since ransomware represents a lucrative business area in the field of cybercrime. But affiliate programs differ from each other. Some look for participants openly by posting advertisements on forums. Others are more closed: they recruit a team from private sources and do not advertise their activities much.
By the way, on most Russian-language underground forums the rules state that the activities of attackers, including within the framework of RaaS models, should not affect Russia and the CIS countries. Therefore, the majority of ransomware currently detected in Russia and the CIS does not operate under RaaS schemes.
In addition to ransomware, a similar concept is used to sell other types of malicious software: in general, this is called MaaS - Malware-as-a-Service. There are also such concepts as PhaaS - Phishing-as-a-Service and DaaS - DDoS-as-a-Service.
Cyber Media: How do cybercriminals use the experience of developing and promoting legal businesses in their projects? What tools or techniques are used?
Elena Shamshina: Small projects (“simple” malicious software, such as stealers, as well as phishing kits) are actively promoted in Telegram channels. They have colorful advertisements, so they probably have designers, marketers, and sometimes social media (SMM) specialists in their teams. They write advertisements in different languages, targeting different audiences.
Sometimes they offer promotions with discounts for customers - often, as in legal businesses, tying discounts to the New Year or Black Friday.
Just like in a legitimate business, sellers/suppliers on the dark web value their reputation. Sometimes, as an advertisement, they may show off articles describing their “service” if they have one. In the case of ransomware, this could be research from information security vendors. Some attackers even give interviews themselves to journalists or moderators of underground forums.
Cyber Media: A large project built on a service model requires the involvement of a large number of people - from developers and technical support, to marketers and accountants. How do such cybercrime projects ensure their security? Do cybercriminals have their own “information security service”?
Elena Shamshina: We do not have enough information to say that all major criminal projects have an “information security service.” Perhaps some do. It must be understood that this requires additional financial costs; therefore, according to our assumption, the basic verification is carried out by those who hire people - they read the user’s other messages (if it is a forum) and study the user’s reputation. We assume that participants can get involved in large projects through acquaintances if they have previously worked with each other.
In some cases, we have seen that when searching for partners, attackers target users with old registrations, which is already an indicator of the “quality” of the attacker and that this is not a researcher who wants to get more information.
Also, one of the criteria for a “trustworthy” partner in the underground world is the fact that they have funds on deposit with the forum.
And of course, “trustworthy” attackers are always ready to work through the guarantor service provided by the underground forum. This is a third party that stands between the “buyer” and the “supplier” of the product/service, so they cannot deceive each other.
On underground forums, “arbitration” is widespread - a process in which controversial situations, usually of a financial nature, are resolved with the help of forum moderators. Disputes between ransomware affiliate program owners and partners are not uncommon.
Cyber Media: How often do new services appear on the cybercrime market? What unusual or interesting proposals have you encountered in your practice?
Elena Shamshina: The emergence of new types of services is usually due to the emergence of new technologies and trends in the IT world. For example, when new social networks appear, fraud/attack schemes for these new platforms begin to appear very quickly.
The recent spread of artificial intelligence technologies has also affected the shadow business. For example, an interesting new offering was WormGPT, a project that its creator positioned as a chatbot for hackers. It was released in July 2023 on underground forums and was also advertised on Telegram. However, already in August 2023, the author announced the closure of the project due to increased negative attention from the media.
Fragment of the message about the closure of the project:
«Today, the five of us, who are responsible for WormGPT, have come together and decided to put an end to the project, letting go of everything we believed in and distancing ourselves a bit from a society that opposes freedom of expression and code.
Thank you to all who believed in the project, to those who contributed to its growth, and above all, thanks to the members of Hackforums for providing us the strength to carry on its development. Regrettably, the world is not yet prepared to coexist with a tool of such vast freedom.»
Cyber Media: Several of the most prominent hacker forums are on the dark web. One of them, BreachForums, was closed not long ago. How does the closure of large forums affect the world of cybercrime, and how effective are such measures?
Elena Shamshina: Similar events occur in the underground world quite often. BreachForums is not the first famous forum to be closed; before it, the very famous Raidforums suffered a similar fate.
Usually, after some time, a “replacement” appears in the form of a new site. So such a measure does not put an end to criminal activity, but it is true that criminals need time to re-establish their process. Also, if hacker forums are closed as a result of law enforcement operations, this may be accompanied by arrests of participants, which is undoubtedly a more significant measure in the fight against cybercrime.
(c) https://securitymedia.org/articles/...upnykh-uslug-obychno-obuslovleno-poyavle.html
Elena Shamshina, FACCT: The emergence of new types of cybercrime services is usually due to the emergence of new technologies and trends in the IT world