The adage "teamwork makes the dream work" applies to cybercriminals as well. To launch more successful cyberattacks, malicious actors with different specialized skills have banded together to form Cybercrime as a Service (CaaS).
We're now seeing individuals and groups specialize in distinct parts of the attack lifecycle. This means we should expect fewer of the mistakes that lead to detections, and we should expect multiple groups operating inside the same infected network.
Within CaaS there are five types of cybercrime groups:
- Access as a Service (AaaS)
- Ransomware as a Service (RaaS)
- Bulletproof Hosting
- Crowdsourcing
- Phishing as a Service
From an incident response perspective, this means responders will have to identify several different groups, each completing a specific stage of the overall attack, which makes attacks tougher to detect and stop. Identifying the commonly used tactics, techniques, and procedures (TTPs) can help CISOs and security leaders strengthen their cybersecurity strategy and minimize risk.
Types of Cyber Crime Groups
Trend Micro Research analyzed Access as a Service (AaaS), a service offering in the criminal underground whereby malicious actors sell access into business networks.
AaaS is composed of individuals and groups that use numerous methods to obtain remote access into an organization’s network. There are three types of AaaS sellers:
- Opportunistic actors who noticed a demand and decided to turn a profit.
- Dedicated sellers, whose full-time job is gaining and selling access. They even market their services and leverage their extensive network to make sales.
- Online shops, which typically only guarantee access to a single machine, not a network or corporation.
Groups that specialize in gaining access to networks and then deliberately selling it to others are more worrisome, as their access is usually solid and assures their buyers that they can deliver their service. Both opportunistic and dedicated AaaS actors can be troublesome, but the latter is certainly the group that will trouble more organizations, because attributing the initial attacker becomes far more complex.
Read more: Organized Cyber Crime Cases: What CISOs Need to Know
Credited as one of the reasons ransomware attacks continue to increase, RaaS has enabled less-skilled hackers to launch costly attacks on large organizations – like SolarWinds – by providing the necessary tools and techniques.
This newfound accessibility has led to a dramatic 63.2% increase in RaaS extortion groups in the first quarter of 2022. Trend Micro's 2023 Midyear Cybersecurity Report found 14 new ransomware families in the first half of 2023, four more than in the second half of 2022.
Unfortunately, these new ransomware families aren't wasting any time establishing themselves as powerful adversaries. Rhysida, which has been active since May 2023, was deemed a "significant threat to the healthcare sector" by the US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3).
In the first six months of 2022, LockBit, Conti, and Blackhat were the most prominent RaaS threat actors, but new ransomware families like Black Basta and SolidBit are growing. Trend Micro has noticed a changing of the guard, with Locky, Gorf, and Cerber being the top three detected ransomware families in the first six months of 2023.
Trend Micro’s Eric Skinner, VP of market strategy, and Chris Lafleur, Sr. global incident response program manager, discuss the new Rhysida ransomware attack on the healthcare sector and remediation strategies for organizations.
Read more: How to Prevent Ransomware as a Service (RaaS) Attacks
Reliable web hosting services that can withstand abuse complaints and law enforcement takedown requests are critical to keeping a cybercriminal operation running smoothly and covertly. Bulletproof hosting services are essentially leased hideouts where malicious actors can store files or even the malware necessary for their attack campaigns.
Void Griffin offered its first fast-flux bulletproof hosting service in 2015 and has been home to many different APT groups and prominent malware families since.
Read more: Looking into The Void: Probing a Top Bulletproof Hosting Service
Cybercriminals have turned to crowdsourcing their offensive research and development to find new attack methods. This relatively new type of cyber crime has increased over the last two years: Trend Micro Research observed an uptick in malware actors holding public contests in the criminal underground to find new, creative attack methods.
Some contests seek talent (like The Voice or American Idol), but these are rarer. Most contests seek knowledge: they look for technical articles on new attack techniques, vulnerabilities, and so on. And yes, a prize, or even several, is awarded to the best or most innovative technical proposal. More often than not, the requests are generic rather than limited to a specific domain.
Trend Micro Research anticipates an increase in the number of crowdsourcing competitions, which in turn will accelerate criminal innovation. Such evolutions do not need to be major; small tactical wins can allow criminals to bypass current defenses.
Read more: From Bounty to Exploit: Cybercriminals Use Crowdsourcing for New Attacks
According to Verizon, 78% of organizations experienced email-based ransomware attacks in 2021. Not only is phishing common, it is also costly: email-based attacks cost large enterprises almost $15 million USD annually.
Like RaaS or AaaS, this service model allows anyone with even entry-level knowledge of the cybersecurity landscape to deploy a phishing attack. Cybercriminals act as a service provider on behalf of others in exchange for payment and/or a portion of a ransomware payout.
Wannabe scammers can also purchase a phishing kit, which includes the capabilities and tools required to launch an attack, such as email templates, spoofed website templates, contact lists of potential targets, and so on.
Read more: Phishing as a Service Stimulates Cybercrime
Cybersecurity Defense Strategies
So, how can you address the different types of cyber crime groups? Unfortunately, enterprises can't jump into the cybercriminal underground and stop crowdsourcing. But they can work to prevent or limit the scope of the outcome by implementing a cybersecurity defense strategy that focuses on detecting and preventing the initial access breach.
The earlier you can detect the initial access stage of an attack, the more likely you are to prevent the later components of the attack lifecycle, such as ransomware deployment, from occurring. Here are other components to consider when creating an effective security strategy:
1. Partner with a security vendor that leverages global threat research to constantly monitor public breaches and bulletproof hosting services in the criminal underground. This ensures your solutions are optimized to defend against the latest threats. Additionally, by proactively locating and blocking the bulletproof hosting infrastructure, defenders can block attacks in the earlier stages of the kill chain.
2. Follow a zero trust approach to network security by implementing a SASE architecture. SASE is composed of Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB) capabilities to strengthen protection and control across the attack surface.
3. Establish an incident response (IR) playbook to surface any security gaps. Make sure your IR teams or vendor understand the multi-attacker scenario and know where to focus their efforts.
4. Establish a strong patch management strategy to limit the scope of exploits. This should include identifying the most relevant patches, making a zero-day exploit plan, communicating with vendors, and utilizing virtual patching.
5. Leverage trusted cybersecurity frameworks for password best practices, like those from the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA). The Center for Internet Security (CIS) provides thorough guidance on prioritization and resource management, as well as on filling any gaps that could be exposed by attackers.
6. Use a unified cybersecurity platform with XDR capabilities to help consolidate and correlate threat activity across endpoints, cloud, networks, email, etc., for more visibility.
For more insights into types of cyber crime groups and how to strengthen your defense strategy, check out the following resources: