Inside the hackers’ supermarket part 3: Malware

In the third in this series exploring the cybercrime tools for sale or hire on the dark web we take a look at how easy it is to buy malware and the rise in ransomware kits.

By Andy McCue

Tue 17 Oct 2017 @ 14:42

As we’ve explored in part 1 (botnets) and part 2 (zero day exploits) in this hackers’ supermarket series, the dark web has facilitated the growth and spread of so-called cybercrime-as-a-service, enabling inexperienced people to purchase ready-to-use tools relatively cheaply to launch various types of attacks on individuals and organisations.

Once upon a time, malware required a solid understanding of coding, systems and vulnerabilities to create effective viruses, worms and Trojans, usually by either well-resourced criminal gangs or skilled individuals. Today, anyone who is able to access and navigate the dark web can buy a whole range of malware tools for anything from a few dollars to thousands of dollars. These malware kits include keyloggers, remote access Trojans, remote administration tools and information stealers. These tools can also come with training and support offerings and detailed step-by-step instructions for infection and spreading the malware.

The takedown of AlphaBay and Hansa, two of the largest criminal dark web markets, in July by cross-border law enforcement operations dealt something of a blow to the underground criminal economy, but new markets are always emerging as the criminals try to keep one step ahead.

By far the biggest area of growth in malware recently has been in ransomware. There has been a 300 per cent rise in ransomware attacks since 2015, with more than 4,000 per day in 2016, according to the FBI.

This summer, the WannaCry ransomware epidemic hit major organisations around the world, including Telefonica in Spain, FedEx in the United States and large parts of the NHS in the UK. The malware used a backdoor into systems to encrypt files and data, then requested the equivalent of $300 to $600 to unlock them. It’s a lucrative and effective business for the criminals, and the tools to launch these ransomware attacks are increasingly available for sale if you know where to find them.

Last year, for example, a malware expert discovered the Hall of Ransom dark web site selling the Locky ransomware for $3,000 and the Goliath ransomware for $2,100. Even Macs are becoming a target with the MacSpy and MacRansom malware for attacking Mac computers being offered for sale with future support through portals on the dark web.

European Union law enforcement agency Europol has just published its 2017 Internet Organised Crime Threat Assessment, which says ransomware has now eclipsed most other cyber threats, with global campaigns indiscriminately affecting victims across multiple industries and potentially endangering lives through attacks targeted at critical national infrastructure.

Europol’s executive director Rob Wainwright said: "The global impact of huge cybersecurity events such as the WannaCry ransomware epidemic has taken the threat from cybercrime to another level. Banks and other major businesses are now targeted on a scale not seen before and, while Europol and its partners in policing and industry have enjoyed success in disrupting major criminal syndicates operating online, the collective response is still not good enough. In particular people and companies everywhere must do more to better protect themselves."

Despite the proliferation of these malware tools for sale, many of these attacks are preventable. They highlight the role of poor digital hygiene standards and security practices can allow these threats to spread quickly and cause damage.

Educating staff about security and helping them to spot increasingly professional phishing emails that contain malware is vital. As is a robust approach to patching systems, because malware and ransomware – including WannaCry – often target known vulnerabilities for which patches are available. Organisations also need to focus on detection and response through security intelligence and security information and event management for when malware inevitably does get through.