The Underground Economist: Volume 4, Issue 9


Welcome back to The Underground Economist: Volume 4, Issue 9, an intelligence-focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team.

The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of May 3, 2024.

New Ransomware-as-a-Service Operation Attempts to Build Credibility

On April 24, 2024, well-regarded threat actor “rtgtgth” posted in the Russian-speaking deep and dark web (DDW) forum RAMP advertising their new Ransomware-as-a-Service (RaaS) operation, “psoglav” (translates from Russian to “dog-headed”), and their search for affiliates.

Rtgtgth claims that the service will be constantly developed based on user feedback, with a primary focus on reliable encryption. Many of the capabilities specified are typical of advanced ransomware tools: the payload is written in pure C with no external dependencies and supports lateral movement and backup deletion. Other notable features include:

  • Compatibility with all versions of the Windows operating system;
  • Fast file encryption with reliable decryption methods;
  • Disabling of processes that may interfere with the encryption process; and
  • No internet connection required to run the software.

The post further outlines the collective’s plans to never deceive their victims, stating that stolen information will always be decrypted and returned after a ransom payment is made. Extortion methods that require the victim to make additional follow-up payments are forbidden, and affiliates not adhering to these procedures will be banned from the service.

This announcement is very likely indicative of newer RaaS operations’ intent to capitalize upon a perception of discontent and distrust amongst affiliates—particularly those that have been affected by recent disruptive law enforcement (LE) activity and are seeking new malicious services with which to associate.

  • In recent months, affiliates have very likely been subjected to exit scams whereby payment was not received following successful extortion attacks. 
  • At least one recent extortion attack took place during Q1 2024 that resulted in a victim organization not being returned its stolen data upon payment of the ransom. This resulted in widespread media coverage and is likely contributing to low victim payout rates.

There is a roughly even chance that both new and existing RaaS operations will increasingly focus on creating services considered “credible” by forum moderators, ransomware and digital extortion (R&DE) affiliates, and victim organizations in an attempt to attract and retain affiliates and encourage victims to meet ransom demands.

Free Android Malware Shared in Deep and Dark Web Forum

On April 22, 2024, positive-reputation threat actor “SameditMarais” posted in the DDW forum RAMP advertising a new malware project dubbed “Brokewell.” Brokewell is alleged to be a loader capable of targeting Android versions 13, 14, and 15 by downloading malicious .apks onto victim devices.

  • An Android Package (.apk for short) is a file format used by the Android operating system for the distribution and installation of mobile applications, games, and other software; it has previously been used by threat actors to conceal malicious software and bypass security features.
  • While Android 14 was released in Q3 2023 and is almost certainly globally widespread, Android 15 is not due to be released for general use until Q4 2024. It will almost certainly be released for limited use before this, however.

SameditMarais claimed that Brokewell does not prompt the user to grant access permissions when installing .apk files from external storage, while also bypassing other accessibility restrictions that were not specified. SameditMarais also specified that Brokewell can be acquired for free, along with user instructions, from a Gitea repository. Further direct assistance is available from the threat actor’s Telegram channel. 

The advertisement claimed that further development of the loader will continue should it garner sufficient community interest. This would very likely see the tool become chargeable and continually improved.

Android malware is very likely in high demand among malicious actors in DDW forums, due primarily to the large installed base of potentially vulnerable devices and the variety of attack vectors that could be exploited against them. Compromised devices could be subject to data or identity theft, digital extortion, or performance degradation. It is very likely that Brokewell is currently underdeveloped, though it likely still poses a threat to Android devices.

New Ransomware-as-a-Service Operation Claims Innovative Features

On April 19, 2024, positive-reputation threat actor “Bezzle” announced a new RaaS operation named Apos in the Russian-speaking DDW community RAMP. Bezzle proclaims Apos is the “fastest” and “most technically advanced” product on the market.

Similar to other RaaS offerings, Apos offers a bespoke victim negotiation platform, a dedicated victim leak site, and support from Bezzle. The post claims that affiliates are able to retain 90 percent of any ransom payouts, with Bezzle taking 10 percent. While 90 percent is almost certainly higher than the average RaaS offering, this split has become more common during 2024, particularly amongst newer RaaS collectives.

  • Bezzle further specifies that any affiliate able to generate USD 1 million will be able to negotiate more favorable terms, though details are not specified. Such affiliates will also be authorized to leverage Apos infrastructure to conduct denial-of-service (DoS) attacks.

The “protection against re-encryption of already encrypted files” is also a feature rarely seen in new RaaS offerings. This is almost certainly intended to serve as a safeguard against competing R&DE operatives, as well as any other threat actors who have gained simultaneous illicit access to the victim’s network. There are numerous ways in which this could occur, with the following being the most likely:

  • The threat actor buys illicit network access from an initial access broker (IAB) in a DDW forum. In some cases, a threat actor can ensure that they are the sole buyer of the access, paying an often-premium price to ensure that the access is subsequently removed from the market. In the majority of cases, however, these sales are not limited to a single buyer, with the attack becoming a “first come, first served” opportunity.
  • A software vulnerability that enables illicit network access becomes common knowledge within DDW forums, enabling numerous R&DE affiliates to conduct attacks. However, it is very likely that the majority of these instances do not result in the same networks being targeted but, rather, in different organizations running the same vulnerable software being targeted.

It is very likely that these circumstances will arise more frequently within DDW forums over the coming months, due primarily to the instability that ensued following the disruption of both ALPHV and LockBit in Q4 2023 and Q1 2024, respectively. The cessation of their operations is almost certain to have led to the increasing number of active R&DE collectives observed by ZeroFox and to growing competition between both RaaS offerings and affiliates caused by an increasingly fragmented R&DE ecosystem.

It is very likely that RaaS operators anticipate a void in the R&DE marketplace where ALPHV—and to a lesser extent LockBit, which continues to conduct limited activity—used to dominate. RaaS offerings are very likely to become increasingly competitive during 2024 as a result, with collectives offering affiliates more software features, better technical support and digital infrastructure, and higher payouts and loyalty incentives. At the time of writing this report, ZeroFox has observed no Indicators of Compromise (IoCs) associated with Apos ransomware.

ZeroFox Intelligence Recommendations

  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege. 
  • Implement network segmentation to separate resources by sensitivity and/or function. 
  • Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently. 
  • Develop a comprehensive incident response strategy.
  • Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
  • Deploy a holistic patch management process and ensure all IT assets are updated with the latest software updates as quickly as possible. 
  • Proactively monitor for compromised accounts being brokered in DDW forums. 
  • Configure ongoing monitoring for Compromised Account Credentials.

Learn More about the Authors Behind The Underground Economist

The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you.

Tags: Dark Ops, Deep & Dark Web, Ransomware