Cybereason Blog | Cybersecurity News and Analysis

What is the Dark Web Ransomware Marketplace?

Written by Anthony M. Freed | Oct 19, 2021 1:08:21 PM

Editor's Note: Unlock the knowledge, resources and expert guidance you need to successfully prevent ransomware attacks from impacting your organization’s operations with this complimentary Ransomware Toolkit...

The theme for Week 3 of Cybersecurity Awareness Month 2021 is “Explore. Experience. Share.” It’s also Cybersecurity Career Awareness Week. The purpose of the theme is to highlight all the many contributions that people in cybersecurity roles can make to society through their work.

One of the ways that cybersecurity people can benefit society is by investigating ransomware actors’ use of the dark web. We’ll explore how these malicious actors use the dark web later in this article. But first, let’s contextualize the dark web itself.

What Is the Dark Web?

To understand the dark web, it’s important to understand the difference between what’s known as the “surface web” and the “deep web.” The former is what we all know to be the part of the Internet that’s accessible through major search engines. Netflix, Facebook, and anything that pops up on a Google search results page falls into this category.

The surface web makes up only about 0.03% of the Internet, however. The rest sits on the deep web, or the part of the Internet not indexed by search engines like Google. Per Encyclopedia Britannica, the deep web includes benign sites like users’ password-protected email accounts and other web pages accessible only via an online form. It also includes other resources that owners have intentionally prevented web crawlers from indexing.

The dark web falls into that last category. It’s a part of the deep web that visitors can’t access without the help of a special browser known as The Onion Router (or TOR). People can use the dark web for legitimate purposes such as joining a chess club and creating a channel for private communication, notes CSO. Alternatively, they can use it for nefarious purposes.

At least some of that activity takes place on dark web marketplaces (or “dark markets”). According to Nature, dark markets are places where members can trade in illicit goods such as drugs and weapons. In this capacity, these marketplaces enable digital attackers to connect with one another anonymously so that they can buy and sell stolen credit card information, for example, or offer access to a new phishing-as-a-service kit.

Transactions usually involve bitcoin or another cryptocurrency as the form of payment. This is by design, to help conceal the identities of whoever is involved in a given transaction.

Ransomware Services on the Dark Web

When it comes to ransomware, members of dark markets commonly promote Ransomware-as-a-Service (RaaS) operations. Cybersecurity Ventures clarified that malicious actors post ads highlighting different ransomware kits and their varying levels of service. One ad might mention a discounted bundle of multiple digital crime kits, for example. Another might display the positive user reviews of one RaaS operation only.

Popularity, functionality, and bundled items are just some of the factors that influence the cost of a ransomware offering. CPO Magazine wrote that some ransomware operations sell or rent out access for as little as $5. By contrast, more established strains can go for $100 or more.

In the context of these dark market ads, ransomware developers have traditionally sought to recruit affiliates to their RaaS schemes. But that changed after the Colonial Pipeline attack. As reported by KrebsOnSecurity at the time, the administrators of the Russian digital crime forum XSS banned individuals from discussing ransomware around the same time that the DarkSide ransomware affiliate program went offline. Two other digital crime forums followed suit shortly thereafter, as pointed out by The Record.

Some ransomware actors have consequently shifted their tactics so that they can continue to engage dark markets. In particular, Flashpoint has witnessed a shift towards advertising for and working with initial access brokers (IABs) on dark markets. This change lets ransomware actors quietly advertise their activities on the dark web. It also lets them focus on honing their malware payloads instead of needing to worry about gaining access to their targets’ networks.

The Cybereason Advantage Over Ransomware

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion.

The Cybereason Operation-Centric approach provides the ability to detect ransomware attacks earlier based on rare or advantageous chains of malicious behavior. This is why Cybereason is undefeated in the battle against ransomware and delivers the best prevention, detection, and response capabilities on the market.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.