[BreachExchange] Shifting Strategies: ShinyHunters and Known Cyber Threat Actors Change Tactics

Destry Winant destry at riskbasedsecurity.com
Wed Apr 21 10:35:28 EDT 2021


https://www.riskbasedsecurity.com/2021/04/21/shifting-strategies-shinyhunters-and-known-cyber-threat-actors-change-tactics/

Successful criminals are known to change their tools, tactics, or targets
frequently to ensure the highest payout. They are also keen observers of
other criminal enterprises. So when a novel, more lucrative strategy is
discovered, it is often duplicated and rapidly incorporated into other
criminal schemes. The same can be seen with cyber criminals and the vast
network of e-crime.

Ransomware is a notorious extortion tactic, exploding in recent years to
encompass both data theft and encryption components. Though its
predecessors first garnered attention in 2012, it has recently surged in
popularity.

And the reason is clear: it works.

Ransomware “teams” or threat actor groups have formed steadily, some even
evolving into ransomware as a service. Payouts have also increased, with
average payouts growing exponentially and some even going as high as $15
million.

ShinyHunters Hops on the Bandwagon

Now some hackers, even those previously successful with other methods, are
experimenting with extortion schemes as well.

ShinyHunters, one of the most prolific and notorious hackers of 2020, was
responsible for compromising over 550 million users’ credentials just last
year. The threat actor continuously profited from hacking and selling
databases in private sales. A majority of the threat actor’s most
significant hacks eventually reached dark web forums after being leaked or
resold, with many companies discovering they had been breached only after
the database had become public.

Beyond their own exploits, ShinyHunters has also been known to share
compromised databases to undercut other database sellers, whether they were
the ones responsible for the attack or not.

In an interesting turn of events after a brief absence from a popular dark
web hacking forum, ShinyHunters posted a partial database with a rare
message on March 22, 2021:

“If Medlife doesn’t contact us, full DB will be posted”

ShinyHunters

This is the first time that ShinyHunters posted a partial database or sent
an extortion message. The threat apparently worked, since as of March 23,
2021, the respective thread had been deleted.

Whether a ransom was paid, how much it was, or if Medlife truly contacted
the threat actor has yet to be determined. However, a threat actor of this
caliber switching to ransom methods is certainly of great significance.

ShinyHunters Confirms the Shift to Extortion Tactics

ShinyHunters then posted once more on a popular dark web hacking forum. The
threat actor shared a small sample allegedly compromised from the Indian
company Upstox, after failing to contact the company. After the data was
posted, ShinyHunters stated they soon entered negotiations with the company
and removed all data samples.

While responding to another user on the dark web hacking forum ShinyHunters
confirmed their current shift to extortion campaigns, claiming that they
are attempting to extort American companies and hold their data for ransom:

“You really think I’m going to leak USA when I can extort them? I don’t
give a single f*** about your needs. The only reason I leak India is
because they never answer and I just want them to realize how screwed they
really are.”

ShinyHunters

A Powerful Platform

Similar to posting on a popular hacking forum, many ransomware teams or
operators leverage a personalized website on the dark web where they share
victim data and information. It is used to pressure organizations to pay,
to show proof of data, and to build a reputation.

Data is typically posted after a company refuses to pay a ransom, or leaked
in parts during negotiations, and ransomware operators have historically
only leaked data pilfered via their own operations.

In another curious twist, in February 2021 the Clop ransomware team started
posting data from the now infamous Accellion attacks on their ransomware
name-and-shame website. While the Clop threat actors seem to be linked to
these breaches, the Clop ransomware itself was not actually deployed.

Why it was not deployed is yet to be determined, but it is clear the
hackers understand the powerful platform that they have created, and its
ability to pressure organizations:

These leak site platforms are a novel breakthrough for e-criminals,
apparently more powerful than the ransomware itself in some cases. With
this in mind, we might witness more threat actors partnering with
ransomware operators, or operators relying more on their websites.

A Simple Fad or a Future Trend?

These new developments certainly beg the question, is this a signal for
what’s to come? Will ransomware operators continue to find ways to leverage
the powerful and highly public extortion platform that they have created?

As the world continues to pay greater attention to ransomware, and more
high-profile organizations succumb to ransomware, the pressure these
platforms create can greatly increase.

Given the growing payouts, will individual hackers resort to ransoming
companies as opposed to selling the data on the dark web?

For hackers, it appears to be simple math. If ransomware payouts continue
to grow, as they clearly have been, the potential return can easily dwarf
what will be paid for stolen data on the black market. We might be heading
to an even higher increase in ransom cases – not only by ransomware
operators, but by lone wolves too.

Protect Yourself and Your Data

Our research has shown that ransomware attacks have already jumped by 100%
compared to 2019, and as 2021 continues, these attacks won’t stop.
Organizations need to make sure that they are properly safeguarding
sensitive data. There are many ways a threat actor can get into vulnerable
systems, so it is important to have the most detailed data breach
intelligence.

Cyber Risk Analytics (CRA) is the standard for actionable data breach
intelligence, risk ratings and supply chain monitoring. It is the most
comprehensive source of data breaches occurring worldwide with each entry
having up to 68 attributes of rich metadata.

With CRA, organizations can reduce the likelihood of unauthorized access
from password reuse by monitoring domains for leaked credentials. It also
allows organizations to continually monitor their vendors and perform due
diligence. As data breach events continue to rise, don’t let security gaps
of other organizations affect you.

Learn More <https://pages.riskbasedsecurity.com/cyber-risk-analytics>