Posted on Jul 5, 2021
Gang behind huge cyber-attack demands $70m in Bitcoin
583
14
4
5
5
0
Posted >1 y ago
Responses: 4
Ransomware as a Service (RaaS)
UNLCASS/OPEN DISCUSSION based on recent NEWS/OSINT. Know HOW the adversary is TARGETING US (Critical Infrastructure) Private organizations.
'It's just business' (Darkside, Russian APT Criminal motive group, 2021). <Observation - Darkside's similar TTPs and shared characteristics indicate the APT group is a 'faction' or affiliate of REvil>.
SEC 10Q/10K/8K/14A/etc. filings provide an unlimited dynamic source of businesses intelligence used by adversaries (threats) to target organizations based on their financial, policy (liability), and cyber posture (executive C-Suite perspectives, not just the 'technical' cybersecurity).
Take Z****, for example. A RaaS threat actor/group currently leverages open-source business intelligence to assess strategic risk in EBITDA terms like any corporate adversary in the 'cyber' industry.
Google search results:
• 10K "z****" site:*.sec.gov, or 14A "z***2020" site:*.sec.gov
o 2020 Proxy Summary
▪ "cash and cash equivalents" or just "cash"
• 'The Company has continued to enhance its capital structure and liquidity with cash on the balance sheet at December 29, 2019, of $172.6 million,'
• APT targeted ransomware yield from Z**** $1,726,000 (calculated 1% of cash),
o Is it worth it to pursue target?
• Preliminary recon. hXXps://pentest-tools.com/website-vulnerability-scanning/website-scanner#
o +more prelim, low cost, fast TTPs
RaaS collection managers would still find >$1.7 million ransom or ransom/extortion hybrid attractive. Still, Z**** being a US DIB (and CMMC C3PAO) contractor, may make the effort more costly over 'softer targets' available. The business decision would result in a 'big player' (ex. Darkside, REvil) kicking this business intelligence package down to a RaaS affiliate for action, where under the RaaS model, both parties split the proceeds.
Recommend **Don't just think 'technical security perimeter' and assume a 'reactive' posture (as many SOC/CISSP/CISOs are used to). Google the terms; 'Fusion' 'CRISC' 'BISO' and 'EBITDA', and the '5W's + H' starting analysis with WHO (APT), not just WHAT (malware, the ransomware). 'SOCs to Fusion Operations' (Carnegie Mellon SEI, 2019).
UNLCASS/OPEN DISCUSSION based on recent NEWS/OSINT. Know HOW the adversary is TARGETING US (Critical Infrastructure) Private organizations.
'It's just business' (Darkside, Russian APT Criminal motive group, 2021). <Observation - Darkside's similar TTPs and shared characteristics indicate the APT group is a 'faction' or affiliate of REvil>.
SEC 10Q/10K/8K/14A/etc. filings provide an unlimited dynamic source of businesses intelligence used by adversaries (threats) to target organizations based on their financial, policy (liability), and cyber posture (executive C-Suite perspectives, not just the 'technical' cybersecurity).
Take Z****, for example. A RaaS threat actor/group currently leverages open-source business intelligence to assess strategic risk in EBITDA terms like any corporate adversary in the 'cyber' industry.
Google search results:
• 10K "z****" site:*.sec.gov, or 14A "z***2020" site:*.sec.gov
o 2020 Proxy Summary
▪ "cash and cash equivalents" or just "cash"
• 'The Company has continued to enhance its capital structure and liquidity with cash on the balance sheet at December 29, 2019, of $172.6 million,'
• APT targeted ransomware yield from Z**** $1,726,000 (calculated 1% of cash),
o Is it worth it to pursue target?
• Preliminary recon. hXXps://pentest-tools.com/website-vulnerability-scanning/website-scanner#
o +more prelim, low cost, fast TTPs
RaaS collection managers would still find >$1.7 million ransom or ransom/extortion hybrid attractive. Still, Z**** being a US DIB (and CMMC C3PAO) contractor, may make the effort more costly over 'softer targets' available. The business decision would result in a 'big player' (ex. Darkside, REvil) kicking this business intelligence package down to a RaaS affiliate for action, where under the RaaS model, both parties split the proceeds.
Recommend **Don't just think 'technical security perimeter' and assume a 'reactive' posture (as many SOC/CISSP/CISOs are used to). Google the terms; 'Fusion' 'CRISC' 'BISO' and 'EBITDA', and the '5W's + H' starting analysis with WHO (APT), not just WHAT (malware, the ransomware). 'SOCs to Fusion Operations' (Carnegie Mellon SEI, 2019).
(1)
(0)
Read This Next