In a transition researchers consider to be a major improvement for cybercriminals who operate in the dark web, Everest ransomware has stepped up its efforts to direct employees into purchasing access to corporate networks directly from them.
Earlier this week, Everest said in a post at the top of its dark web victim blog that it would pay a "good percentage" of the profits generated from successful attacks to anyone who assisted in assisting in Everest's initial hack.
As a result of these commitments, the group is making an extra effort to be transparent regarding the nature of every operation, as well as maintaining confidentiality about the role each partner played in these operations.
Specifically, Everest is interested in providing access to organizations located in the US, Canada, and Europe.
The company would accept remote access to these organizations using a variety of methods, such as TeamViewer, AnyDesk, and RDP.
Upon looking at the message, it is similar to the one it published in July. Around the same time, researchers suggested that the ransomware game might be dead in the water and the company was dropping the ransomware altogether.
The IAB first became active in 2021, but activity has been rising since November 2022 with a greater level of IAB activity than that of previous years.
It has become very commonplace for internationally coordinated gangs of ransomware gangs to be busted to avoid being the next target. Everest could aim to avoid becoming the next victim.
Researchers say that BreachForums, which was closed earlier this year, may be trying to sell its access as part of a new business model, to take advantage of its fame as an established ransomware force as part of its campaign.
According to researchers, around the same time it published its first message, it seemed to be indicating it might be exiting the ransomware game entirely.
The message appears to be the same as the one it posted back in July.
According to Searchlight Cyber, over the past few months, there have been several signs that the ransomware group was moving toward being an initial access broker (IAB), which is an "extremely rare" move.
As of November 2022, it has shown increased IAB activity compared to the initial act of acting as an IAB that occurred in 2021. Ransomware criminals often hire IAB groups as a means of transferring access to organizations' networks, sometimes to more than one group at the same time, which makes it simpler for ransomware to be deployed.
It's not completely understood why a ransomware group might move to the IAB rather than a ransomware group, resulting in a less lucrative business, and the reasons for this are not fully understood but have been speculated to include evading law enforcement in addition to losing members of the team.
There is an increasing trend of international coordinated attacks by ransomware gangs that are becoming more and more common, and Everest may be trying to avoid becoming the next Hive or REvil. Researchers have indicated that BreachForums could also be trying to sell its access as part of a new business model to take advantage of its reputation as an established ransomware force.
In the past few years, cybercriminal groups, such as LockBit, have adopted the tactic of exploiting disgruntled employees or otherwise rebellious employees, which is not new. In a survey conducted by Pulse and Bravura Security in 2022, 65 per cent of corporate executives were interviewed directly by ransomware criminals to help facilitate access to their employers' networks, according to a report by Pulse and Bravura Security.
Promises of large payouts are frequently made to professionals who are willing to facilitate access for the thieves or even go as far as deploying the ransomware themselves. This tactic is used to entice individuals into participating in cybercrime activities.
Interestingly, an investigation conducted by Abnormal Security in 2021 shed light on one specific case involving the Demonware gang. It was discovered that this group offered a staggering 40 per cent of the total proceeds from a successful attack as compensation for anyone who would deploy their ransomware.
In an intriguing turn of events, the researchers at Abnormal Security were approached by someone claiming to be a member of the Demonware gang. This individual, who had adopted a fake persona, made an enticing offer of $1 million in Bitcoin. The catch? The researchers were expected to successfully ransom an organization for a whopping $2.5 million. It's fascinating to see how cybercriminals are willing to go to such lengths to entice others into their illegal activities.