Shifting Strategies: ShinyHunters and Known Cyber Threat Actors Change Tactics
April 21, 2021 • RBS
Successful criminals are known to change their tools, tactics, or targets frequently to ensure the highest payout. They are also keen observers of other criminal enterprises. So when a novel, more lucrative strategy is discovered, it is often duplicated and rapidly incorporated into other criminal schemes. The same can be seen with cyber criminals and the vast network of e-crime.
Ransomware is a notorious extortion tactic, exploding in recent years to encompass both data theft and encryption components. Though its predecessors first garnered attention in 2012, it has recently surged in popularity.
And the reason is clear; it works.
Ransomware “teams” or threat actor groups have formed steadily, some even evolving into ransomware as a service. Payouts have also increased, with average payouts growing exponentially and some even going as high as $15 million.
ShinyHunters Hops on the Bandwagon
Now some hackers, even those previously successful with other methods, are experimenting with extortion schemes as well.
ShinyHunters, one of the most prolific and notorious hackers of 2020, was responsible for compromising over 550 million users’ credentials last year alone. The threat actor continuously profited from hacking and selling databases in private sales. A majority of the threat actor’s most significant data hacks reached dark web forums after being leaked or resold, with many companies discovering they had been breached only after the database had become public.
Beyond their own exploits, ShinyHunters has also been known to share compromised databases to undercut other database sellers, whether they were the ones responsible for the attack or not.
In an interesting turn of events after a brief absence from a popular dark web hacking forum, ShinyHunters posted a partial database with a rare message on March 22, 2021:
“If Medlife doesn’t contact us, full DB will be posted” – ShinyHunters
This is the first time that ShinyHunters has posted a partial database or sent an extortion message. The threat appears to have worked, since as of March 23, 2021, the respective thread had been deleted.
Whether a ransom was paid, how much it was, or if Medlife truly contacted the threat actor has yet to be determined. However, a threat actor of this caliber switching to ransom methods is certainly of great significance.
ShinyHunters Confirms the Shift to Extortion Tactics
ShinyHunters then posted once more on a popular dark web hacking forum. The threat actor shared a small sample allegedly compromised from the Indian company Upstox, after failing to get a response from the company. After the data was posted, ShinyHunters stated that they had entered negotiations with the company and removed all data samples.
“We tried to get in touch with Upstox. Unfortunately they still haven’t replied even after 2 weeks, it seems like users’ safety isn’t one of their top priorities.

UPDATE: We are currently negotiating with Upstox. All download links are suspended.” – ShinyHunters
While responding to another user on the dark web hacking forum, ShinyHunters confirmed their current shift to extortion campaigns, claiming that they are attempting to extort American companies and hold their data for ransom:
“You really think I’m going to leak USA when I can extort them? I don’t give a single f*** about your needs. The only reason I leak India is because they never answer and I just want them to realize how screwed they really are.” – ShinyHunters
A Powerful Platform
Similar to posting on a popular hacking forum, many ransomware teams or operators leverage a personalized website on the dark web where they share victim data and information. It is used to pressure organizations to pay, to show proof of data, and to build a reputation.
Data is typically posted after a company refuses to pay a ransom, or leaked in parts during negotiations, and ransomware operators have historically only leaked data pilfered via their own operations.
In another curious twist, in February 2021 the Clop ransomware team started posting data from the now infamous Accellion attacks on their ransomware name-and-shame website. While the Clop threat actors seem to be linked to these breaches, the Clop ransomware itself was not actually used.
Why it was not deployed is yet to be determined, but it is clear the hackers understand the powerful platform that they have created, and its ability to pressure organizations.
These leak site platforms are a novel breakthrough for e-criminals, apparently more powerful than the ransomware itself in some cases. With this in mind, we might witness more threat actors partnering with ransomware operators, or operators relying more on their websites.
A Simple Fad or a Future Trend?
These new developments certainly raise the question: is this a signal of what’s to come? Will ransomware operators continue to find ways to leverage the powerful and highly public extortion platform that they have created?
As the world pays greater attention to ransomware, and more high-profile organizations succumb to it, the pressure these platforms create can only increase.
Given the growing payouts, will individual hackers resort to ransoming companies as opposed to selling the data on the dark web?
For hackers, it appears to be simple math. If ransomware payouts continue to grow, as they clearly have been, the potential return can easily dwarf what will be paid for stolen data on the black market. We might be heading to an even higher increase in ransom cases – not only by ransomware operators, but by lone wolves too.
Protect Yourself and Your Data
Our research has shown that ransomware attacks have already jumped by 100% compared to 2019, and as 2021 continues, these attacks won’t stop. Organizations need to make sure that they are properly safeguarding sensitive data. There are many ways a threat actor can get into vulnerable systems, so it is important to have the most detailed data breach intelligence.
Cyber Risk Analytics (CRA) is the standard for actionable data breach intelligence, risk ratings and supply chain monitoring. It is the most comprehensive source of data breaches occurring worldwide with each entry having up to 68 attributes of rich metadata.
With CRA, organizations can reduce the likelihood of unauthorized access from password reuse by monitoring domains for leaked credentials. It also allows organizations to continually monitor their vendors and perform due diligence. As data breach events continue to rise, don’t let security gaps of other organizations affect you.