4 Types of Cybercrime Groups

The adage “teamwork makes dreams come true” also applies to cybercriminals. To launch more successful cyberattacks, malicious actors with different expertise have joined together to form Cybercrime as a Service (CaaS).

We are now seeing people and groups focusing on various parts of the attack lifecycle. This means that we are likely to see fewer errors leading to detections, and we should expect multiple groups to colonize an infected network.

There are four types of cybercriminal groups in CaaS, each covered below:

  1. Access as a service (AaaS) sellers
  2. Ransomware as a service (RaaS) operators
  3. Bulletproof hosting providers
  4. Crowdsourced offensive research and development

From an incident response perspective, this means responders have to identify several different groups, each accomplishing a specific aspect of the overall attack, which makes the attack harder to detect and stop. Identifying common tactics, techniques, and procedures (TTPs) can help CISOs and security leaders strengthen their cybersecurity strategies and minimize risk.

Types of cybercriminal groups

Trend Micro research analyzed access as a service (AaaS), a service offered underground where malicious actors sell access to business networks.

AaaS consists of individuals and groups that use a variety of methods to remotely access an organization’s network. There are three types of AaaS sellers:

  1. An opportunistic actor who notices demand and decides to profit.
  2. Dedicated sellers – their full-time job is to gain and sell access. They even market their services and use their extensive network to sell.
  3. Online stores, which usually only guarantee access to a single machine, not a whole network or company.

Groups that specifically gain access to a network and then knowingly sell it to others are more of a concern, as their access is often reliable and ensures their buyers can deliver their services. Both types of AaaS actors can be troublesome, but the latter is sure to cause trouble for more organizations due to the sophistication attributed to the initial attacker.

Read more: Organised cybercrime cases: What CISOs need to know

RaaS is cited as one of the reasons for the continued increase in ransomware attacks, by providing the necessary tools and techniques to enable less-skilled hackers to launch costly attacks on large organizations such as SolarWinds.

This newfound accessibility led to a dramatic 63.2% increase in RaaS extortion groups in Q1 2022. Trend Micro Research’s 2022 Mid-Year Cybersecurity Report found that more than 50 active RaaS and ransomware groups compromised more than 1,200 organizations in the first half of 2022.

LockBit, Conti, and BlackCat were the most prominent RaaS threat actors in the first six months, but new ransomware families like Black Basta and SolidBit are growing.

Read more: How to prevent ransomware-as-a-service (RaaS) attacks

A reliable web hosting service that can withstand abuse complaints and law enforcement takedown requests is critical to keeping cybercriminal operations running smoothly and covertly. Bulletproof hosting services are essentially rented hideouts where malicious actors can store files and even malware needed for an attack campaign.

Void Griffon offered its first fast-moving bulletproof hosting service in 2015 and has been home to many different APT groups and prominent malware families since then.

Read more: Survey Gaps: Exploring the Top Bulletproof Hosting Services

Cybercriminals have turned to crowdsourcing their offensive R&D processes to find new attack methods. This relatively new type of cybercrime has increased over the past two years. Trend Micro Research has observed an increase in the number of malware attackers holding open competitions in the criminal underground to find new and creative attack methods.

Some competitions look for talent (like The Voice or American Idol), but these are rare. Most competitions are looking for knowledge: they ask for technical articles on new attack techniques, vulnerabilities, and so on. An award, or even several, is given to the best or most innovative technical proposal. Requests are often general rather than limited to a specific domain.

Trend Micro research anticipates an increase in the number of crowdsourcing competitions, which in turn will accelerate criminal innovation. And this evolution doesn’t need to be big; small tactical victories can allow criminals to bypass current defenses.

Read more: From bounties to exploits: Cybercriminals use crowdsourcing for new attacks

Network Security Defense Strategy

So how do you deal with different types of cybercriminal groups? Unfortunately, businesses cannot jump into the cybercrime underground and stop crowdsourcing. But they can prevent or limit the scope of outcomes by implementing a cybersecurity defense strategy focused on detecting and preventing initial access breaches.

The sooner you detect an attack's initial access, the more likely you are to prevent later components of the attack lifecycle, such as ransomware, from occurring. Here are other components to consider when creating an effective security policy:

1. Partner with security vendors that utilize global threat research. Continuous monitoring of public breaches and of bulletproof hosting services in the criminal underground ensures your solution is optimized to defend against the latest threats. Additionally, by proactively identifying and blocking bulletproof hosting infrastructure, defenders can stop attacks early in the kill chain.
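Blocking bulletproof hosting infrastructure in practice means turning a threat-intelligence feed of hosting ranges into both a detection (flag egress connections that already reached those ranges) and a prevention control (deny rules). The following is an added example, not code from Trend Micro or from this article; the CIDR blocks, provider labels and firewall log lines are all constructed placeholders, and the key=value log format is an assumption.

```python
"""Flag and block egress connections to bulletproof-hosting ranges.

Added illustration only. The ranges, labels and log lines below are
constructed placeholders, not real indicators.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed threat-intel feed: ranges a vendor feed might attribute to a
# bulletproof hoster. Placeholder values from documentation address space.
BULLETPROOF_RANGES: Dict[str, str] = {
    "203.0.113.0/24": "EXAMPLE-BPH-1 (placeholder)",
    "198.51.100.128/25": "EXAMPLE-BPH-2 (placeholder)",
}

# Constructed egress firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
ts=2022-07-01T10:00:01Z src=10.0.5.21 dst=203.0.113.45 dport=443 action=allow
ts=2022-07-01T10:00:02Z src=10.0.5.21 dst=93.184.216.34 dport=443 action=allow
ts=2022-07-01T10:00:07Z src=10.0.7.9 dst=198.51.100.200 dport=8080 action=allow
ts=2022-07-01T10:00:09Z src=10.0.7.9 dst=198.51.100.20 dport=443 action=allow
"""

LOG_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)")

Network = Tuple[ipaddress.IPv4Network, str]


def load_networks(ranges: Dict[str, str]) -> List[Network]:
    """Parse the feed once so each log line is checked against parsed objects."""
    return [(ipaddress.ip_network(cidr), label) for cidr, label in ranges.items()]


def match_network(ip_str: str, networks: List[Network]) -> Optional[str]:
    """Return the label of the first range containing ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # malformed field: skip rather than crash the pipeline
    for net, label in networks:
        if ip in net:
            return label
    return None


def flag_connections(log_text: str, ranges: Dict[str, str] = BULLETPROOF_RANGES) -> List[dict]:
    """Detection side: return every connection whose destination is in a flagged range."""
    networks = load_networks(ranges)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, src, dst, dport, _action = m.groups()
        label = match_network(dst, networks)
        if label:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "dport": int(dport), "provider": label})
    return hits


def block_rules(ranges: Dict[str, str] = BULLETPROOF_RANGES) -> List[str]:
    """Prevention side: render one egress deny rule (iptables syntax) per range."""
    return [f"iptables -A OUTPUT -d {cidr} -j DROP" for cidr in ranges]


if __name__ == "__main__":
    for hit in flag_connections(SAMPLE_LOGS):
        print("flagged:", hit)
    print("\n".join(block_rules()))
```

The two outputs serve different stages of the kill chain: the flagged connections tell the IR team which internal hosts have already talked to the hoster (a sign that initial access may have occurred), while the deny rules cut off command-and-control or payload staging for everyone else. In production the feed would be refreshed continuously from the vendor, which is the point the article makes about partnering with vendors that monitor the underground.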

2. Follow a zero trust approach. Improve network security by implementing a SASE architecture. SASE combines Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB) capabilities to enhance attack surface protection and control.

3. Establish an Incident Response (IR) playbook for security breaches. Make sure your IR team or vendor understands the multi-group attack scenario and knows where its priorities lie.

4. Establish a robust patch management strategy to limit the scope of exploits. This should include identifying the most relevant patches, developing a zero-day exploit plan, communicating with vendors, and leveraging virtual patches.

5. Leverage a trusted cybersecurity framework. Best practices such as those from the National Institute of Standards and Technology (NIST) and the European Union Agency for Cybersecurity (ENISA), and the Center for Internet Security (CIS) provide comprehensive guidance on prioritization and resource management, as well as on closing any holes that attackers might exploit.

6. Use a unified cybersecurity platform with XDR capabilities that consolidates and correlates threat activity across endpoints, cloud, network, email, and more for increased visibility.

For more insights into the types of cybercriminal groups and how to strengthen defense strategies, check out the following resources:
