
Cybercriminals are paying pentesters to vet their ransomware

Through advertisements on cybercrime marketplaces, ransomware groups are looking for pentesters. It’s another step in the professionalization of cyber attackers.

This is what research by Cato’s Cyber Threats Research Lab (CTRL) has unearthed. In addition to examining 1.46 trillion network flows from 2,500 customers, the research team also took a look at activity on criminal marketplaces. One of these is RAMP (Russian Anonymous Marketplace), where it found advertisements offering payment to pentest several ransomware variants, including at least Apos, Lynx and Rabbit Hole.

Even further away from the ‘script kiddies’

The professionalization of cybercrime has increased as the potential profits have grown. Cyber threats have also increasingly been coordinated by government agencies, particularly in Russia and China. Now, however, the resemblance to legitimate software makers is even more obvious. Pentests are meant to prevent ransomware that has been deployed “in production” (read: installed at a victim’s premises) from simply being cracked.

“They definitely want to make sure that all the effort they’re putting into their software is not going to be turned over when somebody finds a vulnerability,” says Etay Maor, chief security strategist at Cato Networks. “They’re really stepping up their game in terms of approaching software development, making it closer to what an enterprise would do than what is typically seen today from other development groups.”

Research

Cato Networks’ research revolves around both AI algorithms and human research and focuses on both defenders and attackers. This holistic view is presented quarterly in a SASE Threat Report. The research touches on the professionalization of cybercriminals, as well as the danger of “Shadow AI,” or unknown or underexposed situations in which AI is deployed without permission and can lead to data breaches.

Because Cato’s focus is on data traffic flows, it has a clear picture of where improvement can be made in that area. For example, it found that TLS inspection is not used often enough. This technique lets organizations decrypt their traffic, inspect it and then re-encrypt it. Only 45 percent of the organizations that participated in the Cato survey do this. The gains can be enormous, so more security teams should be paying attention here, as 60 percent of CVE exploitation attempts are blocked in TLS traffic.