Ransomware attacks continue to evolve, and so do the tactics used by ransomware actors. One of the key components in their operations is the infrastructure they use, often hosted on what are known as bulletproof hosting (BPH) sites. In addition to BPH, these actors also utilize virtual private servers (VPSs) and have sophisticated affiliate programs to expand their reach.
What is Bulletproof Hosting (BPH)?
Bulletproof hosting (BPH) providers offer hosting services without any concern for the type of content being hosted. This makes them ideal for cybercriminals, including ransomware operators, who need to host malicious infrastructure. These providers often operate in countries that have lenient privacy policies and no extradition agreements with countries like the United States.
Why BPH? Unlike regular hosting providers that respond to abuse reports, BPH providers ignore these reports, allowing illegal activities to continue.
Finding BPH: These services are often advertised and purchased on darknet forums.
Virtual Private Servers (VPS)
In addition to BPH, ransomware actors frequently use virtual private servers (VPS) from companies like DigitalOcean and Vultr. These servers give attackers more flexibility and a degree of anonymity.
How it works: Attackers spin up a VPS, use it for a few attacks, and then shut it down to avoid detection. This process is repeated multiple times.
Identifying VPS: Sometimes, a whois lookup on an IP address used by attackers reveals that it belongs to a VPS provider. For instance, Vultr uses Choopa autonomous system numbers (ASNs), which can be identified by the prefix "CHOOPA-ASN."
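As an added example (not code from the original post), a small Python enrichment helper that applies the whois check described above: it parses a key/value whois reply and tags the IP when an ASN-bearing field starts with a watched prefix such as CHOOPA-ASN. The whois records are constructed samples, and the DigitalOcean ASN name is an assumption to verify against a live lookup.

```python
from typing import Callable, Dict, List, Optional

# Constructed ARIN-style whois replies keyed by IP (RFC 5737 addresses; values are illustrative).
SAMPLE_WHOIS = {
    "203.0.113.7": """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       203.0.113.0 - 203.0.113.255
NetName:        CHOOPA-NET-EXAMPLE
OriginAS:       AS64496
ASName:         CHOOPA-ASN-EXAMPLE
OrgName:        Example VPS Company, LLC
""",
    "198.51.100.9": """\
NetRange:       198.51.100.0 - 198.51.100.255
NetName:        EXAMPLE-CORP-NET
OrgName:        Example Corporation
""",
}

# ASN-name prefixes to tag. CHOOPA-ASN is the prefix named in the post (Vultr announces
# through Choopa ASNs); the DigitalOcean entry is an assumed name, verify it live.
VPS_WATCHLIST = {"CHOOPA-ASN": "Vultr (Choopa)", "DIGITALOCEAN-ASN": "DigitalOcean"}
# Fields where the ASN or network name usually appears (ARIN and RIPE styles).
ASN_FIELDS = ("ASName", "OriginAS", "NetName", "OrgName", "Organization", "as-name", "descr")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines into lists per key; skip '#'/'%' comments and blanks."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%":
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def classify_origin(whois_text: str, watchlist=VPS_WATCHLIST) -> Optional[str]:
    """Return the watchlist label whose prefix starts a token in any ASN-bearing field."""
    fields = parse_whois(whois_text)
    for name in ASN_FIELDS:
        for value in fields.get(name, []):
            for token in value.upper().replace("(", " ").split():
                for prefix, label in watchlist.items():
                    if token.startswith(prefix):
                        return label
    return None

def enrich_events(ips: List[str], lookup: Callable[[str], str]) -> Dict[str, Optional[str]]:
    return {ip: classify_origin(lookup(ip)) for ip in ips}
```

A VPS origin by itself is not evidence of malice, since plenty of legitimate services run on the same providers; treat the tag as triage context to weigh alongside other signals.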
Ransomware Affiliate Programs
Ransomware groups have professionalized their operations by creating affiliate programs. These programs are similar to business partnerships where the ransomware developers and affiliates share profits from successful attacks.
Evolution: Initially, these programs were informal partnerships. Today, they are structured programs managed by project managers.
Rules and Marketing: Ransomware groups often provide specific rules for their affiliates and market their programs to attract skilled partners.
Example:
Notable Ransomware Affiliate Programs
One of the well-known ransomware groups with an affiliate program is the BlackCat/ALPHV group. Their affiliate program is frequently cited as a sophisticated example of how ransomware operations are run like businesses.
BlackCat/ALPHV: This group offers a well-structured affiliate program. For more detailed information, you can read Group-IB’s analysis titled “Fat Cats: An analysis of the BlackCat ransomware affiliate program”.
Conclusion
By staying informed about these tactics and adopting strong security practices, organizations can better protect themselves against these evolving threats.
Akash Patel