Ransomware Outsourcing Is Taking Unprecedented Proportions

Last updated September 28, 2021

Written by:

Bill Toulas
Infosec Writer

Outsourcing access for ransomware attacks is now bigger than it ever was, and Russians lead the operation.
One of the most active actors in the field may have had his real identity exposed by Brian Krebs.
His outsourcing posts on forums indicate lengthy, persistent, and stealthy access on numerous corporate networks.

The ransomware space is booming right now, with existing actors looking to extend their partnerships, new groups trying to recruit skillful hackers, access brokers selling more than what can be practically used, and established players drawing the attention of the community with a vulgar display of financial power.

Researcher Brian Krebs is doubling down on this by presenting the details of the current situation on the most notorious Russian-speaking forums of the dark web, and how a wave of outsourcing ransomware activities has swept everything.

Here’s a sample of a post that details what one of the subcontractors has access to and what they’re looking for.

There is huge insider information on the companies which we target, including information if there are tape drives and clouds (for example, Datto that is built to last, etc.), which significantly affects the scale of the conversion rate.

Requirements:
– experience with cloud storage, ESXi.
– experience with Active Directory.
– privilege escalation on accounts with limited rights.

Serious level of insider information on the companies with which we work. There are proofs of large payments, but only for verified LEADs.
There is also a private MEGA INSIDE, which I will not write about here in public, and it is only for experienced LEADs with their teams.
We do not look at REVENUE / NET INCOME / Accountant reports, this is our MEGA INSIDE, in which we know exactly how much to confidently squeeze to the maximum in total.

The ad clearly shows that ransomware groups gain a strong foothold on their targets’ networks, know how much money they could realistically demand from their victims, and they seem able to maintain their presence in a stealthy manner, so the compromised companies and organizations don’t realize what’s going on even after weeks or months.

Krebs focuses on a specific cybercriminal nicknamed “Dr. Samuil,” who is among those leading the outsourcing activities right now. The doctor has been around for at least 15 years, promoting services like ‘MultiVPN,’ which is a specialized VPN tool that’s marketed to hackers who want to stay anonymous and protected. Old registration details of the website of 'Ruskod Networks Solutions,' which is the company behind MultiVPN, point to the name Sergey Rakityansky.

By digging deeper, and with the help of a former business partner of MultiVPN, the researcher figured that Rakityansky is indeed linked with the Dr. Samuil moniker and that he is a 33-year-old man living in the city of Bryansk, in Russia.

This website uses cookies to ensure you get the best experience on our website.

Ransomware Outsourcing Is Taking Unprecedented Proportions

“Maze” Ransomware Actors Compromised Large IT and Aerospace Companies

Ransomware Hits 110,000 Domains with Exposed AWS Access Keys Due to Cloud Misconfigurations

A New Ransomware Group Is Calling Hackers to Join the “DarkSide”

Here’s What Ransomware Gangs Do With the Data That Was Paid for Deletion

The “Maze” Ransomware Operation Is Closing Shop After a Successful Year

New 'Mad Liberator' Ransomware Gang Targets AnyDesk Users via Fake Windows Updates