The dark web is a subset of unindexed websites on the internet (the deep web) that can only be accessed via specialized software or tools. The most well-known of these tools is The Onion Router or TOR browser, that redirects web traffic through a series of different routers, thus masking IP addresses and providing anonymity to those using it.

The dark web plays host to a whole community of criminals who research, plan, and implement cyberattacks and other illegal activity (drug trafficking, weapon sales) using information and resources published or sold in underground forums and marketplaces. Over the past several years, cybercriminal operations on the dark web have become increasingly organized and structured, with Ransomware-as-a-Service (RaaS), cryptocurrency growth, and easy monetization of attacks providing a boost to the ecosystem.

A more structured dark web ecosystem

As revenues have increased, the practitioners of cybercrime have been able to take up more specialized roles, with different sets of criminal groups becoming active at different stages of the attack lifecycle. These roles range from the developers of the malware/ransomware, to initial access brokers (IABs), product and service marketers, and those deploying the malware on victims’ systems. This not only lowers the barriers to entry for malware service affiliates and operators (with even nontechnical actors able to use plug-and-play software to carry out attacks) but also allows developers to focus on creating more sophisticated malware strains and distance themselves from actual criminal activity. In fact, a common tactic used by malware developers is to advertise such software as being available for “educational purposes only”.

What cybercriminals can buy

The dark web ecosystem is made up of a wide array of marketplaces and forums, with an astounding variety of services, products and data available for purchase. This includes:

• Remote Access Trojans, Infostealers, Ransomware, Crypters, other malware (often bundled and sold as toolkits)
• Initial access credentials and access to already compromised servers
• Educational guides and resources on effective tools and techniques
• Credit cards and other financial information for straightforward theft and financial fraud
• A variety of criminal services (different attack services, hosting services, monetizing and negotiating services, ransomware consultancy)
• PII, Electronic Health Records, Intellectual property, other data records
• Marketing and advertising services that malware developers and service providers use to promote their products/services

While this is only a very small subset of what’s available for purchase or for free on the dark web, it reflects the increase in specialization within the cybercriminal community and how systematic their operations can be. The transactions are made using both cryptocurrency and conventional payment models, although crypto is the mode preferred by most cybercriminals because of the anonymity it provides.

For the early stages of an attack, threat actors may buy access credentials from initial access brokers to gain entry into victim networks without having to expend time and effort on this themselves. For later stages of the attack, depending on their end goals, attackers can choose from a variety of tools and malware to establish command and control, maintain persistence, conduct espionage, exfiltrate or encrypt data, and evade detection.

The prices for different kinds of malware, even within a specific category like RaaS, can vary widely depending on sophistication of technology, capabilities, popularity, success rate, etc. RaaS kits are known to be available starting from under US $100 to more than $50,000 for more advanced toolkits.

Among data records, initial access credentials and credit cards are the most highly priced.

Dark web marketplaces selling stolen data

Dark web marketplaces these days function like eCommerce sites that connect vendors with buyers and advertise their services aggressively to grow business. A study published on The Conversation details how stolen data is trafficked between producers, wholesalers and consumers in 30 dark web markets. The researchers – C J Howell from the University of South Florida and David Maimon from Georgia State University – extracted information from these markets between September 1, 2020 and April 30, 2021, and found that top dark web marketplaces were earning enough to be categorized as midsize companies, with revenues exceeding $30 million. In total, “marketplaces recorded 632,207 sales across these markets, which generated $140,337,999 in revenue.” The highest earners in the period under review were Agartha, Cartel, Aurora, DeepMart and WhiteHouse.

Dark web discussion forums

In addition to conducting transactions on dark web marketplaces, threat actors also actively use discussion forums on the dark web for exchanging information on successful attack tactics, techniques and procedures (TTPs) and to talk about new offers and sales. Common discussion themes include operational techniques as well as ways to remain anonymous while conducting illegal activity, hard drive encryption and erasure methods, the importance of separating online and real-life identities, and the risk of being found out.

Disrupting underground cybercriminal groups

Over the past couple of years, law enforcement agencies have had some success in disrupting cybercriminal gangs, particularly RaaS operators. Going after ransomware gangs became a focus for authorities in the US after the Colonial Pipeline attack in May 2021, attributed to the DarkSide group. The attack caused temporary fuel shortages across several cities on the East Coast, where the Pipeline was active. While Colonial Pipeline did pay the ransom demanded by the ransomware group ($4.4 million), the US Department of Justice (DoJ) was later able to recover approximately $2.3 million out of this amount.

More recently, the DoJ, using intelligence sources from multiple international agencies, brought down Hive ransomware’s leak site and disrupted its infrastructure after a sustained, months long effort. “Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.”

While relentless efforts by law enforcement have the potential to disrupt ransomware groups, many of these victories are temporary and cause criminal gangs to adapt and shift tactics to evade scrutiny and disruption. As old groups die, individuals associated with these groups create new strains and renew operations under different names. What also makes it difficult to bring criminals to justice is that cybercriminal groups are often based in countries other than where their victims are, placing them outside the direct control of investigating authorities.

Security experts caution organizations against complacency and advise them to keep their shields up to stop emerging threats.

How Dark Web Monitoring can help

Many organizations use dark web monitoring solutions to search the dark web for data leaks, information and discussions about their brands. By proactively searching for and tracking their data on the dark web, these organizations can:

• Find exposed information early,
• Fill gaps in their security infrastructure that allowed the leaks,
• Involve law enforcement agencies where necessary,
• Prevent further damage.

In addition to helping with discovering breached data, dark web monitoring also allows organizations to follow chatter and spot mentions of their brand that may indicate ongoing or planned intrusions so they can shore up their defenses.

CYRISMA’s Dark Web Monitoring Solution

CYRISMA combines multiple cyber risk management features and tools in a single, easy-to-use SaaS platform. This includes a feature for Dark Web Monitoring, which allows users to track their organization’s information on the dark web and check if any of their sensitive data has been compromised or is being sold illegally or discussed in hacker forums. Early warnings and insights gleaned from dark web monitoring helps users tweak their incident response strategy to deal with potential attacks more effectively; stop malicious activity early; and assess the damage that attackers may have caused in past attacks.

To know more about CYRISMA’s complete feature-set or book a demo, contact our team today.