Writing in his blog, Krebs said that ransomware attacks require a lot of boots on the ground and that most criminal gangs have too few staff to carry them out.
"Judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today's attackers have zero trouble gaining that initial intrusion. But the real challenge seems to be hiring enough people to help everyone profit from the access already gained."
They also have a cash flow problem because there is a yawning gap of days, weeks or months between the initial intrusion and the deployment of ransomware within a victim organisation.
This has opened the way for freelancers such as “Dr. Samuil”, a cybercriminal who has maintained a presence on more than a dozen top Russian-language cybercrime forums over the past 15 years.
Krebs said that in a series of recent advertisements, Dr. Samuil says he’s eagerly hiring experienced people who are familiar with tools used by legitimate pentesters for exploiting access once inside of a target company — specifically, post-exploit frameworks like the closely-guarded Cobalt Strike.
“You will be regularly provided select accesses which were audited (these are about 10-15 accesses out of 100) and are worth a try”, Dr. Samuil wrote in one such help-wanted ad. “This helps everyone involved to save time. We also have private software that bypasses protection and provides for smooth performance.”
According to cybersecurity firm Intel 471, Dr. Samuil’s ad is hardly unique: several other seasoned cybercriminals who are customers of popular ransomware-as-a-service offerings are hiring sub-contractors to farm out some of the grunt work.