High-profile, name-brand ransomware takedowns are starting to have a real impact, sowing discord among hackers and causing big changes in the cyber underground.
Governments in the United States and the European Union have stepped up efforts to disrupt ransomware-as-a-service (RaaS) operations in recent months, most visibly with headline-grabbing coordinated actions against the infamous LockBit and ALPHV/BlackCat groups. Police have identified ringleaders, seized malicious infrastructure and data, including affiliate information, and even trolled adversaries with messages posted on their leak sites.
While well intentioned, these operations tend to draw criticism when, inevitably, the remnants of such large and widespread groups reappear days or weeks after their reported disappearance. After all, if threat actors aren’t eradicated, what’s the point?
A new report from GuidePoint Security on the current state of the ransomware ecosystem offers an answer.
Thanks to the drama surrounding the major RaaS groups, affiliates – the hackers who actually carry out attacks on their behalf – have increasingly moved away from them, toward newer, lesser-known RaaS operations that offer what the big names couldn’t: trust.
“The question has been for years: How do we stop ransomware?” says Drew Schmitt, practice manager of the GuidePoint Research and Intelligence Team (GRIT). “One element of the response could be the creation of mistrust between groups and their affiliates.”
How LockBit and ALPHV have lost their credibility
“At first glance, if you don’t go into details, you could say that the law enforcement agencies were unsuccessful in their operations,” admits Schmitt.
“But when you dig a little deeper, you realize that there are some consequences for ransomware groups that weren’t really aiming to destroy their infrastructure permanently,” he adds. “And I think the biggest one is influencing these larger groups to make decisions or take actions that ultimately damage their credibility.”
The strangest episode followed the takedown of ALPHV last December. After an effort to rebuild its infrastructure and reputation by offering affiliates a larger share of the proceeds and eliminating some targeting restrictions, the group found a way to actually capitalize on the loss: an exit scam. When one of its affiliates pulled off a $22 million heist at United Healthcare a few weeks ago, the group did not honor its profit-sharing agreement, withholding the affiliate’s entire share and claiming it had once again been taken down by law enforcement. The affiliate published chat logs and blockchain data suggesting otherwise.
Affiliate reports ALPHV exit scam. Source: GuidePoint Security
In LockBit’s case, petty law enforcement trolling also had a significant reputational impact. As part of Operation Cronos, law enforcement posted on the LockBit leak site that “LockbitSupp cooperated with law enforcement ☺”, which dented the RaaS leader’s credibility and, if true, also put all of his affiliates at risk.
As trust in ransomware’s formerly most trusted names wanes, other groups are attempting to step in and take their place.
RaaS startups want YOU
In the void left by the larger groups, Schmitt noted: “We see a sort of back and forth between some of these smaller groups, like LockBit and ALPHV have had in years past, competing with each other. This is very similar, I think, to how many different emerging companies in the same type of product or market area compete with each other, always trying to change and evolve and really stand out.”
RaaS startup Cloak, for example, recently posted an above-average profit split offer of 85/15 on the underground forum UFO Labs, with no upfront payment required to access its supposedly powerful and modifiable signature malware.
Mid-range RaaS group Medusa is looking to sweep up former ALPHV and LockBit affiliates by offering 24/7 access to its admin, advertising and trading teams and a sliding-scale profit-sharing model that starts at 70/30 but rises to 90/10 for ransoms over $1 million.
Another emerging group called “RansomHub”, which recruits from the same Russian-language underground forum as Medusa – RAMP – advertises a fixed 90/10 split and a policy that affiliates are free to work with other groups as well. But its core value proposition is trust.
RansomHub recruitment post on RAMP. Source: GuidePoint Security
“We have noticed that some affiliates have been seized by the police or have fled fraudulent activities, causing the loss of your funds,” the group wrote online. To allay any fears that it might do the same, RansomHub has reversed the traditional model: instead of the operator controlling all funds and paying affiliates their share, affiliates control their own wallets and pay RansomHub.
Clearly, Schmitt notes, “There’s a kind of pendulum shift going on right now, where these groups are trying to figure out where they can take advantage of the distrust of larger groups like LockBit and ALPHV.”
“Ransomware has traditionally been a very reactive type of cybercrime,” he says, “and that’s where we are now. It’s all very volatile and we’ll have to see how it plays out.”