Ransomware ecosystem fragmenting under law enforcement pressure and distrust

Veteran cybercriminals involved in ransomware attacks are increasingly shying away from large ransomware-as-a-service (RaaS) platforms following a spate of law enforcement disruption operations, as well as the AlphV/BlackCat gang's high-profile exit scam, according to officials and industry experts.

Organized online crime groups are attempting to reduce their dependence on RaaS services by developing their own variants of the malicious software, building on leaked tools to carry out attacks independently rather than as affiliates of an existing group, said a Europol threat assessment published Monday.

Experts caution that the ongoing fragmentation may not result in a decrease in ransomware or extortion incidents. The cybercrime underworld remains a bona fide economic marketplace based on monetizing software vulnerabilities, which are in no short supply, and the ecosystem is driving forward profitable ways to monetize vulnerabilities at scale.

The economic chain of the RaaS ecosystem starts with initial access brokers buying and selling access to victims' vulnerable computer networks. This access is then exploited by the affiliates of the RaaS program, who use the ransomware gang's platform to steal and encrypt files, as well as its infrastructure for the extortion negotiations, in exchange for the operator taking a commission on the final payment.

In recent months, several of these platforms, including Hive, LockBit and AlphV/BlackCat, have been hit by law enforcement operations. In the case of the AlphV group, the criminals attempted to return following the takedown, only to exit scam their affiliates and disappear with a $22 million extortion payment.

Experts believe that law enforcement disruptions are having a significant impact even when they don't involve capturing the leak sites or the infrastructure managing the cryptographic keys used in attacks.

Kimberly Goody, the head of cybercrime analysis at Mandiant, told Recorded Future News that in the wake of an international operation to dismantle the Qakbot botnet last August, her team had seen a drop in attacks by the Black Basta ransomware group.

"Instead of consistently relying on malicious email campaigns distributing Qakbot, the actors shifted to a variety of other malware, such as Darkgate and Silentnight, and stolen credentials, which may have been obtained through other malware or acquired in underground communities," said Goody.

"However, identifying other reliable methods for initial access wasn't immediate and resulted in a significant dip in Basta ransomware operations in Q3 2023, underscoring the value of disruption efforts aimed at initial access operations," she stated.

Will Lyne, the head of intelligence at the British National Crime Agency's cybercrime unit, said that while law enforcement's work may have caused or accelerated the large RaaS platforms' apparent loss of their most dangerous affiliates, his agency was also seeing ecosystem fragmentation driven by criminal actors within the market, such as with the BlackCat/AlphV exit scam.

"Online marketplaces and forums, for example, both Russian and English-language ones, are regularly disrupted by a mixture of scams, infighting and law enforcement operations. Similar can be said for other key elements of the online cybercriminal ecosystem that supports and enables threats such as ransomware," said Lyne.

"We are seeing a possible shift of cybercrime consumers, such as ransomware affiliates, away from big platforms as trust and confidence decreases."

Lyne assessed this could be because ransomware affiliates with existing skills and experience no longer needed the tools provided by RaaS schemes to make money, due to the leaks referenced by Europol. He cautioned that the barrier to entry into cybercrime and ransomware is continuing to get lower, noting that criminal organizations need fewer people with specialist cyber skills to successfully run a scheme.

As part of the LockBit takedown, the NCA revealed that a large number of affiliates had failed to make any return on their initial investment in joining the RaaS program.

Rafe Pilling, the director of threat intelligence at Secureworks, stressed that the main motivation for ransomware actors is profit, adding that while affiliate groups moving towards leaked tools would no longer have to share their profits with the larger RaaS providers, they were also going to incur additional costs.

"They have to evolve the malware on their own or pay someone to do it," explained Pilling. "Working with an established brand means they can rely on that reputation for holding up their end of any negotiation, a key part of the ransomware dynamic that encourages victims to pay. There are other costs as well, depending on whether they remain small and interact with each victim directly, or choose to expand and set up leak blogs, negotiation portals, data exfiltration and hosting infrastructure, etc."

Mandiant's Goody agreed: "Even independent ransomware operators may rely on partnerships or tools and services provided by third parties for some aspects of their operations, whether that is malware, infrastructure or laundering services."

While the economies of scale provided by third-party services appeared to be driving growth in the sector during the heyday of RaaS platforms, the ever-lowering barrier to entry and the continued evolution in extortion practices seem to be allowing the underworld to flourish even amid disruptions and internal scams.

"We're seeing a move to extortion-only incidents that do not involve encryption. That lowers the bar too, because getting encryption to work can be technically and administratively challenging for threat actors," said Lyne.

"With extortion-only, you need access to the victim network to steal data and to then subsequently demand a ransom. These may be quicker and more scalable than attacks involving encryption," he added.

The experts agree that the fundamentals of the market have not changed, even if competition is shuffling how its major players interact, because it is still very easy to monetize software vulnerabilities. Lyne said he was not confident that a fragmented ecosystem will lead to a decrease in ransomware or extortion incidents, noting that 2024 is currently tracking similar to 2023.

"Although we are making progress on resilience, unfortunately there are still lots of opportunities for cybercriminals to exploit," said Lyne, noting that the UK's National Cyber Security Centre has excellent guidance available online to help organisations and individuals protect themselves.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

Copyright 2024 The Record from Recorded Future News.