
Ransomware ecosystem fragmenting under law enforcement pressure and distrust

Veteran cybercriminals involved in ransomware attacks are increasingly shying away from large ransomware-as-a-service (RaaS) platforms following a spate of law enforcement disruption operations, as well as the AlphV/BlackCat gang’s high-profile exit scam, according to officials and industry experts.

Organized online crime groups are attempting to reduce their dependence on RaaS services by developing their own variants of the malicious software, building on leaked tools to carry out attacks independently rather than as affiliates of an existing group, said a Europol threat assessment published Monday.

Experts caution that the ongoing fragmentation may not result in a decrease in ransomware or extortion incidents. The cybercrime underworld remains a bona fide economic marketplace based on monetizing software vulnerabilities — which are in no short supply — and the ecosystem is driving forward profitable ways to monetize vulnerabilities at scale.

The economic chain of the RaaS ecosystem starts with initial access brokers buying and selling access to victims’ vulnerable computer networks. This access is then exploited by the “affiliates” of the RaaS program who use the ransomware gangs’ platforms to steal and encrypt files, as well as for the infrastructure for the extortion negotiations, in exchange for a commission on the final payment.

In recent months several of these platforms, including Hive, LockBit, and AlphV/BlackCat, have been hit by law enforcement operations. In the case of the AlphV group, the criminals attempted to return following the takedown before “exit scamming” their affiliates and disappearing with a $22 million extortion payment.

Having an impact

Experts believe that law enforcement disruptions are having a significant impact even when they don’t involve capturing the leak sites or the infrastructure managing the cryptographic keys used in attacks.

Kimberly Goody, the head of cybercrime analysis at Mandiant, told Recorded Future News that, in the wake of an international operation to dismantle the Qakbot botnet last August, her team had seen a drop in attacks by the Black Basta ransomware group.

“Instead of consistently relying on malicious email campaigns distributing Qakbot, the actors shifted to a variety of other malware such as Darkgate and Silentnight and stolen credentials, which may have been obtained through other malware or acquired in underground communities,” said Goody.

“However, identifying other reliable methods for initial access wasn’t immediate and resulted in a significant dip in Basta ransomware operations in Q3 2023, underscoring the value of disruption efforts aimed at initial access operations,” she stated.

Will Lyne, the head of intelligence at the British National Crime Agency’s cybercrime unit, said that while law enforcement's work may have “caused or accelerated” how the large RaaS platforms appeared to be losing their most dangerous affiliates, his agency was also seeing “ecosystem fragmentation driven by criminal actors within the market” such as with the BlackCat/AlphV exit scam.

“Online marketplaces and forums, for example, both Russian- and English-language ones, are regularly disrupted by a mixture of scams, infighting and law enforcement operations. Similar can be said for other key elements of the online cybercriminal ecosystem that supports and enables threats such as ransomware,” said Lyne.

“We are seeing the possible shift of cybercrime consumers, such as ransomware affiliates, away from big platforms as trust and confidence decreases.”

Lyne assessed this could be because ransomware affiliates with existing skills and experience no longer needed the tools provided by RaaS schemes to make money due to the leaks referenced by Europol. He cautioned that the “barrier to entry into cybercrime and ransomware” is continuing to get lower, noting that criminal organizations “need fewer people with specialist cyber skills to successfully run a scheme.”

Fragmentation

As part of the LockBit takedown, the NCA revealed that a large number of affiliates had failed to make any return on their initial investment in joining the RaaS program. 

Rafe Pilling, the director of threat intelligence at Secureworks, stressed that the “main motivation for ransomware actors is for profit,” adding that while affiliate groups moving towards leaked tools would no longer have to share their profits with the larger RaaS providers, they were also going to incur additional costs.

“They have to evolve the malware on their own or pay someone to do it,” explained Pilling. “Working with an established ‘brand’ means they can rely on that reputation for holding up their end of any negotiation, a key part of the ransomware dynamic that encourages victims to pay. There are other costs as well depending on whether they remain small and interact with each victim directly or choose to expand and set up leak blogs, negotiation portals, data exfiltration and hosting infrastructure etc.”

Mandiant’s Goody agreed: “Even independent ransomware operators may rely on partnerships or tools and services provided by third parties for some aspects of their operations whether that is malware, infrastructure, or laundering services.”

While the economies of scale provided by third-party services appeared to be driving growth in the sector during the heyday of RaaS platforms, the ever-lowering barrier to entry and continued evolution in extortion practices seem to be allowing the underworld to flourish even amid disruptions and internal scams.

“We’re seeing a move to extortion-only incidents that do not involve encryption. That lowers the bar too, because getting encryption to work can be technically and administratively challenging for threat actors,” said Lyne.

“With extortion-only, you need access to the victim network to steal data, and to then subsequently demand a ransom — these may be quicker and more scalable than attacks involving encryption,” he added.

The experts agree that the fundamentals of the market have not changed — even if competition is shuffling how its major players are interacting — because it is still very easy to monetize software vulnerabilities. Lyne said he was “not confident that a fragmented ecosystem will lead to a decrease in ransomware or extortion incidents,” noting that “2024 is currently tracking similar to 2023.”

“Although we are making progress on resilience, unfortunately there are still lots of opportunities for cybercriminals to exploit,” said Lyne, noting that the U.K.’s National Cyber Security Centre “has excellent guidance available online to help organisations and individuals protect themselves.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.