Ransomware groups test new business models to hit more victims, increase profits

The operators behind the DragonForce and Anubis ransomware-as-a-service schemes are launching new business models to attract affiliates, according to research published Wednesday.

Much like their counterparts in legitimate commerce, ransomware enterprises are continuing to develop new services to increase their market share and profits, and are taking advantage of recent disruptions to the ecosystem by offering hackers new ways to collaborate with them.

As detailed by Secureworks, DragonForce and Anubis are attempting to entice hackers to come and work with them by adopting affiliate models that would increase the volume of incidents their services can be used in.

DragonForce, which launched as a traditional RaaS scheme in August 2023, last month rebranded itself as a “cartel” and announced what Secureworks described as a “shift to a distributed model that allows affiliates to create their own ‘brands’.”

The “cartel” model would allow DragonForce to provide its own established infrastructure and operation management tooling to hackers, but not necessarily force those service users to attack victims using DragonForce’s own encryptor. 

“Even sophisticated threat actors may appreciate the flexibility that allows them to deploy their own malware without creating and maintaining their own infrastructure. By broadening its affiliate base, DragonForce can increase its potential for financial gain,” as Secureworks explained.

“However, the shared infrastructure does introduce risk to DragonForce and its affiliates. If one affiliate is compromised, other affiliates' operational and victim details could be exposed as well.”

Anubis, which researchers started tracking in December, is offering three monetization schemes for its customers, from traditional encryption attacks that see the affiliates pocket 80% of the ransom through to data extortion attacks (60% of the ransom) and simple access monetization (50% of the ransom).

Anubis includes various tactics for increasing pressure on victims to pay, including threatening to publish stolen data as well as naming them on social media.

“The threat actors claim they will also notify the victims' customers about the compromise. These tactics have been used by multiple ransomware groups,” wrote Secureworks, noting that the Anubis operators “threaten to take the notifications a step further” by submitting reports themselves to various regulators.

While this type of extortion is not completely novel, with AlphV/BlackCat reportedly disclosing an incident to the U.S. Securities and Exchange Commission after a victim refused to make a ransom payment, Secureworks said it has not seen other incidents of ransomware groups attempting to abuse regulatory or compliance entities for extortion purposes.

Rafe Pilling, the director of threat intelligence at Secureworks’ Counter Threat Unit, said it was unsurprising that in the wake of the LockBit takedown he and his team were seeing "wider experimentation with different operating models” among ransomware groups.

“These two examples shine a light on some of how this is taking shape in the ecosystem. Understanding how these groups are operating, tooling and monetizing is crucial in deploying the right defenses to secure people and businesses,” said Pilling.

If successful, the new business models could reshape the ransomware ecosystem in the same way LockBit’s affiliate model helped that scheme become the market leader, before it was effectively shuttered following a law enforcement disruption operation last year.

Disrupting the most successful groups and driving decentralization across the ransomware ecosystem has been a major focus for officials attempting to tackle the ransomware problem. 

Laura Galante, a former director for cyber at the Office of the Director of National Intelligence, told journalists last September that disruptions such as those by the FBI and Britain’s National Crime Agency were intended to have a strategic effect.

“Disruption operations have been really key to making this harder for certain groups to really get deeper and more specialized and mature, and makes the organizations a little bit more chaotic, which ends up being helpful because it takes more time for them to reconstitute and have successful operations in the future,” she said.

Although attacks largely seem to have plateaued over recent years, incidents causing social disruption remain common. The good news is that efforts to starve ransomware cybercriminals of their profits appear to finally be having an effect.

According to a report by Chainalysis, the extortion payments that have been funding the criminal ecosystem dropped last year. Jackie Burns Koven, the company’s head of cyberthreat intelligence, cautioned that it was “premature to be celebrating,” describing the new situation as “extremely fragile and could turn on a dime.”

“There’s always going to be a new kid on the block that comes through and is able to take advantage of the situation,” said Koven. “There’s always going to be new vulnerabilities, and the attack numbers are still staggering.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.