FIC 2023: Are ransomware gangs just like any other business?

Cybercriminal organisations are businesses like any other. They are born, grow and sometimes die. In fact, their mortality rate is particularly high, judging by recent setbacks suffered by leading ransomware gangs. In September 2021, the Babuk gang scuppered itself after its ransomware decryption keys were published on the dark web.

In March 2022, the Conti group disappeared after taking a stand in support of Russia in the war against Ukraine. In January 2023, the Hive group ceased all activities after their platform was seized by the FBI and Europol. Europol also pulled off a major bust by arresting two members of DoppelPaymer in March.

Other notorious gangs are still active but have suffered a number of setbacks. In September, LockBit’s builder – the kit used to create its malware – was leaked on social media after the group’s leader refused to pay a developer’s salary. REvil’s activities dropped drastically after the May 2021 attack on Colonial Pipeline, the main US oil pipeline operator.

These events raise questions about the long-term viability of ransomware groups. These 21st century mafia gangs seem to follow the same pattern as their physical counterparts. They get rich quickly, live large, and then disappear after one too many sideswipes or one fatal misstep.

Humans are the weakest link

These groups may hide behind the Ransomware as a Service (RaaS) business model, which with its resale of creation kits to affiliates and 24/7 commercial assistance looks similar to the legal SaaS model, but they are still vulnerable. It is ironic that the main vulnerability is still human beings.

“Their mass model is based on optimised techniques and a distribution of tasks among stakeholders. This chain cannot be 100% automated; there are always humans behind it,” says Livia Tibirna, cyber threat intelligence analyst at Sekoia.io.

Although gangs list which organisations to target and which to spare, their affiliates have been known to slip up and, for example, attack healthcare facilities. LockBit reportedly apologised and sent a free decryption key to a Toronto children’s hospital that was attacked by mistake. RaaS groups also brag about their misdeeds by signing their names or leaving clues on discussion forums.

A mainly Russian-speaking ecosystem

Despite the rivalries that sometimes come to the fore, such as those between LockBit and REvil, a code of honour keeps fratricidal battles at bay. “The ecosystem is still mainly Russian-speaking, with unwritten rules of camaraderie. Most groups in former Soviet countries do not attack each other. And this situation has not changed with the war in Ukraine,” says Tibirna.

There have even been new collaborations. For example, software publisher Sophos reported that Hive, LockBit and BlackCat orchestrated an attack targeting the same network three times. The geopolitical situation has nevertheless destabilised the teams involved. “To escape military mobilisation, Russian cybercriminals have relocated to Turkey or Iran, exposing themselves to the risk of being arrested by international law enforcement agencies,” Tibirna adds.

According to Karim Abillama, International Business Pre-Sales Director at NetWitness, detecting and tracking these gangs can take years: “These groups are very well structured and sophisticated, especially in the way they pay, but they still have a fairly standard method of entry based primarily on spear-phishing.”

Ransomware is just the tip of the iceberg

In terms of targeting, the threat is still primarily opportunistic. It involves knocking on every front door before breaking into the information system. “The gangs have a choice: either attack easy prey or go after bigger fish to increase their profits. Both scenarios are possible,” adds Abillama.

Furthermore, ransom demands are systematically coupled with the threat to disclose the exfiltrated data. Abillama even highlights an increasing trend towards re-extortion. Cyber-gangsters return to the scene of their crime by holding the victim to ransom a second time. More than a third of companies attacked by ransomware in 2022 had already been attacked in the past, according to a Barracuda Networks report.

Tibirna also notes a greater flexibility in the relationship between RaaS groups and their affiliates: “It used to be that it was not good for affiliates to buy from different groups. Now it is more acceptable. They can use two or three different malware programs.”

She also points out that ransomware, a particularly visible and high-profile threat, is only the tip of the iceberg: “Behind it is a whole industry that has been developed around reselling data or laundering Bitcoins.”

Lower revenues

Despite this desire to maximise profits, the experts at the FIC 2023 round table on this topic pointed to a decline in revenues generated by the ransomware industry. Several factors are contributing to this market downturn. Tibirna mentions the increased maturity of businesses that have (finally) introduced backup systems and the fall in the price of Bitcoin and other cryptocurrencies.

There have also been developments in the legal framework. The attack on Colonial Pipeline in the United States in May 2021 was a wake-up call. It showed that in addition to being profitable businesses, gangs could disrupt the way in which enemy states operate. Shortly afterwards, according to Reuters, FBI boss Chris Wray urged companies and public institutions not to pay ransom demands to prevent crime from flourishing.

More recently, on 1 March 2023, Joe Biden’s administration outlined its national cybersecurity strategy. The policy is clear: any ransomware attack that targets the country’s critical infrastructure will be considered a threat to national security. The strategy identifies 16 key sectors, including health and energy.

For Cody Barrow, Vice President for Intelligence and Director of Threat Intelligence at EclecticIQ, this is “a serious warning to cyber attackers and their accomplices”. As ransomware becomes a national security issue, more government resources will be brought to bear.

“International cooperation is also likely to increase, with the US working more closely with allied countries,” says Barrow. Ransomware groups will have at least played their part in encouraging the exchange of information throughout the Western world.