Editor's note: The following is a guest article from Robert McArdle, director of cybercrime research at Trend Micro.
Ransomware attacks have made a lot of headlines lately, drawing unwanted attention to several ransomware actors. This has had an immediate impact on ransomware groups and their affiliate models, on underground forums, and on political responses.
It's not showing any signs of slowing down, political pressure or not, and it will likely have a lasting impact on cybercriminal businesses, which in turn will impact how companies globally defend against cyberattacks.
So, how have recent events impacted criminal businesses? There are three key ways:
- Ransomware groups are moving to a private model
- Extended extortion methods are becoming more common
- Many have said that ransomware will move to a purely data leak extortion model, but that may not be the case.
These three levels of change will happen over time. Here's how it will evolve.
What has changed
Since the fallout from the DarkSide ransomware attack on Colonial Pipeline in the U.S. and the takedown of Ireland's healthcare system by Conti ransomware, discussions in cybercriminal underground forums have undergone major changes.
Both DarkSide and Avaddon have shut down. Whether these were exit scams or a response to the political heat they endured is not known. Several other ransomware groups have gone through rounds of rebranding as well, an effort to distance their current and ongoing criminal activities from their past activity. Groups have had varying degrees of success with this approach.
Either way, this led several affiliates to file claims on key forums for repayment, requesting that the actors behind the ransomware refund their buy-in to operate as affiliates in the ransomware-as-a-service model. Some have visibly received this refund.
Additionally, the XSS forum announced a ban on all ransomware-related activity on the forum on May 13. This is the main forum where DarkSide and several other ransomware affiliate programs, such as REvil, were advertised. Initially, some users moved their ads to Exploit – another similar, popular forum – until the forum announced a similar ban on May 14.
Since then, the Groove Gang has spun up a new dedicated forum called RAMP, which is purely dedicated to ransomware discussion.
These changes, and the shift to private models, have several implications. The remaining groups will likely continue their work exactly as before, just without relying on forum ads to recruit. While they are likely to keep using affiliates, those affiliates will be recruited directly.
Some mature groups have gone truly independent – essentially bringing the affiliate role in-house in the form of pen-testing sub-teams that provide initial access to victim organizations.
What will change next
The pressure and attention from recent attacks have clearly made several modern ransomware groups uncomfortable. However, the business model of ransomware is simply too profitable to vanish right now. Some of the major gangs have built themselves up as mini corporations.
Like it or not, when that happens you have staff to support, and at least some level of ethical commitment to keep the business trading.
To continue operating in the current political environment, groups will shift their tactics in a few ways.
First, there will be an increase in "triple" or "quadruple" extortion models. While this has already been implemented by some groups, it will increase to add pressure on victims to pay. The added pressure may be needed as many governments are taking a stronger stand against ransomware.
- Double extortion has become the norm – with data leak and ransomware encryption.
- The triple model adds a DDoS element. It was first performed by SunCrypt and RagnarLocker operators in the latter half of 2020.
- Quadruple extortion includes contacting customers found in the leaked data, via email or a call center. Cl0p and REvil have used this model.
Data leak extortion allows attackers to target otherwise off-limits industries like healthcare and CNI, and while many people believe this will be the model going forward, it might not be the case. Blackmail is a critical part of this business, but it's actually the weaker extortion ploy compared to preventing a company from working. There's also no guarantee that attackers will delete any stolen data.
Cybersecurity insurance also adds a whole new layer to the current ransomware environment. Some have theorized that ransomware gangs could specifically target organizations that they know have ransomware insurance coverage – because the likelihood that the victim will pay is high.
However, to date we have seen little evidence of this. In addition, there is concern that by covering ransomware payments, insurers are tacitly accepting cybercriminal activity. Recent U.S. declarations of sanctions on certain ransomware groups and the bitcoin exchanges they use further complicate matters.
So, where do we go from here? Will cyber insurance firms stop covering ransomware payments?
In fact, the opposite has recently been occurring – the Grief ransomware group threatened to permanently delete recovery keys if the victim brings in professional negotiators. Such negotiators can lead to lower payments for the victims and help buy the victim more time to put a recovery plan in place – neither of which is welcome news for the attacker.
What business leaders should do
The situation continues to be in flux with ongoing political conversations and changes in cyber risk management at the highest levels. So, what can you do to keep your organization protected?
The threat landscape continues to evolve, but that doesn't mean security teams have gained any additional resources to stop or identify criminal activity faster.
To navigate this ongoing challenge, here are three things security leaders can prioritize:
- Visibility is the key to identifying any type of ongoing attack – whether the criminals' end goal is to exfiltrate files, drop ransomware, or more. This seems obvious: You can't know they're in your environment if you don't have visibility across your environment. But while seemingly a simple concept, this is a major challenge for many organizations.
- Data correlation must be done to make sense of the visible data. Seeing 1,000 security logs a day is only helpful if the responsible team can make sense of the noise. Surveys and incident response scenarios continue to prove that this is not the case for most organizations.
- Early warning detection of activity commonly associated with the initial access or lateral movement phase is also key for any defense. This is the stage of the kill chain where the advantage is still on the defender's side, before an attacker gains significant control of the network and data exfiltration and ransomware can be deployed.
Again, this sounds simple on paper, but we know it is not that simple in practice.
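As an added illustration of the visibility, correlation and early-warning points above (example code written for this edit, not from the article or Trend Micro), the following Python groups constructed events from three assumed log sources by account and raises a single alert only when initial-access evidence is followed by lateral-movement evidence within a configurable window. The log format, event names, hosts and accounts are all constructed sample data.

```python
"""Added example: a minimal cross-source correlator that turns individual
security events into one early-warning alert when activity matching the
initial-access stage is followed by lateral-movement activity for the same
account within a short window. All data below is constructed, not from a
real incident; the 'timestamp source key=value ...' format is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three log sources: VPN, authentication, EDR.
SAMPLE_LOGS = [
    "2021-09-01T08:02:10 vpn  user=jsmith src=203.0.113.7 event=login_success",
    "2021-09-01T08:05:41 auth user=jsmith host=WS-042 event=new_local_admin",
    "2021-09-01T08:09:03 auth user=jsmith host=SRV-DB1 event=remote_logon type=network",
    "2021-09-01T08:09:30 edr  user=jsmith host=SRV-DB1 event=service_installed name=remote_exec_svc",
    "2021-09-01T09:30:00 vpn  user=aphan src=198.51.100.9 event=login_success",
    "2021-09-01T12:00:00 auth user=aphan host=WS-007 event=remote_logon type=network",
]

# Defender-defined mapping of event names to kill-chain stages (assumed).
INITIAL_ACCESS = {"login_success", "new_local_admin"}
LATERAL_MOVEMENT = {"remote_logon", "service_installed"}

def parse(line):
    """Parse one 'timestamp source key=value ...' line into a dict."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    event.update(f.split("=", 1) for f in fields)
    return event

def correlate(lines, window_minutes=30):
    """Build a per-account timeline across all sources, then alert when the
    first initial-access event is followed by lateral movement within the
    window. Returns a list of alert dicts (empty if nothing correlates)."""
    window = timedelta(minutes=window_minutes)
    timeline = defaultdict(list)
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        timeline[ev["user"]].append(ev)
    alerts = []
    for user, events in timeline.items():
        first = next((e for e in events if e["event"] in INITIAL_ACCESS), None)
        if first is None:
            continue  # no initial-access evidence: lateral events alone are noise here
        moves = [e for e in events if e["event"] in LATERAL_MOVEMENT
                 and first["ts"] < e["ts"] <= first["ts"] + window]
        if moves:
            alerts.append({"user": user, "stage": "initial_access->lateral_movement",
                           "hosts": sorted({e.get("host", "?") for e in moves}),
                           "sources": sorted({e["source"] for e in [first] + moves})})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Note that the second account (aphan) produces no alert: its remote logon falls outside the window, which is the noise-versus-signal distinction the correlation step is meant to make.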
Many companies are consolidating security vendors to eliminate gaps in visibility and protection and make it easier for their analyst team to make sense of fewer security logs.