Imposing cost on ransomware threat actors
During the years 2021 and 2022, numerous governments recognized the significance of ransomware as a major threat to national security. In response, they implemented a range of measures, encompassing both legal and regulatory actions, to modify the cost-benefit considerations for cybercriminals. Simultaneously, various initiatives aimed at combating ransomware emerged to address this pressing issue.
As a result of law enforcement efforts, several ransomware groups were compelled to exit the stage, with some even going as far as releasing decryption keys. In addition, law enforcement agencies offered substantial monetary rewards for the apprehension of ransomware group members. By means of international collaboration, law enforcement operations succeeded in arresting cybercriminals affiliated with notorious ransomware threat groups, including REvil, Cl0p, NetWalker, LockerGoga, MegaCortex, and others.
Ransomware became a focal point for military and intelligence services, leading to notable actions by various entities. Public reports indicated that the US military actively engaged ransomware groups, demonstrating its commitment to combatting the threat. A significant development occurred when the Russian Federal Security Service (FSB) apprehended members of the REvil ransomware group. This action could be attributed to Russia’s pursuit of its strategic geopolitical objectives or the possibility of the REvil group targeting Russian entities.
Meanwhile, the White House organized a meeting to coordinate an international response against ransomware, intentionally excluding Russia. In terms of regulatory measures, the Ransom Disclosure Act mandated that ransomware victims promptly inform the US government within 48 hours of making a ransom payment. Additionally, the government of the Netherlands declared its intention to leverage its intelligence and/or armed forces in response to ransomware attacks.
The efforts of law enforcement to disrupt ransomware groups are expected to persist in the foreseeable future. Such attention from law enforcement will inevitably impact the operations of various ransomware groups, leading to changes in their modus operandi. These changes may include heightened operational security, rebranding, internal conflicts, and a shift toward targeting smaller companies. Underground forums, too, are likely to respond to law enforcement actions by imposing bans on the promotion of ransomware affiliate programs, at least in the short term.
However, the long-term effects of law enforcement actions on the ransomware threat landscape remain uncertain. It is possible that new groups will emerge, employing innovative business methods, thus potentially increasing the risks for ransomware actors. Additionally, it is anticipated that the activities of non-US-based groups will rise, while the arrest of REvil members by the Russian Federal Security Service (FSB) is unlikely to deter Russia-based cybercriminals.
Governments are expected to allocate greater resources to combat ransomware threats, tasking their military and intelligence services with disrupting the operations of cybercriminals, gathering intelligence on group members, and recovering ransom payments. This signifies a growing commitment to addressing the ransomware challenge on a broader scale.
Continuous ‘retirements’ and rebranding to avoid law enforcement and sanctions
The significant surge in ransomware operations, coupled with highly critical incidents such as the Colonial Pipeline attack, has led to intensified efforts by law enforcement agencies and governments across the globe. Consequently, ransomware groups have adopted the strategy of “retiring” and rebranding themselves, typically taking an average of 17 months before doing so. This approach allows them to evade detection and adapt to evolving security measures and law enforcement actions.
Cybercriminals exhibit such behavior potentially due to several factors, including:
1) The necessity to restart their operations in the event of critical compromises to their tools, tactics, or infrastructure. For instance, if security researchers develop a decryptor or other countermeasures, cybercriminals may opt to reorganize their operations to maintain their effectiveness.
2) The desire to evade scrutiny from law enforcement, media, and political entities. By retiring and rebranding, cybercriminals can diminish the attention placed on their activities, making it more challenging for authorities to track and apprehend them.
3) The intention to impede and delay attribution efforts associated with an attack. This deliberate strategy allows the perpetrators to create obstacles that hinder identifying the responsible party. By doing so, they aim to ensure that victims are compelled to pay the ransom to an entity that is not subject to sanctions or legal consequences.
4) The need to resolve internal conflicts or disputes within the cybercriminal group. Retiring and rebranding can serve as a means to address and mitigate internal tensions, allowing the group to reorganize and move forward with their malicious activities more effectively.
During the period of 2021 to 2022, several ransomware families exited the cybercrime scene, including Egregor, REvil, BlackMatter, and Doppelpaymer. However, new ransomware families emerged, often exhibiting similarities to those that disappeared. Some notable instances of ransomware group rebranding are as follows:
– Grief ransomware showcased resemblances to DoppelPaymer in its operations and characteristics.
– WastedLocker ransom notes were observed under different aliases such as Hades ransomware or Cryptolocker in the spring of 2021, Payloadbin during the summer of 2021, and Macaw during the autumn of 2021.
– DarkSide ransomware underwent rebranding as DarkSide 2.0 after the release of its decryptor, and subsequently transformed into BlackMatter following the high-profile Colonial Pipeline incident. The BlackMatter gang ceased their operations in November 2021 due to law enforcement pressure. In February 2022, the BlackCat ransomware gang confirmed their affiliation with the previous DarkSide or BlackMatter operation.
– GandCrab, an infamous ransomware strain, evolved into the REvil ransomware family, showcasing a shift in its identity and operational strategies.
These instances demonstrate the dynamic nature of ransomware groups, as they adapt, evolve, and rebrand themselves to continue their illicit activities in the ever-changing cybersecurity landscape.
Data exfiltration and extortion without the use of ransomware
Starting from around 2021, a noticeable trend emerged in the tactics employed by ransomware groups, commonly referred to as multi-faceted extortion or triple extortion. While this approach remained prevalent in 2022, an increase in data theft incidents was observed, with some instances of extortion occurring without any data encryption taking place. Cybercriminals realized that they could demand ransoms without deploying ransomware and subsequently established dedicated marketplaces where stolen data is advertised and sold.
During the negotiation phase, ransomware gangs began referencing victims’ cyber insurance policies as part of their strategy. Notable groups engaged in such activities include LAPSUS$ (also known as DEV-0537) and Karakurt. These groups have been actively involved in conducting multi-faceted extortion operations, leveraging stolen data and adapting their tactics to exploit weaknesses in victims’ cyber insurance coverage.
The growing emphasis on data theft, accompanied by public shaming and extortion tactics, underscores the heightened privacy, regulatory, and reputational risks faced by victim organizations. It is crucial for these organizations to recognize that while having robust backup strategies is essential, it is not sufficient. They must also prioritize the implementation of effective security controls for detecting and preventing the Exfiltration tactic outlined in the MITRE ATT&CK framework (TA0010).
By focusing solely on backup strategies, organizations may overlook the importance of actively detecting and preventing data exfiltration attempts. Implementing relevant security controls aligned with the MITRE ATT&CK Exfiltration Tactic helps organizations bolster their defenses against malicious actors attempting to steal sensitive information. This comprehensive approach enables organizations to better safeguard their data, mitigate risks associated with privacy breaches, adhere to regulatory requirements, and protect their valuable reputation.
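As an added illustration of the detection controls described above (example code written for this page, not part of the original report or of any vendor product), the following script applies a simple volume-based exfiltration check to constructed network flow records. The flow format, the sample records, the 100 MiB threshold and the approved-destination list are all assumptions made for the example; real deployments would tune the threshold against a baseline of normal outbound traffic per host.

```python
"""Volume-based detection of outbound data transfer consistent with the
MITRE ATT&CK Exfiltration tactic (TA0010), run over constructed flow records.
Added example; the record format and all values below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

MIB = 1024 * 1024

# RFC 1918 ranges treated as "inside". We test membership explicitly rather than
# using ipaddress.is_global, because the documentation ranges used in the sample
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are reported as non-global by
# the standard library and would otherwise never count as external.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample records (not real telemetry):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_FLOWS = """\
2022-03-01T02:10:00Z 10.0.5.21 203.0.113.40 443 52428800
2022-03-01T02:11:30Z 10.0.5.21 203.0.113.40 443 62914560
2022-03-01T02:12:00Z 10.0.5.21 203.0.113.40 443 73400320
2022-03-01T09:15:00Z 10.0.7.8 198.51.100.10 443 120000
2022-03-01T09:16:00Z 10.0.7.8 10.0.9.5 445 900000000
2022-03-01T03:05:00Z 10.0.6.3 192.0.2.77 22 41943040
2022-03-01T23:00:00Z 10.0.8.2 198.51.100.200 443 314572800
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_totals(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Sum bytes sent from internal hosts to external destinations, per (src, dst)."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return dict(totals)


def find_exfil_candidates(
    flows: List[Flow],
    threshold_bytes: int = 100 * MIB,
    approved_destinations: FrozenSet[str] = frozenset(),
) -> List[dict]:
    """Flag internal hosts that pushed more than threshold_bytes to a single
    external destination that is not on the approved list (e.g. a sanctioned
    backup or SaaS provider). Internal-to-internal transfers are ignored here;
    lateral staging is a separate detection concern."""
    alerts = []
    for (src, dst), total in sorted(outbound_totals(flows).items()):
        if dst in approved_destinations:
            continue
        if total >= threshold_bytes:
            alerts.append(
                {"src": src, "dst": dst, "bytes_out": total, "mib": round(total / MIB, 1)}
            )
    return alerts


if __name__ == "__main__":
    # 198.51.100.200 stands in for an approved backup provider (assumed value).
    for a in find_exfil_candidates(
        parse_flows(SAMPLE_FLOWS), approved_destinations=frozenset({"198.51.100.200"})
    ):
        print(f"ALERT possible exfiltration: {a['src']} -> {a['dst']} ({a['mib']} MiB)")
```

With the sample data, the three late-night HTTPS transfers from 10.0.5.21 aggregate to 180 MiB and are reported, the 40 MiB SSH transfer from 10.0.6.3 stays under the threshold, the 900 MB SMB copy to an internal host is out of scope for this rule, and the 300 MiB transfer to the approved backup destination is suppressed. Aggregating per (source, destination) pair rather than per flow is the point: an actor splitting a large upload into many moderate sessions still exceeds the budget once the sessions are summed.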