Euro Security Watch with Mathew J. Schwartz

The Upside-Down, Topsy-Turvy World of Ransomware

Crowded Leak Site May Be a Weakness and Fewer New Players a Sign of Higher Quality
What's up is now down. (Image: Shutterstock)

How many ransomware victims pay their attackers to avoid the psychological fallout of having their name listed - or their stolen data dumped - on a data leak blog?

We don't know. The answer to that question involves a complex mix of psychological pressure, public relations fears, shame at falling victim and myriad other factors, rational or otherwise.

Here's what we do know: Compared to last year, "ransomware announcements continue to increase, despite multiple notable law enforcement disruptions and arrests," says a new report from Unit 42, the threat intelligence group at Palo Alto Networks.

In the first half of this year, 53 ransomware groups collectively listed 1,762 new victims - an average of about 294 per month - across their leak sites.

Attackers' continuing use of data leak sites suggests they still serve as a useful prod for driving at least some victims to pay. Extortion groups aim to make themselves look as big and bad as possible to scare future victims into paying.

But as so often is the case, those who shout the loudest are hiding a weakness, since leak site posts don't correlate well with security companies' telemetry data. LockBit has long claimed the spot of "most prolific hacker" based on its leak site. But ransomware response group Coveware said that of the thousands of cases it helped investigate from April through June, LockBit accounted for just 7%.

Victim counts also may not reflect a few big scores. Take the Dark Angels ransomware group, which first appeared in May 2022 and "managed to attract very minimal attention," said Zscaler ThreatLabz. That was until ThreatLabz recently tied the group to receiving the biggest-known ransomware payoff in history, worth $75 million, earlier this year.

That's a reminder that data leak sites never tell the full story. Not all ransomware groups use them, and when they do, they only ever list a subset of nonpaying victims, rather than a full and complete accounting of who did pay (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).

The Rise of RansomHub

Another wrinkle is the concept of the groups themselves, which can disguise how amorphous the criminal ecosystem can be. Ransomware-as-a-service operations rely heavily on affiliates. These business partners function as contractors, taking an operation's crypto-locking malware and using it to infect a victim, typically in return for 70% to 80% of every ransom paid.

Affiliates sometimes work with multiple ransomware operations at the same time, or they change allegiances. The same affiliate might be responsible for victims tied to different ransomware groups. Even as the groups themselves come and go, at least in name, affiliates typically remain at work.

Take Notchy, the self-described spurned affiliate of BlackCat. Notchy next took the Change Healthcare data to RansomHub, which began re-extorting the medical billing middleman.

RansomHub is a newcomer that appeared in February and "quickly established itself as a prominent extortion group," listing 181 victims through the end of June, said cybersecurity firm Rapid7.

Broadcom's Symantec security group said RansomHub appears to be a reboot of the Knight group, formerly known as Cyclops, based on the similarity of their malware.

Whether the same players are involved isn't clear, but the developers of the Knight source code announced their retirement in February and the sale of their source code, meaning "it is possible that other actors bought the Knight source code and updated it before launching RansomHub," Symantec said.

The ransomware group's rapid rise appears to have been aided by the likelihood that it features "veteran operators with experience and contacts in the cyber underground," Symantec said, and also by its recruitment of seasoned affiliates from BlackCat, including Notchy.

Decline in Newcomers

Despite so many ransomware groups being in play, the number of new operations appears to be in decline. Coveware said that during the second quarter it saw a surge in lone-wolf operators, likely driven in part by law enforcement takedowns and the "toxicity" attached to so many groups, especially when they hit healthcare or other public services.

Rapid7 said that 95 new ransomware groups debuted in 2022. The number last year was only 43. But again, numbers don't often speak for themselves when assessing the ransomware criminal underground, since the lower number may represent a push for quality versus quantity, as ransomware operators double down on what works.

Tactically speaking, that appears to involve "more specialized and highly effective ransomware variants," Rapid7 said, as well as more extortion-only operations. "This shift indicates that ransomware groups are focusing on quality over quantity, refining their techniques and utilizing proven tools that allow for targeted and disruptive attacks."



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



