Euro Security Watch with Mathew J. Schwartz

Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Ransomware Groups Keep Blaming Affiliates for Awkward Hits

AvosLocker Kicks 'Free' Decryptor to Unnamed Police Department in United States
Ransomware Groups Keep Blaming Affiliates for Awkward Hits
Apology from AvosLocker (Source: @pancak3lullz)

Ransomware-wielding attackers continue to hit businesses, demand a ransom payment and oftentimes dump stolen data if a victim chooses not to pay. But some attackers also appear to be keeping a closer eye on victims - at least after they have been infected - in case they bring unwanted attention.

See Also: Realities of Choosing a Response Provider

The AvosLocker gang last month apologized and issued a free decryptor to a victim, after realizing it was a U.S. police department, the security researcher who goes by @pancak3lullz reported Wednesday.

The identity of the police department, as well as how attackers breached its network or what data they may have stolen, remains unclear.

A representative from AvosLocker told Bleeping Computer that while the gang tries to avoid attacking government entities or healthcare, it has no prohibition on attacking any specific type of target. It further claimed "that sometimes an affiliate will lock a network without having us review it first."

Affiliate-Based Excuses

This "we blame our affiliate" excuse trotted out by AvosLocker has been previously wielded by others, including the DarkSide group. It memorably blamed an affiliate for having gone off-piste and hit Colonial Pipeline in May, claiming the affiliate had been acting without authorization. But affiliates are in effect business partners, or contractors, who get vetted by a ransomware operation and then conduct attacks in its name.

Hence blaming the affiliate is simply marketing spin, as ransomware-as-a-service operations largely outsource their attacks, leaving it to affiliates to choose targets, in return for typically giving the affiliate 70% or 80% of every ransom paid by one of their victims. In many cases, affiliates don't appear to spend any time attempting to identify an organization until after it's already fallen victim, at which point they will sometimes attempt to backpedal (see: Secrets and Lies: The Games Ransomware Attackers Play).

Another bit of spin: promising in advance to give a "free decryptor" to any government or healthcare targets that may get "inadvertently" hit. Unfortunately, having a decryptor won't magically make the impact of a ransomware attack disappear. Mitigating such attacks and rebuilding systems is often a lengthy, painful process.

After being hit with Conti ransomware in May, for example, even after Conti gave it a gratis decryptor, Ireland's Health Services Executive spent months recovering from the attack, during which time patient care in the country was significantly disrupted.

Demise of DarkSide

Is there any accountability for ransomware groups failing to avoid disruptions that affect the security or health of a nation? DarkSide's attempt to pass the buck arguably failed, given that the attack provoked a furious response from the White House, including - we now know - the government tasking military hackers to target ransomware groups' infrastructure.

Scrambling for cover as the Biden administration publicly called for a crackdown, DarkSide in May announced it would cease working with affiliates, and appeared to go dark. But shortly thereafter, security researchers reported that it had simply rebranded as the BlackMatter group, welcoming affiliates back into the fold

Far from going into hiding, from July through September, BlackMatter was responsible for 7% of all known ransomware attacks, according to threat intelligence firm Intel 471.

So while some ransomware operators will attempt to deflect the blame for awkward attacks, or promise they've retired, it seems these extortionists will say anything in pursuit of their illicit profits.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.