Ransomware Groups Keep Blaming Affiliates for Awkward HitsAvosLocker Kicks 'Free' Decryptor to Unnamed Police Department in United States
Ransomware-wielding attackers continue to hit businesses, demand a ransom payment and oftentimes dump stolen data if a victim chooses not to pay. But some attackers also appear to be keeping a closer eye on victims - at least after they have been infected - in case they bring unwanted attention.
The AvosLocker gang last month apologized and issued a free decryptor to a victim, after realizing it was a U.S. police department, the security researcher who goes by @pancak3lullz reported Wednesday.
"Sometimes an affiliate will lock a network without having us review it first."
The identity of the police department, as well as how attackers breached its network or what data they may have stolen, remains unclear.
A representative from AvosLocker told Bleeping Computer that while the gang tries to avoid attacking government entities or healthcare, it has no prohibition on attacking any specific type of target. It further claimed "that sometimes an affiliate will lock a network without having us review it first."
This "we blame our affiliate" excuse trotted out by AvosLocker has been previously wielded by others, including the DarkSide group. It memorably blamed an affiliate for having gone off-piste and hit Colonial Pipeline in May, claiming the affiliate had been acting without authorization. But affiliates are in effect business partners, or contractors, who get vetted by a ransomware operation and then conduct attacks in its name.
Hence blaming the affiliate is simply marketing spin, as ransomware-as-a-service operations largely outsource their attacks, leaving it to affiliates to choose targets, in return for typically giving the affiliate 70% or 80% of every ransom paid by one of their victims. In many cases, affiliates don't appear to spend any time attempting to identify an organization until after it's already fallen victim, at which point they will sometimes attempt to backpedal (see: Secrets and Lies: The Games Ransomware Attackers Play).
Another bit of spin: promising in advance to give a "free decryptor" to any government or healthcare targets that may get "inadvertently" hit. Unfortunately, having a decryptor won't magically make the impact of a ransomware attack disappear. Mitigating such attacks and rebuilding systems is often a lengthy, painful process.
After being hit with Conti ransomware in May, for example, even after Conti gave it a gratis decryptor, Ireland's Health Services Executive spent months recovering from the attack, during which time patient care in the country was significantly disrupted.
Demise of DarkSide
Is there any accountability for ransomware groups failing to avoid disruptions that affect the security or health of a nation? DarkSide's attempt to pass the buck arguably failed, given that the attack provoked a furious response from the White House, including - we now know - the government tasking military hackers to target ransomware groups' infrastructure.
Scrambling for cover as the Biden administration publicly called for a crackdown, DarkSide in May announced it would cease working with affiliates, and appeared to go dark. But shortly thereafter, security researchers reported that it had simply rebranded as the BlackMatter group, welcoming affiliates back into the fold
Far from going into hiding, from July through September, BlackMatter was responsible for 7% of all known ransomware attacks, according to threat intelligence firm Intel 471.
So while some ransomware operators will attempt to deflect the blame for awkward attacks, or promise they've retired, it seems these extortionists will say anything in pursuit of their illicit profits.