Understanding the visible landscape is more accurate when we understand the underlying morphology that shapes the landscape.
WithSecure’s Ransomware Landscape report for H1 2024 (PDF) provides similar information to many other recent ransomware reports. This is unsurprising since most researchers use the same sources for their data – and especially an analysis of leak sites to understand the nature and volume of ransomware attacks that lie beyond public reporting. Note that leak sites and public reports still omit one major factor in ransomware statistics: the number of successful attacks where the ransom is paid (no inclusion on a leak site), and there is no public disclosure (the victim is protecting its business brand reputation).
So, from the leak sites, we know there is growth in the number of ransomware attacks against SMBs. We know that the industry is contracting while there is no real contraction of ransomware attacks – implying that attackers are coalescing around a fewer number of successful malwares. We know that engineering and manufacturing, real estate and construction, health services, and finance are the most attacked sectors. This is all probably statistically accurate, even though we don’t know what we don’t know.
On their own, these bald ‘facts’ do not help us understand the current ransomware landscape – but the WithSecure report provides several other discussion points that are illuminating. For example, cyber is new and continuously evolving. It requires new terminology that must also evolve to accurately reflect this changing landscape.
A recent example of the changing lexicography of ransomware is required by the growth of ransomware-as-a-service (RaaS). We used to describe the malware as a ‘family’ and the malware operator as a ‘group’, sometimes combining both concepts under one name.
This no longer works with the influx of affiliates operating within the RaaS framework. LockBit is a good example. Does the term ‘LockBit’ refer to the founding group, a specific malware, or an unknown affiliate? WithSecure is championing a new term: ‘brand’. LockBit is the name of a brand, and the use of this term gives us a better understanding of how the RaaS ecosystem works.
It is a useful concept because it can be applied to each different RaaS operation. It also reflects and helps us understand the growing professionalism in the world of bad actors. We now have malicious brands as well as legitimate business brands. The same rules apply to both worlds: all businesses must protect their brand reputation to maintain its profitability. Brand protection and the failure of brand protection are driving forces in the RaaS world, both attracting new and repelling existing affiliate operators. And in both worlds, there are nomad workers, who change businesses frequently, and sometimes work for two or more different ‘employers’ at the same time.
Two major and instructive events in H1 2024 (the LockBit takedown and the AlphV ‘takedown’ and exit scam) are discussed in the WithSecure report. Both illustrate the importance of brands and brand protection. They also illustrate the importance of law enforcement actions against ransomware brands. Such action never eliminates the ransomware and rarely removes the actors (unless they can be arrested). But they do damage the brand. A weaker brand will attract fewer affiliates, weaken the overall ransomware ecosphere while existing affiliates choose and move to a different brand, and probably dissuade some wannabe criminals from thinking RaaS is a risk-free easy-money occupation. Continuous law enforcement action is important and valuable. “It is almost certain that law enforcement action has significantly impacted the ransomware ecosystem,” says the report.
Advertisement. Scroll to continue reading.
In February 2024, Law Enforcement infiltrated LockBit and seized its leak site. “LEA also gained access to the affiliate communications/control panel and were able to leave messages threatening LockBit affiliates,” adds the report. Many of these affiliates jumped ship and moved to another brand. But as with any business suffering brand reputation loss, there are two options: rebuild the brand or shutter the business.
“LockBit is ALMOST CERTAINLY [sic] in a rebuild phase intending on returning to the industry with a more robust operation,” states the report.
Tim West, WithSecure’s director of threat intelligence and outreach, told SecurityWeek, “LockBit is trying to rebuild. We don’t know if it will be successful, but there are signs that it is in a serious phase of overhaul with new infrastructure being established and tested. For example, some of its leak sites are being made live, taken down, and being made live again with slightly different underpinning technologies. Some human-oriented analysts have detected a demeanor change in the personnel putting out information that we could view as LockBit press releases.”
LockBit is taking the first option: rebuild. AlphV took the other option: cash in quick and leave. The brand claimed its departure was in response to an LEA seizure. It probably wasn’t, although it had been taken down previously in 2023. The operators simply wanted out and used putative LEA action to confuse a basic ‘exit scam’. In its ‘terms’ with affiliates, the brand would receive ransom payments acquired, and pay the affiliate a commission. In this case, the brand received what is almost certainly a $22 million payment by Change Healthcare, kept the entire amount without paying the affiliate and disappeared.
It is worth noting that this would result in an almost total but self-inflicted loss of AlphV brand reputation.
At around the same time, a new brand became active: RansomHub, which expanded rapidly. Since AlphV had a history of rebranding, there was a suggestion at the time that this was a new AlphV rebrand. This is possible, but WithSecure believes it is unlikely. The code similarities between AlphV and RansomHub are insufficient to claim they come from the same source. But the rise of RansomHub at the same time as the disappearance of AlphV does suggest a fairly widespread migration of affiliates from the latter to the former.
“The affiliates that were working to AlphV, or using the AlphV brand, are now using the RansomHub brand,” said West.
This hypothesis is strengthened by the appearance of Change Healthcare data on the RansomHub leak site (the AlphV affiliate had retained the data if not the ransom, and had now joined RansomHub), and RansomHub’s terms and conditions are designed to attract former AlphV affiliates: you keep the money and pay us, rather than we keep the money and pay you; that is, you can trust us.
So, what can we learn from the interaction of RaaS brands and trust on the ransomware ecosphere? First, there may appear to be a fluid movement between brands by affiliates – loyalty seems more based on inertia than genuine loyalty. LockBit’s affiliates left in the face of LEA threats and brand damage – they haven’t waited for LockBit to rebuild its brand reputation. AlphV’s affiliates were forced to leave by the disloyalty of the brand. Brand recruitment and marketing seems to work, with RansomHub attracting new affiliates through attractive terms.
This history of LockBit, AlphV and RansomHub provides a neat picture of the threat from RaaS, with affiliates, whether individuals or small groups, moving from one brand to another as necessary. That, however, is misleading. Things are never so simple.
“It’s highly likely that many ransomware actors remain loyal to a particular brand they know and trust,” explained West, “and some ransomware brands will run a ‘core’ set of actors. BianLian is a good example of this, as they do not appear to vary their TTPs or tooling – only rarely do we see activity that deviates from what we believe is a core cluster of actors.”
At the same time, some actors will work with multiple brands. “Ukrainian police recently arrested a crypter (someone who wraps or packs malicious binaries to evade detection by endpoint security products) who was known to work with both Conti and LockBit,” he continued. “And a ransomware affiliate named DEV-0504 / Velvet Tempest has been tracked across BlackMatter, Ryuk, AlphV, and Lockbit intrusions. DEV-0504 was recently observed in RansomHub intrusions.”
Similarly, affiliates working with a particular brand can spin off and form their own brand – a process simplified by several leaks of ransomware source code. “There are also examples of one-to-many rebrands, where brands like 8base and Faust are derivatives of a single variant.”
In short, while the statistics around the effect of ransomware are fairly constant between different researchers (because the source of those statistics is common to the researchers) the interpretation of the underlying causes (the morphology of the landscape) may differ between different researchers. WithSecure and its Ransomware Landscape H1/2024 report shows that the criminal underground is not fundamentally different to the legitimate business world: employees come and go, get head-hunted and sometimes take business knowledge from one job to another; sometimes moonlight between multiple brands; and will stay where there is mutual trust and good treatment, and move on when brand, and trust, and treatment deteriorates.