Contributors: Jason Baker, Senior Threat Intelligence Consultant; Drew Schmitt, GRIT Practice Director
This blog expands on observations from GRIT’s February 2024 ransomware report. For our original analysis and other observations on the ransomware ecosystem, check out our February report here.
Introduction
In late 2023 and early 2024, ransomware-as-a-service (RaaS) groups, the largest segment of the ransomware ecosystem, were repeatedly disrupted by international law enforcement (LE) agencies. Alphv’s darknet leak site was seized, then unseized, and then re-seized in a law enforcement operation in December 2023 that appeared to fail to stop the group, until Alphv finally shut down after a high-profile attack against Change Healthcare in March 2024, in what appears to have been an exit scam. LockBit experienced a more dramatic and public disruption, Operation Cronos, in February 2024, which resulted in the compromise of its infrastructure, internal operational details, and data. While LockBit ostensibly continues to operate, its highly publicized disruption raises the question of whether the group can continue to operate and attract affiliates at the levels it once enjoyed.
RaaS operations rely not only on maintaining infrastructure and the core group’s eponymous ransomware, but also on affiliates, who do the heavy lifting of hands-on-keyboard compromise and may support multiple ransomware groups. With some exceptions resulting from Operation Cronos, the affiliates supporting RaaS groups remain “in the wild” and can reorganize or support other RaaS groups, which leads to the inevitable questions: where will these affiliates go next, and how will they decide? During our research into the deep and dark web (DDW) in the wake of Operation Cronos, we identified multiple smaller RaaS groups attempting to welcome displaced affiliates with open arms, potentially seeing a recruitment opportunity in the recent chaos.
Operation Cronos, Disruption and Deception
As part of February’s Operation Cronos, a joint operation involving the UK’s National Crime Agency (NCA), the new owners of LockBit’s infrastructure replaced elements of the LockBit data leak site with law enforcement banners and logos, in a tongue-in-cheek parody of LockBit’s iconic site design. Over the following days, the Cronos partners released a series of disclosures, each accompanied by a countdown timer and tantalizing headlines such as “LB Backend Leak” and “Who is LockbitSupp?” The latter sparked much speculation that the ambitious administrator behind LockBit, who goes by the pseudonym “LockBitSupp,” had been identified by law enforcement. Sadly, this hope ultimately failed to materialize, as the new site owners issued a series of cryptic assertions regarding LockBitSupp’s identity but did not provide definitive proof of identity (or an indictment). Importantly, among these assertions was the statement: “LockbitSupp has cooperated with law enforcement.”
(Black)Cat, Domesticated
Following the December 2023 seizure of its data leak site, Alphv appeared to pursue damage control, increasing its ransom share for affiliates to 90% and announcing that it was lifting all targeting restrictions except the prohibition on attacking organizations in the Commonwealth of Independent States (CIS, composed of Russian-speaking countries including Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Romania, Russia, Tajikistan and Uzbekistan). Alphv rebuilt replacement infrastructure and appeared to resume operations until it announced Change Healthcare as a high-profile victim. On March 1, a user nicknamed “notchy” on the illicit darknet forum RAMP claimed that they were the affiliate responsible for the attack on Change Healthcare, that they had not received the $22 million ransom payment, that their access as an Alphv affiliate had been revoked, and that they retained copies of the Change Healthcare data.
The same user went on to provide evidence: a link to a blockchain tracking website reflecting the alleged ransom payment amount and its subsequent transfer, and chat logs with Alphv administrators that purportedly corroborated notchy’s claims. Just two days later, Alphv’s leak site was updated to display a familiar banner explaining that the site had once again been seized by law enforcement.
On the surface, the situation appeared to reflect additional law enforcement action against Alphv, but security researchers soon asserted that Alphv had “faked” the second takedown, based on a review of the page’s source indicating that the seizure notice had been copied. On March 5, an apparent spokesperson for Alphv, using the nickname “Ransom,” responded to notchy’s accusations on RAMP:
“Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”
The emerging consensus in the security community is that this series of events reflects a thinly veiled “exit scam,” with Alphv’s administrators absconding with a final hefty ransom while offering rationalizations and shifting blame for the fallout to law enforcement.
(Dis)Honor Among Thieves
We assess that LockBit may continue to work with some affiliates in the short term, but we expect its total number of affiliates to decrease. These disruptive events have fostered distrust of the most mature RaaS organizations in today’s ransomware ecosystem, including LockBit, and will almost certainly lead to some portion of their affiliates being displaced; the reasons for departures may ultimately vary, from distrust to disillusionment to newfound unemployment. While some affiliates undoubtedly belong to multiple RaaS groups, this is not universally true, and displaced affiliates may seek a new home out of preference or out of necessity. Other RaaS organizations are taking note.
Within the RaaS community, operational tempo and maturity levels vary, with more than 40 distinct groups claiming monthly victim counts ranging from zero to double digits. While some groups start and stay “low-level,” others are eager to grow and expand their operations. Given the potential influx of experienced affiliates, we observed at least three smaller RaaS groups (Medusa, Cloak, and RansomHub) attempting to attract or recruit new members through advertisements on illicit deep and dark web forums. Each group falls into a different tier of GRIT’s ransomware taxonomy, indicating that RaaS groups at different maturity levels are seeking to capitalize on the environment.
All Eyes on Medusa
We first observed the RaaS group Cloak posting on the illicit forum UFO Labs, while Medusa and RansomHub chose the Russian-language RAMP forum for their advertisements. Each ad contains fairly boilerplate details about the group, including a brief description, the ransom split, and contact details for communication via TOX. Each touts the strength of its encryption, the ease of use of its panel, and ample opportunities for interested “pentesters.” Beyond these similarities, we also noted some differences in each group’s approach.
As objective outside reviewers, we find Medusa’s post particularly compelling, because the group claims a sliding payout ratio that starts at a 70/30 affiliate/core split and increases to 90/10 depending on the ransom amount obtained; only affiliates that obtain ransoms of more than $1 million are eligible for the 90/10 split, which may incentivize higher ransom demands. To help obtain these hefty ransoms, Medusa provides 24/7 support from its “admin team,” “media advertising team,” and its own “negotiators,” should prospective affiliates wish to take advantage. On March 12, the group responded on the RAMP forum that it accepts non-Russian speakers and “welcome[s] teams worldwide.”
(Ransom)Hub and Spoke Model
In comparison, RansomHub appears to take a less material approach, choosing instead to rely on current events as a tool of persuasion. A user named “koley” on the RAMP forum opened the RansomHub ad by alluding to the recent law enforcement disruptions:
“We have noticed that some affiliates have been seized by the police or have escaped from fraudulent activity causing you to lose your funds.”
RansomHub went on to implicitly address the trust crisis in the RaaS community, announcing that its affiliates are able to collect ransoms directly before paying a 10% fee to the core group. This approach may be an attempt to assuage concerns about “exit scams” or other deceptions that have recently circulated around the proverbial cybercriminal water cooler in the form of gossip and accusations. Finally, the group explicitly allowed participation in multiple RaaS groups where permitted, resulting in an open and welcoming ad from the least mature group among those we observed.
Cloak and Dagger
Compared to Medusa and RansomHub, the RaaS group Cloak’s ad appears the least compelling, with barely any unique features to attract potential affiliates. The ad states that “for privacy reasons, ransom should be paid in Monero (XMR),” a demand often made by ransomware affiliates due to the traceability of Bitcoin transactions, but one rarely indulged by victims. Cloak advertises an 85/15 affiliate/core ransom split, with no deposit or payment required to join its ranks; instead, new entrants are reportedly vetted through interviews. Cloak emphasized the strength of its ransomware and its willingness to add features upon request, but otherwise failed to promote the full-service support and generous ransom splits we observed from its sister RaaS groups.
A Desperate Search for Cybercriminals
In addition to these ads from known and active RaaS groups, we have also observed recent attempts to attract potential and current RaaS affiliates elsewhere on the deep and dark web, including the following:
On March 12, a post on the illicit forum “CyberNulled” promoted a $100/month or $800/year subscription membership in “RAAS FLOCKER’s Elite Affiliate Program,” an ambiguously named service offering that promises “access to the latest [ransomware] tools and techniques,” “[securing] your spot in the ransomware market with unparalleled access,” and “a lucrative share of the profits for each successful campaign you execute.”
On February 12, a new forum member posted an advertisement for “BEAST ransomware” targeting Windows, Linux, and ESXi on an illicit breach forum. When confronted about their lack of credibility and the absence of members vouching for their product, the original poster reiterated that their program offers “the most favorable conditions on the market and dynamic rates for each advert. First contact with a description of your experience, availability of targets for attacks.”
While the ransomware has been advertised on illicit forums intermittently since at least mid-2022, forum users have responded in recent months with denials or censure.
As we assess in GRIT’s ransomware taxonomy and regular ransomware reports, ransomware groups (including RaaS groups) most often rebrand or splinter as a means of continuing to operate despite law enforcement scrutiny. Affiliates, by contrast, face a competitive market among RaaS groups, which have a limited pool of affiliate talent to recruit from; the recent increase in affiliate advertising may indicate continued constraints on available human resources, a growing number of groups affected by distrust of specific RaaS groups or of the RaaS operating model, or affiliates who no longer intend to continue operating. If affiliates were to migrate to other RaaS groups, we would expect to see a decrease in the number of victims posted by the RaaS groups losing affiliates and an increase in the number posted by the RaaS groups gaining them; we would also expect to see more high-profile victims posted by historically less mature RaaS organizations.
We intend to continue monitoring for other signs of distrust and dissatisfaction among the RaaS community and its affiliates, as there are indications that the RaaS model may come under increased scrutiny, particularly as RaaS TTPs lower the barrier to entry for scammers and unskilled actors. From a law enforcement and policy perspective, grievances within the RaaS ecosystem and among its constituent members may represent opportunities to encourage discord, amplify distrust, and seek out cooperating sources with unique access or connections.