Ransomware As A Service And The Strange Economics Of The Dark Web
Ransomware is changing, fast. The past three months have seen dramatic developments among the ransomware ecosystem to include the takedown of LockBit’s ransomware blog, BlackCat exiting the ecosystem, and the emergence of several smaller ransomware groups.
This article aims to provide context for recent news. First we will cover how ransomware groups and affiliates work together. Then we’ll dive into affiliate competition, a key driving force for the ecosystem, how ransomware is changing in 2024, and what might come next.
Ransomware Groups and Affiliates: A Complex Supply Chain
As the cybercrime ecosystem has grown, it’s also grown more complex with many different actors carrying out individual legs of a complex supply chain.
It’s worth pausing for a moment to explain just how the ransomware ecosystem works. Ransomware as a Service (RaaS) has emerged as the dominant business model among large ransomware groups.
In this model RaaS groups focus on developing novel ransomware code and attracting affiliates. Ransomware affiliates work with the broader group to compromise IT infrastructure and distribute ransomware, the ransom itself is then often negotiated by the RaaS provider.
This model works well for both the operators and affiliates, and is used by both LockBit and BlackCat, the largest two groups which alone accounted for a plurality of ransomware attacks in 2023.
Giving affiliates the hard work of executing successful attacks allows the groups to scale much faster and compromise many more victims than would otherwise be possible while also enabling the groups to continue to innovate on their ransomware code.
Affiliates themselves rely on other supply chains to effectively carry out attacks. In many cases we see affiliates sourcing access from another type of dark web threat actor – the initial access broker (IAB).
Affiliate Competition Among Groups
Competing for the best affiliates is a difficult and complex business. Ransomware as a Service groups face the same dilemma as a legitimate business, they need affiliates to make the model work, and have to compete on price and quality to attract the best affiliates.
This has led to a highly competitive ecosystem, in which the largest ransomware groups try to offer potential affiliates a larger share of successful ransoms and less restrictions than other groups as a play to win the most sophisticated affiliates. In fact, LockBit even purchases privileged access to corporate IT environments from other threat actors to distribute to affiliates, even though this substantially reduces potential return for LockBit.
Why is the Ransomware Ecosystem Changing?
The past four months have seen a dramatic shift in the landscape. First BlackCat’s ransom blog was taken down in December of 2023. This led to BlackCat setting up a new blog and announcing they were increasing the share of ransoms paid to affiliates to 90%, a substantial increase that likely reflected insecurity about their ability to retain top affiliates.
This was followed by a takedown of LockBit’s blog in February of 2024. It’s worth noting that while infrastructure was compromised, the groups themselves remain at large. The ability of law enforcement to completely stop these groups operations is limited, however takedowns have substantial effects with the affiliate ecosystem.
Being a large group has benefits and drawbacks. Affiliates want to work with established groups that have good ransomware code and seem stable. Since the RaaS group typically pays out for success ransoms, working with an unstable group is highly risky.
However, large groups also become massive targets for law enforcement actions. By taking down LockBit and BlackCat, law enforcement has reduced confidence in affiliates with both groups.
Reduced affiliate confidence is likely one of the reasons that BlackCat is exiting the ransomware ecosystem after allegedly refusing to pay an affiliate out for a successful 22 million dollar ransom against a major U.S. healthcare entity.
Reputation is Everything in Cybercrime
Ransomware groups run on reputation; in the cybercrime world trust is non-existent and scams are incredibly common. Ransomware groups that want to have talented affiliates with deep technical skills need to build and earn trust over time and associate that trust with their “brand.”
Ransomware groups need an aura of invulnerability to successfully do business. For affiliates a takedown represents the existential threat that law enforcement may gain enough information to personally identify them.
Likewise if victims of the group believe that law enforcement may compromise infrastructure and provide decryption keys they become heavily disincentivized from paying, further disincentivizing affiliates to work with that group.
Where are Things Headed?
Ransomware likely isn’t going away any time soon, but we do expect substantial changes to the ecosystem. Taking down ransomware infrastructure certainly causes temporary disruption to the groups affected, but it does not permanently impact an ecosystem driven by hundreds to thousands of affiliates.
If history is any guide we may see a fragmentation of the ransomware ecosystem. In 2022 Raid Forums was taken down by law enforcement, this resulted in many new smaller dark web forums popping up as fleeing users formed their own communities.
The sudden shock caused by the exit of BlackCat and the takedown of LockBit may result in a similar phenomenon in the ransomware ecosystem as affiliates lose trust in large groups and instead opt to run their own smaller organizations.
What Implications does this have for Corporate Security?
In the short term the threat of ransomware may recede somewhat as the ecosystem shifts into a new paradigm. Regardless of how the ecosystem changes, the same blue-teaming recommendations can help organizations reduce the risk of high-impact incidents. We recommend organizations to:
Conduct Extensive Monitoring for Stealer Logs and Leaked Credentials: Identity based attacks are one of the top vectors threat groups are using to compromise corporate IT environments. Ensure that your organization has extensive dark web monitoring across hundreds of cybercrime communities where stealer logs and leaked credentials are sold and shared.
Patch Known Exploited Vulnerabilities: Many ransomware affiliates gain initial access through known vulnerabilities that organizations delay patches for. Prioritize currently exploited vulnerabilities on externally facing assets in your patch management program.
Use MFA/2FA on all corporate applications: We recommend that companies implement 2FA controls on all internal SaaS and corporate applications. Authentication apps work better than SMS as a result of the ever-present risk of SIM swapping.
Detect & Remediate Stealer Logs with Flare
The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors.
Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools.
Learn more by signing up for our free trial.
Sponsored and written by Flare.