Ransomware as a Service Innovation Trends to Watch

Following the unprecedented actions of the Russian FSB to constript into service arrest a large number of REvil operators, the risk profile of being a RaaS operator has shifted. The main takeaway from these arrests may be to cut a lower profile (i.e. don’t draw the IRE of the US government or other governments that may take disruptive or even kinetic actions against a group). The Conti group, while still quite brazen against US LEA, has tried to learn the lessons from DarkSide (who was responsible for the Colonial Pipeline attack) and has conspicuously avoided inflaming certain governments and industries (outside of their own) in their attacks. LockBit 2.0 has also tried to seize on some of the missteps of REvil. 

Late majority RaaS operations are relinquishing control of the attack life cycle by allowing affiliates to handle the entire attack. They are also relinquishing more control over the outcome and, by extension, whether the attack actually results in revenue. It is up to the affiliate to ensure the attack is successful, that backups are compromised and that the encryption spreads far enough to inflict meaningful damage. If they fail, the victim is better positioned to restore from secure backups. 

Further RaaS Innovation Trends to Watch

Ceding control to affiliates: Coveware’s data shows that only 22.6% of victims in 2020 had viable backups, but in 2021, this margin has jumped to 42% of victims. This data point is surely influenced by multiple variables, but there has been a distinct drop in the number of cases where the threat actor was successful in rendering the backups useless. In parallel, we note that the percentage of cases involving the threat to release data continues to climb. We may deduce from these trends that threat actors are relying less on the operational disruption (harder from a technical perspective) of encrypted backups and more on the threat of sensitive data leakage to intimidate victims into paying. 

RaaS operations like Conti and Lockbit 2.0 are ceding control over their ‘brand’ by allowing sloppy affiliates to carry out attacks without the victim’s profile being vetted. While RaaS groups may SAY they don’t attack hospitals or charities, most of them still do. The cybersecurity community is acutely aware of which extortion groups generally stick to their word, and which groups are routinely problematic and unreliable. In Coveware’s YTD examination of 2021 attacks, 78.3% of re-extortion events were attributed to RaaS actors, which is an increase from 66.7% of re-extortion events in 2020. Re-extortion is a particularly nasty behavior wherein the bad actor signals to the victim that they agree to an offer, takes the money, and then informs the victim they need to pay another sum or they will get nothing. This behavior is observed far less when dealing with non-RaaS ransomware groups (such as closed RaaS or lone wolf groups). 

Another equally damaging habit of RaaS affiliates is their propensity to prematurely leak victim information before negotiations have completed and sometimes before they’ve even had a chance to begin. Over 90% of premature data leaks observed in 2021 were attributed to RaaS actors. More concerning still is that of these disclosures where the actor responsible was part of a RaaS organization, over 60% were from Closed RaaS groups, which are historically more selective about who they allow in and – theoretically – should be more experienced and professional. We infer from this trend that either the vetting process for Closed RaaS recruiting has started to deteriorate and/or that contemporary ransomware actors do not place much value anymore on preserving their reputations as trustworthy hostage takers. Regardless, these increasingly volatile behavior patterns will have a direct and lasting impact on future victims’ inclination to pay or not pay.

There have been other small innovations that RaaS operators are testing. Last month, security researchers reported that the FIN7 hack group was dipping their toes into the ransomware business not by advertising to new affiliates, but by trying to recruit legitimate IT practitioners under the guise of recruiting them to provide commonplace penetration testing services. As noted by Bleeping Computer, “By creating fake cybersecurity firms to conduct attacks, Gemini believes it is an attempt to hire cheap labor rather than partnering with affiliates who demand a much larger 70-80% share of any paid ransoms.”

Innovations in Affiliate Deception:  Not all innovation is for the good of the community.  In September 2021, Yelisey Boguslavskiy of Advanced Intelligence reported that REvil leadership had planted a backdoor into victim TOR negotiation chats that would allow them to discreetly scam their own affiliates out of a payment without the affiliate realizing anything was amiss. REvil affiliates were entitled to 70% of each ransom but with this magic trick, a REvil administrator could impersonate the victim and announce they were deciding not to pay, while simultaneously setting up a secret mirrored chat with the real victim to finish the transaction. News of this compelled the Lockbit 2.0 operations to advertise that THEIR affiliates could control 100% of the negotiation and payment, and only share proceeds on their own terms with the developers. 

Balancing brand and LEA attention: The original draw of ransomware to cyber criminals was its inherent nature of being a low risk/high return enterprise. The explosion of ransomware attacks over the past several years has been fueled by innovation to the RaaS model. While the profitability has soared, the risk profile has substantially increased given the volume of LEA actions against RaaS groups and against infrastructure tools / tradecraft used by these groups.  All high profile seizures and shutdowns of ransomware gangs in 2021 and 2022 were RaaS affiliate-based groups as opposed to non-affiliate based groups.