Cybercriminals quitting, or just evolving to different roles?
Every few months a high-profile ransomware group announces that it's shutting down its operations. Last month it was Avaddon. Before that it was DarkSide. Before that it was Maze, and so on. Sometimes, when they decide to disband, these groups release their master keys, which might help some victims who have not already paid a ransom or recovered their files from backups, but the criminals behind the groups don't really disappear from the ecosystem or go to jail. They just move to other groups or change roles, for example from manager of a successful ransomware operation to investor.
Ragan compares this to traditional criminals using shell companies to funnel money and then, when the heat gets too high, disbanding them and moving on. "It's almost exactly like that," he says. "Again, that's another parallel between the criminal world and what we see on our side of the little wall. They're both criminal acts, but at the same time, organisations that aren't thinking of cyber, they're used to the concept of shell companies and how they can be used for nefarious means. Well, these brands that the ransomware and the malware groups use—same difference."
According to Krehel, the lifespan of ransomware groups is usually around two years because they understand that after that time they'll receive too much attention, especially if they've been very successful, and the best thing to do is to retire the group and create a new one. Maybe some members retire and become venture capitalists in other groups, but this shuffling of groups is more about generating confusion and making it harder for law enforcement to get all of the participants' names, he says.
The ROI from ransomware is so good that career cybercriminals can't afford not to be involved in it. That's why groups that have been associated with other forms of cybercrime, such as credit card theft or hacking into banks, have started either adopting ransomware as a revenue stream or collaborating with ransomware gangs.
"The groups have shifted and joined up with other groups and made alliances," Ragan says. "Literally, if you were to parallel that to the real world, it's mergers and acquisitions. They might think they obtained talent from other groups who joined them and now they're developing their own ransomware, or they get their affiliate programs and merge it into one."
"It's quite clear that some of these 'new strains' are likely stemming from 'old' groups," says Hoffman. "Maze, Egregor, REvil, all these guys, they splinter off and they create other things like AstraLocker and LV and all these new ones that are coming out. They're not all related but there's a lot of association between new groups and old groups."
Some of the new groups might also serve the purpose of recruiting new people into the business and giving them a platform where they can gain experience. When the group has served its goal and lived its life, some of its affiliates will move on to more established groups.
"There is an ecosystem for criminals for hire, who do have a good criminal record, who conducted good offensive missions and they didn't get arrested," Krehel says. "Those people are now more expensive and their expertise has been added to their criminal CV and are trusted by criminal rings. It also seems to be the case that members are often changing groups. It's almost like you look at Google and Facebook, or some large companies where people are switching jobs. So, there's this constant job switch."
Offensive actions might be needed
Cybercriminals are not going to give up on ransomware easily because it's too profitable and many of them live in Russia or former Soviet Union countries where the likelihood of getting arrested for extorting money from Western organisations is low. Malware programs that originate in Russia or the Commonwealth of Independent States (CIS) have often had built-in checks that prevent their deployment on computers that use Russian or other languages from CIS countries. It's an unwritten rule that malware creators and cybercriminals know: Don't target local companies and you'll be fine. Russia doesn't extradite its citizens, and given the current geopolitical climate between the country and the West, increased collaboration at the law enforcement level on cybercrime is not very likely.
Following another high-profile ransomware attack in July that impacted over a thousand companies from around the world, President Biden spoke with Russian President Vladimir Putin and declared himself optimistic about a collaboration on cyberattack issues, but he also hinted that the US is ready to attack servers used in ransomware attacks in retaliation. REvil, the group behind the attack, went silent shortly after, and Kaseya, the company whose software was hacked and used to propagate the ransomware, received the master decryption key from a source it didn't disclose, but referred to as "a trusted third-party."
If the diplomatic channels fail to produce results in the future and Russian law enforcement agencies don't act domestically, a more offensive approach might be required to discourage these groups and stop attacks before they claim many victims.
"If a foreign government is targeting you [the ransomware gang], that's it. There's nothing you can do," Ragan says. "You're dealing with an adversary that has unlimited time and resources. They will get you. I don't care how good you are. It's a realistic fear that these criminals have and I think that is what's causing the scurry. But here's the problem: The mere mention of sanctions, policies and things like this sent them scrambling, right? What happens if there's no actual enforcement? What happens if these laws and policies come out, but they don't have teeth? Then the criminals come back and they'll come back stronger because now they know there's no teeth and no enforcement."
Hoffman sees an opportunity for the US to be more offensive in supporting businesses, noting that he's not privy to the government's domestic policy on offensive tactics. "Similar to other countries, the national infrastructure that's used for nation-state purposes is not available to combat commercial crime, but in this case we may have to make it available to reduce some of the strain on the businesses here, to become offensive."
Cybercriminals would rather fight an ill-prepared company than a government. "So, if the full force of the national cyber infrastructure of the US comes to bear against the cybercrime world, which is exactly what the forum operators do not want, it could have a significant impact," says Hoffman. "On the other hand, will that cause the 'cyber war' that's been pending between US and Russia down the road and then Russia's national cyber infrastructure will come to bear in a more apparent way against us? Maybe."
If the US government were the one that hacked the people behind DarkSide, took their Bitcoins, destroyed that infrastructure and wrecked those computers, then that's already pretty big, Krehel says. Imagine saying: We'll fly over your house, we're going to take every coin you have in the marketplace, we're going to take your private keys, we're going to destroy every server you ever touched, and we're going to put you on the wall so that if you attack any other business going forward you'll be a target for the rest of your life.