Ransomware is no longer an in-house operation but is widely outsourced to other gangs, as part of an expanded network of cybercriminal enterprise that explains why it has ballooned as a threat in recent years.
That’s the verdict from cyber-analyst Tenable, in its latest round-up of data collected from a wide range of sources on the ransomware threat over the past decade.
According to data from the FBI, in the six years to 2019, ransomware operators extorted $144 million. The following year, they reportedly made $692 million in total, nearly five times more than in all the previous years combined.
“These numbers are likely undercounts of the true figures because of a lack of insight into the cryptocurrency wallets used by all of the ransomware groups, along with delays in receiving such data,” said Tenable. “Ransomware has cemented itself as one the greatest threats to global organizations today – and it has become a lucrative criminal ecosystem in the process.”
What has helped to drive this in Tenable’s eyes has been the willingness of ransomware groups to evolve from ‘owner-operators’ to more entrepreneurial outfits that don’t mind outsourcing their tools to other threat actors in return for a cut of the proceeds. This criminal phenomenon is known as ransomware-as-a-service (RaaS), and it poses a grave threat to businesses and organizations around the world.
Affiliates and brokers
“Ransomware has become its own self-sustaining industry,” said Tenable. “Previously, attacks were perpetrated by the same ransomware groups that developed and propagated the malware, but the advent of RaaS has attracted multiple players. Each has a vital role, making up what we refer to as the ransomware ecosystem. Outside of the ransomware groups, the other key players include affiliates and initial access brokers (IABs).”
IABs are in effect the middlemen of the ransomware ‘industry.’ Highly specialized, they rarely, if ever, take part directly in cyberattacks themselves.
“IABs maintain persistence [find vulnerabilities] within the networks of victim organizations and sell it to other individuals or groups within the cybercrime ecosystem,” said Tenable. “Their fees are very affordable, as they vary between the types of organizations they’ve compromised and the type of access.”
Citing research by fellow cyber-analyst Digital Shadows, which scrutinized 500 listings posted by IABs in 2020, Tenable said simple control panel access to a target victim’s network can sell for around $300, with fully fledged remote-control access coming in at just shy of $10,000.
Another factor driving the seemingly exponential growth of the ransomware ecosystem is the adoption of affiliates – in this case, threat actors who take the frontline, assaulting a target with ransomware before letting the original group step in to handle ransom negotiations. Often the cut offered to such recruits is very generous, ranging from 70% of the final takings, to 90% in the case of BlackCat, a notorious RaaS group.
“For a ransomware group to succeed, they need to recruit affiliates to conduct attacks and provide a steady stream of ‘customers,’” said Tenable, meaning victims. “So it’s no surprise that ransomware groups are also very generous when courting affiliates. If ransomware is a vehicle, then affiliates are the drivers responsible for propelling ransomware attacks forward. This type of partnership is one of the key elements that has helped ransomware flourish over the last four years.”
Describing the success of most ransom gangs as “largely a byproduct of the affiliate programs they’ve put in place,” Tenable added: “These are no different from those of legitimate businesses. Just as affiliates bring companies leads, ransomware affiliates find and infect victims with ransomware, and bring them to ransomware groups to ‘close the deal.’”
Hard as iron
Another element explaining the startling growth of ransomware as an illegal service industry is its resilience, with many groups being ‘killed off’ only to return from the dead.
“Ultimately, the groups themselves are ephemeral,” said Tenable. “We have seen multiple ransomware groups disappear over the years, either of their own accord or as a result of government and law enforcement action.”
But ultimately, newer groups emerge that include members identified as belonging to older outfits previously thought disbanded. This in turn begs the question of whether RaaS groups are ever truly wiped out, or simply choose to lie low and rebrand at the right time.
“For instance, REvil was the successor to the infamous GandCrab ransomware outfit, while Conti is considered the successor to Ryuk,” said Tenable. “The famous phrase of the Ironborn in the Game of Thrones saga is applicable to today’s ransomware groups: ‘What is dead may never die, but rises again, harder and stronger.’”
More from Cybernews:
Subscribe to our newsletter