Ransomware gangs explained: from AIDS Trojan to corporate structure

With ransomware now being a billion-dollar industry, and prolific attacks forcing countries into a state of emergency, it’s about time to discuss the growing threat of “ransomware cartels.”

Ransomware is one of the most damaging types of malware. Falling victim to a ransomware attack often means the loss of irreplaceable files and weeks wasted on recovering computer access.

But with large entities, governments, and even countries being targeted, it has gotten a lot more concerning.

Cybercriminals use various attack vectors – and constantly develop innovative ways to target victims. An IBM report showed that four of the top five vulnerability exploitation methods used in 2021 were, in fact, brand new.

How does a ransomware attack actually happen?

Imagine you receive an invoice in a Microsoft Word document. You’re rushing to get ready, and without thought, you click on it. Here’s the problem: you’ve unwittingly installed a common ransomware type. Slowly, the ransomware scrambles your files, one by one. A dreaded message or text file is then displayed on your desktop background, server, or PC, stating a harsh ultimatum: pay and have your files retrieved, or lose your files forever.

Now, that’s just one type of ransomware, usually spread via phishing campaigns and targeting devices. The bottom line – you’d be required to actively participate in ransomware infecting your device.

Then, there’s the non-interactive ransomware. The notorious WannaCry virus is a commonly used example of standalone malware. It is a worm that infected a huge number of computers and servers back in 2017. This type required no involvement from the victims, yet the outcome was similar – it still encrypted files, allowing the gang to demand a ransom for the decryption key.

Profitable venture

The advancement of ransomware is staggering, from the 1989 AIDS Trojan to a sophisticated business model. AIDS Trojan was responsible for the first ever ransomware attack decades ago, when evolutionary biologist Dr. Joseph Popp emailed the malware-containing floppy disk to thousands of victims.

Ransomware cartel gangs are now offering ransomware-as-a-service (RaaS) and working with affiliates to widen their workforce and target organizations of all sizes. To name some of the Godfathers of the cyber-world: the Maze gang, LockBit, Ragnar Locker, Conti, and SunCrypt.

In late 2019, the Maze cartel attacked the University of Utah, forcing it to pay a $457,059 ransom. Although the university had restored its data from backups, Maze was still threatening to leak exfiltrated personal student information.

This threat is not an empty one: some ransomware operators advertise data exfiltrated from a company on the dark web, especially if they haven’t received their payment within a specific time window.

While this gives us only a glimpse into the catastrophic damage that ransomware gangs cause, the most aggressive ones have upwards of 670 victims on their list.

Who gets the biggest bite?

Ransomware gangs are now trying to address their ‘labor scarcity’ by hiring new members. A few years ago, they would just blatantly put ads on hacker forums, looking for affiliates. Today, this isn’t as common due to the attention ransomware receives from law enforcement and other legal entities. Instead, hiring tends to work on a “who-you-know” basis.

The hierarchy of such nefarious groups usually involves two major parties: the ransomware operators, who develop the malware, and the affiliates. These can consist of any number of people, and usually, a very lucrative share of earnings is put on the table.

One advertisement on a hacker forum said ransomware operatives were looking to take a mere 20-30% for themselves, offering 70% of earnings to the affiliates.

To put this into perspective, the group's biggest payout was supposedly a whopping $18 million, so we’re talking big figures here.

If you’re curious about the reasoning behind the so-called ”pay gap,” an affiliate will actually do most of the hard work: initial compromises, hacking the company, and lateral movement. Affiliates work the network, choosing victims by buying access from access brokers, scanning for vulnerabilities, or simply using social engineering or phishing to gain an initial foothold.

Basically, it takes a lot of legwork, with affiliates doing reconnaissance on companies and looking at where they could do the most damage, reputational or otherwise. And they tend to strike when they have a better chance of going unnoticed.

After the network has been compromised and data exfiltrated, the ransomware operators will provide the locker and the service to extort the money. And that’s a whole other kettle of fish. Bitcoin tends to be a common form of payment, legitimized in many different ways, often through third parties.

The UK and EU have strict know-your-customer (KYC) checks and anti-money laundering policies. If the crypto is not registered in those jurisdictions, it may bypass these checks, making it much harder for law enforcement to trace where the money ended up.

Where is law enforcement in all of this? Well, an IBM report found that ransomware gangs have a lifespan of about 17 months. Despite the growing efforts of law enforcement, ransomware gangs seem to easily relaunch and rename themselves to evade pressure. Just this year alone, Conti, one of the most nefarious gangs, was proclaimed dead, and then Cl0p was brought back to life.

That’s where they’ve made a true anchor in the ransomware market – particular gangs may not last, but business models do. Newcomers are already joining the market and gaining quite a footing – Black Basta is an alarming example, having attacked at least 26 victims within its first month.

Shift in the market

Business models aside, there are still changes within the ransomware landscape, especially before and during the Ukrainian war. One such change happened with the arrest of members of the Russia-tied ransomware gang REvil, captured by Russia’s domestic intelligence service itself. It would seem to be the first time Russia took public legal action against such groups, and one of the most notable takedowns to date. The message is clear: no cybercriminal is immune.

Furthermore, the pro-Russia ransomware group Conti, notorious for attacks against over a thousand organizations in the US and other countries, has been targeted by data leaks.

A pro-Ukrainian insider, known as “Conti leaks” on Twitter, has a clear agenda, posting sensitive data from internal chats, TrickBot sources, and even unmasking some members. This demonstrates a shift in the market, turning the hunter into the prey.