Are ransomware groups gone, or simply resting ahead of the next effort?
Concerted efforts by law enforcement have significantly impacted ransomware groups: QakBot and BlackCat/AlphV were taken down last year, followed by LockBit in Operation Cronos and Volt Typhoon in February. But are they simply down, not out?
The groups have struggled to reform. LockBit’s claim to have hacked the US Federal Reserve was grossly exaggerated: it published data from one bank, Evolve Bank & Trust, which was already under investigation. BlackCat/AlphV also attempted to reform earlier this year, only to bail after scamming an affiliate and keeping all of the $22m payout for the ransomware attack against Change Healthcare.
Other factors are also transforming the Ransomware-as-a-Service (RaaS) market. A victim of its own success, RaaS is seeing its services become commoditised and prices fall, with affiliates now typically required to hand over only 10-15% to the group, down from the 45% charged previously. Initial Access Brokers (IABs) are fighting for their slice of the market too: their numbers have grown, driving down the price of access exploits.
It’s a trend that’s set to continue as these operators begin to use generative AI. The NCSC has warned that the volume and impact of attacks are set to increase over the next 18 months, because the technology will allow less-skilled operators to carry out access and information-gathering operations and to improve their targeting. We may even see RaaS expand into the emerging GenAI-as-a-Service criminal marketplace.
Cause and Effect
So how are these destabilising forces affecting the market? Firstly, we’ve seen some contenders looking to take the place of those toppled by the authorities. Cactus, which emerged in March 2023, has targeted some of the largest companies in the US, UK, France, Italy, and Switzerland and has all the hallmarks of being run by experienced ransomware players. More recently, Eldorado has sprung up with its own ransomware variants and data leak site (DLS).
We’ve also seen a spike in the number of DLS, with the Q1 Ransomware Report, “Ransomware Groups Don’t Die, They Multiply”, finding that 18 new data leak sites sprang up in Q1 2024, resulting in a 20% rise in victims compared to 2023. This is partly due to affiliates looking to reuse data they have ransomed outside their relationship with the group they work with, so that organisations that have paid the ransom are subjected to further extortion and have their data leaked anyway.
Ransomware operators have resorted to some unusual tactics too. Last November, Alphv/BlackCat filed an SEC complaint against MeridianLink over its failure to disclose a breach the group itself had caused. That’s an approach that could be used in Europe once NIS2 comes into effect this October: it will make senior management and board members personally accountable for their risk management and incident response, handing threat actors more leverage.
We can expect the trawling by IABs and opportunistic attacks to intensify, making any organisation fair game, irrespective of size or sector. We’ve already seen some evidence of this, with ransomware groups going after organisations that cannot pay, such as those in the public sector.
In fact, it could be argued that this is largely the reason why ransomware payments have declined by 46% according to Chainalysis, rather than because back-up defences have improved. After all, a back-up offers little comfort to those threatened with extortion, an increasingly common ploy.
The result is that IABs increasingly work with nation-state actors, mixing political motivation and APT objectives such as espionage, data theft, and disruption into the RaaS economy. In addition, ransomware gangs are increasing the sophistication of their attacks, using more ‘living off the land’ techniques, which Advanced Persistent Threats (APTs) often use to disguise their access and increase the likelihood of success.
Counter Measures
The RaaS regroup has some real implications for defenders. It focuses the lens back on cyber hygiene, for instance: the NCSC has stated that poor hygiene is the primary cause of most ransomware attacks. The NCSC proposes its ten steps (the “10 Steps to Cyber Security” guidance) be used to counter the threat; they cover everything from risk management to logging and incident response.
The steps are equally relevant to small businesses as to large corporates, and defensive capabilities have now improved too, with SMEs able to leverage next-generation Security Information and Event Management (SIEM) to detect, investigate, and respond to threats. However, few organisations have implemented the ten steps to date: the government’s Cyber Security Breaches Survey 2024 reveals that only three percent of UK businesses have done so.
Will we see a resurgence of ransomware groups, or will new ones replace them? Will AI democratise RaaS or see the dominant groups/nation-states remain in control? Will groups demand affiliate loyalty or turn a blind eye as they take data to different DLS? Only time will tell. What we do know for certain is that ransomware isn’t on the wane.
Written by
Kennet Harpsoe
Lead security researcher
Logpoint