Ransomware gangs down but not out, says CyberCube

The recent success of law enforcement agencies in stemming the rise of ransomware may be only temporary, according to CyberCube.

According to the cyber risk analytics and data firm’s Global Threat Outlook briefing, the activities of ransomware gangs have been disrupted over the past six months, leaving the future ransomware threat in question.

“We are in a holding pattern today with ransomware. The numbers are down, but we are not likely to see this forever and we are speculating about what will happen next,” said William Altman, cyber threat intelligence principal at CyberCube.

Following a surge in attacks early in 2023, last year was one of the worst on record for ransomware, with all-time highs for the volume of compromised data from victims posted online. However, the volume of leaked data began to fall in the third quarter of 2023 due to increased enforcement activity, explained Altman.

In February, an international law enforcement operation took down the darkweb site of Russian ransomware-as-a-service (RaaS) group LockBit, which the UK’s National Crime Agency (NCA) described as the “world’s most harmful” cybercrime group. The NCA said it had compromised LockBit’s criminal enterprise, taken control of its systems, and obtained its ransomware source code, decryption keys, and intelligence.

“We have seen a large volume of these threat actors go offline as a direct result of law enforcement activities, the most recent of which is the LockBit gang,” said Altman during an online briefing. “These law enforcement activities have had more impact on the threat actors than ever before. It is now very clear and obvious to defenders and threat actors that no ransomware gang is out of the reach of the most powerful law enforcement agencies,” he said.

The shutdown of LockBit sends a clear message to ransomware groups, according to Altman.

“If you are a ransomware gang and you get big enough, and you have enough sensitive targets, the NSA, CIA and GCHQ will come after you, and there is no amount of operational security on the planet that can prevent those groups from figuring out who you are,” he said.

Despite the success of law enforcement agencies, ransomware gangs are likely to regroup. Their operations may have been disrupted, but most of the threat actors behind them are still at large. The US Department of Justice indicted two defendants for using LockBit to carry out ransomware attacks in the US, while two LockBit actors were arrested in Poland and Ukraine in an operation coordinated by Europol.

“We could see the volume of victim data and that will, I think, return at some point, given that we see a lull where these threat actors are just retooling their infrastructure and figuring out what is next for them,” said Altman.

The RaaS model – by which a large group supplies the tools and administration that enable affiliates to carry out ransomware attacks – will have been dented by the success of law enforcement agencies.

“We are likely to see a potential shift away from the RaaS model – whereby you have a large developer provisioning ransomware code to hundreds or thousands of affiliates, like a franchise model in a fast-food restaurant. We are less likely to see that model take hold again,” said Altman.

“For the most part, these developers have burned their affiliates enough – they have been caught enough – that the risk of joining a large centralised operation like that is pretty high. A lot of the threat actors are feeling the heat and are deciding whether to pack up shop or set up their own shop. Given that some of the ransomware code has been leaked, they can do this fairly easily,” he said.

On a positive note, the resilience of organisations to ransomware attacks continues to increase. Data from ransomware analytics firm Coveware shows that the propensity to pay a ransom demand has been trending down since 2019. At the start of 2024, less than a quarter of extortion and exfiltration attacks resulted in the payment of a ransom, down from more than half in 2022.

“It is pretty clear that more and more entities are able to withstand encryption attacks,” said Altman, who noted the success of data backup and recovery solutions and network segmentation in protecting critical data from encryption. “These types of precautions are allowing companies to experience an encryption attack, and then not actually pay the ransom to get the encryption key,” he said.

“By and large, organisations are better defended against ransomware than they were in the past. Part of this is due to insurance, and cyber insurers requiring stricter mandates and controls related to the top loss driver, ransomware,” he added.

At the same time, companies have learnt that they cannot trust ransomware gangs not to publish stolen data, even where a ransom has been paid. The NCA found LockBit still held data belonging to victims who had paid a ransom.

“Defenders have learned that threat actors are not honourable. There is no honour among thieves. They might say they will delete the data once you pay to get it back, but they often don’t. There is no guarantee that the data will be returned and destroyed if you pay. So organisations are not even coming to the negotiation table anymore,” said Altman.

Ciaran Martin, former CEO of the UK’s National Cyber Security Centre (NCSC), recently called for the government to ban the practice of paying ransom demands. Altman, however, warned against “draconian rules” that would drive the practice underground and stop companies reporting attacks. Instead, he called for the creation of a “pool of capital” that victims of a ransomware attack could access, on the precondition that their network security is in line with best practices and that they report the incident.

While the ransomware threat in the US may be easing, it is increasing in many other countries. For example, CyberCube sees ransomware growing fastest in Ukraine, Finland and Serbia (the three combined account for 10% of ransomware sightings), as Russia sponsors criminal ransomware operations to destabilise the economy of neighbouring countries and their allies.

Ransomware is also rising in Asia Pacific and the Middle East, according to CyberCube. Taiwan, for example, is seeing record ransomware attacks, which Altman attributes to China adopting Russia’s tactics and using cyber criminals to destabilise the Taiwanese economy. Offshore domiciles such as the Bahamas are also increasingly targeted by ransomware groups, attracted by the data and money held or managed by financial institutions there.

“Anywhere there is digital connectivity today, there will be ransomware as a possible attack vector,” said Altman.
