Getting started in any business is a tricky affair. While estimations may vary, it’s widely believed that around 9 in 10 startup businesses fail within the first ten years of their establishment. Having enough money to get started, getting the right employees in, and navigating global conditions can be enough to knock over even the most robust of business models; we’ve recently reported that the latter is also causing cybercriminals a few headaches. Despite this, ransomware remains a highly profitable endeavor for its proponents, with dozens of currently active groups taking profits from their victims each week. So how do these groups get started, and what constitutes a working ransomware team? Check out the insights from our recent investigation below.
What constitutes a working ransomware team?
In short, it depends. As you’d imagine, the world of cyber criminality brings as much diversity in talent and approaches as you’d expect in the corporate world. While we all have this idea in our heads of a hoodie-bound, Russian-speaking threat actor sitting in their apartment in Siberia, the truth is cybercriminals involved in ransomware operations come from all parts of the world. The makeup of an individual ransomware team depends on the specific operation. Some groups get by with just a handful of individuals, while your more successful and active groups can involve hundreds of individuals, all with distinct roles and responsibilities.
At the very top, there’s likely an individual—or a handful of individuals—in overall charge of the group, running the direction and strategy of the group, much in the same way as a Chief Operating Officer (COO) might do at a legitimate company. This might be someone with previous experience in running a ransomware operation, or it might be the actual developer of the malware that’s being used—more on that later.
The majority of the work is of course conducted by your specialists within the group. This can include but is not limited to;
- Reconnaissance teams identifying susceptible networks.
- Initial access brokers (IAB) who sell the ransomware group a weak point into a network.
- Spammers who are responsible for the delivery of malware needed to gain access.
- Penetration testers who identify susceptible ways into a target network.
- Threat actors tasked with escalating privileges and the scale of access, once the foothold has been gained and subsequently executing the encryption process.
- Ransom payment negotiators, often requiring linguistic skills.
- Money launderers who turn ransom payments taken from victims into usable currency.
- Individuals tasked with acquiring and maintaining the infrastructure the group uses during their operations. For example, the virtual private networks (VPNs) or cracked remote desktop protocol (RDP) used to run operations
- Administrator of the data leak site hosting stolen data.
- Business analysts who identify other companies that are worthwhile targeting.
In short, there’s a lot to do and plenty of room for different skill sets. The bigger the group, the more specialized the roles will be. For example, in the largest groups, the reconnaissance roles could be split into active and passive; with one member responsible for gathering victim identity information such as employee names and email address from publicly available sources, and another member covering port knocking and vulnerability scanning on the victim’s network. Likewise, in a smaller group, fewer people could cover many roles. At McDonalds, you wouldn’t expect the janitor to double task as a cook and recipe creator, but at your mom-and-pop restaurant, the owner might also act as a stand-in electrician. While the makeup of these groups does vary, the majority of ransomware operations will have many individuals tasked with distinct roles.
The fire and forget model: Cryptolockers
Perhaps the most common approach for starting a ransomware operation is to purchase a pre-made ransomware build; this refers to a working piece of malware capable of encrypting data, that is ready for use. This is a cheap and effective way to start a low-level ransomware operation, permitting a cybercriminal to target individual computers, with users impacted by this activity having their files automatically encrypted and directed to a payment system. This type of operation will however be fairly unsophisticated and will likely not have success in targeting business its use will likely be restricted to personal computers. In short, a threat actor will purchase a ransomware build—or indeed use one that’s available for free—create an infection mechanism, and then sit back and wait for the profits, in a “hands off” approach.
A good example is the cryptolocker ransomware, which has been around for many years. This method involves fairly unsophisticated methods, being delivered via spam, drive-by downloads, or through the sharing of malicious torrents. This typically goes after the most computer illiterate and results in the charge of smaller amounts of money. There often is no support available to victims and it’s realistically possible that the victim may not be able to make a payment, if the proponent of the ransomware has since abandoned their operation.
The professionals: Big game hunters
The most impactful type of ransomware operation is of course those involved in big game hunting; i.e. those specifically targeting enterprise or business networks. Within this category of ransomware outfit, we’re referring to the big names we frequently mention on our blogs. REvil, Conti, Lockbit, Cuba, or ALPHV, all fall under this classification.
Within big game hunting operations, the leading figures within the organization is often the developer of the malware or an individual with significant experience from working on other operations. In terms of the team they build around them, it probably works much in the same way as the corporate world, it’s not what you know, but who you know. Networking probably goes a long way, and many of the individuals working within ransomware syndicates are likely to be compatriots who have worked on similar projects in the past.
In big game hunting operations, there will likely be significant day-to-day management, with shift patterns, leave days, and rewards systems in place to encourage hard work. Our previous blog covering the Conti leaks identified many of these insights, including a distinct lack of work on weekends, the office chatterboxes, and working practices.
The copycatter / Setting up a rebranded group
If it’s not broken, don’t fix it. Of course, many ransomware operations are not established from scratch, with many of the main groups tracked by Digital Shadows operating as either a rebrand or an alternative established by former members of another ransomware operation. There are a number of reasons why rebranding takes place. Many occur immediately in the aftermath of law enforcement operations, or as a result of significant scrutiny due to the impact of a certain attack; yes REvil and Darkside, we’re looking at you.
Starting your own operation does however create a number of inherent challenges. An actor will need to decide whether they will develop their own malware—which from scratch is likely incredibly time-consuming and challenging—and of course will need to recruit a supporting cast behind them. To the security community, it often appears that many of the rebrands are merely a name change and a refresh of infrastructure being used. Many of the same tactics will be the same, and often the malware used in attacks will be identical to what has been observed with other operations.
A couple of recent examples include Conti’s apparent rebranding to “BlackBasta” and “Monti”. Investigations of the latter have led researchers to a couple of conclusions; it is unclear whether Monti is a rebranded iteration of Conti or merely a new variant based on leaked Conti ransomware source code. It’s very difficult to distinguish between groups that copy each other and which simply flew too close to the sun.
While the ransomware scene of 2022 is far more active than only a few years prior, it still exists as a fairly unsaturated market; there are far more potential victims to target than current victims, with significant room for further groups to enter the space. This is why the likes of Digital Shadows is needed to track the activity and tactics, techniques, and procedures (TTPs) of these groups. Even for sectors that aren’t currently a favorite target of ransomware activity, they very well may be in the not-so-distant future.
We’ll end by touching on RaaS, which is an area that’s been discussed at length, however still worth briefly mentioning. RaaS of course is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Many of the major ransomware groups operate such models, including the likes of Conti, REvil, and also Lockbit, which has raced ahead as the leader of the pack by fine tuning their RaaS program. Each of these groups takes different approaches on RaaS. Lockbit takes a more controlled approach to their affiliates strategy and daily running of operations.
An example of a smaller but persistent RaaS operation is “Ranion”, which is believed to have been in existence since at least 2017, offering cybercriminals a cheap way into launching their own operations. This likely represents the middle ground between a basic cryptolocker type service and the RaaS that is being offered by the likes of Lockbit.
Ranion offers a number of packages that users can select, with a standard 6 month package purchasable for as little as $590 for 6 months. The test package would also be 100% hands off, with no involvement from the Ranion development team. So a threat actor could essentially gain access to a ransom executable and direct it to whatever target they desire for as little as $150.
Typically in a RaaS model, the malwares operators/developers will take a cut of 20-40% of any ransoms taken from victims identified and encrypted by affiliates. In Ranion’s business model this is quite different, with users of the service able to collect 100% of the ransom, without tipping the developers a middleman fee. In essence they are purchasing a service to proceed however they want. There is also no screening, no scrutiny of potential users of the service, which allows inexperienced threat actors to enter the ransomware scene. Ranion can represent a genuinely useful entry point for new threat groups to gain experience of running their own operations, before moving onto more professional services later on.
Keeping one step ahead of the game
Ransomware is arguably the biggest threat facing business in 2022, which is almost certainly going to continue in the medium term future (3-6 months). As we commented earlier in the blog, while the number of active groups has increased dramatically, there will always be a market for potential victims. Some of the sectors which are not frequent targets of ransomware could be in the future.
How can you best prepare for this risk? Well the most effective method is receiving up to date information on the evolving landscape, allowing companies to make change proactively, rather than reactively when it’s too late. Ransomware groups are opportunistic in nature, targeting the lowest hanging fruit and taking the path of least resistance; in other words, if you’re trying to outrun a bear, you simply need to be faster than the guy running next to you.
Ransomware in 2023 is almost certainly going to continue to become more organized, with newer groups entering the scene. That’s why it’s as important as ever to stay one step ahead of the game. You can get a comprehensive look at the data that we used to build this blog and our quarterly ransomware reporting with a free 7-day trial of SearchLight here. You can additionally get a customized demo of SearchLight to gain visibility of your organization’s threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.