Assessing the Disruptions of Ransomware Gangs | Intel 471

Countering ransomware remains one of the top priorities for nations and their law enforcement and intelligence agencies. The growth of ransomware, which can largely be attributed to its high profits combined with the safe haven given to ransomware actors in Russia, has evolved into a cybercrime battle with no perfect solution. The transnational nature of this crime has caused law enforcement to mount complex technical operations against these groups. Those operations have aimed to identify and name perpetrators, disrupt technical infrastructure, make arrests where possible, impose sanctions and seize their cryptocurrency. Some of these operations have immediately stopped some ransomware groups. The impacts of other operations have caused a degradation in the capabilities of ransomware groups that eventually resulted in the end of their operations.

Until recently, the LockBit ransomware-as-a-service (RaaS) reigned uncontested as the most impactful ransomware group operating within the cybercrime underground. Its notoriety hinged on bold marketing stunts and an outspoken leader, the threat actor LockBitSupp. However, it was the sheer number of victims, which at last count may have been as high as 7,000, that propelled the gang into the spotlight and the crosshairs of law enforcement. In two separate actions, in February 2024 and May 2024, law enforcement struck back at LockBit in Operation Cronos, an operation that deeply infiltrated its infrastructure. As of this writing, the group continues to function. In this post, we will analyze the effects of takedowns and disruptions against several high-profile ransomware groups, including ALPHV, Hive, Ragnar Locker, REvil and NetWalker, with the aim of providing a projection of the future of LockBit.

On Feb. 19, 2024, the LockBit RaaS was disrupted in an operation UK National Crime Agency (NCA) officials conducted in cooperation with partner law enforcement agencies.

On Feb. 20, 2024, the US Department of the Treasury announced the designation of two individuals affiliated with LockBit: Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord, FishEye). Additionally, two suspects allegedly implicated in the LockBit gang's activity were taken into custody in Poland and Ukraine.

On Feb. 24, 2024, the actor LockBit posted a lengthy statement on the RAMP forum admitting negligence with regard to network security and provided an assessment of how the infrastructure was penetrated, likely through the exploitation of the CVE-2023-3824 vulnerability. The actor also claimed to have recovered portions of LockBit's infrastructure and stated the victim name-and-shame blog was available at a new Tor domain.

On Feb. 25, 2024, LockBit threatened to purchase all .gov, .edu and .org compromised network access credentials. The actor also indicated there would be reprisals for the disruption and allegedly planned to attack the government sector more often.

On May 5, 2024, former LockBit data leak sites that were seized in the previous disruption in February 2024 came back online as law enforcement promised new information about the group's illegal and damaging activity. The sites displayed countdown tiles in the same style LockBit used to list ransomware victims, including short descriptions of what was planned to be revealed.

On May 7, 2024, US law enforcement unsealed an indictment against Russian national Дмитрий Юрьевич Хорошев (Eng. Dmitry Yuryevich Khoroshev), born April 17, 1993, for an alleged role in running the LockBit RaaS affiliate program. The actor also allegedly operated the putincrab and NeroWolfe online personas on multiple forums.

The February disruption had an immediate impact on the number of victims LockBit claimed to have attacked, compared to the same period one year prior. When a threat group claims to have attacked an organization, we immediately publish a Breach Alert on our platform. From Jan. 1, 2024, to Feb. 18, 2024, the day prior to the initial disruption, we published 145 Breach Alerts about victims LockBit claimed to have attacked. Since the relaunch of the group's data leak blog in late February 2024 until May 16, 2024, we published 154 Breach Alerts about victims LockBit claimed, significantly fewer than the 268 victims we reported during the same period the previous year. Of those 154 new victims, we discovered at least 48 were duplicates from attacks executed prior to the initial disclosure of Operation Cronos, likely carried out as early as July 2022 and up until a few days before the disruption announcement. The group also listed alleged victims compromised by other ransomware groups, predominantly the ALPHV RaaS, although the exact dates and responsibility for the compromises remained unclear at the time of this report. We acknowledge that these figures could change, as there is usually a lag time of several weeks to months between when an organization is compromised and when that organization's data is published on a data leak site. Nevertheless, the disruption to LockBit's operational processes likely has resulted, and will result, in a gradual downtick in victims.

RaaS groups depend on attracting other groups of threat actors, or affiliates, to rent their infrastructure and malware. These affiliates pay the RaaS a share of the ransoms that come from successful extortion schemes. The LockBit group ran one of the largest RaaS programs. By gaining access to LockBit's infrastructure, law enforcement uncovered that the program had more than 190 affiliates. In December 2023, around two months before the first action against LockBit, law enforcement conducted an operation against ALPHV aka BlackCat, which was the second most impactful ransomware group in 2023, following LockBit.

By March 2024, ALPHV was no more after pulling what appeared to be an exit scam, and the ransomware landscape subsequently began to show the effects of the disruptions of both groups. The increased law enforcement scrutiny surrounding ALPHV and LockBit possibly forced many affiliates still looking to remain active to shift to other RaaS programs. Like any service industry, actors often look for the most attractive package before committing, which prompts competition between RaaS programs for their business. When a customer loses faith in a brand, they can move to another, especially after law enforcement action. With this in mind, the migration of ALPHV and LockBit affiliates to other ransomware programs after their disruption was inevitable.

Several existing and recently created ransomware groups, including BlackSuit, Black Basta, Hunters International, INC, Medusa, Play and RansomHub, became more active. The Play group showed a significant spike in breaches from January 2024 to March 2024, from five to 43, then a notable decline to 25 breaches in April 2024. The Play group is considered a veteran of the ransomware market and has been in the top three most impactful groups over the last six months. A newcomer to the ransomware market, the RansomHub RaaS, which emerged in early February 2024, showed growth in its infections from just four victims in February 2024 to 13 in March 2024 and 16 in April. In early April 2024, we reported the actor notchy, a former ALPHV affiliate who was responsible for an attack against the US-based health care technology company Change Healthcare Inc., allegedly joined the RansomHub program. Additionally, the BlackSuit ransomware group claimed to compromise 20 victims in April 2024 compared to eight victims in March, and the Hunters International group increased its victim count by more than 65%, from 15 entities in March 2024 to 25 in April. We also observed the INC RaaS, which surfaced in August 2023, claimed to compromise 26 victims in March and April 2024 after a pause in activity in February 2024.

At least one group made a direct push to recruit LockBit affiliates and capitalize on the group's problems. In late February 2024, the Medusa RaaS announced an intake of new affiliates and offered high ransom cuts (from 70% to 90%), 24/7 support and the availability of several teams within the group, including an administrator team, a media team and negotiators. Other groups almost certainly sought to capitalize by emphasizing trust as a core value to reassure would-be members who were stung by the law enforcement actions.

The ransomware ecosystem has experienced several law enforcement operations throughout the past few years. We assess that by looking at historical disruptions and takedowns against ransomware programs and their effects, we can better evaluate the likelihood of possible scenarios regarding the future of the LockBit RaaS. Below is a timeline of multiple disruptions of several high-profile ransomware groups, including ALPHV, Hive, Ragnar Locker, REvil and NetWalker, which resulted in complete or partial closure of the groups' operations.

The activity displayed in Figure 2 indicates law enforcement and intelligence agencies continue to improve anti-ransomware tactics dedicated to hampering and dismantling ransomware infrastructure. Disruptions against Hive, NetWalker and Ragnar Locker all resulted in the complete cessation of group activity. The operation against Hive in particular is unlike Operation Cronos due to the advanced level of penetration law enforcement agencies were able to achieve and the protracted nature of the operation. This disruption highlights the impact of a well-implemented announcement and information campaign. The group failed to post new victims following the operation, and the eventual sale of Hive's source code and infrastructure signaled the definitive end of the group. The NetWalker RaaS also did not post any new victims after it was impacted by law enforcement action.

Prolonged inactivity suggested NetWalker had completely vanished. However, on Jan. 24, 2024, we discovered a new victim shaming and data leak blog operated by the Alpha (aka Alpha Locker, MyData) group. In early March 2024, we examined the Alpha ransomware operation, which was first observed in February 2023. Our findings, together with research conducted by the Symantec endpoint protection software provider, revealed several similarities and technical overlaps between Alpha ransomware and NetWalker. While it was unclear whether the same threat actor or actors operated Alpha ransomware, or if another actor acquired and repurposed the code, the similarities suggested a strong connection between the two groups. Nevertheless, we reported the Alpha group impacted only 13 victims from January 2024 to April 2024 and assess it is unlikely to compete with other existing or recently created RaaS groups vying for the top spots left open by the demise of ALPHV and the blow to LockBit.

While some law enforcement action leads to the near-immediate and complete closure of ransomware operations, other disruption attempts take longer to reveal their full impacts. For instance, after REvil's infrastructure went offline in July 2021, the group remained somewhat active until law enforcement action was disclosed in October 2021. However, it only posted nine victims, which is significantly fewer than the number of victims claimed before the disruption.

Additionally, after the announcement of arrests and further takedowns of REvil-related individuals and infrastructure in November 2021 and January 2022, an actor or actors claiming to be a part of the REvil ransomware group launched a Tor-based victim shaming blog in late April 2022, and we reported the group allegedly impacted 15 victims from April 2022 to November 2022. However, it was unclear if these perpetrators belonged to the original REvil group. Moreover, the underground community expressed skepticism over this alleged REvil return, with many actors believing it was additional law enforcement action. Others stated REvil irreparably lost its credibility and reputation after the loss of infrastructure and the arrests of group members. Consequently, the initial unexpected infrastructure shutdown, an array of law enforcement efforts and the subsequent announcement of arrests and indictments put an end to the REvil gang.

The disruption of ALPHV is another example where the effects of law enforcement action were not immediate but still assisted in the demise of a notable RaaS. In the 75 days between the disruption and eventual termination of ALPHV, the group posted 63 victims to its name-and-shame blog, fewer than the 89 victims claimed during the same period preceding the disruption. Additionally, the RaaS possessed several similarities to LockBit in terms of victim numbers, affiliate base and profile. The disruption also demonstrated some parallels, such as the seizure of domains, which was contested and then subsequently restored. The disruption of ALPHV was well publicized and caused shockwaves in the underground, prompting many other ransomware groups, including LockBit, to try to poach unsettled ALPHV affiliates. While the eventual termination of ALPHV operations may not have been the direct result of law enforcement action, the damage to the group's image and loss of revenue almost certainly played into its calculations when deciding to conduct an exit scam.

There are several possible developments that could play out in relation to LockBit's future. We assess the selection of drivers seen in the images below likely will be integral to LockBit's fate. We then made informed assumptions on the trajectory of these drivers, which led us to our baseline, plausible and wildcard assessments.

We assess our baseline theory as the most likely outcome for LockBit's future. Since relaunching its data leak site in late February 2024, we recorded significantly fewer victims listed. While the number of victims claimed post-disruption still makes the group one of the more impactful in the ransomware ecosystem, the figure is far less than we recorded during the same period the previous year. Furthermore, open source reports alongside our own research showed duplicates from previously executed attacks on the list of alleged new victims LockBit claimed post-disruption. While we acknowledge not all victims are always named, the drop is stark and indicates group members likely are struggling to encourage remaining affiliates to resume operations.

Moreover, the recent reveal of LockBitSupp's real-world identity possibly will compound this decline. Although Operation Cronos was relatively limited in scope, the highly public nature with which it was conducted helped to amplify the impact. The slow drip of information is further evidence of this method and likely will cultivate additional anxiety among LockBit affiliates, who possibly will lose faith in the RaaS and seek to abandon the project. Since the initial disruption, LockBitSupp has been vocal in trying to assuage doubts and likely will continue to seek to rebut any claims about the actor's identity. Nevertheless, new and existing variants likely will take advantage of affiliates now without a program, increasing their activity and profits at the expense of LockBit's demise. However, if LockBit activity ceases altogether, we cannot rule out the possibility of a rebrand in the future, the success of which would be uncertain.

On a broader scale, with the continued rise in law enforcement action and disruptions against cybercriminal activity, we maintain our assessment that threat actors likely always will strive to develop tactics, techniques and procedures (TTPs) and enhance operational security (OPSEC) to circumvent apprehension or interference with their illicit activity. Consequently, law enforcement action against cybercrime remains somewhat cyclical: cyberattacks grow in prominence, causing a proportionate increase in arrests, takedowns and disruptions. Threat actors respond by altering their activity, such as avoiding certain targets or attack vectors, until law enforcement abates, at which point threat actors may resume their activities.

For more threat intelligence and research about the ransomware ecosystem, please contact Intel 471.