A fresh report from Europol suggests that the recent disruption of ransomware-as-a-service (RaaS) groups is fragmenting the threat landscape, making it more difficult to track.

Attribution in cybersecurity is a difficult thing, but important for defenders when developing strategies to mitigate future attacks from the same group or individual. Yet the way in which cybercriminals reorganize is making this process more difficult following the mass exodus of affiliates from fallen ransomware gangs, the EU's law enforcement agency said.

Criminals are commonly seen realigning their loyalties to other groups. However, there is also an increase in those opting to work independently using stolen, modified tools, we're told.

The findings were echoed by members of the wider industry too, although since the takedowns of ALPHV/BlackCat and LockBit earlier this year, things have become less tumultuous.

"While there seemed to be an increase in fragmentation at the beginning of the year, WithSecure has observed a decrease in the number of active RaaS leak sites since January 2024," said Stephen Robinson, senior threat intelligence analyst at WithSecure. 

"This suggests that while the industry has been disrupted, actors have since settled down behind a smaller number of brands which may be perceived as safe hands."

The success of recent disruption efforts targeting the likes of LockBit and ALPHV/BlackCat has also led to another notable development in that affiliates are increasingly looking to develop their own payloads.

According to the Eurocops, the more talented affiliates at top RaaS gangs are growing tired of having to switch allegiances when law enforcement gets closer to the operation. They're now looking to lessen their reliance on the big players and instead go solo with their own tools, which are usually rejigged versions of leaked builders - a common practice among less-sophisticated fledgling groups.

"This trend might also be perpetuated by the wider availability and increased quality of AI tools that lack prompt filtering, which cybercriminals can use to quickly assemble and debug their code," the report reads.

It's a change that also subverts the norm, whereby if one gang is taken down by law enforcement, another would try to lure the talent to their own operation. One goes down, the other becomes stronger.

However, using modified versions of leaked builders as their main tooling arguably isn't the most iron-clad route to long-term success. Although the code may have changed in some way, the top EDR vendors have protections and rules implemented that were trained on numerous past attacks involving the builder, so it's likely that if one stage of the attack works, another may be blocked at organizations that stay on top of threat intelligence.

From the threat intelligence field, Robinson said it's difficult to say for sure whether there is indeed an increase in lone wolves on the ransomware scene, as Europol asserts, although there are notable examples that support the idea.

"There may have been an increase in the number of actors operating as loners without leak sites or infrastructure, but this is hard to quantify as it cannot be seen in leak site stats," he said.

"Examples of this behavior would include the recently reported GitLoker campaign targeting GitHub repos, and Volcano Demon, who use Tox messenger and phone calls to negotiate, rather than a leak site."

Naturally, as the LockBit leaks proved earlier this year, if you were a top cybercriminal it would make one think about how safe it is to have an unidentified criminal group having access to any level of data on you.

After Operation Cronos broke into LockBit's servers, the details of nearly 200 affiliates were exposed to law enforcement, informing future investigations into major cybercrime.

In the early days of the disruption efforts, this finding prompted early suspicions that trust in LockBit's operation would be severely affected, which has been proven true. In the past three months, Dmitry Khoroshev's gang has registered two record-low months for claimed attacks, which many attribute to lost affiliates.

Bad day to be an SMB

Ransomware gangs have continually shifted their attention between larger enterprises and small and medium sized businesses, reflecting the trends at the time to either go after those with the deepest pockets or the weakest defenses. The latter is once again the case, in Europol's view.

It's a trend supported by the wider industry too, with researchers saying less than a year ago that ransomware actors were going after the low-hanging fruit after a period of big-game hunting.

"Most ransomware operators choose their targets based on the size, likelihood of a pay-out and the effort required to compromise the target's systems," said Europol. "This means that attackers seek out publicly accessible systems and services within the infrastructure (reconnaissance) and assess which of them can be compromised most easily,

"Gaining initial access can be done through stolen credentials or by exploiting vulnerabilities in the public-facing technologies. Ransomware groups and affiliates usually employ [initial access brokers], who are essentially penetration testers specialized in certain technologies and applications. 

"Usually the IABs (and their specialization) that ransomware operators have available to them determine the viable attack surface and therefore influences the target selection process. Some technologies are very common, while others are more sector-specific, which is why patterns of some ransomware groups targeting certain sectors might emerge."

What hasn't changed much, though, are the extortion tactics. Multi-layered extortion methods have been used for years now and remain the de facto route for negotiating ransom payments.

The importance of keeping up-to-date backups is still the best route out of paying a ransom, should attackers find a way into the most important systems. The publication of stolen data is always a threat, but maintaining operational capacity is often more important than any possible data leak, as recent events at the NHS have revealed. ®

https://www.theregister.com//2024/07/22/europol_says_ransomware_takedowns_make/