Threat Spotlight: Data Extortion Ransomware Threats

A navy background with the white text "Data Extortion Ransomware Threats"

Over the last few years, the ransomware landscape has changed significantly. Between 2022 and 2023, ransomware attacks increased by more than 100% year-over-year, with more attacks consisting of double and triple extortion. At a high level, the categories of ransomware can be defined as:

  • First extortion: stealing sensitive data or extracting it from systems
  • Second extortion: publishing sensitive data to create additional pressure by exposing it on the dark web
  • Third extortion: All other techniques for placing pressure on organizations to pay ransoms, including targeting employees and their personal information, sending patients extortion emails, or exposing file listings 

Modern ransomware attacks are no longer a lone individual sitting at a computer. They arise from a complex Ransomware-as-a-Service (RaaS) ecosystem that consists of:

  • Ransomware groups: organized criminal groups focused on ransomware creation, distribution, and extortion
  • Affiliates: third-parties sharing in the potential profits
  • Initial Access Brokers (IABs): malicious actors selling stolen credentials or other ways of gaining access to target systems

Current Ransomware Trends

As defenders work to mitigate risks, going beyond the basic data provided by the threat intelligence feeds becomes more challenging. While feeds can give them facts, they often fail to provide nuance around how malicious actors think and how these systems work. 

Shifting Targets

Increasingly, malicious actors target critical infrastructure across NATO and its allies, typically meaning western European countries and the United States. For example, the US accounted for approximately:

  • 33% of ransomware victims
  • 33% of IAB posting

When looking at the broader ecosystems, 50-60% of IAB postings and ransomware attacks target western Europe and the United States. 

A review of over 450 IAB posts and 3000 ransomware attacks found that only one affected a country in the Coalition of Independent States which consists of Russia and former Soviet states still allied with it, like Azerbaijan, Kazakhstan, and Belarus. 

Three Top Ransomware Groups

The following three ransomware groups and their affiliate networks drove the increase in attacks:

  • LockBit: RaaS model with a large number of unconnected affiliates whose attack tactics, techniques, and procedures (TTPs) vary significantly
  • Clop (Cl0P): Ransomware group and variant using both “pray and spray” and targeted approaches
  • AlphV (Black Cat): Newer RaaS group with advanced social engineering techniques and open source research on targets to gain initial access 

Of note, ransomware affiliates have had a significant impact on the overall attack landscape. Any “freelancer” cybercriminal can buy the ransomware, similar to how legitimate companies purchase Software-as-a-Service (SaaS). After subscribing to the ransomware, these buyers can:

  • Access the toolset
  • Deploy the infection
  • Get into the company
  • Exfiltrate the data

Then, the ransomware group steps in to negotiate the ransom with the victim, and everyone splits the profits. Currently, LockBit has the largest affiliate program, enabling them to supply the infection to buyers then focus on negotiating the ransom for their customers.  

Understanding the Affiliate Ecosystem

The affiliate ecosystem transformed ransomware attacks into a big business, creating competition between ransomware groups and driving incentive structures that increase the number of successful attacks. However, with this new business model, the unspoken rules of self-governance within the criminal ecosystem appear to be changing. 

The Unspoken Rules

Historically, cybercriminal organizations have self-governed dark web operations by following a few unspoken rules:

  • Critical infrastructure is off-limits because the attacks draw law enforcement attention. 
  • Scamming other threat actors leads to being banned from the dark web forum. 
  • Never target companies in the Coalition of Independent States. 
Automate Your Threat Exposure Management

Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.

Interestingly, these rules of engagement seem to be shifting as ransomware gangs compete for affiliate loyalty and profits.

BlackCat: Eliminating Limits

Historically, cybercriminal organizations tried to limit the number of attacks that their affiliates deployed against the critical infrastructure vertical, meaning targets like hospitals or power plants. However, in December 2023, the US Federal Bureau of Investigation (FBI) compromised part of BlackCat’s infrastructure, disrupting the group’s business operations. 

In response, BlackCat posted a message to its affiliates that essentially declared war on the US and western Europe. The message gave their affiliates tacit “permission” to target any type of company within any industry vertical. Rather than breaking ties with affiliates who target the critical infrastructure vertical, BlackCat now tacitly encourages it, expanding the scope of its operations. 

The AN-Security Attack: A Cautionary Tale of a Complex, Competitive Ecosystem

Recently, a threat actor publicly posted on a dark web forum that they were selling 5 TB of data from a ransomware attack related to AN-Security, advertising that the data contained customers’ financials, confidential documents, and infrastructure and network data. The threat actor initially posted the advertisement on RAMP, a small dark web forum with a closed ecosystem, but was banned within six hours. From there, they posted on larger forums, including the Russian-language forum XSS, finding themselves banned again. 

While this might sound par-for-the-course for these forums, the sequence of events shows some abnormalities:

  • Targeted Coalition of Independent States: AN-Security advertises itself as located in Dubai, St. Petersburg, and Moscow, a geographic region typically considered off-limits.  
  • High Payment Request: Actor requested 100 bitcoin, roughly $4.3 million, when typical posting sell for tens of thousands of dollars
  • Fake News Link: Cybernewsint.com was registered within the last month and contained only this story.
  • Insider Knowledge: Actor was a veteran who knew that the listings would be banned. 
  • Decreased Data Size: Leak size decreased by 1TB between first post on RAMP and last post on breach forums.
  • Additional Dark Forum Posts: After initial posting, a series of follow up posts between LockBit’s “official” account posts twice, with a copy of the ransom note and discussion of potential original Actors trying to “frame” LockBit.

Essentially, the two different malicious actors follow the same types of digital forum “drama” seen on the clear web, creating posts that argue back and forth. 

Dark Web Forums: Resolving Disputes without a Court 

IABs, ransomware gangs, and affiliates create a complex illegal network of connected business partnerships that parallel the ones created by legitimate businesses and their partner programs. For example, many ransomware gangs have relationships with IABs. The IAB provides the initial access data so the ransomware gang can provide it to affiliates as part of the subscription. These sales never go through the forums, only encrypted messaging services, providing affiliates the benefit of “exclusive” data as part of the partnership. 

However, unlike legitimate businesses, these underground organizations have no legal remedy for issues like breach of contract. Instead, they often take these grievances to the dark web forums hoping to resolve the issues online. 

A short time after the LockBit/AN-Security incident, an IAB complained on XSS that the ransomware group provided its affiliates the initial access information but failed to pay the agreed up-front amount. LockBit argued that they agreed to pay a percentage fee on the ransoms rather than up-front, direct compensation, noting that they needed to validate the IAB data before providing payment. 

In the business world, this type of disagreement would be taken to civil court for breach of contract. However, these criminal organizations have no way to enforce these agreements legally, so they created a self-regulating process on the dark web forums. In this case, lockBit found themselves banned from XSS, at least temporarily. 

The Near-Future of Ransomware

As the ransomware landscape continues to evolve, near-future predictions provide more insight than longtail ones. 

Market Disruption

Currently, the pool of cybercriminals remains stable, meaning that the number of groups may not increase even if the number of attacks do. Today’s ransomware market is similar to the illicit markets of 2017, with strong established groups and newer contenders seeking to break into the business. Most likely, the ransomware market “leaders” will start to shift and smaller organizations will begin to scale their operations. 

Communication Shifts

As with any business, technology changes how cybercriminals communicate. Law enforcement has become more adept at tracking down cybercriminals on the dark web, leading to large-scale disruptions like the recent LockBit server seizures and arrests.  While historically dark web forums, like RAMP and XSS, played a large role, Telegram has more market capacity because it offers greater anonymity. Its distributed model makes it more difficult for law enforcement to track, turning it into a more robust cybercriminal communication channel.

Increasingly Specialized Ecosystem

Coordination within the cybercriminal ecosystem enables malicious actors to collaborate more effectively, create more sophisticated attacks, and make more money. For example, threat actors who specialize in building infostealer can sell it to threat actors specializing in infections. From here, the initial access brokers purchase the monetized stealer logs and then sell that access to the ransomware group who provides it to their affiliates. Essentially, with these different criminal elements working together, they can leverage traditional business concepts, like economies of scale and role specialization. 

How Flare Can Help with Supply Chain Ransomware Exposure Monitoring

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.

With Flare Supply Chain Ransomware Exposure Monitoring, gain unique visibility and proactive security across your extended supply chain to efficiently mitigate threat exposures that exist within ransomware data leaks. Learn more by signing up for our free trial.

Share This Article

Related Content