Ever More Toxic Ransomware Brands Breed Lone Wolf Operators

Ransomware Responders See a Surge, Likely Comprising Groups' Displaced Affiliates

The downfall of previously high-flying ransomware operations Alphv and LockBit has shaken up the criminal underground, turning some former affiliates into lone operators and causing some under-the-radar groups to rack up record extortion payments.

Ransomware incident response firm Coveware said in a report that 10% of all ransomware attacks it monitored from April through June came from lone operators - a massive surge.

Those hackers likely are former affiliates of Alphv - aka BlackCat - or LockBit, "or actors that made the decision to operate independently due to the increasing threat of exposure, interruption and profit loss associated with 'toxic' ransomware brands," Coveware said.

Not every former affiliate of a disrupted ransomware gang is choosing to go it alone. One victim earlier this year paid the highest publicly known ransom in history, worth $75 million, to the Dark Angels ransomware group, said Zscaler ThreatLabz. Dark Angels has operated since May 2022 and runs the Dunghill data leak site, but it "has managed to attract very minimal attention."

Blockchain analytics firm Chainalysis said it saw the record-setting payment. Big game hunting, or "fewer attacks on larger targets with deeper pockets," lately continues to grow "more pronounced," it said in a post to social platform X.

Who paid the recent $75 million ransom? Zscaler declined to name names, saying only that the firm is on the Fortune 50 list of the most profitable publicly traded U.S. companies. As Bleeping Computer reported, this could line up with a ransomware attack against Fortune 10 pharmaceutical giant Cencora in February, which disclosed the attack but offered no specifics.

No ransomware group ever claimed credit for the hit. When this happens, it often means a victim did pay a ransom, which forestalled the attackers from trying to name and shame them or leak stolen data.

Rampant Innovation

Never-ending innovation by top-flight ransomware attackers highlights their profit-making imperative at the expense of all else, as repeat hits on hospitals, blood banks, schools and critical infrastructure demonstrate.

Much innovation arrived in recent years alongside the rise of ransomware-as-a-service groups. These paired operators who built crypto-locking malware, ran data leak infrastructure and sometimes handled negotiations with affiliates who used the malware to take down targets, typically keeping 70% or 80% of every resulting ransom in return.

Even with these RaaS groups, experts said credit for most attacks also goes to the affiliates involved. After BlackCat disappeared in March, one of its Western affiliates accused the Russian operators of purposefully shutting down, rather than sharing his cut of a $22 million ransom paid by UnitedHealth Group after he hit its Change Healthcare unit.

Even without such dramatic backstabbing, affiliates regularly switch allegiance, sometimes in return for a bigger commission or to access technical innovations. Some also work with multiple groups at once, deciding on a per-victim basis which type of ransomware might be the best fit, perhaps based on the crypto-locking malware's capabilities, if it is a supply chain attack, or on the basis of a group's data leak infrastructure, negotiation capabilities or even the scariness of its reputation (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).

Just as affiliates come and go, the groups themselves may have opaque relationships with each other. When Dark Angels debuted, it used a variant of Babuk ransomware, reported Cyble. The group then switched to Ragnar Locker, at least until police seized that group's infrastructure last October, ThreatLabz said.

Imperative: Make Victims Pay

The impetus for ransomware threat actors' unceasing innovation is to counteract the constant improvement in organizations' collective defenses and force more victims to pay.

Lately, the bad guys appear to have gained an edge. Coveware said 36% of victims chose to pay a ransom during the second quarter of this year, up from 28% in the first three months. They paid on average $391,015 - a 2.4% increase from the prior quarter. In the same time frame, the median ransom payment dropped by one-third, to $170,000. This could reflect a relatively higher number of lower-price ransom payments than before and/or a few very high payments.

Of the companies who paid, 43% did so solely in response to data exfiltration, in return for a promise from criminals to delete their stolen data. This was a sharp increase from the 23% who paid only for data deletion from January through March (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).

Coveware said the greatest number of attacks it saw involved Akira ransomware, followed by independent operators. Next up in terms of market share were Black Basta, BlackSuit, LockBit 3.0, Medusa, BianLian, Inc Ransom and Phobos.

Both Akira and Black Basta's market shares held steady in the first half of this year, and the tactics, techniques and procedures used to distribute their ransomware didn't appear to change, "suggesting not all ransomware brands have opened their doors to receive displaced affiliates," Coveware said. At the same time, TTPs previously tied to just BlackCat or LockBit attacks suddenly became tied to other groups' or independent operators' attacks.

As that highlights, simply tracking which ransomware groups appear to be hot or not doesn't tell the full story - and especially now with more lone wolves in play.

Source