Why Do Ransomware Gangs Keep Coming Back From the Dead?

Ransomware gangs are major players in the cybersecurity space, especially in recent years. ZDNet reported that ransomware gangs increased their payments by over 311% from 2019 to 2020, with totals for all groups exceeding $350 million in 2020. Ransoms continued rising in 2021. Unit 42, a threat research team at Palo Alto Networks, found that the average payment in 2021 was up 78% to approximately $541,000, with demands from specific attacks increasing 144% to $2.2 million.

A few months ago, vx-underground posted an image they’d received from the LockBit ransomware group. The gang bragged that they had ransomed 12,125 companies, with varying degrees of success. If each of those companies paid an average ransom of $100K (a very low estimate, in terms of ransoms), that totals $1,212,500,000. LockBit has more than 850 published companies on their blog, more than any other ransomware group.

The FBI called the Conti gang’s ransomware variant “the costliest strain of ransomware ever documented.” Interestingly, Conti’s official date of death is May 19, 2022. However, the group may have set up its own demise because of mistakes that made it too risky to continue. And, on the same topic, REvil is back again as of May. This is either the third or fourth time they have re-emerged after arrests. Many regard the group as one of the most prolific ransomware groups to ever exist.

Why are these gangs so wildly successful? The two most active ransomware gangs in the first quarter of 2022, LockBit 2.0 and Conti, accounted for 58% of all incidents during that time, according to Digital Shadows. How do groups continue to reform and emerge even after the authorities catch and arrest the leaders?

Forming Cartels for Strength in Numbers

When looking at the most successful groups, size is one factor that jumps out. The more members there are in the gang, the more resources they have, both in terms of skills and people. On a basic level, the larger groups are more powerful and tend to have more staying power. Law enforcement often keeps close tabs on key players. A larger group means that when one person is arrested or goes undercover, other skilled attackers can fill in.

Many groups take it to the next level by joining forces. According to a study by Analyst1, Twisted Spider (creators of Maze and Egregor ransomware), Viking Spider (creators of the Ragnar Locker ransomware), Wizard Spider (creators of Conti and Ryuk ransomware) and LockBit Gang created a cartel. As a cartel, the groups share resources such as infrastructure, victim data and tactics.

Changing Tactics to Evade Authorities

Gangs know how their targets work. After an attack, honest cybersecurity workers study the incident. Many companies make changes to their security to reduce the risk of that specific type of attack. In addition, defenses — especially AI-based tools — continue to improve. A ransomware group that maintains the same strategy will subsequently be less successful as time goes on. The most resilient groups evolve their strategies based on their specific strengths compared to current vulnerabilities.

Although many groups use the same ransomware in most of their attacks, it’s important to remember that the group and the ransomware are two separate entities. Groups will often keep the same ransomware type and use a new delivery method. For example, UNC1878 used Cobalt Strike in 90% of its attacks in the last three years. But it recently used a customer-compliant phishing scheme to spread malicious JavaScript through a PDF.

In addition to changing strategies for conducting breaches, successful groups also continually evaluate their targets. While sizable attacks on large companies are the ones that make headlines, ransomware groups are increasingly moving to smaller targets. A REvil ransomware affiliate shared that large attacks make it easier for authorities to find them. They also said groups are realizing that demanding stable sums from mid-size companies, and only occasionally targeting enterprises, is a better strategy.

ZDNet reported in January 2022 that over half of ransomware attacks target banking, utilities and retail organizations. While a great deal of research has been published about industries targeted by ransomware gangs, the most resilient gangs do not focus on a specific industry. Instead of using industries to guide their attacks, the gangs tend to focus on the size of the company, specific vulnerabilities and their signature type of attacks.

The Future of Ransomware Gangs

Interestingly, ransomware groups that shut down often re-emerge as a totally new group or join forces with other existing groups. For example, members of the GandCrab started REvil in 2019, and key members were arrested in January 2022 in Russia. REvil ransomware’s servers in the TOR network were up again recently, as was its blog.

When news hits of a gang shutting down, it’s tempting to consider that a victory. But as Satnam Narang, senior staff research engineer at Tenable told CPO Magazine, when one gang shuts down, another one emerges. Affiliates often have little loyalty to a specific group. They often help multiple groups by offering Ransomware-as-a-Service, where they sell their expertise and infrastructure to any group for a fee. This means those affiliates are still out there even after one major gang gets arrested and/or shut down. 

The future of ransomware gangs is likely similar to the recent past. The most successful groups will dominate the attacks both in terms of volume and fees. Arrests and dissolving of the groups will likely only change the landscape of the gangs temporarily as the groups continue to re-emerge. While the focus on arrests and dissolution is the right move, organizations should continue to take charge of their own security by reducing their risk and vulnerabilities.

For more information, read the X-Force Definitive Guide to Ransomware here

The post Why Do Ransomware Gangs Keep Coming Back From the Dead? appeared first on Security Intelligence.