Ransomware gangs may appear to have the upper hand -- the number of ransomware attacks rose in 2021. But look a little closer, and you'll see cracks in the multibillion-dollar empire:
- Seven ransomware affiliate suspects linked to REvil and GandCrab have been arrested since February 2021, including one suspect believed to be involved in the Kaseya attack.
- The U.S. Department of Justice seized $6.1 million in ransom payments traceable to a REvil affiliate.
- The formation of a new forum called RAMP hinted at fallout and conflict between ransomware gangs.
Conflict is brewing between ransomware operators and affiliates that could impact the way ransomware gangs operate and launch attacks in the future.
The rise of ransomware
Ransomware gangs have run with impunity for a long time. Many ransomware gangs operate out of Eastern Europe with the approval, or at least the tolerance, of their local governments. Despite political pressure from the U.S., Russia has done little to change the laws that enable ransomware gangs to operate within its borders. Law enforcement can generally only arrest these cybercriminals when they travel to countries that extradite -- for example, the Kaseya suspect was arrested after traveling from Ukraine to Poland.
The emergence of ransomware as a service (RaaS) created a faster and more profitable business model for cyber gangs with lower barriers to entry. RaaS also contributed to the professionalization of the ransomware industry, complete with customer service teams and reputation management, as well as additional resources to sink into initiatives such as R&D.
Like Icarus, ransomware gangs are flying too close to the sun -- and they will soon get burned.
Playing it fast and loose
The Colonial Pipeline attack in May 2021 is just one example of a ransomware gang running too fast and loose. The incident -- which triggered fuel shortages along the U.S. East Coast and prompted the U.S. government to treat ransomware as a national security priority -- created more blowback than the gang expected. DarkSide, the group behind the attack, claimed it didn't mean to create problems for society and that its only goal was to make money.
Another side effect of the Colonial Pipeline attack was increased difficulty in recruiting partners: the attention the attack drew led the top-tier Russian-language underground forums to ban ransomware advertising and recruitment, cutting operators off from their main affiliate pipeline.
Enter the smash-and-grab approach
Ransomware gangs are feeling the ripple effects of major, politicized attacks, and more ripples are likely. Recruitment challenges and political pressure could disrupt operations and ultimately lower profits, pushing ransomware gangs toward cruder smash-and-grab methods.
As the pace of ransomware operations intensifies, cyber gangs may increasingly find themselves backed into a corner, and ransomware victims will feel those effects, too. For example, the window between initial intrusion and encryption could shrink dramatically, and there could be less room for negotiation.
Whatever the outcome, enterprises should be prepared for threat actors to drop the decorum that characterizes the current RaaS industry. A shorter window between initial access and encryption puts a premium on detecting and containing the intrusion early, and on tested, offline backups, rather than on negotiating after the fact.
About the author
Mike Behrmann is the manager of digital forensics and incident response at Antigen Security. He worked at the National Security Agency for seven years, where he focused on leading computer network exploitation operations, and was later deployed to the FBI Detroit Division's Cyber Task Force as a threat analyst. In 2015, he entered the private sector by joining NetWorks Group, where he helped establish the company's managed detection and response SaaS offering and later became the MDR team lead. Most recently, he served as director of security at Blumira, an automated threat detection and response SaaS startup. Behrmann has earned numerous global information assurance certifications and holds advanced degrees in international affairs and information assurance.