Ransomware incidents have increased dramatically over the past few years. Complaints about ransomware attacks to the FBI’s Internet Crime Complaint Center surged 62% in the first half of 2021 compared to a similar time frame in 2020, according to the Cybersecurity and Infrastructure Security Agency. To blunt this growing threat, security professionals need to understand the actors behind ransomware threats, how they operate and how they continuously find new victims to target.
Closer analysis of high-profile ransomware campaigns like REvil and Thanos shows that organized partnerships between ransomware operators and affiliates, each playing to their strengths, help execute cybercrimes at scale and for maximum payout.
The Operator-Affiliate Collaboration
In carrying out ransomware campaigns at scale, operators and affiliates (sometimes referred to as “enablers”) divide and distribute the work needed for maximum damage.
Operators build and maintain the ransomware itself, ensuring the package can be customized per victim, downloaded by affiliates and tracked once it is installed. Ransomware operators also act as extortion enforcers, making sure the infrastructure for collecting payouts is fully functional. CrowdStrike research shows that 96% of those who paid the initial ransom also paid additional extortion fees.
Affiliates are more adept at finding the victims to target and employing social engineering tactics that convince victims to download the malicious package. The scale of the attack, as measured by the number of victims targeted, usually rests on the affiliate’s shoulders.
To ensure the widest reach, affiliates use distribution services: a specific set of technologies deployed to obtain initial access, target and compromise victims, and move laterally to reach the critical assets and data that are the real objective of the attack. Distribution services can take a number of forms, from stolen credentials acquired from access brokers to social engineering campaigns and exploit kits targeting specific software and systems.
Sometimes multiple affiliates work together to wreak havoc to drive up the ransom and extract maximum payment. Affiliates and operators also share the final payout, so it is in each party’s vested interests to complete their portion of the job effectively.
A Perfect Storm
This well-oiled business model between ransomware operators and affiliates using distribution services is a perfect storm because it lowers the barrier to entry for both types of malicious actors. Affiliates, for example, need not know how to write malicious code. They only need to focus on choosing victims and getting them to bite. Each threat actor plays to individual strengths in a well-choreographed partnership.
Since operators and affiliates are each responsible for only part of the ransomware campaign, attributing a crime to one specific threat actor becomes more difficult. Ransomware operators and affiliates effectively shield each other within the dark ecosystem.
This style of ransomware campaign is also especially problematic as the sophistication with which each set of actors carries out their work makes it easier for a breach to go undetected for months. For example, distribution tools can even come with built-in anti-forensic capabilities. The nature of the operator-affiliate relationship also keeps evolving, making malicious actors that much harder to trace.
How Defenders Can Avoid the Perfect Storm
Security teams can seek shelter by first tapping into threat intelligence to understand the actors and the dark web. Tracking who is at the top of the eCrime food chain will be critical to your defenses and in crafting an intelligent security strategy.
Understandably, information about the operators and affiliates alone is not enough. You also need to understand the distribution services they are using and if specific ransomware campaigns are dormant or active.
Scanning the dark web for access brokers who might be selling access to your environment, or for criminals offering your stolen data, also strengthens your response. Subscribe to alerts on criminal posts that mention your geographical region or industry vertical so the security team gets immediate intelligence and can gauge potential threats.
Finally, security teams need to conduct post mortems on malicious files left behind by ransomware operators. Since distribution services and operators frequently reuse attack tools, understanding how the malware behaves, and the indicators it leaves behind, helps craft defenses that catch the same tooling the next time it appears.
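As an added illustration of what that post mortem can produce (this is example code, not from the original post or from CrowdStrike), the Python script below triages a single recovered file: it extracts printable strings, hashes the file, checks the strings against a watchlist of indicators from earlier analyses of the same tooling, and turns any matches into a YARA rule. The sample bytes and the watchlist are constructed for the example and are not taken from any real ransomware family.

```python
import hashlib
import re

# Constructed sample: a stand-in for a file recovered during a post mortem.
# These are NOT bytes from any real ransomware family; they are a fake PE-like
# header plus a few embedded strings of the kind that tend to survive when
# operators and distribution services reuse their tooling (ransom note path,
# mutex name, C2 URI fragment).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"C:\\Users\\Public\\readme_decrypt.txt\x00"
    + b"\x01\x02\x03"
    + b"Global\\AffiliateLockMutex\x00"
    + b"\xff" * 5
    + b"/gate.php?id=\x00"
    + b"ab\x00"  # too short to be reported as a string
)

# Constructed reuse watchlist: strings noted in earlier (hypothetical) post
# mortems of the same tooling. Matching is substring, case-insensitive.
WATCHLIST = ["readme_decrypt", "AffiliateLockMutex", "gate.php"]

MIN_LEN = 8  # minimum run length to count as a string, like `strings -n 8`


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def sha256_hex(data: bytes) -> str:
    """Exact-match indicator for sharing with other teams or blocklists."""
    return hashlib.sha256(data).hexdigest()


def match_watchlist(strings: list[str], watchlist: list[str]) -> list[tuple[str, str]]:
    """Pair each extracted string with the watchlist entry it contains."""
    hits = []
    for s in strings:
        for w in watchlist:
            if w.lower() in s.lower():
                hits.append((s, w))
    return hits


def build_yara_rule(name: str, strings: list[str], sha256: str) -> str:
    """Emit a YARA rule keyed on the file's strings, so it still fires after a
    rebuild changes the hash. Backslashes and quotes are escaped for YARA."""
    lines = [f"rule {name}", "{", "    meta:", f'        sha256 = "{sha256}"', "    strings:"]
    for i, s in enumerate(strings):
        escaped = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" ascii')
    threshold = max(1, len(strings) // 2)
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {threshold} of ($s*)", "}"]
    return "\n".join(lines)


def triage(data: bytes, watchlist: list[str], rule_name: str = "reused_ransomware_tooling") -> dict:
    """Run the whole post-mortem pipeline on one recovered file."""
    strings = extract_strings(data)
    hits = match_watchlist(strings, watchlist)
    # Only strings that matched known reuse go into the rule; a rule built from
    # every string in a file is brittle and prone to false positives.
    rule_strings = sorted({s for s, _ in hits})
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "strings": strings,
        "hits": hits,
        "reused_tooling": bool(hits),
        "rule": build_yara_rule(rule_name, rule_strings, digest) if hits else None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE, WATCHLIST)
    print("sha256:", result["sha256"])
    print("reused tooling:", result["reused_tooling"])
    for s, w in result["hits"]:
        print(f"  {s!r} matches watchlist entry {w!r}")
    print(result["rule"])
```

The hash is the exact-match indicator to share; the generated rule is the durable one, since operators rebuild binaries far more often than they rename ransom notes, mutexes or C2 paths. Review the matched strings before deploying the rule: a watchlist entry that is too generic will produce a rule that fires on benign software.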
The takeaway for security teams is that ransomware campaigns might come and go, but if not caught, the human actors behind them never go away. They typically reinvent themselves and plot new modes of attack using sophisticated operators and tools in their ecosystem.
Profitable partnerships between ransomware operators and affiliates make for crafty opponents that seriously test security teams. Their use of distribution services to deliver their weapon of choice adds another layer of complexity to an already dangerous situation. Security professionals can lean on multiple threat intelligence services to map the dark web, identify these operator-affiliate partnerships and stop malicious threat actors in their tracks.