After LockBit, ALPHV Takedowns, RaaS Startups Go on a Recruiting Drive

High-profile takedowns of brand-name ransomware operations are starting to have a real impact, sowing discord among hackers and causing major shifts in the cyber underground.

The US and European Union governments have ramped up efforts to disrupt ransomware-as-a-service (RaaS) operations in recent months, most notably with headline-grabbing coordinated actions against the infamous LockBit and ALPHV/BlackCat groups. Police have identified ringleaders, seized malicious infrastructure and data — including information about affiliates — and even trolled adversaries with messages posted to their leak sites.

Though well-intentioned, these missions tend to receive criticism when, inevitably, remnants of such large, diffuse groups pop up days or weeks after their reported demise. After all, if the threat actors aren't being eradicated, what's the point?

A new report from GuidePoint Security on the current state of the ransomware ecosystem supplies that answer.

Thanks to the drama surrounding household RaaS groups, affiliates — the hackers who actually carry out attacks on their behalf — have increasingly moved away from them, toward lesser-known RaaS upstarts offering what they couldn't: trust.

"The question has been for years: How do we stop ransomware?" says Drew Schmitt, practice lead for the GuidePoint Research and Intelligence Team (GRIT). "One of the pieces of the answer could be creating distrust between groups and their affiliates."

How LockBit and ALPHV Lost Their Cred

"At first glance, if you don't really dive into the details, you might say that law enforcement was unsuccessful in their operations," Schmitt admits.

"But when you dive a little bit deeper, you realize that there are quite a few consequences for the ransomware groups that weren't really about taking down their infrastructure permanently," he adds. "And I think the biggest one is influencing these bigger groups to make decisions or take actions that ultimately hurt their credibility."

The strangest instance of this occurred following ALPHV's takedown last December. After an effort to rebuild its infrastructure and its reputation — offering affiliates a greater cut of their winnings, and lifting certain targeting restrictions — the group found a way to actually capitalize on its loss, using an exit scam. When one of its affiliates pulled off a $22 million dollar heist of United Healthcare a few weeks back, the group disregarded its profit-sharing agreement, keeping the entirety of the winnings and claiming that they were defeated by law enforcement yet again. The affiliate has published chat logs and blockchain data to suggest otherwise.

Affiliate exposes ALPHV's exit scam. Source: GuidePoint Security

In LockBit's case, even law enforcement's petty trolling has had a material reputational impact. As part of Operation Cronos, law enforcement posted to LockBit's leak site that "LockbitSupp has engaged with Law Enforcement ☺," which dented the RaaS leader's street cred, and, if true, put all its affiliates at risk as well.

As trust wanes in the formerly most-trusted names in ransomware, other groups are attempting to step in and take their place.

RaaS Startups Want YOU

In the vacuum left by larger groups, Schmitt has observed, "We see a kind of back-and-forth between some of these smaller groups, like LockBit and ALPHV had in the years past, competing against one another. This is very similar in my mind to how many different emerging companies in the same type of product or area in the market compete with one another, always trying to change and evolve and really make themselves a standout."

The startup RaaS Cloak, for example, recently posted to the underground forum UFO Labs offering an above-average 85/15 profit sharing split, with no upfront payment required to access its purportedly strong and modifiable signature malware.

The midmarket RaaS group Medusa is trying to sweep up former ALPHV and LockBit affiliates by offering 24/7 access to its administrative, advertising, and negotiating teams, and a sliding scale payment sharing model which starts at 70/30, but rises to 90/10 for ransoms in excess of $1 million.

Another upstart group called "RansomHub," recruiting from the same Russian-language underground forum as Medusa — RAMP — advertises a flat 90/10 split and a policy that affiliates can freely contract with other groups, as well. But its core value proposition is about trust.

RansomHub's RAMP recruitment post. Source: Guidepoint Security

"We have noticed that some affiliates have been seized by the police or have escaped from fraudulent activity causing you to lose your funds," the group wrote online. To assuage any concerns that they'll do the same, RansomHub has reversed the traditional model: Instead of controlling all the funds and paying out affiliates their share, affiliates control their own wallets and pay RansomHub.

Evidently, Schmitt notes, "There's a kind of pendulum shift happening right now, where these groups are trying to figure out where they can capitalize on the distrust in bigger groups like LockBit and ALPHV."

"Ransomware has traditionally been a very reactive type of cybercrime," he says, "and this is where we're at now. It's all very volatile, and we'll have to see how this plays out."