Unintended Consequences of Ransomware - Part 1: Ransomware Gangs

February 10, 2022 | 32 min read

BlueVoyant

In this first part of an extended ransomware series, BlueVoyant examines gangs, their methodologies, and the aftermath after an attack.

The series looks at ransomware from the perspective of five different stakeholders: ransomware gangs; victim organizations; victim individuals; insurance brokers; and policymakers. We aim to show how a combination of market forces, geopolitics, and novel legal and policy challenges combine to make ransomware so effective and difficult to curb.

By Joshua Green

Growth of an Industry

In late 2019, the operators behind Maze ransomware established a website to publish victim data. This first leak site - as these sites came to be known - shamed ransomware victims who would not pay up, or not pay up fast enough. By the spring of 2020, the practice of double extortion had become widespread.

Quickly, the attacks listed on these leak sites led to increased reporting in cybersecurity publications and by mainstream news organizations; however, little reporting emerged showing the attackers facing consequences. On the contrary, the widespread press coverage almost exclusively consisted of successful ransomware attacks with high-dollar payouts. To a generation of cybercriminals, code jockeys, and opportunists, the notice was clear: ransomware was big money, and get into the gangbuster market while you can.

In 2019, ransomware was not new - indeed, the first ransomware attack can be traced back to 1989. And since at least 2010 ransomware attacks had been experiencing exponential growth. The emergence of leak sites, and subsequent ransomware media-driven publicity, took advantage of what had been a long period of evolution and increasing sophistication in the cybercrime market, especially the cybercrime-as-a-service (CaaS) model.

In an October 2019 profile of the Wizard Spider threat actor’s early adoption of this model, the writers deftly characterize it as “based on automation, customization, and a client-oriented approach.”

Briefly, the as-a-service model is the practice in the cybercrime economy of providing ready-made tools or services for sale. It may mean leasing out the use of a banking trojan, a botnet, or even ransomware service, so that a less tech-savvy criminal may pay for the ability to launch their own attacks with those services. The CaaS model steeply lowered the barrier for entry, and has the added benefit of making attribution more difficult - since many attackers share similar service infrastructure.

Market Forces at Work

Today, the ransomware market is highly agile, and driven by evident trends in supply and demand. Take the case of initial access brokers - or IABs.

Around 2018, ransomware operators transitioned away from first-stage ransomware deployment embedded as payloads in malicious emails. Cybersecurity was getting better at identifying threats, and attackers were getting better at using any initial access to jump from one company’s network to another - meaning that email campaigns gave way to a thriving market for anyone who could provide guaranteed initial access into a company’s networks.

Research revealed that the first half of 2020 revealed accesses for sale totaled $6.2M USD across 63 active sellers, an increase compared to $1.6M USD and 37 active sellers during all of 2018.

In similar research of IABs, analysis showed roughly 500 such initial access listings during 2020. Unsurprisingly, in their Q1 2021 assessment, the researchers had already tallied ~200 such listings. Furthermore, the price for that access averaged $7,100 USD over 2020 and had already dropped down to $1,923 by the end of Q1 2021, showing supply clearly responding to the demand.

Some of the IABs were looking for a single buyer of their accesses and indicated the seller’s willingness to work for a percentage — likely alluding to a share of ransomware profits. In short, it is clear initial access sales have spiked across marketplaces and yet a true reflection of how large the overall market is cannot be determined because direct partnerships and private communications are also being routinely utilized.

Underground marketplace managers responded to market demands as well. Digital Shadows research noted the English-language RaidForums’ Leaks Market section “became the primary place for initial access advertising and trading…[as] forum owners restructured their platforms to make these listings more prominent.”

These managers worked to feature popular products like Remote Desktop Portal (RDP) access, a common initial attack vector for ransomware attacks. As a result, it became the most common type of access featured by these marketplaces and also drew the highest average price for 2020, at $9,800 USD.

Beside the coveted RDP access, however, these markets also pushed initial access for other popular products such as VPNs, various Citrix solutions, as well as assorted OS and application control panels, and/or web-shells. Some also branched out to offer non-traditional access products.

For example, researchers observed one actor hocking access for Zoho’s Desktop Central remote monitoring and management solution for 18 different organizations over Q4 2020; yet another offered DX NetOps Spectrum access to an airport managing company that sold within four days.

Aside from little “a” accesses, underground forums and marketplaces offer the ability for would-be attackers to jump in with little skill because of the community’s embrace of the “as-a-service” model. In a tale - were it not for its dubious ethical bent - that may rival human-interest against-all-odds stories, a 21-year-old Indonesian man was arrested in October 2019 for running a single-person ransomware operation that had reportedly earned him more than $2M USD over five years.

Consider also the story of Sébastien Vachon-Desjardins, a Canadian man in 2015 who was sentenced to three-and-a-half years in prison for drug trafficking while holding a government position with the National Research Center for Canada. When Vachon-Desjardins was arrested just a few years later in January 2021 for his role as an affiliate of Netwalker ransomware, he had reportedly earned more than $27M USD from his cyber criminal exploits.

Vachon-Desjardins served as an affiliate for Netwalker ransomware. As an affiliate, he was permitted to use the ransomware, execute attacks with it, and split the proceeds with the ransomware operators. It was in this capacity he brought in more than $27 million. That isn’t even the highest reported. In an interview given by a REvil ransomware gang spokesperson who went by the UNKN moniker, UNKN noted one of their affiliates had earned $50M USD before calling it quits and retiring - although that affiliate’s retirement only lasted four months. These affiliates are playing a key role in growing the ransomware-as-a-service (RaaS) model.

As it has grown, the RaaS model has become quite varied depending on the operation and its level of maturity. There may be buy-in or lease requirements to use the service; potential affiliates may be vetted for skills and/or by country of origin; and/or affiliates may be required to prove prior work or a constant stream of potential accesses for exploitation.

The affiliate programs themselves offer a certain degree of anonymity, since affiliates share the same RaaS infrastructure as others, making it more difficult to pinpoint a specific attacker. But there is stiff competition among the ransomware operators for affiliates. Some operations provide onboarding documentation containing step-by-step guides; some offer dashboard solutions for managing and responding to their attacks; some insist on managing ransom negotiations and payment; some advertise the features of the software itself (i.e., encryption speed, encryption method); and some negotiate various terms for splitting profits. REvil’s UNKN said in the interview how some affiliates had left because “they [went] to competitors who dump the rates (up to 90% and so on).”

When responding to a question of what makes their operation special, the same REvil spokesperson said:

“I think it’s all of that working together. For example, this interview. It seems like, why would we even need it? On the other hand, better we give it than our competitors. Unusual ideas, new methods, and brand reputation all give good results. As I said, we are creating a new branch of development for extortion. If you look at the competitors, unfortunately, many people simply copy our ideas and what is most surprising — the style of the text of our messages. It’s nice — they try to show that they are as good as us, trying to reach the level and even striving to surpass in some things.”

The statement emphasized a not-so-insignificant level of market competition as its delivery carries notes of a well-worn marketing message utilized to establish brand identity and loyalty to close potential affiliates. It also acknowledges the fact that affiliates may be fluid and some top affiliates are likely being “wined and dined” by some operations.

There have also been innovations in the extortion side of the operations themselves. Since the Maze operators hit paydirt with stealing victim data and employing naming-and-shaming, double-extortion tactics to increase pressure on victims, there has been a constant attempt among ransomware operations to take it to the next level.

In September 2020, the Suncrypt ransomware operators incorporated distributed-denial-of-service (DDoS - flooding a website/network connection with traffic to render it inaccessible) attacks as part of a new tactic to further increase pressure. As of June 2021, the actors behind Avaddon, Darkside and REvil ransomware had also employed DDoS attacks.

In March 2021, the Darkside operators had incorporated a sort-of call center feature into their dashboard that would allow an affiliate to order up calls meant to pressure victims during negotiations. Similarly, the Cl0p and REvil gangs had incorporated email notifications sent to organization employees or customers to urge them to pressure the organizations to pay as well. Cl0p has also moved to target the devices of top executives during its data heist in order to incorporate that presumably high-value data in the pressure application phase.

More recent, the operators behind Ryuk ransomware started targeting web servers in their attacks, defacing a victim organization’s sites to display a ransom note. As a result, every visitor to the company’s site sees the ransom note thereby increasing public exposure and adding to the pressure for a victim to pay. As one last finger to the eye of a victim, the Ryuk encryption execution concludes by printing out dozens of copies of the ransom note to a victim’s default printer.

The operators have explored other revenue options as well. In June 2020, REvil operators advertised an auction for victim data of a Canadian agricultural company after it had refused to pay. In short, ransomware operators are working all the angles to pressure victims into paying and squeeze every last cent from their attacks. Undoubtedly, they will continue to innovate their tactics and incorporate their innovations into easy-to-use features for affiliates.

Calling a Spade

As noted above, some ransomware operations restrict affiliates to those within certain geographic borders. Others base selection criteria on the language a potential affiliate may speak. Many ransomware strains themselves build a check to ensure they do not target certain “national” entities into the code itself, constructing the code so it does not deploy if cyrillic-based font is the default keyboard setting.

As actors weigh risks, government attitudes and capabilities to counter their efforts certainly play a role; however, reporting unsurprisingly suggests not all nation-state attitudes toward ransomware are adversarial. Certain countries undoubtedly view it as a feature, not a bug. North Korea, Iran, and China are reported to have state-sponsored actors executing such attacks.

The cyrillic font carve-out, however, hints at a different sort of situation in Russia. It’s been reported that most of the large RaaS operations are based in Russia. While affiliates may originate from all over, the central hub behind the most serious operations is usually Russian-based.

In a 2021 Crypto Crime Report, Chainanalysis concluded the threat group Wizard Spider (operators behind Trickbot botnet and Ryuk ransomware) earned a third of all ransoms during 2020; the top 10 ransomware group earners were all tied to Russia as well.

In its press release establishing recent (April 2021) sanctions against Russia, the U.S. Department of Treasury enumerated the ways in which Russia cultivates/coopts criminal hackers and provides them safe harbor, directly calling out the cozy relationship between the FSB and Evil Corp (aka Indrik Spider).

Maxim Yakubets, a high-ranking member of Evil Corp, was indicted by the U.S. Department of Justice in late 2019 and for whom the FBI has a $5M USD reward for his arrest. Evil Corp manages the Dridex banking trojan malware and has been linked to the BitPaymer, WastedLocker, and Hades ransomware strains. However, the Russian government has not arrested or extradited Maxim; reporting from July 2020 labeled Maxim as “untouchable” in Moscow and that he “regularly films himself performing doughnuts around police in one of his fleet of supercars.”

Maxim’s father-in-law is a former Federal Security Services (FSB) special forces officer. Community reporting also revealed Evil Corp has overlaps with an espionage actor identified as SilverFish and that Wasted Locker and Hades operations may be cover for espionage operations. Wasted Locker had not built a leak site by the fall of 2020 like every other major ransomware operation and reporting from an early Hades attack revealed the victims had issues contacting the ransomware operators to negotiate the ransom.

Still, Russian threat actors definitely understand their advantaged position with the state. Criticism broke out in 2021 when Netwalker ransomware became the target of a U.S.-Bulgarian crackdown that seized their servers and led to one arrest (affiliate Vachon-Desjardins from above). A Netwalker linked operator under the name “Bugatti” was harangued by members on a Russian-language dark web forum for sloppiness; one member indicated the ransomware servers seizure could have been avoided if they had been in Russia, adding, “Mother Russia will help. Love your country and nothing [will] happen to you.”

Despite the potential setback of having a critical member arrested, it is very likely the remaining members would be able to retool and once again terrorize organizations globally. The same holds true for Netwalker’s operators.

In an interview with Aleks from the LockBit ransomware operation, Aleks summarized “for a cybercriminal, the best country is Russia.“

These recent law enforcement operations in Ukraine are evidence that maybe some of the previously acceptable areas of operation are no longer hospitable. But changes are not new; ransomware operators have tested limits to feel out what is acceptable and unacceptable, defining a Goldilocks zone for their activities.

The opposite end of the Goldilocks zone is not necessarily too big; rather, it is any target that draws too much scrutiny. The review comes, in part at least, from dark web forum admins and the participants themselves. Forum posters are on a thread where Suncrypt ransomware operators had advertised for affiliates started turning on the operators for targeting a New Jersey hospital. Suncrypt representatives attempted to defend themselves and said that the attack was carried out by an affiliate who was punished afterward, then insisted “we don’t do hospitals, government agencies, airports, and so on.”

Further complainants came forward and one forum member shared a technical analysis of the ransomware itself, to which the Suncrypt operators appealed to the forum’s administrator for it to be removed. Shortly thereafter, Suncrypt operators took down their leak site around September and did not show any updates again until last February.

The decision to lay low for a few months may have been impacted by the hit to their reputation caused by attacking a hospital. To be sure, some ransomware operations did announce they would not attack medical facilities while others made no such promises, so there are likely other reasons the underground community opted to make a stink out of this instance. Nevertheless, the reputation hit did occur and the operators reacted.

Perhaps no better example of crossing the line exists than the Darkside ransomware attack of the Colonial Pipeline on May 7 last year. Widely reported in the press because of the fuel shortages it caused along a large swath of the eastern United States, the attack itself also fueled outrage across the cybercrime community.

By May 10, after a high level of backlash erupted, the ransomware gang attempted damage control by indicating it was an affiliate that carried out the attack and they would be establishing an approval process for all attacks moving forward. A big line had been crossed, however, and the Darkside operators reportedly had some of their cryptocurrency seized by the U.S. government and the gang announced some of its servers were compromised. On May 14, the operators announced they were shutting down operations and closing up shop.

The attack also forced many others in the cybercriminal ecosystem to respond. By mid-May, three popular dark web forums/marketplaces decided to ban ransomware advertising across their platforms.

REvil continued to press its luck and test the Goldilocks zone upper limit in the aftermath of Colonial Pipeline. In late May, it was labeled the culprit in the attack against global meat supplier JBS Foods that earned it an $11M USD ransom payout. Then, on July 2, REvil launched a supply-chain-styled ransomware attack against IT solutions developer Kaseya. The attack abused a vulnerability in its IT-management and remote monitoring software to push the ransomware to Kaseya customers, with some estimates that 1,500 medium-sized companies may have been affected.

The large Kaseya incident came on the heels of a presidential summit discussion between Joe Biden and Vladimir Putin in June on ransomware. Biden reportedly asked Putin to take measures. On July 13, the REvil dark web site and its payment method went down and another related REvil site stopped responding to DNS requests. It is unclear who acted to shutter these sites, the U.S, or Russian government or even the operators themselves. Earlier this year, the Russian government reported its law enforcement arrested several members behind REvil. As such, it is clear the Goldilocks zone upper limit is becoming more defined and possibly a little tighter, especially given recent geo-political tensions.

The cybersecurity community remains skeptical as a whole as they’ve seen this movie before. Ransomware operators have been known to shutter for a while before popping up again, as in the case of Suncrypt above.

Industry expert Dmitry Smilyanets warned the Darkside shutdown may have even been a ruse known as an “exit scam,” wherein the operators used the cover of the news media and U.S. government reaction as an excuse for not paying affiliates to make off with all the profits. Additionally, rebranding under a new name occurs frequently. The same forums above that have removed ransomware advertising are still hosting ads from IABs. Like clockwork, security researchers reported in early September the REvil infrastructure and their Happy Blog leak site became operational once again.

Approximately 4,000 ransomware attacks occur daily in the U.S., according to the U.S. Department of Justice, and that number has grown annually over the past few years. One of the key factors that have affected that growth have been the successful implementation of ransomware leak sites, which brought transparency to these attacks and publicly disclosed more victims.

Another important domino was the wholesale embodiment of the as-a-service model that spurred market innovations and led to ease of access to take part in the criminal ecosystem of such attacks at scale. Of course, Russia’s reported role in providing safe haven for key ransomware operations has enabled bolder targeting by these groups and raised the profile of success, further contributing to the overall “advertising” of such attacks as high-reward/low-risk. The high-profile attack against Colonial Pipeline and subsequent reactions to REvil operators, however, did cause some market disruption that will likely impact operational decisions for these threat actors moving forward as they seek to find the Goldilocks zone and continue making money hand over fist.

In this first part of an extended ransomware series, BlueVoyant examines gangs, their methodologies, and the aftermath after an attack.

The series looks at ransomware from the perspective of five different stakeholders: ransomware gangs; victim organizations; victim individuals; insurance brokers; and policymakers. We aim to show how a combination of market forces, geopolitics, and novel legal and policy challenges combine to make ransomware so effective and difficult to curb.

By Joshua Green

Growth of an Industry

In late 2019, the operators behind Maze ransomware established a website to publish victim data. This first leak site - as these sites came to be known - shamed ransomware victims who would not pay up, or not pay up fast enough. By the spring of 2020, the practice of double extortion had become widespread.

Quickly, the attacks listed on these leak sites led to increased reporting in cybersecurity publications and by mainstream news organizations; however, little reporting emerged showing the attackers facing consequences. On the contrary, the widespread press coverage almost exclusively consisted of successful ransomware attacks with high-dollar payouts. To a generation of cybercriminals, code jockeys, and opportunists, the notice was clear: ransomware was big money, and get into the gangbuster market while you can.

In 2019, ransomware was not new - indeed, the first ransomware attack can be traced back to 1989. And since at least 2010 ransomware attacks had been experiencing exponential growth. The emergence of leak sites, and subsequent ransomware media-driven publicity, took advantage of what had been a long period of evolution and increasing sophistication in the cybercrime market, especially the cybercrime-as-a-service (CaaS) model.

In an October 2019 profile of the Wizard Spider threat actor’s early adoption of this model, the writers deftly characterize it as “based on automation, customization, and a client-oriented approach.”

Briefly, the as-a-service model is the practice in the cybercrime economy of providing ready-made tools or services for sale. It may mean leasing out the use of a banking trojan, a botnet, or even ransomware service, so that a less tech-savvy criminal may pay for the ability to launch their own attacks with those services. The CaaS model steeply lowered the barrier for entry, and has the added benefit of making attribution more difficult - since many attackers share similar service infrastructure.

Market Forces at Work

Today, the ransomware market is highly agile, and driven by evident trends in supply and demand. Take the case of initial access brokers - or IABs.

Around 2018, ransomware operators transitioned away from first-stage ransomware deployment embedded as payloads in malicious emails. Cybersecurity was getting better at identifying threats, and attackers were getting better at using any initial access to jump from one company’s network to another - meaning that email campaigns gave way to a thriving market for anyone who could provide guaranteed initial access into a company’s networks.

Research revealed that the first half of 2020 revealed accesses for sale totaled $6.2M USD across 63 active sellers, an increase compared to $1.6M USD and 37 active sellers during all of 2018.

In similar research of IABs, analysis showed roughly 500 such initial access listings during 2020. Unsurprisingly, in their Q1 2021 assessment, the researchers had already tallied ~200 such listings. Furthermore, the price for that access averaged $7,100 USD over 2020 and had already dropped down to $1,923 by the end of Q1 2021, showing supply clearly responding to the demand.

Some of the IABs were looking for a single buyer of their accesses and indicated the seller’s willingness to work for a percentage — likely alluding to a share of ransomware profits. In short, it is clear initial access sales have spiked across marketplaces and yet a true reflection of how large the overall market is cannot be determined because direct partnerships and private communications are also being routinely utilized.

Underground marketplace managers responded to market demands as well. Digital Shadows research noted the English-language RaidForums’ Leaks Market section “became the primary place for initial access advertising and trading…[as] forum owners restructured their platforms to make these listings more prominent.”

These managers worked to feature popular products like Remote Desktop Portal (RDP) access, a common initial attack vector for ransomware attacks. As a result, it became the most common type of access featured by these marketplaces and also drew the highest average price for 2020, at $9,800 USD.

Beside the coveted RDP access, however, these markets also pushed initial access for other popular products such as VPNs, various Citrix solutions, as well as assorted OS and application control panels, and/or web-shells. Some also branched out to offer non-traditional access products.

For example, researchers observed one actor hocking access for Zoho’s Desktop Central remote monitoring and management solution for 18 different organizations over Q4 2020; yet another offered DX NetOps Spectrum access to an airport managing company that sold within four days.

Aside from little “a” accesses, underground forums and marketplaces offer the ability for would-be attackers to jump in with little skill because of the community’s embrace of the “as-a-service” model. In a tale - were it not for its dubious ethical bent - that may rival human-interest against-all-odds stories, a 21-year-old Indonesian man was arrested in October 2019 for running a single-person ransomware operation that had reportedly earned him more than $2M USD over five years.

Consider also the story of Sébastien Vachon-Desjardins, a Canadian man in 2015 who was sentenced to three-and-a-half years in prison for drug trafficking while holding a government position with the National Research Center for Canada. When Vachon-Desjardins was arrested just a few years later in January 2021 for his role as an affiliate of Netwalker ransomware, he had reportedly earned more than $27M USD from his cyber criminal exploits.

Vachon-Desjardins served as an affiliate for Netwalker ransomware. As an affiliate, he was permitted to use the ransomware, execute attacks with it, and split the proceeds with the ransomware operators. It was in this capacity he brought in more than $27 million. That isn’t even the highest reported. In an interview given by a REvil ransomware gang spokesperson who went by the UNKN moniker, UNKN noted one of their affiliates had earned $50M USD before calling it quits and retiring - although that affiliate’s retirement only lasted four months. These affiliates are playing a key role in growing the ransomware-as-a-service (RaaS) model.

As it has grown, the RaaS model has become quite varied depending on the operation and its level of maturity. There may be buy-in or lease requirements to use the service; potential affiliates may be vetted for skills and/or by country of origin; and/or affiliates may be required to prove prior work or a constant stream of potential accesses for exploitation.

The affiliate programs themselves offer a certain degree of anonymity, since affiliates share the same RaaS infrastructure as others, making it more difficult to pinpoint a specific attacker. But there is stiff competition among the ransomware operators for affiliates. Some operations provide onboarding documentation containing step-by-step guides; some offer dashboard solutions for managing and responding to their attacks; some insist on managing ransom negotiations and payment; some advertise the features of the software itself (i.e., encryption speed, encryption method); and some negotiate various terms for splitting profits. REvil’s UNKN said in the interview how some affiliates had left because “they [went] to competitors who dump the rates (up to 90% and so on).”

When responding to a question of what makes their operation special, the same REvil spokesperson said:

“I think it’s all of that working together. For example, this interview. It seems like, why would we even need it? On the other hand, better we give it than our competitors. Unusual ideas, new methods, and brand reputation all give good results. As I said, we are creating a new branch of development for extortion. If you look at the competitors, unfortunately, many people simply copy our ideas and what is most surprising — the style of the text of our messages. It’s nice — they try to show that they are as good as us, trying to reach the level and even striving to surpass in some things.”

The statement emphasized a not-so-insignificant level of market competition as its delivery carries notes of a well-worn marketing message utilized to establish brand identity and loyalty to close potential affiliates. It also acknowledges the fact that affiliates may be fluid and some top affiliates are likely being “wined and dined” by some operations.

There have also been innovations in the extortion side of the operations themselves. Since the Maze operators hit paydirt with stealing victim data and employing naming-and-shaming, double-extortion tactics to increase pressure on victims, there has been a constant attempt among ransomware operations to take it to the next level.

In September 2020, the Suncrypt ransomware operators incorporated distributed-denial-of-service (DDoS - flooding a website/network connection with traffic to render it inaccessible) attacks as part of a new tactic to further increase pressure. As of June 2021, the actors behind Avaddon, Darkside and REvil ransomware had also employed DDoS attacks.

In March 2021, the Darkside operators had incorporated a sort-of call center feature into their dashboard that would allow an affiliate to order up calls meant to pressure victims during negotiations. Similarly, the Cl0p and REvil gangs had incorporated email notifications sent to organization employees or customers to urge them to pressure the organizations to pay as well. Cl0p has also moved to target the devices of top executives during its data heist in order to incorporate that presumably high-value data in the pressure application phase.

More recent, the operators behind Ryuk ransomware started targeting web servers in their attacks, defacing a victim organization’s sites to display a ransom note. As a result, every visitor to the company’s site sees the ransom note thereby increasing public exposure and adding to the pressure for a victim to pay. As one last finger to the eye of a victim, the Ryuk encryption execution concludes by printing out dozens of copies of the ransom note to a victim’s default printer.

The operators have explored other revenue options as well. In June 2020, REvil operators advertised an auction for victim data of a Canadian agricultural company after it had refused to pay. In short, ransomware operators are working all the angles to pressure victims into paying and squeeze every last cent from their attacks. Undoubtedly, they will continue to innovate their tactics and incorporate their innovations into easy-to-use features for affiliates.

Calling a Spade

As noted above, some ransomware operations restrict affiliates to those within certain geographic borders. Others base selection criteria on the language a potential affiliate may speak. Many ransomware strains themselves build a check to ensure they do not target certain “national” entities into the code itself, constructing the code so it does not deploy if cyrillic-based font is the default keyboard setting.

As actors weigh risks, government attitudes and capabilities to counter their efforts certainly play a role; however, reporting unsurprisingly suggests not all nation-state attitudes toward ransomware are adversarial. Certain countries undoubtedly view it as a feature, not a bug. North Korea, Iran, and China are reported to have state-sponsored actors executing such attacks.

The cyrillic font carve-out, however, hints at a different sort of situation in Russia. It’s been reported that most of the large RaaS operations are based in Russia. While affiliates may originate from all over, the central hub behind the most serious operations is usually Russian-based.

In a 2021 Crypto Crime Report, Chainanalysis concluded the threat group Wizard Spider (operators behind Trickbot botnet and Ryuk ransomware) earned a third of all ransoms during 2020; the top 10 ransomware group earners were all tied to Russia as well.

In its press release establishing recent (April 2021) sanctions against Russia, the U.S. Department of Treasury enumerated the ways in which Russia cultivates/coopts criminal hackers and provides them safe harbor, directly calling out the cozy relationship between the FSB and Evil Corp (aka Indrik Spider).

Maxim Yakubets, a high-ranking member of Evil Corp, was indicted by the U.S. Department of Justice in late 2019 and for whom the FBI has a $5M USD reward for his arrest. Evil Corp manages the Dridex banking trojan malware and has been linked to the BitPaymer, WastedLocker, and Hades ransomware strains. However, the Russian government has not arrested or extradited Maxim; reporting from July 2020 labeled Maxim as “untouchable” in Moscow and that he “regularly films himself performing doughnuts around police in one of his fleet of supercars.”

Maxim’s father-in-law is a former Federal Security Services (FSB) special forces officer. Community reporting also revealed Evil Corp has overlaps with an espionage actor identified as SilverFish and that Wasted Locker and Hades operations may be cover for espionage operations. Wasted Locker had not built a leak site by the fall of 2020 like every other major ransomware operation and reporting from an early Hades attack revealed the victims had issues contacting the ransomware operators to negotiate the ransom.

Still, Russian threat actors definitely understand their advantaged position with the state. Criticism broke out in 2021 when Netwalker ransomware became the target of a U.S.-Bulgarian crackdown that seized their servers and led to one arrest (affiliate Vachon-Desjardins from above). A Netwalker linked operator under the name “Bugatti” was harangued by members on a Russian-language dark web forum for sloppiness; one member indicated the ransomware servers seizure could have been avoided if they had been in Russia, adding, “Mother Russia will help. Love your country and nothing [will] happen to you.”

Despite the potential setback of having a critical member arrested, it is very likely the remaining members would be able to retool and once again terrorize organizations globally. The same holds true for Netwalker’s operators.

In an interview with Aleks from the LockBit ransomware operation, Aleks summarized “for a cybercriminal, the best country is Russia.“

These recent law enforcement operations in Ukraine are evidence that maybe some of the previously acceptable areas of operation are no longer hospitable. But changes are not new; ransomware operators have tested limits to feel out what is acceptable and unacceptable, defining a Goldilocks zone for their activities.

The opposite end of the Goldilocks zone is not necessarily too big; rather, it is any target that draws too much scrutiny. The review comes, in part at least, from dark web forum admins and the participants themselves. Forum posters are on a thread where Suncrypt ransomware operators had advertised for affiliates started turning on the operators for targeting a New Jersey hospital. Suncrypt representatives attempted to defend themselves and said that the attack was carried out by an affiliate who was punished afterward, then insisted “we don’t do hospitals, government agencies, airports, and so on.”

Further complainants came forward and one forum member shared a technical analysis of the ransomware itself, to which the Suncrypt operators appealed to the forum’s administrator for it to be removed. Shortly thereafter, Suncrypt operators took down their leak site around September and did not show any updates again until last February.

The decision to lay low for a few months may have been impacted by the hit to their reputation caused by attacking a hospital. To be sure, some ransomware operations did announce they would not attack medical facilities while others made no such promises, so there are likely other reasons the underground community opted to make a stink out of this instance. Nevertheless, the reputation hit did occur and the operators reacted.

Perhaps no better example of crossing the line exists than the Darkside ransomware attack of the Colonial Pipeline on May 7 last year. Widely reported in the press because of the fuel shortages it caused along a large swath of the eastern United States, the attack itself also fueled outrage across the cybercrime community.

By May 10, after a high level of backlash erupted, the ransomware gang attempted damage control by indicating it was an affiliate that carried out the attack and they would be establishing an approval process for all attacks moving forward. A big line had been crossed, however, and the Darkside operators reportedly had some of their cryptocurrency seized by the U.S. government and the gang announced some of its servers were compromised. On May 14, the operators announced they were shutting down operations and closing up shop.

The attack also forced many others in the cybercriminal ecosystem to respond. By mid-May, three popular dark web forums/marketplaces decided to ban ransomware advertising across their platforms.

REvil continued to press its luck and test the Goldilocks zone upper limit in the aftermath of Colonial Pipeline. In late May, it was labeled the culprit in the attack against global meat supplier JBS Foods that earned it an $11M USD ransom payout. Then, on July 2, REvil launched a supply-chain-styled ransomware attack against IT solutions developer Kaseya. The attack abused a vulnerability in its IT-management and remote monitoring software to push the ransomware to Kaseya customers, with some estimates that 1,500 medium-sized companies may have been affected.

The large Kaseya incident came on the heels of a presidential summit discussion between Joe Biden and Vladimir Putin in June on ransomware. Biden reportedly asked Putin to take measures. On July 13, the REvil dark web site and its payment method went down and another related REvil site stopped responding to DNS requests. It is unclear who acted to shutter these sites, the U.S, or Russian government or even the operators themselves. Earlier this year, the Russian government reported its law enforcement arrested several members behind REvil. As such, it is clear the Goldilocks zone upper limit is becoming more defined and possibly a little tighter, especially given recent geo-political tensions.

The cybersecurity community remains skeptical as a whole as they’ve seen this movie before. Ransomware operators have been known to shutter for a while before popping up again, as in the case of Suncrypt above.

Industry expert Dmitry Smilyanets warned the Darkside shutdown may have even been a ruse known as an “exit scam,” wherein the operators used the cover of the news media and U.S. government reaction as an excuse for not paying affiliates to make off with all the profits. Additionally, rebranding under a new name occurs frequently. The same forums above that have removed ransomware advertising are still hosting ads from IABs. Like clockwork, security researchers reported in early September the REvil infrastructure and their Happy Blog leak site became operational once again.

Approximately 4,000 ransomware attacks occur daily in the U.S., according to the U.S. Department of Justice, and that number has grown annually over the past few years. One of the key factors that have affected that growth have been the successful implementation of ransomware leak sites, which brought transparency to these attacks and publicly disclosed more victims.

Another important domino was the wholesale embodiment of the as-a-service model that spurred market innovations and led to ease of access to take part in the criminal ecosystem of such attacks at scale. Of course, Russia’s reported role in providing safe haven for key ransomware operations has enabled bolder targeting by these groups and raised the profile of success, further contributing to the overall “advertising” of such attacks as high-reward/low-risk. The high-profile attack against Colonial Pipeline and subsequent reactions to REvil operators, however, did cause some market disruption that will likely impact operational decisions for these threat actors moving forward as they seek to find the Goldilocks zone and continue making money hand over fist.

Related Reading