After LockBit, ALPHV Takedowns, RaaS Startups Go on a Recruiting Drive

Published: 23/11/2024   Category: security




Law enforcement action hasn't eradicated ransomware groups, but it has shaken up the cyber underground and sown distrust among thieves.



High-profile takedowns of brand-name ransomware operations are starting to have a real impact, sowing discord among hackers and causing major shifts in the cyber underground.
The US and European Union governments have ramped up efforts to disrupt ransomware-as-a-service (RaaS) operations in recent months, most notably with headline-grabbing coordinated actions against the infamous LockBit and ALPHV/BlackCat groups. Police have identified ringleaders, seized malicious infrastructure and data — including information about affiliates — and even trolled adversaries with messages posted to their leak sites.
Though well-intentioned, these missions tend to receive criticism when, inevitably, remnants of such large, diffuse groups pop up days or weeks after their reported demise. After all, if the threat actors aren't being eradicated, what's the point?
A new report from GuidePoint Security on the current state of the ransomware ecosystem supplies that answer.
Thanks to the drama surrounding household RaaS groups, affiliates — the hackers who actually carry out attacks on their behalf — have increasingly moved away from them, toward lesser-known RaaS upstarts offering what they couldn't: trust.
"The question has been for years: How do we stop ransomware?" says Drew Schmitt, practice lead for the GuidePoint Research and Intelligence Team (GRIT). "One of the pieces of the answer could be creating distrust between groups and their affiliates."
"At first glance, if you don't really dive into the details, you might say that law enforcement was unsuccessful in their operations," Schmitt admits.
"But when you dive a little bit deeper, you realize that there are quite a few consequences for the ransomware groups that weren't really about taking down their infrastructure permanently," he adds. "And I think the biggest one is influencing these bigger groups to make decisions or take actions that ultimately hurt their credibility."
The strangest instance of this occurred following ALPHV's takedown last December. After an effort to rebuild its infrastructure and its reputation — offering affiliates a greater cut of their winnings, and lifting certain targeting restrictions — the group found a way to actually capitalize on its loss, using an exit scam. When one of its affiliates pulled off a $22 million heist of United Healthcare a few weeks back, the group disregarded its profit-sharing agreement, keeping the entirety of the winnings and claiming that they were defeated by law enforcement yet again. The affiliate has published chat logs and blockchain data to suggest otherwise.
In LockBit's case, even law enforcement's petty trolling has had a material reputational impact. As part of Operation Cronos, law enforcement posted to LockBit's leak site that "LockbitSupp has engaged with Law Enforcement ☺," which dented the RaaS leader's street cred and, if true, put all its affiliates at risk as well.
As trust wanes in the formerly most-trusted names in ransomware, other groups are attempting to step in and take their place.
In the vacuum left by larger groups, Schmitt has observed, "We see a kind of back-and-forth between some of these smaller groups, like LockBit and ALPHV had in the years past, competing against one another. This is very similar in my mind to how many different emerging companies in the same type of product or area in the market compete with one another, always trying to change and evolve and really make themselves a standout."
The startup RaaS Cloak, for example, recently posted to the underground forum UFO Labs offering an above-average 85/15 profit sharing split, with no upfront payment required to access its purportedly strong and modifiable signature malware.
The midmarket RaaS group Medusa is trying to sweep up former ALPHV and LockBit affiliates by offering 24/7 access to its administrative, advertising, and negotiating teams, and a sliding scale payment sharing model which starts at 70/30, but rises to 90/10 for ransoms in excess of $1 million.
Another upstart group called RansomHub, recruiting from the same Russian-language underground forum as Medusa — RAMP — advertises a flat 90/10 split and a policy that affiliates can freely contract with other groups, as well. But its core value proposition is about trust.
"We have noticed that some affiliates have been seized by the police or have escaped from fraudulent activity causing you to lose your funds," the group wrote online. To assuage any concerns that they'll do the same, RansomHub has reversed the traditional model: Instead of controlling all the funds and paying out affiliates their share, affiliates control their own wallets and pay RansomHub.
Evidently, Schmitt notes, "There's a kind of pendulum shift happening right now, where these groups are trying to figure out where they can capitalize on the distrust in bigger groups like LockBit and ALPHV."
"Ransomware has traditionally been a very reactive type of cybercrime," he says, "and this is where we're at now. It's all very volatile, and we'll have to see how this plays out."
