Ransomware Gangs Evolve With New Affiliate Models and Strategies

Recent developments in the world of ransomware emphasize how cybercriminals are perpetually adapting their strategies to maintain efficacy and maximize financial gains. The evolution of ransomware-as-a-service (RaaS) models and the innovative techniques adopted by notorious ransomware gangs like DragonForce and Anubis are at the forefront of this transformation. These shifts significantly alter the cyber threat landscape, making it easier for less technically skilled criminals to partake in ransomware activities by leveraging the infrastructure and tools provided by more experienced threat actors.

Innovation in Ransomware-as-a-Service Models

The rise of ransomware-as-a-service (RaaS) has fundamentally transformed the modus operandi of cybercriminals. By lowering entry barriers, this model enables a broader spectrum of individuals, even those with limited technical expertise, to engage in sophisticated ransomware attacks. Through RaaS, aspiring cybercriminals can now purchase or lease the necessary tools and infrastructure from established threat actors. This democratization has resulted in a proliferation of ransomware attacks, making them a more substantial and pervasive threat to organizations globally. The increased accessibility of these tools has led to a corresponding surge in ransomware incidents, amplifying the challenges faced by cybersecurity professionals.

Secureworks, a prominent extended detection and response vendor, has conducted comprehensive research into emerging affiliate models introduced by various threat actors. One revealing finding is the shift towards more sophisticated affiliate structures that allow for greater customization and autonomy. This evolution has been a critical factor in making ransomware attacks more adaptable and harder to counter. Affiliates can now tailor their ransomware campaigns while still benefiting from the robust infrastructure provided by RaaS operators. This flexibility has attracted a wider array of cybercriminals, further intensifying the ransomware threat landscape.

DragonForce’s Rebranding and New Approach

DragonForce, a major player in the ransomware arena, exemplifies this innovation through a strategic rebranding and the introduction of a novel affiliate program. In September 2023, DragonForce rebranded itself as a “cartel” and unveiled an affiliate program on a Dark Web hacking forum. This new program allows affiliates to use their own malware while leveraging DragonForce’s robust infrastructure, which includes encryption and ransom negotiation tools, among other resources.

This rebranding marks a significant shift in the operational dynamics of ransomware groups. By enabling affiliates to create their own brands, DragonForce has introduced a model that offers both opportunities and risks. The opportunities are evident in the increased appeal to potential affiliates who may have their own malware but lack the necessary infrastructure to run complete ransomware campaigns. However, this model also introduces significant risks. The intertwining of various affiliates within the same infrastructure means that if one affiliate is compromised by law enforcement or security researchers, it could expose the operational and victim details of other affiliates. This interconnectedness raises the stakes and highlights the delicate balance ransomware groups must maintain between expanding their reach and safeguarding their operations.

Anubis’s Three Affiliate Models

Anubis, another prominent threat actor, has introduced a trio of distinct affiliate models, showcasing yet another innovative approach to ransomware operations. As of February, Anubis’s models include a traditional RaaS framework where affiliates earn a substantial 80% of the ransom, a data ransom option focusing on data extortion, and an access monetization option designed to help threat actors monetize already compromised victims. Each model is tailored to different operational tactics, reflecting the versatility and sophistication of modern ransomware strategies.

The data ransom option from Anubis is particularly sophisticated. It involves publishing detailed investigative articles on a password-protected Tor website, analyzing the victim’s sensitive data. If the victim does not pay the ransom, the article is subsequently published on the Anubis leak site and promoted via social media channels. This approach exerts additional pressure on victims by threatening to notify regulators and the victim’s clients, thereby increasing the likelihood of ransom payments. This multi-faceted extortion strategy underscores the evolving nature of ransomware tactics, emphasizing psychological manipulation alongside technical prowess.

Business-Like Operations of Ransomware Gangs

Ransomware gangs are increasingly adopting business-like operations to optimize their revenue streams. This trend is evident in the sophisticated affiliate programs marketed by both DragonForce and Anubis. By offering increased flexibility and potential financial gains, these ransomware groups aim to attract more affiliates and expand their operational reach. This business-oriented approach reflects a broader behavior among ransomware groups, including the now-defunct Maze group, which similarly operated with a corporate-like efficiency.

Rafe Pilling, Secureworks’ director of threat intelligence, underscores the importance of understanding ransomware operators as businesses. This perspective aids in comprehending their motives and adapting defensive strategies accordingly. Pilling notes that the new affiliate models are a reaction to various environmental changes, including enforcement disruption operations and a potential decline in ransomware payment rates. By offering more flexible and attractive affiliate programs, ransomware operators aim to enhance the overall success of their operations, despite increased scrutiny from law enforcement and cybersecurity professionals.

Defensive Strategies and Best Practices

Recent advancements in ransomware highlight how cybercriminals are constantly evolving their tactics to maintain effectiveness and maximize profits. The rise of ransomware-as-a-service (RaaS) models and the sophisticated methods employed by well-known ransomware groups like DragonForce and Anubis exemplify this shift. These changes profoundly impact the cyber threat environment, lowering the entry barriers for less technically skilled criminals. By utilizing the infrastructure and tools provided by more seasoned cybercriminals, these less experienced actors can easily engage in ransomware activities.

Moreover, the RaaS model enables amateur hackers to purchase ready-made ransomware kits, complete with customer support, while more skilled cybercriminals provide updates and ensure the ransomware remains undetectable. This democratization of cybercrime allows a wider range of individuals to participate in ransomware attacks, significantly increasing the overall number of attacks. The changing landscape underscores the importance of robust cybersecurity measures and constant vigilance to combat the ever-evolving threat of ransomware.
