Ransomware Gangs Evolve With New Affiliate Models and Strategies

Article Highlights
Off On

Recent developments in the world of ransomware emphasize how cybercriminals are perpetually adapting their strategies to maintain efficacy and maximize financial gains. The evolution of ransomware-as-a-service (RaaS) models and the innovative techniques adopted by notorious ransomware gangs like DragonForce and Anubis are at the forefront of this transformation. These shifts significantly alter the cyber threat landscape, making it easier for less technically skilled criminals to partake in ransomware activities by leveraging the infrastructure and tools provided by more experienced threat actors.

Innovation in Ransomware-as-a-Service Models

The rise of ransomware-as-a-service (RaaS) has fundamentally transformed the modus operandi of cybercriminals. By lowering entry barriers, this model enables a broader spectrum of individuals, even those with limited technical expertise, to engage in sophisticated ransomware attacks. Through RaaS, aspiring cybercriminals can now purchase or lease the necessary tools and infrastructure from established threat actors. This democratization has resulted in a proliferation of ransomware attacks, making them a more substantial and pervasive threat to organizations globally. The increased accessibility of these tools has led to a corresponding surge in ransomware incidents, amplifying the challenges faced by cybersecurity professionals. Secureworks, a prominent extended detection and response vendor, has conducted comprehensive research into emerging affiliate models introduced by various threat actors. One revealing finding is the shift towards more sophisticated affiliate structures that allow for greater customization and autonomy. This evolution has been a critical factor in making ransomware attacks more adaptable and harder to counter. Affiliates can now tailor their ransomware campaigns while still benefiting from the robust infrastructure provided by RaaS operators. This flexibility has attracted a wider array of cybercriminals, further intensifying the ransomware threat landscape.

DragonForce’s Rebranding and New Approach

DragonForce, a major player in the ransomware arena, exemplifies this innovation through a strategic rebranding and the introduction of a novel affiliate program. In September 2023, DragonForce rebranded itself as a “cartel” and unveiled an affiliate program on a Dark Web hacking forum. This new program allows affiliates to use their own malware while leveraging DragonForce’s robust infrastructure, which includes encryption and ransom negotiation tools, among other resources. This rebranding marks a significant shift in the operational dynamics of ransomware groups. By enabling affiliates to create their own brands, DragonForce has introduced a model that offers both opportunities and risks. The opportunities are evident in the increased appeal to potential affiliates who may have their own malware but lack the necessary infrastructure to run complete ransomware campaigns. However, this model also introduces significant risks. The intertwining of various affiliates within the same infrastructure means that if one affiliate is compromised by law enforcement or security researchers, it could expose the operational and victim details of other affiliates. This interconnectedness raises the stakes and highlights the delicate balance ransomware groups must maintain between expanding their reach and safeguarding their operations.

Anubis’s Three Affiliate Models

Anubis, another prominent threat actor, has introduced a trio of distinct affiliate models, showcasing yet another innovative approach to ransomware operations. As of February, Anubis’s models include a traditional RaaS framework where affiliates earn a substantial 80% of the ransom, a data ransom option focusing on data extortion, and an access monetization option designed to help threat actors monetize already compromised victims. Each model is tailored to different operational tactics, reflecting the versatility and sophistication of modern ransomware strategies. The data ransom option from Anubis is particularly sophisticated. It involves publishing detailed investigative articles on a password-protected Tor website, analyzing the victim’s sensitive data. If the victim does not pay the ransom, the article is subsequently published on the Anubis leak site and promoted via social media channels. This approach exerts additional pressure on victims by threatening to notify regulators and the victim’s clients, thereby increasing the likelihood of ransom payments. This multi-faceted extortion strategy underscores the evolving nature of ransomware tactics, emphasizing psychological manipulation alongside technical prowess.

Business-Like Operations of Ransomware Gangs

Ransomware gangs are increasingly adopting business-like operations to optimize their revenue streams. This trend is evident in the sophisticated affiliate programs marketed by both DragonForce and Anubis. By offering increased flexibility and potential financial gains, these ransomware groups aim to attract more affiliates and expand their operational reach. This business-oriented approach reflects a broader behavior among ransomware groups, including the now-defunct Maze group, which similarly operated with a corporate-like efficiency. Rafe Pilling, Secureworks’ director of threat intelligence, underscores the importance of understanding ransomware operators as businesses. This perspective aids in comprehending their motives and adapting defensive strategies accordingly. Pilling notes that the new affiliate models are a reaction to various environmental changes, including enforcement disruption operations and a potential decline in ransomware payment rates. By offering more flexible and attractive affiliate programs, ransomware operators aim to enhance the overall success of their operations, despite increased scrutiny from law enforcement and cybersecurity professionals.

Defensive Strategies and Best Practices

Recent advancements in ransomware highlight how cybercriminals are constantly evolving their tactics to maintain effectiveness and maximize profits. The rise of ransomware-as-a-service (RaaS) models and the sophisticated methods employed by well-known ransomware groups like DragonForce and Anubis exemplify this shift. These changes profoundly impact the cyber threat environment, lowering the entry barriers for less technically skilled criminals. By utilizing the infrastructure and tools provided by more seasoned cybercriminals, these less experienced actors can easily engage in ransomware activities.

Moreover, the RaaS model enables amateur hackers to purchase ready-made ransomware kits, complete with customer support, while more skilled cybercriminals provide updates and ensure the ransomware remains undetectable. This democratization of cybercrime allows a wider range of individuals to participate in ransomware attacks, significantly increasing the overall number of attacks. The changing landscape underscores the importance of robust cybersecurity measures and constant vigilance to combat the ever-evolving threat of ransomware.

Explore more

Service Gaps Are Stalling Embedded Finance Growth

Financial institutions and tech enterprises are discovering that the glittering promise of a friction-free digital economy is often overshadowed by the harsh reality of systemic service failures. While the market for embedded finance across Western Europe is projected to soar past the €100 billion mark by 2030, the distance between technical potential and operational execution remains vast. For many organizations,

AI Code Generation Creates a New DevOps Bottleneck

The seamless integration of artificial intelligence into the modern software development lifecycle has effectively eliminated the traditional typing speed of a programmer as the primary limiting factor in technological innovation. While a software engineer can now utilize an AI assistant to generate a fully functional microservice in less time than it takes to prepare a morning meal, this efficiency is

How Will AI and Private Markets Redefine Wealth Leadership?

The traditional image of a wealth manager holding the keys to exclusive financial kingdoms is rapidly fading into obscurity as sophisticated algorithms and retail-friendly private assets reshape the power dynamics of global finance. For decades, the industry relied on information asymmetry and restricted access to justify premium fees, but that protective moat has finally evaporated. In this new landscape, the

How Is the Wealth Management Industry Transforming?

Sophisticated global investors have fundamentally moved away from the traditional obsession with beating market benchmarks toward a holistic strategy that emphasizes long-term stability and life-cycle management. The wealth management sector is witnessing a historic pivot as the focus on aggressive portfolio optimization is replaced by a trust-based model designed to weather global volatility. This transition reflects a new reality where

Trend Analysis: Integrated Wealth Management Models

The traditional firewall between a client’s corporate empire and their personal checkbook is rapidly dissolving, giving rise to a new era of borderless financial services. In an increasingly complex global economy, High-Net-Worth (HNW) and Ultra-High-Net-Worth (UHNW) individuals are demanding a unified approach that synchronizes investment banking, private wealth management, and legal governance. This article examines the strategic shift toward integrated