Ransomware-as-a-service business model takes a hit in the aftermath of the Colonial Pipeline attack

Cybercrime gangs are finding it harder to recruit partners for the affiliate programs that power ransomware attacks.

Abstract Malware Ransomware virus encrypted files with keypad on binary bit red background. Vector illustration cybercrime and cyber security concept.

Image: iStockphoto/nicescene

The best way to stop the ever-increasing wave of ransomware attacks is to take away the financial incentive behind these cyber crimes. The response to the Colonial Pipeline ransomware attack may be the first step in doing just that. Both governments and hacker forums have made it harder for ransomware gangs to use the ransomware-as-a-service (RaaS) model. This scalable business model requires several groups: engineers to write encryption software, network penetration experts to find and compromise targets and professional negotiators to ensure maximum payout. 

More about cybersecurity

Bryan Oliver, a senior analyst at Flashpoint said that the response from governments in the wake of the Colonial Pipeline attack has made it harder for ransomware groups to recruit partners.

“The main result of government action has been the banning of ransomware group recruitment from the top tier underground Russian forums,” Oliver said.  

Oliver said this change will not end ransomware attacks any time soon, but it is a significant step because it makes the ransomware-as-a-service model less profitable.

“The Exploit and XSS forums were the recruiting grounds for these ransomware groups, and losing access to those means losing access to new partners,” he said.

Oliver said that the administrators of these forums also banned the DarkSide collective in mid-May and distributed their deposit of roughly $1 million to DarkSide “partners” who claimed they had not been paid by DarkSide. 

“They have also since removed posts from their forums related to ransomware recruitment,” he said.

Amit Serper, Guardicore’s vice president of research for North America, said that he hopes to see a change in ransomware attacks with the U.S. and other national governments stepping up their fight against bad actors.

“The fact that the U.S. government managed to seize some of the funds that were paid by Colonial sets an interesting precedent,” he said. “If governments will be able to ‘deanonymize’ cryptocurrency transactions and seize stolen funds, ransomware attacks suddenly become unsustainable financially.”

SEE: The many ways a ransomware attack can hurt your organization (TechRepublic) 

Thomas Olofsson, CTO of FYEO, said the ransomware organizations seem to be self-governing a bit more, also as a result of the response to the Colonial Pipeline attack.

“Several of the groups have said, ‘We don’t want to target healthcare, especially during a pandemic, so you won’t get our license to install ransomware on those targets,” he said.

FYEO monitors about 13 groups that are significant players in the ransomware area. Olofsson also said that ransomware groups are now vetting targets before starting an attack in response to what happened to the DarkSide ransomware group after the Colonial Pipeline attack.  

“These ransomware groups don’t want to become the next target,” he said. “They want to be seen as the Robin Hoods that just attack the banks and the big corporations.” 

Olofsson said the DarkSide group thought they were hitting a big oil company and didn’t consider how the attack would affect end users. 

“If you hit the little guy, it doesn’t look good because you become the target yourself,” he said. 

Oliver of Flashpoint said some ransomware groups, such as REvil, have responded to this by claiming they will operate in “private mode” as opposed to RaaS but others may have called it quits. 

“Other groups have also emerged since then, such as Grief and Prometheus, but without the ability to recruit from a pool of highly skilled threat actors in a relatively secure environment, ransomware will likely be less dynamic and effective,” he said.

Oloffson said that bad actors also have changed their most common targets from low-hanging fruit to being more selective about who to attack.

“It used to be a botnet infecting random hosts, but bad actors are now putting in more effort, such as setting up fake domains to get into an email thread and infecting people via trusted channels,” he said. 

Olofsson said that cyber defenses have been stronger over the last year but that attackers are still one step ahead. 

“It is becoming more common for groups to attack backups and target central infrastructure as well,” he said. “They are starting with the backup and then encrypting the host.”

Olofsson said that companies should use a layered approach to defending against attacks, such as using more than one gateway and not having everything connected to the same network. He’s also seen attacks coming in via VPN concentrators.

“Security teams should monitor what is accessible on the internet and make sure you don’t have any VPN concentrators or things reachable from the internet because everything that is connected is scanned at least 10 times per day,” he said. 

Also see