Now that ransomware has been thrust into the limelight, cybercriminals are adjusting their business models. Here is what businesses need to know.
Editor’s note: The following is a guest article from Robert McArdle, director of cybercrime research at Trend Micro.
Ransomware attacks have made a lot of headlines lately, drawing unwanted attention to several ransomware actors. This has had an immediate impact on ransomware groups and their affiliate models, and has driven changes to underground forums and political responses.
It’s not showing any signs of slowing down, political pressure or not, and it will likely have a lasting impact on cybercriminal businesses, which in turn will impact how companies globally defend against cyberattacks.
So, how have recent events impacted criminal businesses? There are three key ways:
These three levels of change will happen over time. Here’s how it will evolve.
Since the fallout of the DarkSide Ransomware in the U.S., following Colonial Pipeline and the takedown of the healthcare system in Ireland by Conti ransomware, discussions in cybercriminal underground forums have undergone major changes.
Both DarkSide and Avaddon have shut down. Whether these were exit scams or related to excessive political heat they endured is not known. Several other ransomware groups have gone through several rounds of rebranding as well. This is an effort to distance their current and ongoing criminal activities from their past activity. Groups have had varying degrees of success with this approach.
Either way, this led several affiliates to file for repayment on key forums. That is, they asked the actors behind the ransomware to refund the buy-in they had paid to operate as affiliates in the ransomware-as-a-service model. Some of them have visibly received this refund.
Additionally, the XSS forum announced a ban on all ransomware-related activity on the forum on May 13. This is the main forum where DarkSide and several other ransomware affiliate programs, such as REvil, were advertised. Initially, some users moved their ads to Exploit – another similar, popular forum – until the forum announced a similar ban on May 14.
Since then, the Groove Gang has spun up a new dedicated forum called RAMP, which is purely dedicated to ransomware discussion.
There can be several implications of these changes and the shift to private models. The remaining groups may likely continue their work exactly as it was, just without relying on forum ads to recruit. While they are likely to use affiliates, they will be recruited directly.
Some mature groups have gone truly independent – essentially taking the role of affiliates internal to their organization in the form of pen-testing sub teams that provide initial access to victim organizations.
The pressure and attention from recent attacks has clearly made several modern ransomware groups uncomfortable. However, the business model of ransomware is simply too profitable to vanish right now. Some of the major gangs have built themselves up as mini corporations.
Like it or not, when that happens you have staff to support, and at least some level of ethical commitment to keep the business trading.
To continue operating in the current political environment, groups will shift their tactics in a few ways.
First, there will be an increase in “triple” or “quadruple” extortion models. While this has already been implemented by some groups, it will increase to add pressure on victims to pay. The added pressure may be needed as many governments are taking a stronger stand against ransomware.
Data leak extortion allows attackers to target off-limits industries like healthcare and critical national infrastructure (CNI), and while many people believe this will be the model going forward, it might not be the case. Blackmail is a critical part of this business, but it is actually the weaker extortion ploy compared to preventing a company from working. There is no guarantee that attackers will delete any stolen data.
Cybersecurity insurance also adds a whole new layer to the current ransomware environment. Some have theorized that ransomware gangs could specifically target organizations that they know have ransomware insurance coverage – because the likelihood that the victim will pay is high.
However, to date we have seen little evidence of this. In addition, there is concern that by covering ransomware payments, insurers are effectively accepting cybercriminal activity. Recent U.S. declarations of sanctions on certain ransomware groups and the bitcoin exchanges they use further complicate matters.
So, where do we go from here? Will cyber insurance firms stop covering ransomware payments?
In fact, the opposite effect has recently been occurring – the Grief ransomware group threatened to permanently delete recovery keys if the victim brings in the services of professional negotiators. Such negotiators can lead to lower payments for the victims and help buy the victim more time to put a recovery plan in place – neither of which is welcome news for the attacker.
The situation continues to be in flux with ongoing political conversations and changes in cyber risk management at the highest levels. So, what can you do to keep your organization protected?
The threat landscape continues to evolve, but that doesn’t mean security teams have any additional resources to stop or identify criminal activity faster.
To navigate this ongoing challenge, here are three things security leaders can prioritize:
Again, this sounds simple on paper, but we know it is not that simple in practice.
Many companies are consolidating security vendors to eliminate gaps in visibility and protection and make it easier for their analyst team to make sense of fewer security logs.