Takedowns ignite affiliate bidding war among ransomware groups

The dark web has become a hot spot for recruitment drives by up-and-coming ransomware gangs looking to attract affiliates seeking work following the busting of two major extortion operators, LockBit and ALPHV/BlackCat, by international law enforcement agencies. These recent crackdowns have sent shockwaves through the ransomware-as-a-service (RaaS) criminal ecosystem, leading to a scramble among affiliates to find new opportunities.

Authorities were believed to have temporarily taken down ALPHV/BlackCat’s operations in December, only for the gang to resurface with new infrastructure shortly after, hitting the headlines with the Change Healthcare attack. However, the gang then mysteriously vanished, claiming authorities had shut them down, in what experts suspect was an exit scam aimed at pocketing the $22 million ransom from the Change Healthcare attack without sharing it with the affiliate responsible.

Similarly, LockBit was temporarily shuttered in February by a multinational law enforcement operation. Both LockBit and ALPHV/BlackCat had networks of affiliates who carried out attacks using their malware in exchange for a portion of the ransom payout. However, the disruption caused by the takedowns has created distrust towards established RaaS groups, leading to affiliates seeking new opportunities.

In response to the vacuum left by these major players, smaller RaaS groups are seizing the opportunity to recruit new affiliates. Several emerging groups, including Medusa, RansomHub, and Cloak, have been actively posting openings for affiliates on dark web forums. These recruitment efforts may be driven by a shortage of human resources, growing distrust in established RaaS groups, or impacted groups looking to continue operations through new affiliates.

The researchers at GuidePoint Security noted that the recruitment pitches from these new RaaS groups varied in approach. Medusa, for example, offered generous payout scales based on the size of the ransom collected by affiliates, with potential earnings increasing for larger payouts. The group also provided 24/7 support and access to various teams to assist affiliates in carrying out attacks.

On the other hand, RansomHub took a different approach, leveraging contemporary events to persuade potential partners to join their ranks. By referencing the sudden disappearance of ALPHV/BlackCat, RansomHub sought to reassure affiliates by emphasizing that they would collect ransom payments directly and pass on a share to the group, reducing the risk of scams or fraudulent activity.

Meanwhile, the Cloak gang’s recruitment post was described as offering the least enticing features for potential affiliates, with payments in Monero cryptocurrency rather than Bitcoin, which could impact victim payment compliance. While affiliates could keep a significant portion of the ransoms collected, the use of Monero may present challenges in getting victims to pay up due to the relative popularity and traceability of Bitcoin in ransom demands.

Overall, the upheaval caused by the recent takedowns of LockBit and ALPHV/BlackCat has created a shift in the RaaS landscape, with new players vying for affiliates and seeking to capitalize on the uncertainty and distrust in the aftermath of these enforcement actions. As the ransomware ecosystem continues to evolve, the recruitment drives and tactics employed by these emerging groups will be closely monitored by security experts and law enforcement agencies to prevent further attacks and disruptions in the future.
