Ransomware attacks have affected practically every sector of society, including healthcare, government, education, and business. Recently, within the Nordics, Tietoevry, a Finland-based cloud hosting services provider, announced that it had been subject to a ransomware attack that affected many of its customers in Sweden, including a widely used payroll and HR company, universities and over 30 government authorities.
Here at NTT Security, our Cyber Threat Intelligence team continually monitors the threat landscape to produce valuable and actionable insights, a key facet of our services. One aspect of this work is routine monitoring of posts made by ransomware groups on their leak sites. In this blog post we highlight the growth in ransomware groups and postings in 2023 and touch on the business model and playbooks they have adopted.
Ransomware groups are criminal groups that attempt to extort money from their victims by using ransomware to encrypt and steal data from an organization, rendering the data inaccessible. The criminals then demand a ransom in exchange for decryption of the data; in addition, they may attempt double extortion by threatening to leak the stolen data if the ransom is not paid. Ransomware group leak sites are typically located on the dark web; however, in order to bring news of their conquests to a broader audience, some ransomware groups are increasingly making use of social media channels to put more pressure on victims to pay.
RaaS Business Model used by ransomware groups
Many ransomware groups make use of Ransomware as a Service (RaaS). The first RaaS to be discovered was Tox, created in 2015 by a hacker of the same name; RaaS has since evolved into a lucrative business model. In this model, ransomware developers or operators package their tools into RaaS kits that they sell to other hackers or groups, called affiliates. The RaaS operators dictate the operating model, which ranges from monthly subscriptions to profit sharing, where any ransom obtained from the victim organization is split between the operator and the affiliate.
Chimera, one of the earliest ransomware groups to provide RaaS, held its affiliate share of the ransom at 50%. Other ransomware groups such as REvil, which was active between 2019 and 2022, held their affiliate share at 70%, and Lockbit2.0 held it at 80% in 2021.
BlackCat ransomware group: third highest number of victims
After Lockbit3.0 and CL0P, the ransomware group BlackCat (aka ALPHV) had the third highest number of victims in 2023. It used to vary its affiliate share between 80%, 85% and 90% depending on the value of the ransom. However, in December 2023, ALPHV announced that it would change its rules to a flat 90% affiliate share and launch a dedicated program for VIP affiliates, likely to incentivize existing affiliates, attract new ones, and also as a response to a takedown by the FBI.
An FBI operation in December resulted in the seizure of ALPHV's darknet site. ALPHV responded by temporarily 'unseizing' the site and announcing the 90% commission for affiliates. ALPHV is now continuing its activities on its newly launched leak site.
In general, the profit share for affiliates from RaaS has been increasing year by year, to the point where affiliates are granted special treatment based on their success.
Ransomware Activity in 2023: Monthly Analysis of Leak Site Posts
From our research we compiled a monthly summary of the total number of leak site posts about victims made by all ransomware groups in 2023, shown in Figure 1.
In the previous year, 2022, we saw an average of around 200 posts per month. In 2023 the number increased throughout the year, with over 300 posts per month becoming the norm from March onwards.
Figure 1. Total number of posts about victims made by ransomware groups per month in 2023
Ransomware Groups on the Rise: Exploring Monthly Patterns in 2023
Monthly trends in the total number of ransomware groups posting to leak sites in 2023 are summarized in Figure 2. In January and February, only about 20 ransomware groups posted to leak sites, but the increase became clear from March, and from June onwards the number of ransomware groups regularly exceeded 30. Ransomware source code, builders, and attack manuals have been leaked from groups such as Conti and Lockbit3.0 in the past. The use of this material has lowered the barrier to entry for many criminals and fueled the increase in ransomware groups and attacks.
Figure 2. Trends in the total number of groups whose posts were confirmed on leak sites
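The two views behind Figure 1 and Figure 2 are both aggregations over the same stream of leak-site observations: posts per month, and distinct groups posting per month. The script below is an added example of that aggregation; it is not NTT Security's tooling or data. The post records, group names and victim names are constructed placeholders, and the deduplication step assumes (as an assumption of this example) that repeated crawls of a leak site can return the same post more than once, which would inflate the monthly counts if not removed.

```python
"""Aggregate ransomware leak-site posts into monthly post and group counts.

Added example with constructed sample data; not NTT Security's dataset
or tooling. A post is modelled as (post date, group name, victim name).
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of leak-site posts. Group and victim names are
# placeholders, not real observations.
SAMPLE_POSTS = [
    (date(2023, 1, 5), "group-a", "victim-001"),
    (date(2023, 1, 9), "group-b", "victim-002"),
    (date(2023, 1, 9), "group-b", "victim-002"),   # same post seen on a second crawl
    (date(2023, 1, 20), "group-a", "victim-003"),
    (date(2023, 2, 2), "group-c", "victim-004"),
    (date(2023, 2, 14), "group-a", "victim-005"),
    (date(2023, 3, 1), "group-d", "victim-006"),
    (date(2023, 3, 3), "group-e", "victim-007"),
    (date(2023, 3, 21), "group-a", "victim-008"),
    (date(2023, 3, 30), "group-b", "victim-009"),
]


def month_key(d):
    """Bucket label in YYYY-MM form, so months sort chronologically as strings."""
    return f"{d.year:04d}-{d.month:02d}"


def dedupe_posts(posts):
    """Drop exact repeats (same date, group and victim) produced by re-crawling.

    Order of first occurrence is preserved so the result is deterministic.
    """
    seen = set()
    unique = []
    for post in posts:
        if post not in seen:
            seen.add(post)
            unique.append(post)
    return unique


def posts_per_month(posts):
    """Figure 1 style view: number of unique victim posts in each month."""
    counts = Counter(month_key(d) for d, _, _ in dedupe_posts(posts))
    return dict(sorted(counts.items()))


def active_groups_per_month(posts):
    """Figure 2 style view: number of distinct groups that posted in each month."""
    groups = defaultdict(set)
    for d, group, _ in dedupe_posts(posts):
        groups[month_key(d)].add(group)
    return {month: len(names) for month, names in sorted(groups.items())}


def months_above(counts, threshold):
    """Months whose value exceeds a threshold, e.g. the 300-post or 30-group
    marks the post uses as reference points."""
    return [month for month, n in counts.items() if n > threshold]


if __name__ == "__main__":
    print("posts per month:", posts_per_month(SAMPLE_POSTS))
    print("active groups per month:", active_groups_per_month(SAMPLE_POSTS))
    print("months with more than 2 posts:", months_above(posts_per_month(SAMPLE_POSTS), 2))
```

On real data the thresholds passed to `months_above` would be the 300-post and 30-group levels discussed above; the sample uses a threshold of 2 only so that the toy dataset produces a non-empty result. Counting distinct groups rather than posts is what separates the Figure 2 view from Figure 1: a single prolific group can drive the post count up without changing the number of active groups.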
There is no doubt that ransomware groups and attacks increased in 2023 and will continue to do so. With ease of entry through RaaS, competition among operators has also increased, with operators competing on platform performance and, as highlighted above, profit sharing. Affiliate dominance is expected to continue, and group operators are expected to strengthen their support systems for affiliates. In addition, in order to increase the probability that a victim organization will pay a ransom, operators are emulating typical business models and leveraging legitimate services to communicate, market and enhance their 'brand' strength.
About Cyber Security Insights
This blog post is part of our Cyber Security Insights series, released several times every month and providing valuable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department's OSINT Monitoring Team and NTT Security Sweden's Incident Response Team, our content includes expert analysis of recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.
References
Graham Cluley, "Come to the dark side. Chimera ransomware asks victims to become affiliates"
White Hat IT Security, "The revil is in the details"
KELA, "LockBit 2.0 Interview with Russian OSINT"
SOCRadar, "Dark Web Profile: BlackCat (ALPHV)"
Krebs on Security, "BlackCat Ransomware Raises Ante After FBI Disruption"
Want to know more about how we can help you with your cybersecurity?
NTT Security's Managed and Detection service creates the visibility you need to detect and respond to cyber attacks at their earliest stage. Our cyber analysts are always awake and ready to protect and defend you. Reach out.