Ransomware Evolves: Affiliates Set to Wield Greater Power
Operators Left Exposed After Overreaching, Says McAfee Enterprise's John Fokker
Mathew J. Schwartz (euroinfosec) • November 1, 2021
How is the ransomware ecosystem set to evolve?
Since ransomware-wielding attackers overreached - in particular after DarkSide hit Colonial Pipeline this past summer - the administrators of those groups have been banned from leading cybercrime forums, says John Fokker, the principal engineer and head of cyber investigations for Advanced Threat Research at McAfee Enterprise. That change has affected ransomware operators' ability to recruit, via forums, the affiliates who use their malware against victims in exchange for a cut of every ransom a victim pays.
As a result, "what we're seeing, and what we think is going to happen, is that there is going to be a power balance shift," Fokker says. As detailed in a new report he co-authored, McAfee Enterprise predicts that experienced affiliates will more often be calling the shots and selling access to a victim to the highest ransomware operation bidder. Unfortunately, he adds, this more decentralized approach may also make it much more difficult to track ransomware operations, not least for law enforcement agencies.
In a video interview with Information Security Media Group, Fokker discusses:
- How and why the ransomware-attacker balance of power has been shifting to favor affiliates;
- Attackers' ongoing use of business email compromise and CEO fraud;
- Likely changes in extortion and data breach tactics being wielded by criminals.
Fokker is the principal engineer and head of cyber investigations for Advanced Threat Research at McAfee Enterprise. He was previously the project leader for the cybercrime threat intelligence team for the Dutch Police.
Mathew Schwartz: How can we expect to see cybercrime evolve over the next year? Hi, I'm Mathew Schwartz, executive editor with Information Security Media Group. And to help me answer that question and share his prognostications, I am joined by John Fokker, McAfee Enterprise's principal engineer, and also head of cyber investigations for its Advanced Threat Research group. John, great to have you back.
John Fokker: Great to see you again, Mathew. Always a pleasure.
Mathew Schwartz: Thank you. Well it's always great, interesting, fascinating and sometimes horrifying, to talk ransomware with you, and you've been looking at the state of play, and where you think this whole little ransomware thing is going to be going in the future? If you please, share some of your findings.
John Fokker: Yeah, and it's no secret that I have an interest in ransomware, that's kind of obvious, that's been pretty obvious for the last recent years. And every year from McAfee Enterprise, we bring out our threat predictions. So we look: what can we expect ahead? And actually, maybe you can say I'm cheating or not, because it's already happening, as we can say, but still, when we wrote this up, it wasn't going on at that time. So we can still call it a prediction. But anyway, what we're seeing and what we think is going to happen is that there is going to be a power balance shift. So historically, and we've reported on this, and I think it's been explained in the media quite often, is that if you look at ransomware as a service, it was pretty much from the beginning, when it started with CTB-Locker, like years back, a pretty — how would you say? — there was a strict hierarchy, it was kind of a pyramid type of structure, where you have the ransomware developer at the top, or the admin system, I call it, and they would say: OK, I need people to distribute my ransomware. So that could be in this case people who own the botnets, or could do spamming runs and things like that, and they would get a percentage and it worked all the way down. And if you do not perform, so you do not send out X amount of installs or whatever, they'll kick you out. This kind of evolved, and that model was something that we saw with GandCrab, really, really obvious, because they had a lot of, like, job interviews, and it transitioned over into REvil. And the funniest thing was happening, actually, and we think it's part of a result of the things happening with the Colonial Pipeline attack and all the major attacks happening in the U.S., where, at a certain moment, ransomware always had a safe haven on cybercriminal forums.
So there's a couple of top-tier Russian-speaking cybercriminal forums where ransomware actors could actually open up shop, they could present what they had, and they could invite people to join their ransomware gang in order to infect people. And what we saw, as a result of basically the political reaction to the very impactful ransomware attacks, is that they banned the sale of ransomware. So inevitably, what they did, they made sure that these ransomware actors did not have a shop. They're probably still around on the forums, but not as obvious. So you see it: they're not really portraying that top-tier place that they usually have. They lack arbitration, for instance. So if you're an affiliate, and you got scammed by a ransomware actor, there's no way to complain. Because the forum would do that for you, you would see if a ransomware actor or ransomware group would come on a forum, if they made a deposit. So how trustworthy are they? They were being somewhat held accountable by the other set of cybercriminals that are on the forum. And that whole power balance, because they were bad, is starting to shift. And not only that, we saw some other things happening, and it's funny, because I come from organized crime. And if there's a lot of money involved, there's always people unhappy. I guess it's not only crime, but it's probably also true in business. And there's always people that feel that they are entitled to more. And in this case, it was the same thing, I believe, with Conti ransomware, where an affiliate — somebody who actually worked and did the installs, did the intrusions on the network — wasn't happy with the amount of pay that he received. So they were attacking organizations, extorting them for millions of dollars, and all he saw was a $1,500 paycheck every week.
Well, mind you, it's decent pay, but it's not in balance to, or according to him, it was not balanced to the income or the profits the ringleaders made. So he decided, like, Oh, I'm not so happy with this. I'm doing all the heavy lifting. Why don't I just, like, dump the whole attack playbook, everything, how we do it, on the internet, so we can explain how everything's done. And I'll spill the beans. So that to me is obviously a godsend, because it's very handy for us from an intelligence perspective, learning from the adversary in this case. But it is a sign on the wall that people are not happy with the current way they're doing business. And this slowly progressed on to that you're seeing more autonomous groups that are well trained, they really, really know how to, like, infiltrate, and do, basically, a CNE into — like, a computer network exploitation tactic. And they're really good at breaking in and compromising the whole network, getting the domain admin credentials, basically doing 99% of the work, and they have access to these systems. And then the last 90% of the work, or the last 1% of the work as they see it, is installing the ransomware. So what we will see, or what we think, is that, because the heavy lifting is done by these affiliate groups, and by the lack of visibility on the forums, these affiliate groups are still present there. Because the people doing the infiltrations, the guys and girls, are still there, and are going to play a more important role than the actual ransomware actors. They're going to control who they are going to sell their access to. And that could even be by a public auction, saying, like, well, actually, we have access to top-tier organization X with a revenue of whatever, who's interested? What do you have to offer? Who makes us the best deal to work with us as a ransomware team with your code, in order to make a, well, percentage-wise and all that stuff?
Which is basically different from what we saw in the last years, where you had to apply for a job to get into the team to be, work hard, and then you get a part of the pay. The pay was good for a lot of folks and for some, less. But still, it was a different dynamic, you really had to apply for it. Whereas now it's the other way around, or we expect it to be the other way around, more often.
Mathew Schwartz: Fascinating. So we've seen so many shifts in the ransomware ecosystem, like you said, it seems to have been this maybe mafia-esque sort of thing where you would have the developer, who was the don, calling the shots.
John Fokker: Yeah.
Mathew Schwartz: Yeah, recruiting the business partners, you know, the muscle, basically. And then we've spoken about this before, you saw the rise of much more skilled affiliates, who were very good at getting in, and then deploying ransomware. And I've heard that different affiliates would sometimes work with multiple ransomware operations at once, depending on the cut, maybe they were getting, you know, 70% for the affiliate, 30% for the operator not being unusual, which might be what angered the Conti employee. So, but now that ransomware has lost, lost its platform, as you say, you see affiliates becoming likely, much more powerful. How exactly do you think they might be working with these ransomware operations though? Because, I mean, they'll still be developing the crypto-locking malware. I mean, that was always their not secret sauce, but, you know, the thing they brought to the equation?
John Fokker: Yep.
Mathew Schwartz: Are affiliates just going to be demanding more and more money to work with these operators, do you think?
John Fokker: Well, I think they'll probably be in a situation where they could pick and choose which one they want to work with. So who do they trust the most? And that trust can be built up of, OK, what kind of reputation do you have? That could be, like, how they're perceived by other criminals? Do they have a track record? Basically, you're applying for a job and the ransomware actor has to hand over his resume or give his resume. But it could also be, like, OK, if I go and work with this person, how can I trust him that he's not double-crossing me? How can I trust that his systems are safe? How can I trust that his ransomware is actually foolproof, as we currently saw with BlackMatter, where Emsisoft was able to break the encryption and secretly handed out decryptors and alerted a network, including us as well, that this is great news, and you can kind of circumvent the effect. Because the last thing you want as a powerful affiliate or hacking team is that, yeah, you have worked really hard to get this access and then you go do business with a ransomware actor that doesn't really know how to do their business. And, yeah, lastly, the payout, that's a large portion. So what's in it for them? What can I expect? Because the way I see it, I think the ransomware actors are going to shift more towards that platform. So it's the binary, the negotiation, the payment structure, all that stuff, all post-encryption, that is going to be part of the ransomware core, as we might say. But we saw it with Groove gang, that was an offshoot of Babuk ransomware, that we can attribute to, like, the Metropolitan Police hacks, I think the Houston Rockets and some other ones. And they basically set up RAMP, a forum. It's now questionable what the status is of RAMP. But that's more of, like, what's happening at the last moment.
But still, what they envisioned was a place of their own, where ransomware actors and powerful affiliates could mingle and then work together to make something nice. But we saw, funny enough, that Groove, they worked in the past with Babuk, and now we saw with BlackMatter, and then we saw something posted on their own website. So it is a very interesting dynamic going on. And I would not be surprised in the future that we can see that affiliate groups will work with, like you said, multiple ransomware teams. And then historically, yeah, the pyramid structure is easy to investigate. It makes it a lot easier, also, for law enforcement, for instance, it's like, OK, this is the ransomware name, and we have to figure out everyone below that, or all the affiliates that are affiliated with this. OK, that's the whole group. Whereas now it's not, it's just an element. And it's more like an opportunistic network type of collaboration, where, yeah, for this attack, this affiliate group might actually work with this ransomware and for the other attack something else. So it's not making it easier, per se.
Mathew Schwartz: It is a lot more difficult if they're working with self-motivated contractors, basically, who will take their accesses and like you say, perhaps sell to the highest bidder. One thing that we saw with RAMP, it sounded from the communications, like they were envisioning a non-ransomware exclusive sort of environment, maybe looking at other ways of monetizing attacks, like you said, maybe stealing data. It seemed like, I don't know if they were envisioning the future, but if ransomware attacks should become less lucrative, what are some of the other paths that we can pursue, which I think is a really pertinent question these days, when governments might be involved in disrupting some of these operations more directly.
John Fokker: Correct. In all honesty, ransomware is shifting in a way that it's, I think it's, maybe it's basically we no longer call it ransomware, but extortion, because that's basically what it is. The fact that we saw the double extortion with the data exfiltration and trying to leak sensitive data. There's no ransomware involved in that. That's basically extortion. So I think we can expect — and I don't know what is going to be across the horizon — but we'll try to do our best to figure out. But yeah, they will come up with new ways to extort folk. And that could be, we see it already: direct calling of high individuals within the companies like the C-level suite, because you have all that data already. It's already in your possession. So you know exactly who to approach by combining not only the business information or personal information of a CEO, but also doing some open source research on the CEO, you might actually get a very interesting social profile. And, yeah, that almost comes into a realm that was usually used by also organized crime, the mobsters, but also by nation states, just to put pressure on people, because you try to blackmail folks with sensitive information. So we can see, I think, a whole scale of things: we saw the DDoS attacks happening. That's one of the things. Yeah, I wouldn't be surprised if some business email compromise comes around the corner, because that's also a very lucrative thing, even though that's not extortion, but you still have the same level of access to all that data. And let's face it, a lot of the victims that are hit with ransomware are finding out because either their name is on the internet, or their computers don't work, and they get a splash screen. So it's not often that they won't, if they notice it and notice it early on, they will probably not become a victim because they can mitigate the risk or they mitigate the threat. But a lot of these organizations find out the hard way.
Mathew Schwartz: Ransomware is really noisy, I know that it definitely lowers the average for the time it takes a victim to discover an intrusion. Because if you can't use your system, obviously something has gone wrong. So —
John Fokker: Yeah, the 90 days from the old days, it's now back to a couple of hours sometimes.
Mathew Schwartz: Pros and cons, I suppose. Fascinating what you say about business email compromise, because I think if you look at FBI statistics, that's actually more damaging than ransomware in the aggregate. But I think if you're an individual business that gets hit with ransomware, obviously, that can be a business-disrupting or business-stopping sort of event.
John Fokker: Yeah, that's an interesting point, I was looking at the same statistics. One of the things is that I think there's less of a threshold for organizations to report business email compromise. That's one of the things, because there's not necessarily a data breach, you got scammed out of money. So what business email compromise could be, it could be a data breach or not, or you could just be tricked with CEO fraud, they kind of put those things together. So it doesn't necessarily mean that you have sensitive data being leaked, or all these things. You transferred money to a foreign account, and a large sum. And that is also the loss. That's the exact loss, limited to that. Whereas if you look at ransomware, the only thing that the FBI could actually accumulate, or the Treasury Department, was the amount of payments they could 100% attribute to ransomware. There's a lot of payments they could not, or they haven't attributed yet, or they weren't able to attribute. And in addition, the ransom amount is only one part of the damage. The damage is much faster, it's much greater. Because even if a company pays the ransom — which we discourage, but if they have no other choice, they'll do it — they still need to fix the root cause, they still need to overhaul their complete IT systems. And that's only the technical solution. They need to invest a lot of time and money in decent security to make sure it doesn't happen again. And then there's the media attention, how that impacts, there's customers that might go away, loss of business, all these things factor in, there's a lot of indirect costs that are not attributed, obviously, in the Treasury Department's calculations, because that's fairly hard to attribute, that have almost like an afterburner effect, or like an extra kick that you get with ransomware, which you don't have with this business email compromise. But yeah, I agree.
If you look at the absolute numbers that they present, like on two pieces of paper, then the BEC fraud is bigger in numbers.
Mathew Schwartz: But obviously, you've got ransomware as this — not only noisy but messy — in terms of the incident and the response sort of thing, which obviously likely we won't be seeing change anytime soon, despite these other trends that you've been articulating, which we will we will likely see.
John Fokker: Yes, yeah.
Mathew Schwartz: Wonderful. Well, always fascinating to speak ransomware. Thank you so much, John, for sharing your insights about where things are headed.
John Fokker: My pleasure, Mathew. I'd like to be the bearer of good news, but it's not always the case. But we'll stay vigilant and we'll keep a close eye on what's going on.
Mathew Schwartz: That's it: Stay, yes, stay tuned, stay alert. I think the message is clear here. So thank you very much. I've been speaking with John Fokker of McAfee Enterprise. I'm Mathew Schwartz with ISMG. Thanks for joining us.