If you keep up with the latest cyber security news, you may have seen headlines about the disappearance and re-emergence of ransomware-as-a-service (RaaS) groups. RaaS has become the business model of choice among cyber criminals, and they are always finding new ways to profit. In 2019, 62% of global organizations were victims of ransomware – a 56% increase from 2018. The increase is most likely driven by victims paying the ransom, which has also risen by 45% since 2018.
The top three reasons why ransomware is still a preferred attack vector for cyber criminals are:
Unlike in previous years, RaaS gangs now have a lot more to consider when attacking critical infrastructure such as the health care or energy sectors. Law enforcement, including the FBI, has started to crack down on RaaS gangs and consistently discourages organizations from paying the ransom. Now that countries like Russia are beginning to cooperate with the United States on shutting down ransomware operations, threat actors are adjusting. Instead of sticking around to do more damage and collect more money, they go off the grid until they are no longer seen as a threat, then re-emerge months or years later. Let’s look at threat actors who have disappeared, re-emerged, or joined other threat actor groups.
If you recall, we published a Threat Actor Profile on BlackMatter in August 2021 questioning the identity of the group. BlackMatter began making its presence known in July 2021. Its members were suspected to be former members of REvil and DarkSide, both of which went dark after executing two of the largest ransomware attacks in cyber security history. DarkSide was behind the attack on Colonial Pipeline, the major U.S. fuel pipeline. That attack led to a supply disruption that made national headlines and caused the company to shut down its operational technology network, cutting off much of the gasoline supply to the eastern United States. REvil was responsible for the attack on Kaseya, a U.S.-based software provider. The attack affected around 60 of Kaseya’s managed service provider customers and more than 1,000 small and medium-sized enterprises downstream of them.
The attack on Kaseya was so devastating that it drew the attention of law enforcement and the Biden Administration. President Biden demanded that Russian President Putin shut down ransomware groups operating from Russia. Shortly afterward, REvil kept a low profile and took its infrastructure offline. It wasn’t until September 2021, after the heat died down, that researchers discovered the group’s re-emergence. REvil operators were found posting on Exploit, a well-known underground forum, explaining that the group was back in operation.
Image 1: REvil's Site Goes Offline
When REvil went dark, many affiliates turned to LockBit, another RaaS gang, for their ransomware attacks. Researchers noticed that after REvil went dark, LockBit started recruiting heavily on the dark web. It was suspected that former REvil affiliates joined LockBit until the news surrounding Kaseya subsided. Researchers noted that these affiliates used the same tactics, techniques, and procedures they had used to deliver REvil ransomware to victims; they simply switched the payload.
The methods they use include:
They also use tools like Mimikatz (to dump credentials from memory) and NetScan (to map the internal network) to establish the privileged, network-wide access required to deploy ransomware across an environment.
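Because the payload changes but the tooling that precedes it does not, defenders get more mileage from detecting the credential-dumping and network-scanning stage than from hunting a specific ransomware family. The following is an added example, not code from the original report or from any of the groups it describes: a small detector run over a handful of constructed, simplified Sysmon-style events. The field names loosely mirror Sysmon Event ID 1 (process creation) and Event ID 10 (process access) but are an assumption for illustration, not a parser for real EVTX data; the allow-list of legitimate LSASS clients is likewise a placeholder you would tune for your own estate.

```python
"""Detect Mimikatz-style credential dumping and NetScan-style scanning
in simplified Sysmon-like events (added example; constructed data)."""
import re
from dataclasses import dataclass

# Public, widely documented indicators. Attackers rename binaries, which is
# why the command-line and LSASS-access rules matter more than image names.
MIMIKATZ_MODULES = re.compile(r"(sekurlsa|lsadump|privilege::debug|kerberos::)", re.I)
SCANNER_IMAGES = {"netscan.exe", "netscan64.exe", "advanced_ip_scanner.exe"}
# Access masks commonly requested by credential dumpers opening lsass.exe
LSASS_SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}
# Assumption: processes that legitimately open LSASS in this environment
ALLOWED_LSASS_CLIENTS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _process_create(ev: dict):
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if MIMIKATZ_MODULES.search(cmd):
        return Alert("mimikatz_cmdline", ev["Host"], cmd)
    if image in SCANNER_IMAGES:
        return Alert("network_scanner", ev["Host"], image)
    return None


def _process_access(ev: dict):
    source = _basename(ev.get("SourceImage", ""))
    target = _basename(ev.get("TargetImage", ""))
    access = ev.get("GrantedAccess", "").lower()
    if (target == "lsass.exe" and access in LSASS_SUSPICIOUS_ACCESS
            and source not in ALLOWED_LSASS_CLIENTS):
        return Alert("lsass_access", ev["Host"], f"{source} -> lsass.exe ({access})")
    return None


def detect(events: list) -> list:
    """Return one Alert per event that matches a rule, in input order."""
    alerts = []
    for ev in events:
        handler = {1: _process_create, 10: _process_access}.get(ev.get("EventID"))
        alert = handler(ev) if handler else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Users\bob\AppData\Local\Temp\m.exe",
     "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"EventID": 10, "Host": "WS01", "SourceImage": r"C:\Users\bob\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Host": "WS01", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Host": "FS02", "Image": r"C:\Temp\netscan.exe",
     "CommandLine": "netscan.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Note that the renamed `m.exe` is caught twice, once by its command line and once by its handle to LSASS, while Defender's own LSASS access is suppressed by the allow-list; the scanner is caught only by image name, so in practice you would pair that rule with a network-side signal such as one host touching many SMB or RDP ports in a short window.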
In early November 2021, the United States announced the arrest of a Ukrainian national named Yaroslav Vasinskyi in connection with a string of REvil ransomware attacks, including the one that happened over the Fourth of July weekend (Kaseya). Vasinskyi was arrested when he traveled from Russia into Poland and is currently awaiting extradition from Poland. In addition, a Russian national named Yevgeniy Polyanin was separately charged in connection with roughly 3,000 ransomware attacks on organizations across the United States (including law enforcement agencies and local governments in Texas), and $6.1 million in ransom proceeds attributed to him was seized. He is also said to be affiliated with the RaaS gang REvil.
The REvil operation these men are tied to is estimated to have collected at least $200 million in ransom payments, including from the attacks on Kaseya and JBS SA (the world’s largest meat processor). Lately, law enforcement has been making it a point to bring down cyber-criminal gangs and keep them from attacking enterprises as well as critical infrastructure. This can be difficult because the majority of cyber criminals operate in countries that don’t extradite their own citizens to the United States for prosecution. Cyber laws in those countries are fairly lenient or even non-existent, so the United States and its partners quietly keep watch of cyber criminals until they make a mistake. In Vasinskyi’s case, the mistake was traveling to another country where law enforcement was able to arrest him.
Vasinskyi was not the only REvil member to be arrested. The 17-nation operation has made a total of seven arrests since February 2021. As stated previously, these arrests are rare due to weak cyber security laws in other countries. The United States cannot legally go into another country and arrest cyber criminals even when it has evidence; it takes the cooperation of those countries to make arrests. Analysts are hopeful that the Russian government will continue to do everything in its power to keep threat actors from gaining steam and report them to the proper authorities.
Arrests haven’t been exclusive to REvil. Members of the ransomware gang Cl0p were also arrested just three days before the REvil take-down. The first slew of arrests for the gang happened in June 2021 after a 30-month investigation. Cl0p is responsible for a spree of breaches tied to the IT provider Accellion. The attackers exploited flaws in Accellion’s legacy File Transfer Appliance (FTA) software and stole data from dozens of Accellion customers, including the University of Colorado and the cloud security vendor Qualys.
Before the arrests, Cl0p was posting around 15 leaks per month on its leak site. Since the arrests, that has dropped to eight. As news of the arrests broke, cyber criminals discussed it within their own networks on underground forums. Some begin to see groups that have had members arrested as tainted and jump ship.
Members may also get nervous depending on how the arrests were orchestrated. In the case of Cl0p, the arrests came after a 30-month investigation that will more than likely continue. Long, continuing investigations are not common for ransomware cases.
Typically, ransomware investigations are one and done, then on to the next. In this case, however, the long investigation introduces a different era of cyber-criminal investigations, sending the message that cyber criminals are being carefully watched and that more arrests will follow.
The Cl0p arrests focused on the supplier of the ransomware, but if law enforcement wants to truly keep track of ransomware gangs, it will need to do more than take down large groups. It will also need to take down the bottom feeders, as it is not unusual for a ransomware gang to disband and join a smaller, lesser-known group to continue its mayhem.
Cl0p is still an active group and recently attacked the marine services provider Swire Pacific Offshore (SPO). The company didn’t confirm whether the attack involved ransomware, but Cl0p published a statement on its leak site claiming to have breached SPO’s systems. The stolen data includes full names, addresses, bank details, passport scans, and phone numbers. Employees affected by the attack are based in Singapore, Malaysia, the UK, China, and the Philippines.
Ryuk is a threat actor that shows no hesitation in putting healthcare organizations at risk, which sets it apart from many ransomware groups that at least publicly claim to avoid hospitals and other critical infrastructure. Ryuk was suspected of being the cause of a baby’s death in 2019 after its ransomware was deployed on a hospital’s systems. The group is also responsible for locking up Universal Health Services’ systems for days in September 2020, which resulted in delayed lab results.
Between April and August 2020, Ryuk went dark. It was assumed that the ransomware gang was no longer a threat…until recently. According to Emsisoft, after Ryuk’s activity dropped, Conti ransomware emerged using code similar to the second version of Ryuk. In early 2021, researchers found a wormable, Ryuk-like strain, which hints at a rebrand. Conti is a ransomware gang that also attacks critical infrastructure such as hospitals and government organizations.
Emsisoft stated that one of two things is likely: either Conti is a splinter group of Ryuk that is giving its operators time to develop a new strain, or Conti and Ryuk are separate groups with remarkably coincidental timing. Conti has continued to be active with its attacks, while Ryuk is still quiet and staying under the radar.
"We must focus on disrupting these groups as much as possible. If they're constantly having to rebrand, they will be less focused on attacking us." – John Shier, Senior Security Advisor at Sophos
In November 2021, shortly after the REvil arrests were announced, BlackMatter announced plans to shut down its RaaS portal (where affiliates register to get access to the BlackMatter ransomware strain). The group stated that it was shutting down due to “pressure from the authorities”. It also stated that part of the team was no longer available and that the project was closed.
BlackMatter was responsible for a ransomware attack on the Japanese tech giant Olympus, known for manufacturing optical and digital technology for the medical and life sciences industries. BlackMatter encrypted the company’s systems and left a ransom note demanding payment through the gang’s Tor website. After the encryption, the company had to shut down its Europe, Middle East, and Africa network. BlackMatter has been responsible for at least 40 ransomware attacks since July 2021, with ransom demands ranging from $80,000 to $15 million in cryptocurrency.
Many believe that the charges against Vasinskyi and Polyanin, among other cyber criminals, were enough for BlackMatter to reconsider its operation. The group shut down after giving affiliates 48 hours’ notice and offered decryptors for companies affected by its attacks. Analysts also suspect that BlackMatter shut down in response to an article published by the New York Times reporting that the United States and Russia had started collaborating to track cyber-criminal organizations in Russia. Additionally, CISA, the NSA, and the FBI published a joint advisory warning that BlackMatter had targeted multiple organizations considered to be critical infrastructure.
Brett Callow, an analyst at Emsisoft, stated that it’s impossible to say whether the group is permanently gone or will simply rebrand, but that he is hoping for the former.
RaaS gangs go dark, re-emerge, or join other ransomware gangs for a few reasons:
The last reason is probably the most interesting, because it is not common for cyber criminals to make many mistakes, but when they do, the consequences are major. BlackMatter is a good example. The group’s ransomware contained a flaw in its encryption routine, and the security company Emsisoft quietly exploited that flaw while BlackMatter was still active, recovering much of the encrypted data for victims without them paying the ransom. This mistake is why analysts are hopeful that this could be the end of BlackMatter. REvil is another good example of members making careless mistakes, like Vasinskyi traveling from Russia to Poland, where he could be arrested for his cyber-crimes.
Right now, major threat actors like BlackMatter and REvil are quiet, but it won’t be long before they re-emerge, come back under a different name, or join another, lesser-known ransomware gang. Avertium is here to help protect your organization from ransomware attacks that could cost you.
If your organization is impacted by a ransomware attack, the FBI and CISA recommend the following:
Ransomware-as-a-service (RaaS) – A subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Affiliates earn a percentage of each successful ransom payment. Ransomware as a Service (RaaS) is an adoption of the Software as a Service (SaaS) business model.
Ransomware – malicious software that infects a device and stops users from accessing data and files until a ransom is paid.
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.