Names such as Conti, Ryuk, Babuk, and Darkside have permeated public consciousness, linked to disruptions of critical services worldwide. And with good reason, since the cybercriminals behind these groups, as well as others, have been successful at extorting millions (and according to some, billions) of dollars for their personal gain. Yet the usual picture of the criminal ecosystem behind digital extortion omits a key player who should be held at least equally responsible for the trail of destruction left behind.
Barriers to entry
It has been said that cybercrime requires no technical skills, only a means to pay, and this statement certainly held true in the past. Joining a ransomware operation gave those without the technical capability access to the malware and a working dashboard to manage their victims.
By 2020, however, individuals looking to operate in the middle of an extortion scheme suddenly required a much fuller resume demonstrating specific technical skills, which ransomware operators would test in technical interviews.
Otherwise known as affiliates, these individuals, whose roles often go unnoticed, are effectively the malicious actors who break into an organization, steal any data needed to drive up extortion demands, and deploy ransomware. Their role is so critical in making attacks more damaging that the ransomware developers themselves will offer higher shares of the profits to attract the most successful affiliates.
The not-so perfect union
The division of roles and responsibilities within ransomware groups has historically appeared harmonious. However, in recent months we have seen a fracturing of these profitable relationships. Affiliates have not hesitated to roast each other, as well as leak code, tools and playbooks from ransomware operators, to display their frustrations related to perceived injustices, which invariably relate to monies they feel they are owed.
More recently we have seen the rise of gangs of criminals (affiliates) that appear to be taking control of the relationship between affiliates and ransomware operators. What this means is that the ransomware gangs themselves could find themselves in a bidding war for the best affiliates and, in effect, see their work by and large commoditized.
It remains to be seen whether this breakdown of criminal relationships will prove to be a positive or negative change, though it certainly suggests the RaaS market is saturated to the point of not being able to support as many groups as we have seen in 2020-21. Either way, seeing the pain experienced by some of these groups right now brings a strange sense of satisfaction.