The effects of law enforcement takedowns on the ransomware landscape

While the results of law enforcement action against ransomware-as-a-service operators Alphv/BlackCat and LockBit are yet to be fully realized, the August 2023 disruption of the Qakbot botnet has had one notable effect: ransomware affiliates have switched to vulnerability exploitation as the primary method of delivering the malware.

The switch is obvious to Symantec’s Threat Hunter Team but, unfortunately, it hasn’t been accompanied by a fall in the number of ransomware victims.

“Analysis of data from ransomware leak sites shows that attackers managed to hit significantly more victims last year (4,700) compared to 2022 (2,800),” they pointed out.

Ever-changing techniques

One of the characteristics of successful cyber attackers is their ability to adapt their techniqes to the changing conditions “on the ground”. When one proverbial door closes, they search for – and find – another.

For example, malicious macro-enabled documents were, for a time, one of the main vehicles for ransomware delivery, until Microsoft’s implemented default protections that made this approach considerably less successful and forced them to change their approach.

The researchers pointed out other current trends related to ransomware attacks: the attackers’ use of vulnerable drivers (e.g., for disabling security software), legitimate remote desktop tools (AnyDesk, Atera, etc.), custom data exfiltration tools (e.g., Lockbit’s StealBit), and abuse of built-in Windows utilities (e.g., Esentutl, DPAPI) to steal credentials.

Ransomware affiliates: Skills and allegiances

Symantec’s threat hunters have also noted a curious thing that seems to be pointing to a skill discrepancy between Lockbit’s and Alphv/Blackcat’s affiliates.

“There are significant disparities between overall, publicly claimed activity levels and ransomware activity investigated by Symantec. While LockBit was responsible for over 21% of the 4,700 attacks claimed in 2023, they were only identified as being involved in around 17% of the attacks Symantec investigated. Conversely, [Alphv/BlackCat] claimed 9% of all attacks in 2023 but it was involved in a little over 20% of all attacks Symantec investigated,” they shared.

“For Symantec to positively identify an attack as associated with a certain ransomware family, the attack has to advance to the stage where the attackers attempt to deploy a payload. This suggests that [Alphv/BlackCat] affiliates are more likely to advance their attacks at least to the payload deployment stage.”

Symantec’s 2023 figures are unlikely to reflect the current situation, though: Alphv/BlackCat is apparently pulling off an exit scam and cheating some of its affiliates, and LockBit ransomware gang’s main operator has been trying to reassure affiliates spooked by law enforcement action to stay and continue their collaboration.

In the meantime, the (relative) vacuum in the ransomware landscape created by those two group’s troubles has – according to cybersecurity firm RedSense – been partly filled by the Akira ransomware collective and associated “ghost groups” like Zeon.

“In December, we obtained credible primary source intelligence (…) indicating that Zeon is operating as a group of elite pentesters for both Akira and LockBit, with the latter being their main focus,” RedSense co-founder Yelisey Bohuslavskiy shared.

“The LockBit takedown had a major impact on Zeon, which is now moving its pentesters to work primarily for the Akira brand.”