RaaS groups increasing efforts to recruit affiliates

Smaller RaaS groups are trying to recruit new and “displaced” LockBit and Alphv/BlackCat affiliates by forgoing deposits and paid subscriptions, offering better payout splits, 24/7 support, and other “perks”.

Cybercriminals wanted

RaaS operations usually consist of a core group that develops the ransomware and maintains the underlying infrastructure for its deployment, and affiliates that leverage it after breaking into target systems and networks and give the core group a percentage of the ransom as payment for their services.

“There appears to be a shake-up happening in the ransomware-as-a-service (RaaS) ecosystem, largely focused around affiliate structures,” Drew Schmitt, Practice Lead for the GuidePoint Research and Intelligence Team, told Help Net Security.

After analyzing forums and underground marketplaces on the dark web in the wake of Operation Cronos, which struck a considerable blow against the LockBit gang, the analysts have noticed an uptick in advertisements for affiliates.

Three RaaS groups, in particular, are trying to attract affiliates by taking different approaches.

“As objective outside reviewers, we considered Medusa’s post particularly appealing, as the group claims a sliding payout scale, starting at a 70/30 affiliate/core split, increasing up to 90/10, dependent on the size of the ransom payment obtained; only affiliates in receipt of a $1 Million+ ransom are eligible for a 90/10 split, likely incentivizing or creating the appearance of high ransom demands,” the analysts noted.

Medusa also offers help with OSINT, “media advertising” and negotiations, accepts affiliates from all over the world, and offers a premium membership once the affiliate surpasses $1 million in paid ransoms.

Medusa RaaS gang ad for affiliates (Source: GuidePoint Security)

RansomHub, on the other hand, is apparently trying to rebuild some of the trust RaaS gangs in general have lost due to the latest takedowns and possible exit scams, by saying that its affiliates will be allowed to collect ransom payments themselves before paying the “service fee” and that affiliates will be permitted to participate in multiple RaaS groups.

A third group – Cloak – opted for an 85/15 affiliate/core ransom split, and asks for no deposit or payment for joining – just an interview. The group also highlights its ransomware’s capability and the possibility for affiliates to ask for additional features.

A loss of confidence in the RaaS model?

The advertisements from lesser-known RaaS groups without a well-established reputation are being met with doubts, but that’s not unusual.

“Although there doesn’t appear to be any more skepticism than we normally observe with these types of posts, we believe that there has definitely been an impact on cybercriminals’ confidence in affiliate-based ransomware groups,” Schmitt commented.

Trust is quickly lost and slowly gained. When law enforcement hit LockBit, they managed to get their hands on a list of its affiliates. And though they were listed by nickname, it seems likely that some may have been rattled by the revelation and might choose not to continue with their criminal activities (or their cooperation with LockBit).

RaaS groups also seem to be dealing with a problem that many legitimate organizations often face: a limited pool of skilled human operators that can do the work.

Symantec researchers have recently pointed out a possible skill disparity between LockBit’s and Alphv/BlackCat’s affiliates, with the latter seemingly being more likely to reach the ransomware deployment stage.