Ransomware group maturity should influence ransom payment decision

Your organization has been hit by ransomware and a decision has to be made on whether or not to make the ransom payment to get your data decrypted, deleted from attackers’ servers, and/or not leaked online.

The decision will depend on a variety of factors but, according to GuidePoint Security, an important one should be the overall maturity and prominence of the ransomware operators who pulled off the attack.

Immature ransomware groups: A distinct threat

While law enforcement and governments around the world advise organizations not to pay the ransom, we all know that many do and will, despite knowing that paying may not result in a hoped-for resolution of the problem.

GuidePoint researchers have offered additional advice: “Consider the known history, credibility, and plausibility of ransomware groups and the claims of their operators in order to reach an informed decision regarding ransom payment or non-payment.”

Unlike established RaaS outfits like LockBit, Alphv, or Black Basta, immature, opportunistic groups are more likely to lie, re-extort victims, and not deliver functioning recovery tools (e.g., decryptors).

“We note that re-extortion may be driven by greed, but also as a means to cover up technical shortcomings, such as an inability to decrypt encrypted files – if the threat actor can continue demanding payment until the victim declines, a plausible explanation exists that avoids ‘tipping the hand’ of a technically inept actor,” they noted.

Based on previous experiences and discussions with peers, the researchers found that while mature RaaS groups work to have a solid reputation so victims are more likely to pay the considerable ransoms the group and its affiliates demand, the smaller, less known groups are much less incentivized to play by the rules they set out.

Opportunistic ransomware operators are generally more likely to:

• Target smaller, less well-defended victims (think SMBs)
• Gain access to company systems via less sophisticated techniques (exposed ports, compromised credentials, phishing, brute-forcing instead of zero-day exploitation)
• Use rudimentary or “second-hand” infrastructure (including negotiation infrastructure), leaked or cracked tools, have no dedicated leak site, nor the resources/time to follow through with additional threats (calls to affected customers, repeated attacks, etc.)
• Lie about their capabilities (decryption of encrypted data, access to specific documents, data exfiltration)
• Ask for smaller ransom sums / lower the sum considerably after negotiation, but then often don’t keep their word and ask for more

The near certainty of re-extortion

The researchers have shared specific case studies involving Phobos and DATA LOCKER groups/affiliates, which seem particularly prone to re-extortion after negotiating the ransom amount.

“Without a brand to build or defend, or with a name that can be changed at a moment’s notice, there is little to no risk for an immature ransomware group to re-extort victims until they refuse to pay any further. Community information sharing on the topic is low and this class of threat actor attracts less security reporting or scrutiny in general,” the researchers noted.

They also argue that, “when threat modeling or response planning for ransomware incidents, unbranded or immature ransomware groups should be considered as a distinct threat as opposed to larger, more established ransomware groups.”