As the threat of ransomware continues to grow, cybercrime gangs are taking a page out of the corporate America marketing playbook: branding. Similar to the corporate world, where companies merge, talent moves from established businesses to shiny new startups, or companies like Intel Security (formerly McAfee) rebrand themselves, ransomware gangs are mirroring these methods more than ever before in order to reposition themselves in the marketplace and become the cyber mafia of the 21st century. However, this trend of cybersecurity gangs or Ransomware as a Corporation (RaaC) groups rebranding themselves is not new, nor is it uncommon, especially in the current security environment.
In the past, cybercriminals were predominantly focused on out-dueling each other to build as much clout and publicity for themselves as possible. However, there was a seismic shift in 2012 when the Reveton ransomware was noted to have great success extorting victims across Europe. This was followed almost immediately by the infamous CryptoLocker ransomware that was estimated to have extorted over $3 million before it shut down. Since then, these cybercriminal groups have realized the true power of ransomware: financial gain. As such, they’re now laser focused on making as much money as possible by avoiding detection and media attention.
The use of rebranding to obfuscate their operations is one of their newest tools to stay under the radar. By rebranding, gangs are able to avoid U.S. government-imposed sanctions. Therefore, their victims will be tricked into thinking that they will not be prosecuted or fined when paying a ransom to a group that has been sanctioned. Also, by agreeing to not attack governments, schools, hospitals or other critical functions that will result in an in-depth investigation, they become much harder to detect, since organizations won’t want to publicize a breach. Some groups even have ties to nation-state actors, although it’s speculated that certain governments allow criminal activity to continue as long as they don’t target certain countries. Additionally, by targeting small and medium sized businesses (SMBs) instead of large corporations, ransomware groups have found it to be much more lucrative. They have found that by attacking these types of businesses, they can keep a lower profile, and smaller businesses tend to pay out faster because they do not have the capital or ability to survive unless they’re back up and running in short order.
Just like the mafia gangs of old, it has been observed that these new-age cyber gangs battle each other over access to lucrative targets and other assets. This cyber turf war consists of disrupting each other’s operations by stealing code, releasing rivals encryption keys and even deflecting blame to rivals. This has led to ransomware gangs closing up shop and then reemerging under a rebranded name elsewhere. This helps to keep governments and law enforcement off their scent and allows them to set up new infrastructure and business models in place.
The BlackMatter ransomware gang mantra states it best: “We are a team that unites people according to one common interest — money.” A few recent, major cyberattacks are great examples of rebranded ransomware gangs that were ultimately successful in their mission. The DarkSide gang was able to exploit a former employee's VPN access to breach the Colonial Pipeline and receive nearly $4.5M in ransom demands. Although a portion of it was eventually recovered by the authorities, the gang got too much heat from the attack, went underground, and later popped up again as BlackMatter. Lockbit 2.0, formerly known as ABCD, was recently responsible for taking more than 6 TB of data and $50M in ransom from Accenture, and the REvil gang demanded $70M following the devastating Kaseya breach, where they were able to exploit a five-year-old vulnerability. Although these attacks are “over” in the minds of some, that’s far from reality, as company wallets are still up for grabs.
Stand your ground
For many organizations and business leaders, the question of how to prevent these attacks in the first place remains top of mind. Here are a handful of best practices that are both easily implemented and also greatly enhance a security posture:
- Plan for attacks in advance by having an incident response plan ready to go at a moment’s notice, and test protocols annually
- Enforce multi-factor authentication (MFA) on all systems and don’t allow the use of a single password on multiple systems
- Limit your attack blast zone by having a solid backup option, employing network segmentation, patching vulnerabilities and staying up-to-date on operating systems, software and firmware
- Require annual security awareness training for all employees and enable strong spam filters to prevent phishing emails from reaching end users
- Limit false positives in order to reduce alert fatigue and consider cyber insurance coverage
A handful of ransomware gangs might eventually fold because of government pressure, successful investigations by law enforcement or even internal leadership changes and power struggles. But after a week, a month or even a year, they’ll likely pop again under a new guise, given the amount of money at stake. Regardless of what they call themselves, the latest “marketing efforts” of the 21st century cyber mafia ultimately boils down to one thing — money.