

Ethical Hacking News

The Commoditization of Ransomware: How Cybercriminals are Evading Law Enforcement



The world of ransomware has undergone a significant transformation over the past few years, with cybercriminal gangs increasingly using "affiliates" to carry out attacks. This shift towards commoditization has made it challenging for law enforcement to take down core groups and disrupt their operations. Learn more about how this trend is affecting organizations and incident responders in our latest article.

  • The commoditization of ransomware has made it challenging for law enforcement to take down core groups and disrupt their operations.
  • Cybercriminal gangs use "affiliates" to carry out attacks, making it difficult to track and dismantle the core groups.
  • Law enforcement takedowns are starting to have an impact on ransomware gangs, but affiliates often find new ways to operate.
  • The skills used by ransomware gangs don't change, but their tactics, techniques, and procedures (TTPs) do, making it harder to combat them.
  • Incident responders face challenges in dealing with rapidly evolving ransomware groups that seem to rocket up to being incredibly prolific actors in short periods.
  • The decision to pay or not to pay ransom demands from attackers can have significant implications for organizations.
  • Organizations are becoming more prepared and resilient against ransomware attacks, but the focus is shifting to suppressing data and preventing sensitive information leaks.



    The world of ransomware has undergone a significant transformation over the past few years, with cybercriminal gangs increasingly using "affiliates" to carry out attacks. This shift towards commoditization has made it challenging for law enforcement to take down core groups and disrupt their operations. In this article, we will delve into the context of this trend and explore how it is affecting organizations and incident responders.

    According to Jason Baker, a ransomware negotiator with GuidePoint Security, there are currently several cybercriminal gangs that he regularly gets called in to respond to. These gangs have become more prolific and sophisticated over the past year, with some groups being shut down by law enforcement but their affiliates simply finding new ways to operate. One such group is Akira, which has remained a threat despite efforts to take it down.

    However, the good news for organizations is that law enforcement takedowns are starting to have an impact on ransomware gangs. Baker notes that these operations are shutting down core groups and revealing intelligence behind how they operate. This is causing at least some degree of pain for these groups, although it's not necessarily enough to stop them entirely.

    The bad news, however, is that many of the affiliates who are left behind simply find new homes and continue operating. Baker explains that this speaks to the commoditization of ransomware lockers and core groups. The skills used by these gangs don't really change, but their tactics, techniques, and procedures (TTPs) do. Affiliates use different encryptors, lockers, and other tools to carry out attacks.

    For example, RansomHub quickly became one of the most active ransomware gangs after it picked up LockBit affiliates. Similarly, Black Basta emerged as a significant threat after Conti disbanded following an internal leak in 2022. These groups have shown that they can be incredibly prolific and cause harm to organizations.

    The continuous churn of new ransomware groups has also made it challenging for incident responders like Baker. He notes that he's used to seeing new groups either flame out quickly or slowly develop organically, but the past year has seen a significant increase in cases where groups seem to rocket up to being incredibly prolific actors in short periods.

    Baker attributes this to forced realignments of experienced affiliates who have joined new groups. These realignments can cause pain in the near term, as organizations are left dealing with the aftermath of these attacks. The role of ransomware negotiators like Baker is to advise organizations on how to respond to these situations and to bring down the price of any payment.

    However, this advice is often not enough, and it's up to top executives to make the difficult decision to pay or not to pay the extortionists. This decision can have significant implications for organizations, particularly those that are determined to meet the demands of their attackers.

    In recent years, organizations have become more prepared and resilient against ransomware attacks. In fact, in upwards of 70 percent of the ransomware attacks that Baker responds to, the victim organization now has viable backups and can recover its data. This means that the focus is shifting from operational viability to suppressing the data and preventing sensitive personal and customer information from being leaked.

    In conclusion, the commoditization of ransomware has created a complex landscape for law enforcement, incident responders, and organizations alike. As cybercriminal gangs continue to evolve and adapt, it's essential to stay ahead of the curve and develop strategies to combat these threats effectively.





  • Published: Fri Mar 7 06:20:00 2025 by llama3.2 3B Q4_K_M












