Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
The (apparent) takedown of major ransomware players like Blackcat/ALPHV and LockBit and the threat groups’ (apparent) revival is a prime example of the Whack-a-Mole nature of combating ransomware gangs that often takes place. However, this level of difficulty doesn’t mean the pressure should be relieved.
However, whether or not LockBit and the others return to operation is almost a side note. The fact is these groups must be constantly confronted and forced to spend time, energy, and financial resources to stay active, essentially expend the same level of effort as any legitimate organization when taken down by a threat actor. Additionally, these actions help expose a gang’s inner workings and its leadership’s thought process as it tries to recover or evade further detection.
After all, high-level ransomware and ransomware-as-a-service groups are no different from Colonial Pipeline, Maersk, the city of Atlanta, or any other organization taken offline by a cyberattack. In this case, it’s just the good guys doing the takedown.
What happens to gangs when Interpol or the FBI strikes is not dissimilar to any other enterprise that has been attacked. What law enforcement does is present the threat actors with a dose of their own medicine.
The threat actors come into work one morning and discover their server infrastructure is wiped out; their command-and-control capability is gone, which means they’ve lost access to all their endpoints, not to mention the computers and systems compromised during their attacks.
Once law enforcement is inside the threat group’s server network, it also often finds encryption keys, stolen credentials, and bank and cryptocurrency account information, all of which are seized and used to help the gang’s victims.
Ironically, it’s just as difficult and expensive for an adversary to rebuild their infrastructure as for a school, hospital, or auto manufacturer.
Threat actors also face issues unique to their trade. A company taken down by ransomware does not have to worry about police officers kicking in its doors and arresting everyone. Law enforcement does not freeze its bank accounts or attempt to extradite them to a friendly country for prosecution, which is a fear for any threat group.
This doesn’t mean the BlackCats of the world aren’t prepared for such eventualities.
These groups operate like an enterprise. They take in tens if not hundreds of millions of dollars and likely have a disaster recovery plan in place.
This planning is why it’s not unheard of for a group to be disrupted by law enforcement only to reappear several weeks or months later. Sometimes, it operates under a different name or by different people. What they do can be lucrative, so it behooves them to return to work.
As we see it now, several weeks after the initial BlackCat/ALPHV takedown announcement, there is some anecdotal evidence that the group is still critically damaged and the recent Change Healthcare attack, for which it took credit, could have been accomplished before its demise. The group already had the stolen data in hand and waited until now to prove to the world and the cybercrime community that it is still active.
Or it could be something entirely different.
The current incarnation of BlackCat previously underwent a rebranding process, as many of the BlackCat operators are assessed to be previously affiliated with the DarkSide and BlackMatter ransomware groups (Colonial Pipeline), so a rebrand is something the operators have experience doing successfully, according to another news source.
Then, there is the possibility that BlackCat’s exit was self-imposed.
The most recent takedown of BlackCat, which appeared to be a government-based takedown on the surface, is widely regarded as an exit scam conducted by the operators after the Change Healthcare ransomware attack. Many analysts agree that this was done by the group for two main reasons:
1. The increased scrutiny the group was receiving from government entities based on the victimology (Healthcare, MGM) and TTPs that the group was targeting, according to a published report. The increased scrutiny can also be seen in the bounty placed on information related to the group by the US Government, $10 million for direct members and $5 million for affiliates.
2. The group received its demanded $22 million ransom by Change Healthcare. This payout allowed the group members to feel comfortable walking away from the “ALPHV/Blackcat” brand, knowing they had just received a massive influx of funds and had no intention of paying out the affiliate whom they worked with in the attack.
The reason behind the gang’s claim to be functional is interesting. There is a great deal of propaganda that takes place in threat group circles, and it can be quite reputationally embarrassing for a gang to be caught and disrupted.
So, the group will take steps to prove it’s still “operating” even if that is not really the case, perhaps to keep a competitor from moving in on its territory.
Some evidence that may support a rival ransomware group attempting to poach another gang’s victims can be found in this article, where LockBitSupp (operator of LockBit) was seen recruiting affiliates and developers of gangs experiencing law enforcement-related outages.
Here is an example of what can take place.
Governments and law enforcement also play the propaganda game. It behooves them to play up or possibly overstate the amount of damage a takedown operation did to a group to appease public opinion that nothing is being done to stop these crimes and to put some fear in other threat groups.
In addition to the reasons stated above, the other reason attacking cyber gangs is important is that they often cannot recover. There is a long list of operators that law enforcement has taken permanently offline.
The botnet Quakbot saw the US Justice Department seize its 700,000-strong computer botnet army and $8.6 million in cryptocurrency, effectively halting a group that had taken more than $58 million in ransom payments. The Hive ransomware group suffered a similar fate, along with fellow travelers REvil and Conti.
The only conclusion to draw is there is no negative side to taking down a threat group. Sure, while some gangs may have the financial and technical resources to recover from an attack, it’s imperative they remain under pressure. Every minute a LockBit or BlackCat spends worrying about staying out of jail and being able to function, is a minute not spent attacking an organization.
Craig Searle is Director, Consulting & Professional Services in Pacific at Trustwave with over 15 years of experience in the security industry working in the finance, government, telecom and infrastructure sectors. Follow Craig on LinkedIn.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.