Ransomware has shown no signs of slowing down in the face of unprecedented law enforcement efforts, raising the question: do sanctions and takedowns actually work?
Information Age spoke with Shannon Davis, principal security strategist at Surge, the security research team of data analytics company Splunk, to clarify how ransom gangs survive after having their infrastructure gutted by law enforcement.
Davis explained many gangs owe their resilience to a ‘Ransomware-as-a-Service’ (RaaS) model, where ‘affiliates’ conduct ransom attacks for a cut of the profits.
Much like a legitimate business, RaaS gangs set up underlying infrastructure for affiliates to launch ransomware from and often arrange redundancy or restoration measures in the event of a law enforcement takedown.
“Takedowns do work for a period, but it depends on the ransom group and how mature they are,” said Davis.
“They’re businesses – bad businesses – but they’re businesses at the end of the day.
“They can then go and spin up yet another series; we've seen it every time.”
While LockBit, for example, has certainly slowed, it has continued to post new victims following Operation Cronos.
Conversely, rival gang AlphV/BlackCat is entirely defunct after suffering a similar police effort in December 2023 – though it is unclear whether it was legitimately dismantled or simply decided to cash in on its criminal efforts.
Intel471 notes competing ransom groups such as RansomHub, Black Basta and Medusa have become more active following these efforts against LockBit and AlphV, suggesting even if a dominant brand is disrupted, affiliates are happy to continue their exploits elsewhere.
Indeed, targeted police efforts can hamper an individual gang’s output and reputation for a time, but when affiliates and gang members have the ability to jump ship to better-performing RaaS platforms, it’s clear takedowns are not enough to halt the ransomware scene.
Do sanctions make a difference?
Following Cronos, an admin-level member of LockBit was sentenced to four years in prison and ordered to pay nearly $1 million in restitution to victims.
This sentence was only possible because the LockBit criminal lived within the jurisdiction of a sentencing Canadian court, but other key members such as alleged LockBit leader Dmitry Khoroshev have benefited from the protection of Russia’s state-sponsoring approach to cyber crime.
“It's hard, especially when groups are ‘nation-state sponsored’ or ‘nation-state ignored’ as they say, because they're happy for these groups to be creating chaos,” Davis explained.
“Criminals are potentially being let go to do what they're doing and are only pulled in once they’ve achieved results.”
Oftentimes, the only alternative is to deploy sanctions – typically in the form of travel bans and financial restrictions.
Australia recently made its first use of a cyber sanctions framework against a Russian man allegedly responsible for the 2022 data breach at health insurer Medibank, before levelling a similar financial sanction and travel ban at LockBit’s Khoroshev.
The efficacy of such sanctions remains murky, with Davis explaining some hackers actually view them as a reputational boon among their affiliates.
“For a lot of these criminals, who are often quite young as well, it's like a badge of honour,” said Davis.
“How often are they actually travelling out of their country anyway? Maybe you will manage to catch them en route to a beach holiday or something, but like I said, sometimes it's almost like they're looking for that notoriety.
“I don't know how long they would actually be scared because there's nothing their government's going to do to them.”
Testing new tactics
Authorities in the US, UK and EU seem to have acknowledged the need for a novel approach via Operation Endgame, the “largest ever” law enforcement action against ransomware-deploying botnets.
In addition to conducting arrests and taking down over 100 malicious servers, Operation Endgame saw law enforcement use the same threatening language as ransomware gangs while warning cyber criminals to willingly come forward.
The Endgame website displays a countdown timer much like a dark web leak page, teasing new releases for an episodic series of videos boasting of its crackdown efforts.
The most recent ‘episode’ of Endgame saw law enforcement tease contacting the family of one Alexey T, a Russian national and suspected developer of notorious malware strain Emotet, all the while flaunting a bizarre mix of anime visuals and dubstep music.
When asked whether this unusual approach to combatting ransomware is effective, Davis suggested Europol and allies are simply trying to “take a different approach and see if it works.”
“I think it's just getting creative… trying to bring attention to law enforcement capabilities,” said Davis.
“When they're creating the same-looking site as ransom operators, yeah, it could be funny, but I'm not sure of the impact.
“Does it work? Or are these guys sitting back in whichever country they’re operating from, laughing at the agencies using this approach?”
In spite of unprecedented sanctions, arrests, cryptocurrency freezes, server takedowns and widespread distribution of decryption keys to affected victims, Davis suggested ransomware is not going away any time soon, and that law enforcement agencies should continue to make cyber crime as difficult a task as possible.
“Even if law enforcement methods aren’t quite fair, I say go for it,” said Davis.
“I think as much pain as we cause them, whether it's pain in terms of fear of travel, or making whatever they're trying to do more difficult because they're having to spend more time recovering and hiding their identities, the more difficult we can make things in whatever way, the better.”
Leonard Bernardone attended the .conf24 conference in Las Vegas as a guest of Splunk.