Security professionals need to understand the actors behind ransomware threats, how they operate and how they continuously find new victims to target

Bart Lenaerts-Bergmans, Senior Product Marketing Manager, Threat Intelligence,CrowdStrike

January 25, 2022

4 Min Read
Dark network with glowing red node targeting a hacker information security 3D illustration.
Source: BeeBright via Shutterstock

Ransomware incidents have increased dramatically over the past few years. Complaints about ransomware attacks to the FBI’s Internet Crime Complaint Center surged 62% in the first half of 2021 compared to a similar time frame in 2020, according to the Cybersecurity and Infrastructure Security Agency. To blunt this growing threat, security professionals need to understand the actors behind ransomware threats, how they operate and how they continuously find new victims to target.

Closer analysis of high-profile ransomware campaigns like REvil and Thanos shows that organized partnerships between ransomware operators and affiliates, each playing to their strengths, help execute cybercrimes at scale and for maximum payout.

The Operator-Affiliate Collaboration

In carrying out ransomware campaigns at scale, operators and affiliates (sometimes referred to as “enablers”) divide and distribute the work needed for maximum damage.

Operators ensure that the ransomware package can be customized, downloaded and tracked when packages get installed. Ransomware operators also take on the job of extortion enforcers, making sure that systems for payouts are fully functional. CrowdStrike research shows that 96% of those who paid the initial ransom also had to pay extortion fees.

Affiliates are more adept at finding the victims to target and employing social engineering tactics that convince victims to download the malicious package. The scale of the attack, as measured by the number of victims targeted, usually rests on the affiliate’s shoulders.

To ensure the widest reach, affiliates use distribution services, a specific set of technologies deployed to obtain initial access, compromise and target victims, and move laterally to reach the critical assets and data that are the targets of the attack. Distributed services can take a number of forms — from stolen credentials acquired from access brokers to social engineering campaigns and exploit kits targeting specific software and systems.

Sometimes multiple affiliates work together to wreak havoc to drive up the ransom and extract maximum payment. Affiliates and operators also share the final payout, so it is in each party’s vested interests to complete their portion of the job effectively.

A Perfect Storm

This well-oiled business model between ransomware operators and affiliates using distributed services is a perfect storm because it lowers the barrier for entry for both types of malicious actors. Affiliates, for example, need not know how to code malicious programs. They only need to focus on choosing victims and getting them to bite. Each threat actor plays to individual strengths in a well-choreographed partnership.

Since operators and affiliates are responsible for only part of the ransomware campaign, it becomes more difficult to pin a crime on one specific threat actor. Both ransomware operators and affiliates protect each other in the dark ecosystem.

This style of ransomware campaign is also especially problematic as the sophistication with which each set of actors carries out their work makes it easier for a breach to go undetected for months. For example, distribution tools can even come with built-in anti-forensic capabilities. The nature of the operator-affiliate relationship also keeps evolving, making malicious actors that much harder to trace.

How Defenders Can Avoid the Perfect Storm

Security teams can seek shelter by first tapping into threat intelligence to understand the actors and the dark web. Tracking who is at the top of the eCrime food chain will be critical to your defenses and in crafting an intelligent security strategy.

Understandably, information about the operators and affiliates alone is not enough. You also need to understand the distribution services they are using and if specific ransomware campaigns are dormant or active.

Scanning the dark web for malicious access brokers who might be selling your data also helps strengthen the adversarial response. Subscribe to alerts on criminal posts that mention your geographical region or industry vertical so security teams can get immediate intelligence and gauge potential threats.

Finally, security teams need to conduct post mortems on malicious files left behind by ransomware operators. Since distribution services and operators frequently reuse attack tools, understanding malware behavior will help craft appropriate defenses.

The takeaway for security teams is that ransomware campaigns might come and go, but if not caught, the human actors behind them never go away. They typically reinvent themselves and plot new modes of attack using sophisticated operators and tools in their ecosystem.

Profitable partnerships between ransomware operators and affiliates make for crafty opponents that seriously test security teams. Their use of distributed services to deliver their weapon of choice adds another layer of complexity to an already dangerous situation. Security professionals can lean on multiple threat intelligence services to unearth the complex dark web, identify these operator-affiliate partnerships and stop malicious threat actors in their tracks.

About the Author(s)

Bart Lenaerts-Bergmans

Senior Product Marketing Manager, Threat Intelligence,CrowdStrike

Bart is a Senior Product Marketing Manager of Threat Intelligence at CrowdStrike. After military duty as a signals officer, he started his career as a network security operations analyst at a Belgian financial organization. In early 2000, Bart moved to the US East Coast to join the 3Com networking product team. Prior, to his current role, Bart worked at multiple cybersecurity companies such including Tippingpoint, RSA, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.

Outside of work Bart, enjoys flying gliders and bush planes around New England.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights