Up-and-coming ransomware gangs are on a dark web recruitment drive to attract affiliates looking for work after authorities busted two of the biggest extortion operators: LockBit and ALPHV/BlackCat.
The ransomware-as-a-service (RaaS) criminal ecosystem has been left reeling from major blows delivered by international law enforcement agencies over the past few months — along with one claimed takedown that didn’t really happen.
Authorities are believed to have temporarily taken down ALPHV/BlackCat’s operations in December. The gang was back in business with new infrastructure weeks later, making headlines for its Change Healthcare attack.
It then disappeared, claiming authorities shut it down, but the move was most likely an exit scam so its leaders could keep all of the $22 million Change Healthcare ransom, rather than sharing it with the affiliate who carried out the attack.
Meanwhile, LockBit’s operations were shuttered (temporarily) in February by a multinational law enforcement operation.
Upheaval leaves RaaS affiliates looking for work
Both gangs had networks of affiliates — hackers who used their malware to carry out attacks in return for a share of the ransom payout.
“These disruptive events have resulted in distrust towards the most Established RaaS groups in the ransomware ecosystem today, including LockBit, and will almost certainly lead to the displacement of some portion of the associated affiliate corps,” GuidePoint Security researchers said in a March 20 post.
The researchers said several smaller RaaS groups “likely seeing a recruitment opportunity emerging out of recent disruptions” had posted openings for affiliates on dark web forums.
GuidePoint Security believed the postings “may indicate continued limitations in available human resources, growing distrust in particular RaaS groups or the RaaS operating model, or impacted groups that do not intend to continue operations.”
RaaS gangs make their pitches
The researchers said postings from three emerging RaaS groups — Medusa, RansomHub and Cloak — indicated different approaches by the gangs to entice new affiliates into the fold.
An invitation to partner with Medusa was “particularly appealing,” they said, with the gang offering a sliding payout scale depending on how large a ransom the affiliate could extort from their victim. The affiliate would initially get 70% of the take, but that would rise to 90% for ransoms above $1 million.
Medusa also offered its affiliates 24/7 support including access to an “admin team,” a “media advertising team,” and the gang's own ransom “negotiators.”
“RansomHub, by comparison, appears to have taken a less materialistic approach and opted to rely on contemporary events as a persuasive tool,” the researchers said.
In a forum post that appeared to reference ALPHV/BlackCat’s sudden disappearance, RansomHub told prospective partners: “We have noticed that some affiliates have been seized by the police or have escaped from fraudulent activity causing you to lose your funds.”
RansomHub said its affiliates collected ransom payments themselves and then passed a 10% share on to the group.
“This approach is likely intended to assuage concerns of ‘exit scams’ or other deceits that have been circulating as gossip and accusations around the proverbial cybercrime watercooler as of late,” the researchers said.
They described a post by the Cloak gang as offering a working arrangement that was “the least remarkable, with few unique features that would entice a potential affiliate.”
While Cloak let affiliates keep a “respectable” 85% of the ransoms they collected, payments had to be made in Monero cryptocurrency, rather than Bitcoin. While Monero was favored by cybercriminals because transactions were more difficult to trace, the researchers said ransomware victims were more likely to pay up if Bitcoin was demanded.
