Larger ransomware groups operate more like small- to medium-sized businesses than like drug dealers. They place help-wanted ads. They have web design teams. They hold conferences. They communicate over Slack. And it has been a boom year for those businesses, which have netted multimillion-dollar paydays from several high-profile events and from many more that go unreported. So what happens when ransomware as a business starts acting like any other business that receives a huge influx of capital? What happens if the groups reinvest, and treat a windfall as a Series A financing round?
Asked differently by Alastair Paterson, CEO and co-founder of Digital Shadows, during a one-on-one meeting with SC Media at Black Hat: “What happens [when] these exceptionally well-financed groups have bigger offense budgets than you've got defense budgets?”
The money certainly is there. The groups behind the attacks on Colonial Pipeline, JBS and Kaseya have rebranded, but they still exist. In 2020, before any of those attacks, Chainalysis estimated that ransomware actors took in at least $350 million.
A large cut of that sum went to the designers of the ransomware, the criminals we traditionally think of as the ransomware groups. But ransomware, like any business, is a complex economy. The well-organized designers let stables of contractors, the affiliates, deploy their ransomware on commission, and those affiliates in turn purchase pre-hacked access to victim systems from a third group: initial access brokers. A rising tide of ransomware payments floats all three boats.
"In some cases, they're running, they actually have offices, they're running help desks, they have HR and all the things you expect to have in a miniature organization," said Adam Meyers, senior vice president of intelligence for CrowdStrike.
Reinvestment and growth: A history
Traditionally, said Meyers, reinvestment in ransomware went toward increasing the frequency of the same basic cycle of attacks. More profit for the affiliates meant more money to spend on initial access, and therefore more attacks. More profit for the designers meant more money for support services and for incentives to recruit new affiliates.
Historically, that money has not needed to go very far toward revolutionizing the technical side of the attack. The crime is opportunistic, and there have always been enough targets making common mistakes to keep the criminals supplied with victims.
"At the end of the day, they tend to be fairly low-cost operations, so they don't really need to invest that much in R&D," said Meyers.
In lieu of massive R&D budgets, reinvestment can still go in a variety of directions to build up the infrastructure behind an attack. Ransomware groups often park money in criminal escrow services to demonstrate to affiliates that they can make payments, said James Chappell, co-founder and chief innovation officer at Digital Shadows. More profit can mean more money in escrow, which in turn increases the confidence affiliates have in launching more attacks.
A new pattern may be emerging
Ransomware groups make the same kinds of efforts to continuously improve the efficiency of the less glamorous parts of their software that you might see at any legitimate software developer, said Chappell.
"There's all sorts of improvements: the speed of encryption, the ability to communicate files back and forth," he said. And there are efforts to expand the tactics behind the attacks. "We've seen a couple using virtual machine hijacking. That requires engineering and debugging."
But the success of the Kaseya attack infecting targets in bulk in one weekend may be leading to a change in strategy.
"There's a lot of interest among ransomware actors in carrying out another Kaseya style attack, so there's a lot of interest in underground forums and in private chats where they talk about looking at remote monitoring and management [RMM] tools as a way to deliver force multipliers," said Allan Liska, senior security architect at Recorded Future.
Targeting Kaseya's RMM software allowed affiliates of the REvil group to compromise a number of managed service providers at the same time, and through them all of the clients using those providers' services.
That kind of attack might require more capital to pull off. The Kaseya attack relied on a zero-day, which either required in-house vulnerability research or the outright purchase of the vulnerability from another party. It is a different approach from scanning for a well-known but still unpatched vulnerability in a corporate VPN, or from phishing: less opportunistic, more deliberate.
Reinvestment is attractive for more reasons than one
Reinvestment is not just a matter of expanding the market or the market share within it, said Chappell.
"All criminals have a problem in removing funds out of their enterprise into their personal pockets. The minute you have any kind of payment, there is a breadcrumb trail. It makes sense, rather than put it in your pocket, to invest it, and have a regenerative effect," he said.
Strengthening a ransomware group's human and technical infrastructure might not mean bigger attacks. The ransomware groups that have been forced to rebrand were forced to do so because the attacks they were involved in drew too much attention. It is hard, for example, to interrupt the gas supply chain without drawing significant ire from national governments.
So more efficient operations might mean more midsized victims rather than more victims at the top end.
It might also mean better-orchestrated attacks when they are big. The Kaseya attack could have been more profitable had the attackers been better prepared to bill every individual client of the managed service providers they infected.
"The last few years have been really horrible for ransomware," said Chappell. "All that money has to go somewhere."