As ransomware attacks have quickly morphed over the past few years into a billion-dollar business, the groups behind them are increasingly adopting the practices and tactics of the corporate businesses they target.
More and more, ransomware groups (and some argue the larger cybercrime ecosystem) are gravitating towards joint partnerships and profit sharing arrangements with other hacking groups, introducing tools to measure the efficiency of their work, creating playbooks and scripts during the negotiation phase, and adopting customer service and PR tactics from the corporate world.
This shift in behavior, compared to even a few years ago, is manifesting itself in a number of ways, from establishing cooperative partnerships to taking a customer-friendly tone when negotiating with victims to writing and distributing press releases designed to market their latest successful compromise or build their brand to the broader public.
“You’ll get better service from some ransomware groups than the IRS, though that’s a fairly low bar,” said Brett Callow, a threat analyst at Emsisoft. “They are absolutely becoming more professional and some of the operations are quite slick, [offering features like] guaranteed response times for customer support questions and automatic decryption as soon as the payment is processed.”
While there are likely a number of explanations for why criminal groups are adopting many modern business tactics and practices, money is almost certainly one of the most important. Just a few years ago, these groups were mostly running low-stakes operations, demanding a few thousand dollars in ransom, targeting small businesses and running “amateurish” operations, Callow said.
All of that has changed as more money has flowed into the system. His firm estimates that approximately $1.4 billion was paid to ransomware groups last year, and the average payday has shot up from about $84,000 per operation to $200,000 today. It’s no longer small mom and pop businesses with little or non-existent IT security getting hit, but huge, multinational conglomerates worth billions of dollars. Those higher stakes and higher returns have brought with them a more professional veneer and a public consciousness to doing business. It also created less room for freelancing or rogue behavior by individual operators.
There’s also a psychological motivation for any operation – even criminal ones – to appear professional and conscious of their image and reputation. They set up user-friendly websites to announce a breach, leak data or issue press releases. Alec Alvarado, threat intelligence team lead for Digital Shadows, said that these small actions can signal to victims that they are dealing with a professional organization.
“The more legitimate they appear, the more trustworthy they come across to both victims and potential affiliates,” Alvarado said. “Increasing apparent legitimacy and trust means victims will feel more comfortable paying ransom and that they will be given the tools to decrypt.”
One of the most notable examples of this customer-centric behavior can be found in undeleted chat logs between a ransomware group and travel management company CWT that were obtained by Reuters earlier this year. In the logs, the operator goes by the handle “Support” and adopts a cheery, almost customer service-like tone, at one point thanking the victim for their “patience” and discussing the contours of a “special deal” if CWT contacted the group within 48 hours. After informing the company that the initial $10 million demand was “an adequate price” and “this is the market,” they eventually negotiated the figure down to $4.5 million under the condition that CWT pay up within 24 hours. The operator even offered to decrypt two random files as a show of good faith that their decrypter worked as intended.
Kurtis Minder, CEO of GroupSense, a company that offers ransomware negotiation services, told SC Media that most large ransomware groups with multiple concurrent victims deploy automatic, pre-determined answers through the early stages of a negotiation until it progresses far enough to warrant human interaction. Similar to the business world, ransomware managers are seemingly looking to make sure their workers’ time is being spent wisely.
“It’s actually rather robotic. When I say they have a playbook, it’s not just a playbook; it’s often a script,” said Minder. “Sometimes you’ll get these templated responses for a while before you get somebody who actually puts time into typing on a keyboard for you.”
Another group uses an internal tool during intrusions that is designed in part to determine the potential return on investment from infecting a targeted network. New research released this week from Sophos Labs details how LockBit – a relative newcomer that has quickly become a major player in the ransomware space – leverages automation in many of its attacks on smaller businesses.
After gaining an initial foothold, the group deploys an automated scanning tool, in part to find and disable anti-malware tools, but also to search for very specific pieces of software, such as tax or point-of-sale systems, that are particularly valuable to an organization. Sean Gallagher, a senior threat researcher at Sophos and lead author on the research, told SC Media this was likely done to gauge the likelihood of an organization paying up and to prioritize the workloads of the human operators responsible for closing a deal.
“These guys do operate as a business and one of the things they have to be concerned about is how much customer service they can handle. They want to make sure they can maximize the return on these ransomware attacks because they require actual human interaction to get payments,” Gallagher said. “And if you want to do a ransomware attack and get paid you want to make sure you’re hitting people who have the highest incentive to pay.”
Like many legitimate companies, these criminal groups are constantly searching for ways to yield greater efficiencies, packaging as much of their work as possible into an automated script or franchising their operations and tools out to third parties for a fee.
“These are businesses and they are increasingly automating their business…or outsourcing it,” said Gallagher. “So, in the case of Dharma, they’re outsourcing to young, wannabe ransomware operators who pay them for the privilege of hacking people.”
A veneer of respectability
More recently, one group has seemingly responded to widespread negative press about ransomware attacks the same way many companies do when faced with a public relations crisis: throw money at a good cause. That’s what hackers from the DarkSide group apparently did recently in sending $10,000 in stolen Bitcoin proceeds to two charities, Children International and The Walter Project, according to BBC News. In a statement the group posted on the dark web along with receipts for the donation, operators for the group wrote that it was “fair that some of the money the companies have paid will go to charity” and that “no matter how bad your think our work is, we are pleased to know that we helped changed [sic] someone’s life.”
The $10,000 they claim to have sent represents just a tiny fraction of the tens of millions of dollars the group has stolen from businesses. One of the charities, Children International, told BBC it would not accept the donation.
Another example of this strategy can be found in the (largely false) pledges made earlier this year by some ransomware groups to avoid targeting hospitals during the COVID-19 pandemic, something many observers at the time said smacked of a public relations move rather than a genuine desire to avoid harm.
Despite these tactics, experts who study the fallout of ransomware attacks say no one should be fooled by the veneer of respectability these groups are attempting to create or be confused about their motives or ethics.
“At the end of the day they are simply criminal extortionists and every single one of their attacks has a big impact on people’s lives,” Callow said. “Companies have gone bust as the result of their attacks, people have become unemployed, IT employees have been fired for failing to protect their networks. So they really are conscience-less criminals, despite the image they try to create for themselves.”