Ransomware gangs of 2024: The rise of the affiliates
The last 12 months have brought big news on the ransomware front, with law enforcement announcing the takedowns of major ransomware gangs including LockBit and ALPHV/Black Cat.
But despite the success of the FBI and its allies in tackling some of the biggest threat actors, businesses find themselves no safer from cyber-attacks than in previous years.
Security firm WithSecure says the frequency of attacks and ransom payments collected in the first half of 2024 was still higher than over the same periods in 2022 and 2023.
So, has the disbandment of two of the most dominant and well-known ransomware gangs done nothing to make enterprises more secure? Or is something else going on?
Emerging data from reports such as WithSecure’s indicates a shifting trend: affiliates once aligned with LockBit and ALPHV are now avoiding the big-name gangs. Trust in the larger groups has waned, with many members opting for smaller, more nimble operations.
A shift in the landscape
Since the downfall of LockBit in February, cybersecurity experts are still evaluating the long-term impact on the ransomware ecosystem – however, the prevailing consensus is that affiliates are adopting a more “nomadic” approach.
Affiliates are smaller criminal enterprises that lease a ransomware operator’s malware, techniques, stolen passwords and so on, in return for paying a monthly fee and sharing a percentage of any ransom payments.
“Through the data, the FBI identified 190 affiliates using LockBit’s service in February,” says Tim Mitchell, a security researcher at Secureworks.
“By May, following sanctions and indictments against LockBit’s admin, only about 60 affiliates remained active,” a roughly two-thirds reduction in active affiliates following the initial action.
With new sanctions in place, it has become illegal for companies in the US and the UK to pay ransoms to the gang, cutting off its primary revenue stream and attracting affiliates to other gangs.
“It’s surprising that they’re still active, albeit at a much lower rate,” says Mitchell. “March saw a significant surge in victim names, around 170 in one month (though many were possibly rehashed victims from earlier), but by June or July, the number had plummeted to about 12-15 victims.”
Before its admin, Dmitry Khoroshev, was exposed, he had declared the gang to be the “eternal” group. However, Mitchell believes that without a rebrand, it is looking unlikely that LockBit will remain as disruptive as before.
For ALPHV, while the FBI disrupted its site in December 2023, the gang continued operating until early this year when it revealed responsibility for the Change Healthcare attack that crippled pharmacies across the US, including those in hospitals.
Allegedly, although not publicly confirmed by Change Healthcare, the gang received a $22 million ransom payment. However, in this case the affiliate who executed the attack did not receive its share, and ALPHV went on to cease operations entirely, suggesting an exit scam.
This incident has eroded trust from both sides of the attack. Despite the large payment from Change Healthcare, the firm has not seen the stolen data, and affiliates left homeless may have lost their confidence in the well-known group.
Fragmentation
Following LockBit’s takedown, the number of ransomware groups listing victims has risen from 43 to 68, according to Secureworks data.
“For affiliates, it’s becoming clear that they might not get what they promised from larger groups, which may be driving them towards smaller, more reliable groups,” says Mitchell.
“After BlackCat’s impact on the marketplace, affiliates were left without a platform, and no obvious successor emerged,” he added.
According to cybersecurity firm Mandiant, some threat actors claim to use multiple ransomware families simultaneously, providing them with some level of stability to weather possible disruptions to ransomware-as-a-service (RaaS) offerings.
It expects that “the threat actors impacted will likely in time be able to recover and continue to engage in ransomware and extortion activity.”
Going underground
“While government efforts slowed down well-known operators, other groups like Blacksuit, Medusa, and PLAY have filled the void LockBit left,” says Tyler Reese, director of product management at Netwrix.
For instance, according to a report from researchers at GuidePoint security, Medusa is offering generous profit-sharing percentages, with up to 90% going to the affiliates – this is a much better deal than in the past when affiliates were obliged to part with up to 40% of the ransom profits which went to the gangs.
Another smaller gang called Cloak is offering an 85% profit share, with no initial payment needed to become an affiliate. A similar model appears to have worked for Medusa, whose victim numbers have surged since February, according to WithSecure.
Similarly, Mitchell adds, Qilin, responsible for recently publishing NHS data it obtained and also caught stealing credentials stored in Google Chrome, has stepped up, though not to the same scale as LockBit.
As well as this, RansomHub, which provides infrastructure and, according to Bitdefender, topped the list of ransomware groups by number of victims in August this year, is attempting to recruit affiliates that have been affected by recent shutdowns or exit scams.
“RansomHub became a bit of a place for homeless ransomware operators,” says Mitchell.
According to WithSecure, it is choosing to attract new recruits by letting them accept payment from the victims directly, before sending their share to RansomHub. WithSecure reports this to be a possible attempt to reassure those who were spooked by ALPHV’s exit scam, which was only possible because the gang controlled payments.
“In terms of top groups, there’s no clear leader, but there are a lot more schemes operating than ever before,” says Mitchell.
To gain access, “it’s still largely through old vulnerabilities in internet-facing services, and reusing stolen credentials,” he adds.
Ransom-where?
Determining where in the world an affiliate is located is also harder when they act alone, as most use the same tools and a Virtual Private Server (VPS) to make it look as if they are operating from another country.
“These groups are focused on making as much money as possible, focusing on critical infrastructure like hospitals and government agencies to cause major disruption,” says Kevin Curran, senior member of IEEE and professor of cybersecurity at Ulster University.
“AI-enhanced cyber-attacks are a serious concern for the near future. Authorities like the UK’s National Cyber Security Centre (NCSC) are focusing on ensuring AI systems are secure-by-design and continue to urge organisations to adopt robust cybersecurity,” he adds.
Ransomware remains a significant and costly threat. According to Netwrix 2024 research, 45% of organisations that experienced a cyberattack have had to deal with unplanned expenses to fix security gaps.
Alongside this, 16% faced a decrease in company valuation, and 13% had to deal with lawsuits, compared to only 3% a year ago.
“There is no single solution or ‘magic bullet’ to eradicate ransomware entirely,” says Reese.
“Regular data backups, timely software and system patching, robust endpoint and network protection, and strong identity protections with multi-factor authentication are significant steps toward cyber resilience in the era of inevitable attacks.”