
Ransomware Threat Landscape Update - A Short Lull

In the latter months of 2021, Ankura observed a reduction in the prevalence of ransomware. The ransomware landscape for 2022 is off to a very intriguing start, between threat actor betrayal, Russian government interference, and increased sanctions from the United States. Threat actors have really had to buckle down and ensure they are operating the way they intended. CTIX analysts expect there to be a rise in ransomware cases during 2022 following this recent lull. The brief slowdown is providing ransomware operators the time they need to re-work their organization structure, ensure their affiliates are correctly aligned, and ensure contingency plans are in place in case of government action.


Threat Actor Betrayal

Since its initial creation by the Babuk ransomware group, RAMP (Ransomware Marketplace) has been a controversial forum where those who want to deal within the world of ransomware can congregate, discuss ideas, and freely advertise for ransomware affiliates, which has not been allowed on top tier forums like Exploit.in and XSS.is since the summer of last year.  


[Image: snippet of LockBitSupp's response in the LockBitSupp vs KAJIT thread on XSS]


CTIX analysts have observed signs of a general distrust within the ransomware community. This has been signaled by a number of events, including one ransomware group releasing the results of a privately conducted investigation into a key player in the ransomware scene. There are many reasons why tensions have risen; they have been building for months, and the boiling point was finally reached through a combination of key discoveries, press releases, and ransomware affiliates' drunken Twitter rants.


Russian Interference in Criminal Activity

The much more active and public involvement of the Russian government has once again stirred the pot. The last well-known Russian intervention into criminal activity was quite some time ago, back in 2017, when Russian authorities took down RAMP (Russian Anonymous Marketplace). There has been speculation that the individuals arrested in Russia are in fact not members of REvil. This has yet to be proven; however, following the money does eventually lead to the threat actors behind it all, so arresting the money launderers and lower-tier affiliates increases the chances of catching the organizers. The Russian government's interference with these groups does not stop at ransomware actors. On February 8th, the Russian government took down three notorious carding forums and left a note in the source code of the sites stating, in Russian, “WHICH ONE OF YOU IS NEXT?” These are significant takedowns, as Russia tends to turn a blind eye to operations that act on behalf of the state and those that do not target CIS countries. The timing is also due in part to the tensions rising on the border with Ukraine. CTIX analysts suspect these takedowns have occurred to appease the United States and its allies, in the hope of limiting sanctions and pressure over the actions taking place on the Ukraine border.


[Image: Russian government darkweb site takedown notice (translated)]


The Impact of US Sanctions on Ransomware Groups

With the increased attribution of nation-state actors, the United States government has been imposing sanctions on specific ransomware groups. This has become a recent focal point for threat groups, forcing them to vet affiliates more thoroughly when hiring and to “re-interview” current affiliates to ensure that none is associated with a nation-state. If a single affiliate is caught and linked to nation-state activity, that is enough for the United States to impose sanctions. That in turn makes the ransomware operation no longer effective: the facilitators of the payments would be subject to significant fines and would therefore be unwilling to make the payment, and money is the core goal of any ransomware operation.

[Image: recently added ransomware-related sanctions]


The ransomware landscape has certainly slowed down over the past few months; however, that does not mean it has stopped or has any plans to stop. Analysts expect a rise in ransomware cases after this recent lull. The lull has given operators the time they need to re-work their organization structure, ensure affiliates are correctly aligned, and ensure contingency plans are in place in case of government action.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
