Breaking the economy of trust: How busts affect malware gangs
It's hard to track down individuals, so why not disrupt the underground market itself?
Feature Some of the world's most notorious ransomware and malware-as-a-service (RaaS/MaaS) operators have shut up shop in the past 12 months thanks to international law enforcement efforts, but just because household names like Conti, LockBit, and ALPHV/BlackCat are on the ropes, it doesn't mean we're free from the threat of commodity malware.
That's not to say disrupting key RaaS and MaaS operators isn't integral to global efforts to stem the tide of such criminal behavior – it's just that the big gangs are only a small part of the overall cybercrime economy.
While there might be one gang operating a criminal infrastructure and supplying the code, coming along with each of these are also countless affiliates who treat their illicit kit like any other piece of enterprise or SMB software. A recent Europol report suggests those affiliates are increasingly turning toward smaller operators, or going it alone, to avoid digital dragnets.
So, how do the good folks get the upper hand? It's all about understanding how the shadow economy that's grown up around commodity malware operates and destroying its weakest and most essential link: Trust between malware operators and affiliates.
There's a whole world underground
When Ukrainian security researchers leaked source code, chat logs, and a bunch of other data belonging to a Russian RaaS operation in early 2022, one of the most surprising discoveries was how sophisticated and business-like the group's operation was, Intel 471's executive editor of cyber threat intelligence Jeremy Kirk told The Register.
"It ran like a tech company – a poorly run tech company – but it was really organized cybercrime," Kirk told The Register. "You had HR people, malware coders, administrators, managers grinding employees and getting them to work harder, and things like that."
Top to bottom, that sounds a lot like your average startup – complete with competition between operators to win more customers (i.e. affiliates) and promote their brand.
"Something we've seen for a long time is that affiliates keep most of the ransom," Bitdefender's technical solutions director, Martin Zugec, told The Reg.
Zugec said that affiliates and operators have traditionally split their ill-gotten gains at a roughly 70:30 ratio, but over time it has shifted to the point where affiliates are getting around 90 percent of the proceeds. He said there are a number of reasons for this, including affiliates realizing they're the ones doing most of the work, and the realization that they can easily work with multiple operators.
LockBit, Kirk noted, even had the strategy of letting affiliates collect ransoms without having to cut the group in until afterward, eliminating fears that operators could make off with ransoms and not pay affiliates their share. Once LockBit got big, the Medusa ransomware group began offering higher ransom shares to affiliates to steal customers; others have tried similar tricks.
"There's a lot of drama on the underground forums," Kirk said. "Cybercriminals make alliances, break alliances, and cheat each other out of money."
While one could argue that legitimate tech businesses cheat their customers too, in the RaaS/MaaS underground economy it's a feature of doing business, not a bug – no honor among thieves, after all.
With modern languages making ransomware easier to build than ever before, the software itself has become the commodity, Zugec told us. That means RaaS and MaaS "vendors" will quickly be abandoned by affiliates for new operators with new products – as the Europol report suggested – but Zugec contends groups aren't necessarily going solo.
"There's a lot of groundwork you have to lay to go from being an affiliate to standing up your own infrastructure," Zugec said. He suspects most affiliates, who aren't savvy, sophisticated operators but opportunistic criminals, will be unable to become independent actors.
"It's not difficult to be an affiliate," Zugec said.
Like any small business with limited resources, not everyone is going to be able to afford their own hardware stack, nor will they want to invest so much for uncertain returns.
And isn't that what the cloud is for, after all?
Malware devs are even harder to pin down
Speaking of expensive, hard-to-find resources, if you thought it was hard to hire good developers in the world of legitimate business, it's even harder to find a coder able to build a decent bit of malware.
"There's always a healthy demand for malware and also a somewhat limited pool of people who have the skills to create it and have loose ethical boundaries," Kirk said, and Zugec agreed.
"The whole RaaS is a gig economy," Zugec said. "How the money flows, how it's arranged, how the business model works – it's exactly the same thing."
That goes for both affiliates, who "work" using the resources owned by malware operators, and developers, who often do short-term work for a criminal outfit before moving on to another underground project.
Workers who develop payment systems, manage infrastructure, and handle day-to-day operations are often part of the gangs themselves, but those building the actual malware are more often than not freelancers who work alone.
That's not always the case, of course: the developer suspected of coding Conti and LockBit malware was arrested in Ukraine and is believed to be affiliated with both gangs. But it's just as common for a developer to be a lone wolf working for the highest bidder.
One example of a lone developer is Evgeniy Mikhailovich Bogachev, the man suspected of being behind the Zeus botnet. Still at large, Bogachev was the sole person behind Zeus, Kirk said.
"He sold his kit for three grand, and sometimes even more," Kirk explained. "People who had those skills or crews that had those skills are always going to be in demand."
Relying on law enforcement operations to go after those developers won't be easy, though.
One of the biggest problems when it comes to apprehending malware developers, Kirk said, is countries like Russia, which don't extradite anyone charged with crimes in places like the United States, and which generally protect cybercriminals willing to attack their enemies.
In many cases the developers behind commodity malware might not even know what they're building, or for whom.
"For many of these people, they had a choice: Work professionally in IT, or use the same skills and the same tools for cybercrime and my salary will be ten times what I could make," Zugec said. "In many cases, we've seen the sentiment like, I know these are bad guys, but I'm not working on bad code, so it's OK."
In other words, for a lot of commodity malware and ransomware, it'd be downright impossible to figure out who made it and how to catch them.
How to breach trust in the cybercrime world
It's worth asking whether it would even be worth tracking down malware developers, especially if their piece of the puzzle is such a small one compared to how important the relationship between affiliates and operators is.
That's what law enforcement needs to target, said Zugec, and it's not a far-fetched proposition to say it works – just look at CrowdStrike.
Since pushing a bad update that crippled millions of Windows machines around the world, the company's value has plummeted. As of writing, CrowdStrike shares are down 40 percent in the last month, and most of that loss came after the global outage.
Shake trust between companies and customers, and even the mightiest of juggernauts can fall.
"We should be targeting the relationship between affiliates and operators … with everything we do," Zugec said.
So far, it seems to be working.
Zugec said the way law enforcement has played on threat actor psychology in some of the recent mega-busts – such as posting LockBit affiliate and operator information on the group's own leak site after the domain was seized – is a master stroke in destabilizing the gang-affiliate relationship.
"Now the criminals are kept guessing: Was it operational security? Some sort of software bug? A mole?" Zugec said, noting Bitdefender had seen such talk on underground forums it monitors after major busts.
While the internet cops continue their crusade, Kirk pointed to recent research that, he said, shows not only that busts are slowing the spread of ransomware, but also that baseline company resiliency is improving.
According to cyber insurer Howden Group, the average cost of a cyber insurance policy has fallen 15 percent since peaking in 2022.
"Companies that have invested in risk controls and crisis management are now less susceptible to material impacts," Howden said. "Furthermore, the growing prevalence of double and even triple extortion has undermined the assumption that paying a ransom will put a stop to the hack."
That's over a 12-month period in which, Howden said, ransomware activity surged even as the number of payouts fell.
So shore up your defenses and keep your systems safe, but take heart in recent news about law enforcement operations busting malware and ransomware operators: Their affiliates are beginning to scatter, meaning today's big threats may be on the way out.
Don't assume the underground economy will go away, though, especially with countries like Russia willing to harbor cybercriminals.
"Some of these people won't be deterred," Kirk said. "What [law enforcement] is hoping is that maybe there is a small slice … that will be." ®