Bring Your Own Malware: ransomware innovates again

Ransomware groups are learning from the business models of legitimate companies. Not only that, they are constantly innovating to divide tasks and seek out market niches. Now it appears that two prominent gangs are imitating platforms such as YouTube and TikTok through affiliate models: affiliates can launch their own branding and their own end product on top of the groups' existing systems and networks.

Ransomware-as-a-service has been popular for some time. A threat actor sells or rents the tools that less experienced cybercriminals (known as affiliates) need to carry out a ransomware attack. The affiliates then share the proceeds with the operator. Secureworks, part of Sophos, published research this week on the extensive affiliate models of two RaaS groups: DragonForce and Anubis. Both have set up new affiliate models. The flexibility is great; you can even carry out attacks without having your own malware. The reverse is also possible: if you have your own malware, bring it with you, the groups say.

DragonForce’s strategy: Bring Your Own Malware

DragonForce emerged in August 2023 as a traditional RaaS player, but last month rebranded itself as a “cartel.” In a post on a Dark Web hack forum on March 19, DragonForce advertised that affiliates can create their own “brand,” allowing them to use their own malware while leveraging the infrastructure provided by DragonForce.

“In this model, DragonForce provides its infrastructure and tools but doesn’t require affiliates to deploy its ransomware. Advertised features include administration and client panels, encryption and ransom negotiation tools, a file storage system, a Tor-based leak site and .onion domain, and support services,” according to Secureworks.

Secureworks does not mention it as such, but we expect that a “Bring Your Own Malware” concept could become popular within the cybercriminal circuit. After all, people learn not only from legitimate organizations, but also from each other.

The new approach differs from other RaaS models and may be attractive to attackers who have their own malware but lack the technical knowledge or support to reliably manage other aspects of the infrastructure. This is a daunting task if you want to avoid detection. The “ideal scenario” is a huge distributed network that is ready and waiting to serve as an attack path. DragonForce has this at its disposal. However, the Secureworks researchers warn that this approach also carries risks: “If one affiliate is compromised, other affiliates’ operational and victim details could be exposed as well.”

Anubis’ triple revenue model

Anubis has been offering three different affiliate models since February. These include a traditional RaaS model where affiliates receive 80 percent of the ransom, a “data ransom” option where Anubis helps extort money after data exfiltration, and an “access monetization” option. The latter is a service that helps attackers extort victims they have already compromised; in this option, affiliates receive 50 percent of the ransom from a successful operation. The data theft option offers affiliates 60 percent of the net proceeds.

The “data ransom” option is reminiscent of content marketing, Dark Reading notes, but for cyber attackers. The “data ransom” option “involves publishing a detailed ‘investigative article’ to a password-protected Tor website,” Secureworks explains. This article describes in detail what data is of interest, so that interested parties can assess the value of their potential purchase. If no buyer can be found, the attackers leak the data via the Anubis leak site.

The attackers increase the pressure by publishing the names of victims via an X account. They also claim that they will inform the victims’ customers, as well as regulators in the US, the UK, and Europe. This is becoming more common: given the strict requirements for reporting ransomware and other incidents, organizations are feeling the heat from both regulators and hackers.

Professionalization of cybercrime

The approach taken by DragonForce and Anubis shows that cybercriminals are becoming increasingly sophisticated in the way they market their services to potential affiliates. This marketing approach, in which DragonForce positions itself as a fully-fledged service platform and Anubis offers different revenue models, reflects how ransomware operators behave like “real” companies. Recent research has also shown that some cybercriminals even hire pentesters to test their ransomware for vulnerabilities before deploying it.

So it’s not just dark web sites or a division of tasks, but a real ecosystem of clear options for “consumers.” We may also see a modernization of dark web forums, which currently resemble the online platforms of the 2000s.

Recommendations for defenders

Although these developments in the ransomware landscape are worrying, Secureworks researchers also offer practical advice for organizations to protect themselves. Above all, defenders must take “proactive preventive” action. Fortunately and unfortunately, this mainly involves basic measures. Fortunately, because the policies to be implemented are manageable; unfortunately, because there is still a lack of universal awareness of such security practices.

In addition, organizations must develop and regularly test an incident response plan to quickly remediate ransomware activities. Figures show that 61 percent of affected organizations pay ransom after a ransomware attack, which perpetuates the revenue model of cybercriminals. If that money no longer flowed to attackers, only state actors would have the resources to strike.