Ransomware Operators Scramble to Shore Up RaaS Business Model


March 20, 2024


Researchers have observed RaaS groups stepping up efforts to recruit affiliate attackers who may be looking for new ransomware platform partners following major disruptions to two of the most prolific groups, LockBit and BlackCat/ALPHV.

In early December, reports circulated that law enforcement may have been the cause of a website outage impacting the BlackCat/ALPHV ransomware gang’s leaks site.

The takedown attempt appeared to have failed, as the group regained control of its sites and went on to claim responsibility for attacks on Trans-Northern Pipelines, Prudential Financial, LoanDepot, and finally Change Healthcare.

Then researchers suggested that the BlackCat/ALPHV platform operators may be using the law enforcement action as cover for an exit scam designed to cheat the affiliate attackers who carried out the Change Healthcare attack out of their share of a potential $22 million payday.

This perceived betrayal has seriously undermined trust in the illicit ransomware economy.

Based on recent postings by some established players like Medusa, RansomHub and Cloak, some RaaS groups are now “forgoing deposits and paid subscriptions, offering better payout splits, 24/7 support, and other perks” in order to bolster confidence in the profit-sharing business model, HelpNet Security reports.

“Although there doesn’t appear to be any more skepticism than we normally observe with these types of posts, we believe that there has definitely been an impact on cybercriminals’ confidence in affiliate-based ransomware groups.”

Takeaway: Ransomware is a business model, and a very lucrative one at that. Ransomware-as-a-Service (RaaS) platforms are more or less run like legitimate Software-as-a-Service (SaaS) companies, with R&D, recruiting, tech and negotiation support, and more.

The affiliate programs generally run like channel sales programs in legitimate SaaS companies. The affiliates are partners who carry out attacks using the RaaS platform; the RaaS providers take a cut of each ransom and pay out a percentage to the affiliates.

If a RaaS group pulls an exit scam to defraud their affiliates, this would be the equivalent of a major SaaS company screwing their channel partners out of their share of a sale from a big enterprise account.

This betrayal of confidence could have a significant impact across the entire RaaS ecosystem, as affiliate attackers working with other RaaS providers are understandably nervous about the stability of their business relationships.

While the potential fallout from this betrayal of trust is hard to predict, it has no doubt created a lot of animosity between affiliates and RaaS providers, and we can only hope this breakdown of trust spills over into all RaaS operations.

While that would not put an end to all ransomware attacks, it would certainly reduce the pool of potential attackers to those with the requisite skill sets to develop and maintain their own attack infrastructure and payloads, which represents just a fraction of the attackers we see today.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.