Ransomware attribution: Missing the true perpetrator?
Headlines following recent ransomware attacks paint a landscape that acknowledges the true impact of such threats. The historical focus solely on attribution has made way for consideration of the human and financial toll that ransomware can take, not only on an organization but also on wider society.
Admittedly, this does lead to doomsday scenarios offered up by authors across a multitude of platforms, with weak attribution included to suit their own narrative.
While commentary on the impact of such a scenario is generally to be welcomed, the focus on attribution remains. Recent events have introduced the world at large to ransomware variants previously only discussed within the information security industry. However, one has to question whether naming those variants as the perpetrator is even remotely accurate.
As has been documented, we live in a world where anybody with access to a computer can be a player in the ransomware industry. Through ransomware-as-a-service (RaaS) there exists a business model that enables ‘partners’ to carry out attacks against victims and to share the profits with the developers of the ransomware. In return for this arrangement, such partners or affiliates are offered a dashboard and a sizeable share of the profits, in a relationship that, judging by the rise in use of such a model, appears to suit both parties.
And herein lies the issue.
Recent ransomware attacks, using tools such as DarkSide, were indeed carried out by such partners. Celebrations over the retirement of certain ransomware variants appear to be premature, with GandCrab serving as an indication of what may actually occur. The group behind GandCrab, which was incredibly active and claimed to have made $2bn, announced its retirement in 2019.
While this announcement was greeted positively at the time, questions were raised about why the number of affiliates dropped sharply a few short months earlier. Fast forward a few months and the growth of Sodinokibi may have answered those questions, while confirming that rumours of senior partners’ retirement from the ransomware scene may have been greatly exaggerated.
However, and this is the critical component, it is the affiliates that break into organizations, and it is these same people that deploy the ransomware within the environment, while all the time the ire remains fixated solely on the ransomware developer.
While the developer(s) should not escape the ferocity of the anger directed at them, the affiliates continue their activities and can simply move to any number of other schemes should the ransomware group they have agreed to work with be disrupted.
In our continued effort to hold accountable those responsible for the disruption they cause, closer attention must be paid to such mercenaries, who are largely responsible for the exponential growth of such attacks. It is their involvement and capabilities that have allowed such attacks to adapt and become so much more crippling than ever before.