Ransomware-as-a-service (RaaS) operators are evolving their tactics yet again in response to more aggressive law enforcement efforts, in a move that is reducing their profits but also making affiliates harder to track, according to Coveware.
The security vendor’s Q2 2022 ransomware report revealed that concerted efforts to crack down on groups like Conti and DarkSide have forced threat actors to adapt yet again.
It identified three characteristics of RaaS operations that used to be beneficial, but are increasingly seen as a hinderance.
The first is RaaS branding, which has helped to cement the reputation of some groups and improve the chances of victims paying, according to Coveware. However, branding also makes attribution easier and can draw the unwanted attention of law enforcement, it said.
“RaaS groups are keeping a lower profile and vetting affiliates and their victims more thoroughly,” Coveware explained.
“More RaaS groups have formed, resulting in less concentration among the top few variants. Affiliates are frequently shifting between RaaS variants on different attacks, making attribution beyond the variant more challenging.”
In some cases, affiliates are also using “unbranded” malware to make attribution more difficult, it added.
The second evolution in RaaS involves back-end infrastructure, which used to enable scale and increase profitability. However, it also means a larger attack surface and a digital footprint that’s more expensive and challenging to maintain.
As a result, RaaS developers are being forced to invest more in obfuscation and redundancy, which is hitting profits and reducing the amount of resources available for expansion, Coveware claimed.
Finally, RaaS shared services used to help affiliates with initial access, stolen data storage, negotiation management and leak site support.
However, this required a large wage bill to support and ran the risk of malicious insiders infiltrating RaaS operator groups. That means affiliates are increasingly required to handle initial access, stolen data storage and negotiations alone, which is likely to reduce their profits.
Overall, fewer victims are choosing to pay their extorters, especially among large enterprises. However, the threat actors are responding by focusing more effort on the mid-market. That may explain why the median of ransom payments fell by 51% from the previous quarter to $36,300.