The effects of the recent high-profile disruptions of LockBit’s and BlackCat’s ransomware operations by law enforcement agencies are rippling through the dark web, with smaller threat gangs looking to scoop up the larger groups’ disaffected affiliates.
Law enforcement agencies in the United States, the UK, and elsewhere in recent years have aggressively targeted the most prolific ransomware-as-a-service (RaaS) groups in hopes of stemming the still-rising tide of attacks, and over the past few months have bagged LockBit and BlackCat, among the best known of the bunch.
While both groups were able to rally after the takedowns, some of the damage was done, according to threat intelligence researchers with GuidePoint Security. In such situations, affiliates – who use a core group’s ransomware to launch attacks with the promise of sharing in the profits – can become disenchanted and start looking around for other gangs to latch onto.
Also, in the aftermath of the most recent takedowns, the researchers have seen three smaller RaaS groups in particular looking to recruit new affiliates in a market that has a relatively shallow talent pool.
“Recent increases in advertisements for affiliates may indicate continued limitations in available human resources, growing distrust in particular RaaS groups or the RaaS operating model, or impacted groups that do not intend to continue operations,” Justin Timothy, a threat intelligence consultant for GuidePoint’s Research and Intelligence Team (GRIT), wrote in a report this week.
In Operation Cronos earlier this year, investigators seized LockBit’s public-facing websites – replacing some of them with messages taunting the group – took control of servers run by the group’s administrators and used to host LockBit’s “StealBit” platform, and grabbed decryption keys to help some victims regain access to their data.
Similarly, late last year law enforcement officials announced they had infiltrated BlackCat – also known as ALPHV – shut down operations, and created a decryption key.
Both LockBit and BlackCat rallied after their respective takedowns. Investigators appeared to try to sow discord among LockBit’s affiliates, implying in various disclosures that they knew who “LockbitSupp” – the tag given to LockBit’s administrator – was, and that the administrator had “engaged with Law Enforcement.”
BlackCat reacted by increasing the split of ill-gotten gains for affiliates to 90% and lifting some restrictions on what entities could be targeted. However, BlackCat appears to have shut down after the recent headline-grabbing attack on Change Healthcare, a subsidiary of health care insurance provider UnitedHealth. BlackCat apparently grabbed the $22 million ransom that was paid without splitting the money with an affiliate that actually ran the attack using BlackCat’s ransomware, which many cybersecurity pros tagged as the group’s exit strategy.
“LockBit is likely to continue operations with some affiliates in the near term, but we expect the total number of affiliates to decrease,” Timothy wrote. “These disruptive events have resulted in distrust towards the most established RaaS groups in the ransomware ecosystem today, including LockBit, and will almost certainly lead to the displacement of some portion of the associated affiliate corps.”
Affiliates may leave for a range of reasons, including distrust, disillusionment, or a desire to work with another group. Others that have worked primarily with one ransomware group may have to leave if law enforcement takes down the group.
Other RaaS groups – and there are more than 40 of them of varying sizes, with some claiming dozens of victims while others show none – see situations like those of LockBit and BlackCat as opportunities to expand. GRIT researchers have seen three of these groups, Medusa, Cloak, and RansomHub, trying to “attract or recruit new members through advertisements on Deep and Dark Web illicit forums. Each of these groups falls within different levels of GRIT’s Ransomware Taxonomy, indicating that RaaS groups of varying maturity levels are seeking to take advantage of circumstances,” Timothy wrote.
The ads for affiliates showcase again the business-like nature of today’s cyberthreat groups. Cloak has been posting ads on the UFO Labs illicit forum, while the other two are advertising on the Russian-language RAMP forum. Each contains routine information, such as a short description of the group, ransom split rates, and details for communicating over the TOX instant messaging app. They also talk about the strength of their encryption, how easy their panels are to use, and opportunities for affiliates.
Medusa is making a particularly strong pitch, with a sliding payout scale that starts at 70% of the ransom for affiliates and rises to 90% for ransoms of more than $1 million. The RaaS group also offers access to its administrative and media advertising teams as well as the group’s own negotiators. It also stressed in a March 12 posting that it accepts affiliates who don’t speak Russian.
A key part of RansomHub’s message is trying to ease affiliates’ concerns, understanding that some have been seized by police or lost their funds. Its affiliates can collect ransom payments themselves and pay the core group its 10%, an approach that Timothy said “is likely intended to assuage concerns of ‘exit scams’ or other deceits that have been circulating as gossip and accusations around the proverbial cybercrime watercooler as of late.”
RansomHub also is letting its affiliates work with other RaaS groups, which GRIT researchers said not all affiliates do.
Cloak’s efforts don’t show as many enticements, stating an 85%-15% split for affiliates and no need to pay to join the group, and while boasting of the strength of its ransomware, it says information on other features is available upon request.
GRIT researchers also have seen attempts by other groups to attract affiliates by offering “access to the latest tools and techniques” and the “most favorable conditions on the market and dynamic raites [sic] for each advert,” according to Timothy.
It’s still to be seen how successful these recruitment efforts will be.
“If affiliates were to migrate to other RaaS groups, we would expect to see a decrease in posted victims from the losing RaaS groups and an increase in posted victims from gaining RaaS groups,” Timothy wrote. “We would also expect to see higher-profile victims attributable to historically less mature RaaS groups.”
He added that from a “Law Enforcement and policy lens, murmurs within the RaaS ecosystem and its component members likely represent an opportunity to encourage discord, amplify skeptical messaging, and solicit collaborators with unique access or connections.”