February 20, 2024
Getting started in any business is a tricky affair. While estimations may vary, it’s widely believed that around 9 in 10 startup businesses fail within the first ten years of their establishment. Having enough money to get started, getting the right employees in, and navigating global conditions can be enough to knock over even the most robust of business models; we’ve recently reported that the latter is also causing cybercriminals a few headaches. Despite this, ransomware remains a highly profitable endeavor for its proponents, with dozens of currently active groups taking profits from their victims each week. So how do these groups get started, and what constitutes a working ransomware team? Check out the insights from our recent investigation below.
In short, it depends. As you’d imagine, the world of cyber criminality brings as much diversity in talent and approaches as you’d expect in the corporate world. While we all have this idea in our heads of a hoodie-bound, Russian-speaking threat actor sitting in their apartment in Siberia, the truth is cybercriminals involved in ransomware operations come from all parts of the world. The makeup of an individual ransomware team depends on the specific operation. Some groups get by with just a handful of individuals, while your more successful and active groups can involve hundreds of individuals, all with distinct roles and responsibilities.
At the very top, there’s likely an individual—or a handful of individuals—in overall charge of the group, running the direction and strategy of the group, much in the same way as a Chief Operating Officer (COO) might do at a legitimate company. This might be someone with previous experience in running a ransomware operation, or it might be the actual developer of the malware that’s being used—more on that later.
The majority of the work is of course conducted by the specialists within the group. This can include, but is not limited to:
In short, there's a lot to do and plenty of room for different skill sets. The bigger the group, the more specialized the roles will be. For example, in the largest groups, the reconnaissance roles could be split into active and passive: one member responsible for gathering victim identity information such as employee names and email addresses from publicly available sources, and another member covering port knocking and vulnerability scanning on the victim's network. Likewise, in a smaller group, fewer people could cover many roles. At McDonald's, you wouldn't expect the janitor to double as a cook and recipe creator, but at your mom-and-pop restaurant, the owner might also act as a stand-in electrician. While the makeup of these groups does vary, the majority of ransomware operations will have many individuals tasked with distinct roles.
Perhaps the most common approach for starting a ransomware operation is to purchase a pre-made ransomware build; this refers to a working piece of malware, capable of encrypting data, that is ready for use. This is a cheap and effective way to start a low-level ransomware operation, permitting a cybercriminal to target individual computers, with impacted users having their files automatically encrypted and being directed to a payment system. This type of operation will, however, be fairly unsophisticated and will likely not succeed against businesses; its use will likely be restricted to personal computers. In short, a threat actor will purchase a ransomware build—or indeed use one that's available for free—create an infection mechanism, and then sit back and wait for the profits, in a "hands off" approach.
A good example is the CryptoLocker ransomware, which has been around for many years. This approach relies on fairly unsophisticated delivery methods, such as spam, drive-by downloads, or the sharing of malicious torrents. It typically goes after the least computer-literate victims and results in smaller ransom demands. There is often no support available to victims, and it's realistically possible that the victim may not be able to make a payment at all, if the proponent of the ransomware has since abandoned their operation.
The most impactful type of ransomware operation is of course those involved in big game hunting, i.e. those specifically targeting enterprise or business networks. Within this category of ransomware outfit, we're referring to the big names we frequently mention on our blogs: REvil, Conti, LockBit, Cuba, and ALPHV all fall under this classification.
Within big game hunting operations, the leading figure within the organization is often the developer of the malware or an individual with significant experience from working on other operations. In terms of the team they build around them, it probably works much as in the corporate world: it's not what you know, but who you know. Networking probably goes a long way, and many of the individuals working within ransomware syndicates are likely to be compatriots who have worked on similar projects in the past.
In big game hunting operations, there will likely be significant day-to-day management, with shift patterns, leave days, and rewards systems in place to encourage hard work. Our previous blog covering the Conti leaks identified many of these insights, including a distinct lack of work on weekends, the office chatterboxes, and working practices.
If it's not broken, don't fix it. Of course, many ransomware operations are not established from scratch, with many of the main groups tracked by Digital Shadows (now ReliaQuest) operating as either a rebrand or an alternative established by former members of another ransomware operation. There are a number of reasons why rebranding takes place. Many occur immediately in the aftermath of law enforcement operations, or as a result of significant scrutiny due to the impact of a certain attack; yes, REvil and DarkSide, we're looking at you.
Starting your own operation does, however, create a number of inherent challenges. An actor will need to decide whether they will develop their own malware—which from scratch is likely incredibly time-consuming and challenging—and of course will need to recruit a supporting cast behind them. To the security community, it often appears that many of the rebrands are merely a name change and a refresh of the infrastructure being used. Many of the tactics will be the same, and often the malware used in attacks will be identical to what has been observed with other operations.
A couple of recent examples include Conti's apparent rebranding to "BlackBasta" and "Monti". Investigations of the latter have led researchers to differing conclusions: it remains unclear whether Monti is a rebranded iteration of Conti or merely a new variant built on the leaked Conti ransomware source code. It's very difficult to distinguish between groups that copy one another and those that simply flew too close to the sun.
While the ransomware scene of 2022 is far more active than only a few years prior, it still exists as a fairly unsaturated market; there are far more potential victims to target than current victims, with significant room for further groups to enter the space. This is why the likes of Digital Shadows (now ReliaQuest) are needed to track the activity and tactics, techniques, and procedures (TTPs) of these groups. Even sectors that aren't currently a favorite target of ransomware activity may very well be in the not-so-distant future.
We'll end by touching on RaaS, which is an area that's been discussed at length but is still worth briefly mentioning. RaaS is a subscription-based model that enables affiliates to use already-developed ransomware tools to execute ransomware attacks. Many of the major ransomware groups operate such models, including the likes of Conti, REvil, and LockBit, which has raced ahead as the leader of the pack by fine-tuning its RaaS program. Each of these groups takes a different approach to RaaS; LockBit takes a more controlled approach to its affiliate strategy and the daily running of operations.
An example of a smaller but persistent RaaS operation is "Ranion", which is believed to have been in existence since at least 2017, offering cybercriminals a cheap way into launching their own operations. This likely represents the middle ground between a basic CryptoLocker-type service and the RaaS being offered by the likes of LockBit.
Ranion offers a number of packages that users can select from, with a standard six-month package purchasable for as little as $590. The test package is also 100% hands-off, with no involvement from the Ranion development team. So a threat actor could essentially gain access to a ransomware executable and direct it at whatever target they desire for as little as $150.
Typically in a RaaS model, the malware's operators/developers will take a cut of 20-40% of any ransoms taken from victims identified and encrypted by affiliates. Ranion's business model is quite different, with users of the service able to collect 100% of the ransom, without tipping the developers a middleman fee. In essence, they are purchasing a service and may then proceed however they want. There is also no screening or scrutiny of potential users of the service, which allows inexperienced threat actors to enter the ransomware scene. Ranion can represent a genuinely useful entry point for new threat groups to gain experience in running their own operations before moving on to more professional services later on.
Ransomware is arguably the biggest threat facing businesses in 2022, and this is almost certainly going to continue in the medium-term future (3-6 months). As we commented earlier in the blog, while the number of active groups has increased dramatically, there will always be a market of potential victims. Some of the sectors that are not frequent targets of ransomware today could be in the future.
How can you best prepare for this risk? Well, the most effective method is receiving up-to-date information on the evolving landscape, allowing companies to make changes proactively, rather than reactively when it's too late. Ransomware groups are opportunistic in nature, targeting the lowest-hanging fruit and taking the path of least resistance; in other words, if you're trying to outrun a bear, you simply need to be faster than the guy running next to you.
Ransomware in 2023 is almost certainly going to continue to become more organized, with newer groups entering the scene. That's why it's as important as ever to stay one step ahead of the game. You can get a comprehensive look at the data that we used to build this blog and our quarterly ransomware reporting with a free demo request of SearchLight here. You can additionally get a customized demo of SearchLight (now ReliaQuest's GreyMatter Digital Risk Protection) to gain visibility of your organization's threats and potential exposures, including access to a finished threat intelligence library with MITRE associations and mitigations from Photon Research.