Rising Ransomware Issue: English-Speaking Western Affiliates

Domestic Teen Groups Demand ‘Nip the Bud’ and ‘Alternative Pathways,’ Experts Say

Ransomware experts are concerned about the rise of Western affiliates of mostly Russian ransomware groups. (Image: Shutterstock)

Western law enforcement agencies are battling a rising ransomware threat: attackers not based in unreachable Russia, but inside their own borders.

Given the coalition of Western governments targeting ransomware and law enforcement agencies’ appetite for justice, enlisting in a ransomware crew from your home in North America or the United Kingdom might seem foolhardy.

Enter teenagers, illusions of invincibility and the lure of extreme profits.

Security experts say Western teenagers comprise a number of active affiliate groups, many with ties to the cybercrime community that calls itself “The Community,” aka the Com or Comm. In recent years, as SentinelOne has reported, that Community spawned such groups as Lapsus$ and Scattered Spider. The latter has been tied to a number of rapidly executed, high-profile attacks that often end with victims’ systems being crypto-locked with BlackCat – aka Alphv – ransomware.

“The majority of the Las Vegas hacks that happened recently were affiliates that were part of Com,” said Marc Rogers, chief technology officer for the AI observability startup nbhd.ai, and an adviser to the Institute for Security and Technology, during a Monday webinar hosted by the organization. “These are domestic teenagers attacking major domestic corporations.”

In the big picture, a lot of cybercrime originates in jurisdictions that are tough for Western law enforcement to reach, said ransomware expert panelists during the webinar hosted by IST. In 2020, IST launched the public/private Ransomware Task Force, whose guidance is now being used to combat ransomware.

“Pound for pound, the majority of groups and affiliates are still foreign,” said panelist Jason Kikta, an IST adviser who’s CISO at Automox. Even so, when it comes to the rise of Western affiliates working with these groups, “we want to nip it in the bud,” he said, not least to discourage others.

Scattered Spider’s Bite

Since mid-2022, Scattered Spider – also tracked as UNC3944 and Roasted 0ktapus – has been tied to attacks against over 130 organizations. They include customer engagement platform Twilio, email service provider Mailchimp and MGM Resorts, which last summer opted to rebuild from scratch rather than pay a ransom. Another target, Caesars Entertainment, reportedly paid the group a ransom worth about $15 million.

Western ransomware affiliates’ secret sauce is that unlike their Eastern European partners, they often speak English natively.

“That’s opened up the attack surface to more and more effective social engineering attacks,” which appears to have been key for successfully attacking MGM Resorts, Caesars and many more targets, said panelist Allan Liska, an intelligence analyst at Recorded Future.

Western law enforcement agencies haven’t been standing still. The FBI said it’s devoting “significant” resources to squishing Scattered Spider. In January, U.S. federal prosecutors charged Floridian Noah Michael Urban, 19, with stealing at least $800,000 in cryptocurrency while working as a member of the group (see: Florida Teen Faces Federal Charges in $800,000 Crypto Theft).

Liska said that arrest happened “really fast” – as far as investigations go – following the alleged crimes. The FBI isn’t an outlier, with the Royal Canadian Mounted Police busting at least six domestic cybercriminals in the past two years.

Economic Incentives

The ransomware elephant in the room remains Russia, which never extradites citizens to face foreign charges. Possibly by design, Moscow seems inclined to look the other way so long as Russian cybercriminals sow disruption inside Western adversaries’ infrastructure and refrain from targeting local organizations. Kremlin hackers also look to the cyber gangs for hosting infrastructure and tools. The cybercriminal underground is also a talent pool for hackers carrying out intelligence missions as contractors (see: The Global Menace of the Russian Sandworm Hacking Team).

Ongoing sanctions against Russia continue to make cybercrime an economically attractive endeavor for locals. Barriers to entry are low, not least thanks to numerous online tutorials about how to maintain operational security – OPSEC – and ready access to free or low-cost tools, including ransomware builders.

Even so, experts see ongoing advancements in law enforcement’s ability to upset the business model, including disruptions of such high-flying ransomware operations as BlackCat last December and LockBit in February. While the disruptions, coordinated by multiple international law enforcement agencies, didn’t deliver knock-out blows – only arrests of key players might do that – experts say they’ve sown discord, eroded morale and disrupted the flow of profits.

Rogers said law enforcement agencies have gotten much cannier at “sweating the assets” through infiltration, intelligence-gathering and running psychological operations – including recently against several hundred LockBit affiliates. Those tactics are a step up from merely swooping in and seizing servers.

Case in point: After the U.K. National Crime Agency spearheaded the seizure of LockBit’s infrastructure, the cops took a page from attackers’ playbook and trolled the group’s hundreds of affiliates via a lookalike data leak page: “You can thank LockBit and their flawed infrastructure for this situation.” They promised affiliates: “You may be hearing from us very soon,” and that “Until then, we hope they have a nice day.”

Police have put ransomware affiliates on notice that they’re actively attempting to unmask, and then arrest and prosecute them, Rogers said.

“That, to me, is the future of this kind of work,” he said. “If we sweat the assets that we gain, that gives us an upper hand in identifying who they are and breaking their OPSEC. That opens the door to more prosecutions.” All of that also hopefully helps drive at least some of them to quit the life, and others to never sign up.

Needed: More ‘Safe Pathways’

Closer to home, rather than trying to lock up cyber-skilled teenagers who make bad decisions, panelists said they want to see more campaigns designed to deter young people from such criminality.

“If someone came along and started offering them really nice, shiny opportunities to go down safer pathways, sure, you’re not going to get all of them, because there’s always going to be the group that wants to drive away a Lambo for doing virtually nothing,” said Rogers.

But others may be more suggestible and, if properly induced, may decline get-rich-quick schemes with poor long-term outcomes. “You can start giving people an alternative pathway, and that will damage the conveyor belt that brings new ones in, when you start taking the top ones out,” he said.