The Ransomware Ecosystem: 

RaaS, Extortion and the Impact on Your Business


“Ransomware continues to be the most significant, serious and organised cyber crime threat faced by the UK.” – James Babbage, NCA Director

Over the last few years, there has been a dramatic rise in ransomware, to the point where it feels like every week there’s a new variant or group making its debut. This article is going to tell you why this is the case, explaining how the dark web operates, the ‘business’ models available to threat actors and exactly what Ransomware as a Service (RaaS) is. 


Ransomware Ecosystem - NCSC

Here’s a graph (from a report by the NCSC and NCA) showing how many data breach victims have been posted on ransomware groups’ sites, commonly known as leak sites. Looking across the last few years, this image alone shows how new groups emerge and then withdraw, while others, many of them RaaS operations, continue to develop their techniques over time.


Recent Ransomware Threat Findings 

Below we have summarised four key ransomware groups, including two that aren’t as well known but are significant because of the emerging trends and methods they use. Three of them (8Base, Clop and LockBit) were responsible for 48% of all recorded cyberattacks in July 2023 alone, according to the US Government’s Office of Information Security (HHS).


Clop 

A RaaS tool known to be agile and responsive to new vulnerabilities. Clop (also written CLOP and Cl0p) is a variant of the CryptoMix ransomware that encrypts data and then renames each encrypted file by appending the ‘.clop’ extension. There are several variants of Clop, and the technical delivery methods become more sophisticated with each new version.
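The one concrete observable the paragraph gives for Clop is the ‘.clop’ extension appended to every encrypted file. Mass renames to a known ransomware extension in a short window are a classic file-server detection, so here is an added example of that heuristic in Python. It is not code from the article, the NCSC or HHS; the rename telemetry is constructed, the event layout (timestamp, host, old name, new name) and the threshold/window values are assumptions, and the extension list contains only the one the article names.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extension named in the article for Clop. A production list would be larger
# and maintained from threat intelligence; comparison is case-insensitive.
KNOWN_RANSOMWARE_EXTENSIONS = {".clop"}

# Constructed sample file-rename telemetry: (timestamp, host, old name, new name).
# Not real data. FS01 shows a burst of renames, WS03 shows slow renames spread
# over minutes, and WS02 shows one ordinary rename.
SAMPLE_RENAMES = [
    ("2023-07-10T14:00:00Z", "FS01", "budget.xlsx", "budget.xlsx.clop"),
    ("2023-07-10T14:00:05Z", "FS01", "contract.docx", "contract.docx.clop"),
    ("2023-07-10T14:00:10Z", "FS01", "payroll.csv", "payroll.csv.clop"),
    ("2023-07-10T14:00:15Z", "FS01", "notes.txt", "notes.txt.CLOP"),
    ("2023-07-10T14:00:20Z", "FS01", "plan.pptx", "plan.pptx.clop"),
    ("2023-07-10T14:00:25Z", "FS01", "photo.png", "photo.png.clop"),
    ("2023-07-10T14:01:00Z", "WS02", "draft.docx", "draft.bak"),
    ("2023-07-10T14:10:00Z", "WS03", "a.txt", "a.txt.clop"),
    ("2023-07-10T14:12:00Z", "WS03", "b.txt", "b.txt.clop"),
    ("2023-07-10T14:14:00Z", "WS03", "c.txt", "c.txt.clop"),
    ("2023-07-10T14:16:00Z", "WS03", "d.txt", "d.txt.clop"),
    ("2023-07-10T14:18:00Z", "WS03", "e.txt", "e.txt.clop"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_ransomware_extension(filename):
    """True if the file's final extension is on the known list."""
    return os.path.splitext(filename)[1].lower() in KNOWN_RANSOMWARE_EXTENSIONS


def rename_burst_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector: per host, raise one alert the first time
    `threshold` renames to a known extension land inside `window`.

    Returns a list of (host, timestamp_of_alert, renames_in_window)."""
    recent = defaultdict(deque)   # host -> timestamps of recent suspicious renames
    alerted = set()
    alerts = []
    # ISO-8601 timestamps sort correctly as strings.
    for ts_text, host, _old, new in sorted(events, key=lambda e: e[0]):
        if not is_ransomware_extension(new):
            continue
        ts = parse_ts(ts_text)
        q = recent[host]
        q.append(ts)
        # Drop renames that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, ts_text, len(q)))
    return alerts


if __name__ == "__main__":
    for host, when, count in rename_burst_alerts(SAMPLE_RENAMES):
        print(f"ALERT {host}: {count} renames to a ransomware extension within 60s (at {when})")
```

The window keeps a single slow rename from paging anyone, while a burst on a file server alerts after the fifth rename rather than after the whole share has been encrypted. Tune the threshold to the host's normal rename rate, and treat a hit as a trigger to isolate the host and check the shadow copies and backups, not as proof of a particular strain.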


LockBit 

An actively developed RaaS platform dating back to early 2020, with multiple variants including LockBit 3.0/Black, LockBit Green and LockBit Linux-ESXi Locker. Originally LockBit targeted only the Windows platform; however, the threat actor group has since added Linux/VMware/ESXi and macOS. LockBit uses a double extortion tactic, demanding that victims pay a ransom both to recover their files and to stop the group from releasing stolen data to the public.


8Base 

The details around the 8Base ransomware group have remained relatively unknown despite the massive spike in its activity throughout the summer of 2023. Multiple sources have identified similarities to the RansomHouse group, but nothing further has been confirmed. The group uses a variety of ransomware strains and varies its distribution methods, which include phishing emails, exploit kits and drive-by downloads. An interesting statement from the Office of Information Security is that 8Base is a data-extortion operation rather than a typical ransomware operation.


Cactus 

This newer ransomware operation, believed to have been active since March 2023, has been exploiting vulnerabilities in VPN appliances to gain initial access to networks. To evade detection by anti-virus software, the ransomware encryptor is itself stored in encrypted form and requires a key to decrypt the binary before it can execute.


Ransomware Ecosystem - NCSC

Here is a simplified ransomware workflow from the NCSC’s recent report. It highlights the ecosystem of the dark web, where each function within this workflow can be offered by a different threat actor; alternatively, depending on the skills of the group or threat actor, multiple functions can be offered together.

  1. The left side of the diagram primarily deals with gaining initial access to targets and the trade of this information. 
  2. Credentials can be sold to Initial Access Brokers (IABs) instead of being sold directly on marketplaces. IABs buy in large volumes and filter for the highest-value victims, whose access they resell at a higher price. 
  3. The right side of the diagram reflects the ransomware ‘business’ model. The options available are ‘Buy-a-Build’, where actors can purchase ransomware code at a relatively low cost; ‘In-House’, where the threat group that develops the ransomware conducts most of the attack itself; and ‘Ransomware as a Service’, where affiliates are usually given a portal to customise the ransomware and acquire new builds if needed. 


Example: According to Fortinet’s research, LockBit offers affiliates a range of options for splitting the ransom fee (typically 1:4 between LockBit and the affiliate). 

LockBit offer affiliates the ability to: 

  • Create private chat rooms to communicate with victim organisations 
  • Use custom “StealBit” stealers for data exfiltration 
  • Upload images, data, and communication history with victim organizations to the LockBit blog (data leak site) 
  • Set exceptions for computer names, file names, and file extensions that are not to be encrypted 
  • Shut down and remove Windows Defender 
  • Run the ransomware in SafeMode 
  • Delete shadow copies 
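The last three affiliate options in the list (disabling Windows Defender, running in SafeMode and deleting shadow copies) are all visible in endpoint process-creation telemetry, and together they are a strong pre-encryption signal. Here is an added Python example of a detector that runs a few behavioural rules over constructed process-creation log lines and escalates a host only when several different rules fire on it. It is not code from the article, Fortinet or the NCSC; the log layout (`<timestamp> host=… user=… cmd=…`), the rule names and the escalation threshold are assumptions, and the sample events are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, one per line, in an assumed
# "<timestamp> host=<name> user=<user> cmd=<command line>" layout. Not real telemetry.
SAMPLE_EVENTS = """\
2023-08-01T09:12:03Z host=WS01 user=alice cmd=C:\\Windows\\System32\\notepad.exe report.txt
2023-08-01T09:12:10Z host=WS01 user=alice cmd=vssadmin.exe delete shadows /all /quiet
2023-08-01T09:12:11Z host=WS01 user=alice cmd=wmic shadowcopy delete
2023-08-01T09:12:15Z host=WS01 user=alice cmd=bcdedit /set {default} safeboot network
2023-08-01T09:12:20Z host=WS01 user=alice cmd=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
2023-08-01T09:13:00Z host=WS02 user=bob cmd=C:\\Program Files\\Backup\\backup.exe --verify
2023-08-01T09:14:00Z host=WS03 user=svc_backup cmd=vssadmin.exe delete shadows /for=D: /oldest
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)

# (rule name, MITRE ATT&CK technique, pattern). The rules cover the behaviours
# in the affiliate feature list: shadow copy deletion, safe-mode boot and
# Defender tampering.
RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", "T1490", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("safe_mode_boot", "T1562.009", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("defender_tampering", "T1562.001", re.compile(r"Set-MpPreference\b.*-Disable\w*", re.I)),
]


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    technique: str
    cmd: str


def parse_event(line):
    """Return the event fields as a dict, or None for lines that do not parse."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(events_text):
    """Run every rule over every event; one Alert per (event, rule) match."""
    alerts = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], rule, technique, ev["cmd"]))
    return alerts


def hosts_to_escalate(alerts, min_distinct_rules=2):
    """A single shadow-copy deletion can be legitimate admin or backup work; a
    host that trips several different rules looks like pre-encryption staging.
    Returns the hosts meeting the threshold, sorted."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} [{a.technique} {a.rule}] {a.cmd}")
    print("escalate:", hosts_to_escalate(found))
```

In the sample, WS03's lone shadow-copy deletion by a backup service account is logged but not escalated, while WS01 trips three distinct rules within seconds and is. Real deployments should also correlate with the file-rename telemetry and with backup job schedules so that scheduled maintenance does not page the on-call analyst.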


How does this impact your organisation?  

The threat landscape is ever-evolving and ransomware groups are no different: criminals follow the trends that see the most success. For example, because of the pressure put on breached organisations, many groups now focus solely on stealing data and the extortion element rather than on encryption. 

The good news is that most ransomware attacks are opportunistic rather than based on sophisticated attack methods. By having a good level of cyber hygiene and maturing your security processes / technology stack, you can dramatically reduce your organisation’s cyber risk. This means your staff will be well equipped to deal with phishing attempts and gaps in your security will be identified and remediated in a timely manner. 


Our vSOC managed services have been designed taking into account the common pitfalls and security challenges faced by organisations. For example:

  • vSOC Recon enables you to assess, prioritise and manage software and configuration vulnerabilities across your organisation all in one sleek dashboard.  
  • vSOC CERT not only helps you achieve Cyber Essentials but supports you in staying compliant and secure all year round.  
  • vSOC Alert is a powerful and comprehensive 24×7 service rolling EPP, EDR, MDR, XDR, SIEM and SOAR technology into one package. 


If you have any questions around ransomware or our vSOC managed services, please get in touch.
