Security News > 2024 > March > The effects of law enforcement takedowns on the ransomware landscape
While the results of law enforcement action against ransomware-as-a-service operators Alphv/BlackCat and LockBit are yet to be fully realized, the August 2023 disruption of the Qakbot botnet has had one notable effect: ransomware affiliates have switched to vulnerability exploitation as the primary method of delivering the malware.
The researchers pointed out other current trends related to ransomware attacks: the attackers' use of vulnerable drivers, legitimate remote desktop tools, custom data exfiltration tools, and abuse of built-in Windows utilities to steal credentials.
"There are significant disparities between overall, publicly claimed activity levels and ransomware activity investigated by Symantec. While LockBit was responsible for over 21% of the 4,700 attacks claimed in 2023, they were only identified as being involved in around 17% of the attacks Symantec investigated. Conversely, claimed 9% of all attacks in 2023 but it was involved in a little over 20% of all attacks Symantec investigated," they shared.
"For Symantec to positively identify an attack as associated with a certain ransomware family, the attack has to advance to the stage where the attackers attempt to deploy a payload. This suggests that affiliates are more likely to advance their attacks at least to the payload deployment stage."
Symantec's 2023 figures are unlikely to reflect the current situation, though: Alphv/BlackCat is apparently pulling off an exit scam and cheating some of its affiliates, and LockBit ransomware gang's main operator has been trying to reassure affiliates spooked by law enforcement action to stay and continue their collaboration.
In the meantime, the vacuum in the ransomware landscape created by those two group's troubles has - according to cybersecurity firm RedSense - been partly filled by the Akira ransomware collective and associated "Ghost groups" like Zeon.
News URL
https://www.helpnetsecurity.com/2024/03/13/law-enforcement-action-ransomware/