Ransomware-as-a-service (RaaS) gangs are creating new affiliations to split the profits from outsourced ransomware attacks that target high-profile public and private organizations. RaaS is a ransomware rental service in which the hackers who successfully breach a target’s network pay a fee to use the RaaS crew’s malicious code.
Most of the better-known ransomware gangs run affiliate programs where prospective partners submit applications and resumes to apply for membership. The ransomware developers receive a 20-30% cut of profits, and the affiliate gets 70-80% of the ransom payments they collect.
As of late 2020, over two dozen ransomware-as-a-service gangs were actively looking to outsource extortion attacks to affiliates. According to threat intelligence firm Intel 471, there were also “known private gangs operating in tight, close-knit criminal circles using direct and private communication channels that we have little visibility into.”
The ransomware gangs Intel 471 observed from late 2019 to late 2020 were classified into tiers based on notoriety and longevity. They range “from well-known groups that have become synonymous with ransomware, to newly-formed variants that have risen from the failures of old, to completely new variants that may have the ability to unseat the current top-level cabals.”
Tier 1 gangs have successfully collected hundreds of millions in ransoms over the past several years. The majority of them use additional extortion schemes, such as stealing sensitive information from their victims’ networks to be blasted on leak sites if the victims fail to pay.
Tier 1 groups include DoppelPaymer, Egregor, Netwalker/Mailto, REvil/Sodinokibi and Ryuk.
Tier 2 groups include SunCrypt, Conti, Clop, Ragnar Locker, Pysa/Mespinoza, Avaddon, DarkSide, and more.
Smaller RaaS operations that were left outside Intel 471’s tiers but are nonetheless dangerous include Ragnarok, CryLock, ProLock, Nefilim, and Mount Locker, all of which were recently involved in hacking attacks.