Why ransomware gangs love rebranding
Few ransomware gangs have existed for longer than 18 months. It's not because criminals disband. Instead, a trend to rebrand ransomware cartels has taken hold.
Being an infamous criminal is a double-edged sword. While notoriety signals success on the dark side, at the same time, it's a cause for concern.
Alvin Karpis, the last American Public Enemy No. 1 and the brains behind the bank-robbing Karpis-Barker gang, was acutely aware of the burdens stardom carries.
"To be a celebrity, you have to be known. And you can't do that kind of business without going to jail," Karpis said in an interview after spending 33 years in prison for the kidnapping of businessmen and subsequent money extortion, the analog version of ransomware.
It seems that cybercriminals, the data kidnappers, took this lesson to heart. For example, researchers at Kaspersky noted recently that the lifespan of a ransomware gang has shrunk to less than 18 months.
Most cybercriminals, however, do not simply go away. The same people use the same tools to do the same jobs, albeit under a different name. Enter ransomware rebranding: the time-tested practice of hiding in plain sight.
Cloak of invisibility
A cyberattack against the Colonial Pipeline facility in Alabama was one of the biggest cyber stories this year. Hackers forced a pipeline covering 45 percent of the East Coast's fuel supplies to shut down over a ransomware attack, causing fuel shortages in the American Southeast.
Days later, the FBI confirmed that the Darkside ransomware gang was behind the attack. The group had been operating since August 2020, yet this was the gang's biggest score to date. So big, in fact, that the group announced it was shutting down only a week after the attack.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the shutdown was short-lived. Two months later, another group, BlackMatter, emerged, widely believed to be a rebranded version of Darkside.
A similar story goes for another notorious ransomware group, REvil, also known as Sodinokibi. Although it had been operating since 2019, the group made headlines in 2021 with attacks against meat supplier JBS and software company Kaseya. It, too, bit off more than it could chew, going offline after the attack.
That would not be the first time for REvil. The group is widely believed to be an offshoot of GandCrab ransomware, which shut down after netting $2 billion in ransom payments between January 2018 and May 2019.
These two are not isolated cases: recently, Avaddon became Haron, DoppelPaymer is now Grief, and SynAck changed to El Cometa.
No honor among thieves
Extortion malware is usually operated by humans rather than run fully automatically, so there's always somebody at the other end of the digital ransom note.
As much as cybercriminals would like a rebrand to go unnoticed, security researchers have tools to identify the links between old and new groups.
"Developers, like writers, have styles that persist across their output. Not conclusive but indicative," Brian Chappell, Chief Security Strategist EMEA &APAC at BeyondTrust, told CyberNews.
After all, at its core, malware is just text written by humans, and people leave traces. Detailed code analysis makes it possible to spot functional similarities between old and new malware and to infer whether the group's core remains the same.
"You can change your name relatively easily, but a successful strategy for your business is much harder to change," Chappell explained.
The approach is not foolproof, though. As James Maude, Lead Cyber Security Researcher at BeyondTrust, pointed out, that's because there's no honor among thieves.
"Malware authors will steal each other's code and ideas, so it is often hard to distinguish a copycat from a rebrand. From internal disagreements to out and out hacking of competitors, there are many ways these rebranded versions can appear," Maude said.
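The similarity analysis described above, and the copycat problem Maude raises, as an added example that is not from the article or from any of the quoted researchers: the feature sets are constructed stand-ins for the strings, API names and artefacts an analyst would extract from real samples, and the rarity weighting is one common way to stop widely copied code from making a copycat look like a rebrand.

```python
"""Added example (not the article's code): rank ransomware samples by
code-feature overlap to flag a likely rebrand, discounting features that
every family shares. All feature sets below are constructed."""
from math import log

# Constructed feature sets. "vss_delete" and "lang_check_cis" appear in every
# family (commodity techniques); "rsa_then_salsa" and "note_template_v3" were
# copied by the copycat; "mutex_scheme_x" and "ext_random8" are the real tells.
SAMPLES = {
    "FamilyA_2020": {"vss_delete", "lang_check_cis", "rsa_then_salsa",
                     "note_template_v3", "mutex_scheme_x", "ext_random8", "cfg_blob_v2"},
    "NewName_2021": {"vss_delete", "lang_check_cis", "rsa_then_salsa",
                     "note_template_v3", "mutex_scheme_x", "ext_random8", "cfg_blob_v3"},
    "Copycat": {"vss_delete", "lang_check_cis", "rsa_then_salsa",
                "note_template_v3", "go_runtime", "tor_chat", "cfg_blob_v1"},
    "Unrelated": {"vss_delete", "lang_check_cis", "aes_only",
                  "note_html", "smb_spread", "go_runtime", "tor_chat"},
}

def jaccard(a, b):
    """Plain set overlap: every shared feature counts the same."""
    return len(a & b) / len(a | b)

def rarity_weights(samples):
    """IDF-style weight: a feature seen in every family scores 0,
    a feature seen in a single family scores log(N)."""
    n = len(samples)
    return {f: log(n / sum(f in s for s in samples.values()))
            for f in set().union(*samples.values())}

def weighted_jaccard(a, b, w):
    """Overlap where shared rare features count more than shared commodity ones."""
    union = sum(w[f] for f in a | b)
    return sum(w[f] for f in a & b) / union if union else 0.0

def rank_candidates(samples, query):
    """Return (name, plain, rarity-weighted) for every other sample, best match first."""
    w = rarity_weights(samples)
    q = samples[query]
    rows = [(name, round(jaccard(q, s), 2), round(weighted_jaccard(q, s, w), 2))
            for name, s in samples.items() if name != query]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, plain, weighted in rank_candidates(SAMPLES, "FamilyA_2020"):
        print(f"{name:14} plain={plain:.2f} rarity-weighted={weighted:.2f}")
```

With plain Jaccard the copycat scores about half as high as the rebrand; once commodity and widely copied features are discounted, the gap widens to roughly fourfold, which is the kind of separation an analyst wants before calling a new name an old group.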
The most apparent reason behind rebranding is to avoid detection. For example, Russian-speaking hackers of Darkside and REvil drew so much attention that US President Joe Biden discussed ransomware with his counterpart in Moscow, Vladimir Putin.
Rebranding, suggests Charles Denyer, a veteran cybersecurity expert, is meant to take the heat off criminals who find themselves in precisely such a situation. Going silent, in theory, should allow ransomware gangs to hide their digital and real-world presence.
"The going dark strategy is quite effective, making authorities work even harder to connect the dots and who they are and where they came from," Denyer told CyberNews.
Interestingly, going dark might not have been enough for every REvil member, as one of its affiliates, a 22-year-old Ukrainian national, Yaroslav Vasinskyi, was arrested in Poland. Another REvil-linked hacker, Yevgeniy Polyanin, ended up on the FBI's wanted list.
The desire for notoriety rarely holds up under attention from law enforcement agencies and security researchers. Craig Glatt, a Lead Cybersecurity Analyst at AGIO, thinks that changing names can simply be a distraction aimed at the group's survival.
"They think that if they can reinvent their identity, they'll be able to throw analysts off the trail and become notorious all over again," Glatt told CyberNews.
Having your gang's name linked to the FBI's most wanted list severely hinders the business model ransomware cartels operate.
The people behind the extortion malware are rarely the ones who carry out the attacks. Under the Ransomware-as-a-Service (RaaS) model, the 'brains' of the operation lease access to the tools to affiliates for a cut of the ransom, usually around 20-30% of the extortion money victims pay.
Having international law enforcement agencies combating a specific strain of malware discourages affiliates from touching the 'hot' malware, making rebranding a lucrative way to start fresh.
"Rebranding could involve location moves, new communication channels, and fresh accounts to receive payments – a clean start in a dirty world or as clean as one can get. I suspect it's also more prevalent among gangs who are financially motivated, less ego, more earning," Chappell explained.
According to Mathieu Gorge, IT security expert, founder, and CEO of VigiTrust, pleasing affiliates is likely the top reason why ransomware gangs rebrand.
"The authorities are no fools; they know hackers rebrand. They can also recognize the tell-tale hallmarks of hacker groups, even if they change their names. So, the rebranding is for affiliates and, ironically, for their customers," Gorge told CyberNews.
Experts we've talked to offered a somewhat surprising reason why ransomware gangs might start looking for a new name: ethics. Much like legitimate businesses wanting to distance themselves from unsavory past practices, cybercriminals follow the same path.
"While you might think that threat actors wouldn't care, many do and have codes of conduct and even terms and conditions criminal partners agree to, such as no hospitals or schools," Maude explained.
Reputation matters because being associated with causing death can backfire in multiple ways. Affiliates might look for a safer bet, while victims could refuse to pay on principle, no matter the fallout.
"The groups have to decide what is more important: money or reputation. The money they can get back in another hack, but if they keep messing with life-or-death consequences, victims will eventually get angry and refuse to pay," Gorge said.
Stepping over a 'red line' can unleash fury not only from law enforcement but from within the hacker community as well. According to Gorge, the cyberattack that paralyzed the Irish health system is a good example.
The Conti ransomware gang initially demanded a $20 million ransom, yet decided to hand over the decryption software after the backlash over attacking a health system in the middle of a pandemic.
"The hospital hackers decided they couldn't afford to have a civil war between hackers, so they provided the decryption keys before the victims paid, even when the victims were willing to pay," Gorge said.
No matter the reason for rebranding, Gorge says it's better for ransomware gangs to rebrand than splinter.
"In Greek mythology, if somebody cut off one of the Hydra's heads, two would grow back in its place. […] We prefer a group to rebrand rather than become a snake that grows more heads after you cut one off. It's much easier to manage," he said.