What effect did last year’s high-profile police disruption of the world’s two foremost ransomware groups have on the wider criminal industry surrounding them?
It’s been an open question ever since the infrastructure of ALPHV/BlackCat was targeted in December 2023, followed a few weeks later by a similar action against LockBit.
Eventually, security companies that track trends and behavior among ransomware groups started to come up with some answers.
The most interesting data was from Coveware, a ransomware response company that recently issued its stats for Q1 2024, the period of the initial impact of the police takedowns.
The good news is that the police takedowns appeared to work as intended. For the first time, criminals involved in ransomware were gripped by uncertainty.
Flailing around
According to Coveware, the biggest cause of this was the ripple of chaos that resulted from the takedowns themselves. Affiliates wondered whether the police might be able to identify them through their forensic connections to these groups and whether it was now too risky to continue in the game.
It didn’t help that ALPHV/BlackCat executed what looked to be an exit scam on its ransomware affiliates, refusing to hand over ransom funds as it normally does. LockBit was accused of perpetrating something similar. Worst of all, LockBit appeared to be flailing around, boasting about resurrecting itself and then failing to back up this claim.
As Coveware wrote:
“Both the LockBit and BlackCat actions have caused a mass diaspora of ransomware affiliates that are deciding where to go and what to do with themselves.”
Significantly, amidst the instability, the average ransomware payment dropped by 32% to $381,980 in Q1 2024 compared to the final quarter of 2023. After rises throughout 2023, this represented a sharp fall, albeit after a period of probably unsustainable inflation.
Coveware’s figures suggest that other groups decided to be less ambitious in their demands after the percentage of victims paying up dropped to 28%.
Why might payment behavior have changed? Most likely because paying was making less difference than before. Criminals were ransoming data while still leaking it even when a ransom was paid. As to the issue of criminal encryption:
“Enterprises large and small are increasingly able to withstand an encryption attack, and restore their operations without the need for a threat actor decryption key.”
These events underline that cybercrime is not immune to countermeasures. Police actions don’t necessarily stop criminals but they can force them to adjust how they operate.
The question is whether police can keep up the good fight. With ALPHV/BlackCat and LockBit in decline, the next in line in terms of market share during 2024 was the Akira ransomware.
Perhaps not coincidentally, the FBI revealed that Akira ransomed at least 250 organizations during 2023, netting itself $42 million in extortion payments.
Law enforcement must now contend with what in pop and rock music is referred to as the ‘difficult second album’ phenomenon. The police have had a big success, but that’s served mainly to raise expectations. At least nobody can be in doubt about the next group in the crosshairs of the law.