Around a decade ago, the bad people who make ransomware had an idea that proved so successful it helped fuel a crime boom that still haunts us to this day: hide the technical complexity of ransomware behind simple web platforms so that any criminal can launch attacks.
Better known as ransomware-as-a-service (RaaS), the model got off to a slow start but has come to dominate this type of cybercrime, and is responsible for thousands of attacks since the pandemic alone.
Ransomware attacks make a lot of money in ransoms when victims pay up, but a lot of human effort is also involved in pulling off these attacks. Targets must be found, access brokers paid for stolen credentials, and then there’s the drawn-out ransom negotiation stage.
This is more work and effort than even the most workaholic ransomware criminal can handle. But by getting other criminals to conduct the attacks using RaaS in return for a healthy commission, suddenly the profits far exceed what a standalone crime group can do on its own.
Now for the catch
If this all looks too good to be true, in recent months it's become clear that it is. The crime ecosystem comprising big RaaS platforms and the hundreds of affiliates that use them only works as long as the RaaS platform itself isn't compromised.
For years that possibility seemed like a long-shot hope, but the 2024 takedowns of LockBit and ALPHV/BlackCat by police show that these platforms are mortal after all.
The police spotted this weakness years ago, which is why they have quietly devoted significant resources to disrupting these platforms and the people accused of building them.
But it's not just a matter of putting criminal infrastructure out of action. In a speech in June 2024, Bryan Vorndran, assistant director of the FBI's Cyber Division, revealed that the LockBit disruption had given the Agency access to more than 7,000 decryption keys, which could be used to unlock victim data.
Exactly how many victims those keys were related to probably depended on a variety of factors, but in theory it could be one per victim.
“We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov,” said Vorndran.
It’s not clear how easy it will be to relate specific decryption keys to each victim, or even how many will take them up on the offer possibly years after they suffered an attack.
However, the capture of decryption keys from the world’s most prolific ransomware platform is still a coup.
Getting hold of a cache this large would have been unthinkable in the pre-RaaS era when keys were held by multiple smaller groups. But this is the advantage of building a platform – everything you need is in one place.
If you’re a past victim, or if you become a victim in future, the message is not to give up on your data. It can’t be un-stolen but at least now there’s a decent chance it might one day be decrypted.