Decoding Ransomware Affiliates: Perspectives from an Industry Insider

The landscape of ransomware trends has changed drastically over the past several years. The image of individuals in basements creating one-off code is antiquated. These organizations are much more sophisticated, and the fact that ransomware attacks nearly doubled in a year proves it. But what’s really going on here? Drawing from the detailed research presented in our comprehensive State of Ransomware Report 2024: A Year of Surges and Shuffling, and as the head of the research team that created it, here’s my perspective on the data and unfolding dynamics of ransomware actors.

The power has shifted to affiliates.

After tracking ransomware operators and affiliate activity over the last year, we’re seeing a power shift. Traditionally, ransomware operators held the power, dictating terms to their affiliates and ensuring that affiliates only worked with them. However, new research shows that times have changed. Ransomware affiliates are freely moving between operators, and operators are competing to attract affiliates.

What is driving this transformation? In my opinion, it’s simple: profit. Affiliates are shopping around to get the highest commission from operators. Affiliates are now choosing the targets but rely on operators for the ransomware software (the weapon to carry out their attacks) and guidance on how to deploy it (the Ransomware as a Service (RaaS) model). Once armed, the affiliate can very quickly encrypt terabytes of their target’s data and hold it for ransom.

Yes, ransomware operators could carry out attacks on their own since they have all the resources to do it, but they want to scale. The more ransomware affiliates they bring in, the more opportunities they have to make money. It’s a business model that works much like a (legitimate) company’s channel partner program – a channel partner will work with multiple companies, including competing companies. Ransomware operators will compete for opportunities that affiliates are shopping around and will start to compromise on their commission to win the affiliate’s business.

Off-limits is now on.

This new power dynamic changes everything, including how operators conduct business. In the past, operators set the rules of engagement, preventing ransomware affiliates from attacking certain companies like children’s hospitals or nonprofits. But as operators are losing that power, the affiliates are now deciding who to target. If a ransomware operator doesn’t give them the tools they need to do it, they will move on to another operator who will. 

For example, in 2023 LockBit attacked The Hospital for Sick Children (SickKids) and later apologized and provided a free decryptor. These types of things happened very sporadically, maybe two or three times a year. But what we see now is that ransomware affiliates are making excuses for going after nonprofit companies, blaming them for outrageous things like laundering money. Ransomware operators are taking the bait and helping affiliates to carry out the attacks. Again, it’s an affiliate market. They have the power, because the affiliates are the real engine of the operator’s business. 

So one of the key ransomware trends we are seeing is that organizations that have previously been considered off limits are now being targeted in greater numbers. For example, the share of healthcare industry ransomware victims increased by 0.6% more this year, with 78 attacks on smaller practices (that often lack the robust cybersecurity defenses of larger hospitals nearly reaching parity with the 82 attacks on larger hospitals and medical organizations.

Of course, the data is still too early to say for certain that attacks on previously “off-limits” organizations will continue to rise, but based on the new dynamics and what we’ve seen to date, unfortunately, my expectation is that this will keep happening. 

Operators care less about protecting their image.

In the LockBit example above, I explained how they backtracked on an attack to a children’s hospital. This was done in large part to help protect their image from a public relations perspective. They wanted to be seen as cybersecurity vigilantes, not victimizers of cherished institutions. Today, they care less about their business image than they do about getting affiliates to work with them.

One reason for this is the FBI operational shutdown of the ransomware operator groups AlphV (AKA BlackCat) and LockBit. The FBI was able to disclose all of LockBit’s affiliates’ names. Whether they were involved or not, ransomware affiliates got spooked, and ransom events dropped for a time, not just from LockBit but across the board. Notably, the LockBit takedown continues, as just days ago officials ​​revealed the identity of its ringleader as Russian national Dmitry Yuryevich Khoroshev, AKA LockBitSupp.

This is a lesson for all ransomware operators. Without the affiliates, they cannot run their business. That’s why affiliates have gained more power, and we’re seeing the effects of that shift, including the number of attacks and attacks on previously protected industries. It’s a more brutal playing field than before.

Read the research and be prepared.

Download the full report, State of Ransomware Report 2024: A Year of Surges and Shuffling, to learn more about the ransomware trends, data, and insights behind my interpretations. And get ready for a potentially ruthless ransomware year ahead by knowing where you and the companies in your supply chain stand in terms of your ransomware risk susceptibility, and find the vulnerabilities you need to address to help prevent them. For further reading, check out my blog, Are You a Prime Ransomware Target? Consider These Risk Factors. In the meantime, my team and I will continue to vigilantly follow this dark underworld of cybercriminals and publish our findings as FocusTags^TM in the Black Kite platform’s and in our Focus Friday blog series that highlights key FocusTags each week.