While this type of extortion is not completely novel, with AlphV/BlackCat reportedly disclosing an incident to the U.S. Securities and Exchange Commission after a victim refused to make a ransom payment, Secureworks said it has not seen other incidents of ransomware groups attempting to abuse regulatory or compliance entities for extortion purposes. Much like their counterparts in legitimate commerce, ransomware enterprises are continuing to develop new services to increase their market share and profits, and are taking advantage of recent disruptions to the ecosystem by offering hackers new ways to collaborate with them. “These tactics have been used by multiple ransomware groups,” wrote Secureworks, noting that the Anubis operators “threaten to take the notifications a step further” by submitting reports themselves to various regulators. If successful, the new business models could reshape the ransomware ecosystem in the same way LockBit’s affiliate model helped that scheme become the market leader, before it was effectively shuttered following a law enforcement disruption operation last year. Rafe Pilling, the director of threat intelligence at Secureworks’ Counter Threat Unit, said it was unsurprising that in the wake of the LockBit takedown he and his team were seeing “wider experimentation with different operating models” among ransomware groups. Anubis, which researchers started tracking in December, is offering three monetization schemes for its customers, from traditional encryption attacks that see the affiliates pocket 80% of the ransom through to data extortion attacks (60% of the ransom) and simple access monetization (50% of the ransom). As detailed by Secureworks, DragonForce and Anubis are attempting to entice hackers to come and work with them by adopting affiliate models that would increase the volume of incidents their services can be used in.
Disrupting the most successful groups and driving decentralization across the ransomware ecosystem has been a major focus for officials attempting to tackle the ransomware problem. Laura Galante, a former director for cyber at the Office of the Director of National Intelligence, told journalists last September that disruptions such as those by the FBI and Britain’s National Crime Agency were intended to have a strategic effect. “Disruption operations have been really key to making this harder for certain groups to really get deeper and more specialized and mature, and makes the organizations a little bit more chaotic, which ends up being helpful because it takes more time for them to reconstitute and have successful operations in the future,” she said. The operators behind the DragonForce and Anubis ransomware-as-a-service schemes are launching new business models to attract affiliates, according to research published Wednesday. The “cartel” model would allow DragonForce to provide its own established infrastructure and operation management tooling to hackers, but not necessarily force those service users to attack victims using DragonForce’s own encryptor. According to a report by Chainalysis, the extortion payments that have been funding the criminal ecosystem dropped last year. Anubis includes various tactics for increasing pressure on victims to pay, including threatening to publish stolen data as well as naming them on social media.
This Cyber News was published on therecord.media. Publication date: Wed, 23 Apr 2025 15:45:11 +0000