The ransomware-as-a-service (RaaS) groups LockBit and ALPHV (aka BlackCat), among others, have been the focus of distributed denial-of-service (DDoS) attacks targeting their data leak sites, causing downtime and outages.
The attacks have been monitored by Cisco Talos since Aug. 20 and include a wide range of other RaaS groups, including Quantum, LV, Hive, Everest, BianLian, Yanluowang, Snatch, and Lorenz.
Forum posts by the LockBit gang’s technical support arm, “LockBitSupp,” indicate that the attacks have had a significant impact on the group’s activities, with nearly 1,000 servers targeting the leak site with close to 400 requests per second, researchers said.
“Many of the aforementioned groups are still affected by connectivity issues and continue to face a variety of intermittent outages to their data leak sites, including frequent disconnects and unreachable hosts, suggesting that this is part of a sustained effort to thwart updates to those sites,” a Talos blog post explained this week.
The groups have responded in different ways, with some sites simply redirecting web traffic elsewhere, as in the case of the Quantum group, while others have beefed up DDoS protections.
“Given that this activity is continuing to interrupt and hinder the ability for these affiliates and operators to post new victim information publicly, we will likely continue to see various groups respond differently, depending on the resources available to them,” the blog post authors noted.
Shutdowns Offer Respite to Targeted Groups
Aubrey Perin, lead threat intelligence analyst at Qualys, says in the case of a DDoS attack on RaaS leak sites, victims of criminal hacking gang activity would clearly benefit. Perin notes that the report showcases how effective these attacks are at halting ransomware operations, with outages allowing defenders precious time to investigate.
“If the leak sites are shut down, the victim’s infrastructure cannot be announced,” Perin says. “The purpose of these types of attacks is to interrupt the gangs’ activities.” He adds that if gangs cannot list victim information, then extortion tactics become far more difficult, and in some cases benign.
However, Perin adds that today’s bad actors are growing increasingly sophisticated and learning from mistakes on the fly, so they may find workarounds rather quickly.
“More mature gangs have exemplified their agility to quickly re-organize and launch more sophisticated countermeasures for DDoS attacks,” Perin explains. Where initial ransomware authors used “spray-and-pray” methods, Perin points out that today’s bad actors carry out ransomware attacks as professional operations, with each applying their own “special sauce.”
“Organizations each have their own strategies and protocols they follow, and RaaS is no different. Each gang finds what works best, develops strategy, and executes,” Perin says. “Each gang’s operations are unique to that of other gangs.”
Thus, Perin says, without a deeper understanding of a specific gang’s operating schedule and strategy, it is next to impossible to know the real impact on its operations.
“That being said, these attacks certainly have the power to tarnish their reputations,” Perin notes.
Rival Extortion Groups, Government Agencies Could Benefit
When it comes to who’s behind the DDoS efforts, Rick Holland, CISO and vice president of strategy at Digital Shadows, says rival extortion crews and government agencies are two possible beneficiaries of attacks against data leak sites.
“There is no honor among thieves, and there is a history of groups targeting each other,” he says. “On the government side, US Cyber Command commander General [Paul] Nakasone admitted to targeting ransomware groups last year, so it would be reasonable to assume that the US government has continued efforts to disrupt the adversaries.”
Holland says extortionists need to think about their site’s resilience, just like legitimate businesses.
“There are other ways for ransomware victims to interact with the actors,” he explains. “RaaS representatives are available on forums, and victim negotiations can still be taken offline through various messaging applications.”
Andrew Hay, COO at LARES Consulting, adds that the targeted gangs are likely actively combating the issue.
“We’ll likely see the threat groups relocate their servers and services to a more distributed infrastructure to maintain availability, just like any organization would to stay operational,” he says.
From Hay’s perspective, the report suggests that attacks directed at RaaS data leak sites are likely not going to fade away anytime soon, which could lead to a sort of underground competition for affiliates.
“You don’t need to be the best, you just have to be better — or more available — than the other guy,” he says.