Why Ransomware Groups Are Rebranding Their Operations


In October 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that added a new dimension to the debate surrounding whether to pay ransomware attackers. The advisory noted that OFAC has designated ransomware attackers and other malicious actors under its cyber-related sanctions program and other sanctions frameworks. It clarified that OFAC may subsequently impose civil penalties on U.S. persons who violate those sanctions programs by making payments to designated individuals. Because those programs impose strict liability, U.S. persons may incur a penalty even if they did not know, or have reason to know, that they were making a payment to a designated individual.

OFAC’s advisory gave the U.S. government another avenue by which it could raise the costs of fulfilling ransomware groups’ payment demands. Several months later, the U.S. government focused on ransomware even further following the Colonial Pipeline incident. Indeed, DarkSide’s disruption of a major pipeline attracted the attention of the FBI and the U.S. Cybersecurity & Infrastructure Security Agency (CISA), among other public entities. Shortly afterward, the REvil ransomware group announced that DarkSide had closed its doors after someone had stolen access to its servers and made off with its profits.

A Rebranding Wave 

Taken together, OFAC’s announcement and the attention generated by the Colonial Pipeline incident made it more difficult for ransomware groups to continue doing business in their existing operations. This helps to explain why some ransomware gangs spent the summer of 2021 rebranding themselves. Provided below are a few of those ransomware groups that assumed a different name to avoid sanctions and draw less attention to themselves: 

Evil Corp Impersonates the Babuk Operation 

In the beginning of June, Bleeping Computer discovered a new ransomware sample called “PayloadBIN.” The computer self-help website assumed that the malware was related to the rebranded Babuk operation and that those attackers had lied about their intention to move away from ransomware by focusing on data theft. But after analyzing the malware, security researchers Fabian Wosar and Michael Gillespie confirmed that PayloadBIN was a rebranded version of Evil Corp’s ransomware operations. Wosar noted to Bleeping Computer that Evil Corp had likely impersonated Babuk to masquerade as an unsanctioned ransomware group. 

DoppelPaymer Becomes Grief 

Less than two months later, Zscaler wrote that DoppelPaymer ransomware activity had dropped in May 2021. The security firm reasoned that the DoppelPaymer gang might have decided to lay low following the Colonial Pipeline attack. Whatever the reason, the ransomware group used that break to rebrand itself as Grief. Zscaler confirmed that the two threats are the same, noting that a Grief sample compiled on May 17 still pointed to DoppelPaymer’s ransom portal. 

BlackMatter Incorporates DarkSide, REvil, and LockBit 

Around the same time that news of Grief first emerged, The Record wrote that a new Ransomware-as-a-Service (RaaS) affiliate program called “BlackMatter” had emerged. Those behind the operation told The Record that it had “incorporated in itself the best features of DarkSide, REvil, and LockBit.” DarkSide went offline following the Colonial Pipeline incident, as discussed above, while the REvil group’s websites went dark shortly after the Kaseya supply chain attack. LockBit is the only one of those three ransomware groups that’s still in operation. (In fact, its attackers recently announced LockBit 2.0.) 

SynAck Morphs into El Cometa

In mid-August, the SynAck ransomware gang released decryption keys for the victims that it had affected between July 2017 and 2021. The ransomware group was in the process of rebranding itself as El Cometa at the time of the release. A member of SynAck allegedly stole the decryption keys and then provided them to The Record. 

Ransomware Defense as an Ongoing Process 

As the examples discussed above illustrate, ransomware groups will continue to try to evade the gaze of the U.S. government and perpetuate their malicious activities. That’s why organizations need to treat ransomware prevention as an ongoing process. One of the ways they can do that is by augmenting their ability to defend against email attacks, one of the most common delivery vectors for ransomware.

Learn how Zix | AppRiver can help.