The Demise of Traditional Ransomware-as-a-Service (RaaS) & Responding to Threat Actor Fluidity
We are living in a new era of ransomware, where the once-thriving RaaS ecosystem has decayed into a landscape of adversary deception, half-baked ransomware code, and increasingly poor outcomes for victims who pay. The brand loyalty that once existed between affiliates and administrators is now the exception, not the rule, and identifying the IOCs/TTPs of a given threat actor group requires that defenders now dig past the parent group brand and the encryptor used, down to the individual affiliate. This attribution process is necessary to forecast the outcome of an extortion, and to surface sanctioned actors who attempt to circumvent payment restrictions by obfuscating their identity behind these layers. This discussion will walk through a few case studies of how disparate IOCs, TTPs and behavioral patterns are mosaicked together to gain attribution conviction.
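The "mosaic" idea above, combining weak signals from several categories into one attribution score, is easy to make concrete. The following is an added illustration, not material from the talk or its case studies: it scores an incident's observed indicators against a small set of affiliate profiles, weighting categories by how hard they are for an affiliate to change (a parent brand is trivially swapped, a reused note hash or tooling artifact is not), and then flags any high-scoring profile that carries a sanctions marker. All affiliate names, IOC strings and behavior labels are constructed placeholders; the ATT&CK technique IDs are real but the profiles built around them are invented for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Indicators:
    """One incident's or one profile's evidence, grouped by category."""
    brands: set[str] = field(default_factory=set)     # parent RaaS brand(s) claimed
    ttps: set[str] = field(default_factory=set)       # ATT&CK technique IDs observed
    iocs: set[str] = field(default_factory=set)       # hashes, infra, tooling artifacts
    behaviors: set[str] = field(default_factory=set)  # note wording, negotiation style, payment follow-through

@dataclass
class AffiliateProfile:
    name: str
    indicators: Indicators
    sanctioned: bool = False  # known or suspected sanctions nexus (constructed flag)

# Category weights: brand is cheap to swap, reused IOCs/tooling and negotiation habits are sticky.
WEIGHTS = {"brands": 0.5, "ttps": 1.0, "iocs": 2.0, "behaviors": 1.5}
TOTAL_WEIGHT = sum(WEIGHTS.values())

def score_profile(observed: Indicators, profile: AffiliateProfile) -> float:
    """Weighted fraction of the observed evidence explained by this profile, in [0, 1]."""
    total = 0.0
    for category, weight in WEIGHTS.items():
        seen = getattr(observed, category)
        known = getattr(profile.indicators, category)
        if not seen:
            continue  # nothing observed in this category, it neither helps nor hurts
        total += weight * len(seen & known) / len(seen)
    return total / TOTAL_WEIGHT

def attribute(observed: Indicators, profiles: list[AffiliateProfile]) -> list[tuple[str, float, bool]]:
    """Rank candidate affiliates: (name, score, sanctioned), best match first."""
    ranked = [(p.name, score_profile(observed, p), p.sanctioned) for p in profiles]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

def sanctions_exposure(ranked: list[tuple[str, float, bool]], threshold: float = 0.6) -> list[str]:
    """Names of sanctioned candidates scoring above the threshold, to gate any payment decision."""
    return [name for name, score, sanctioned in ranked if sanctioned and score >= threshold]

# Constructed sample data: two affiliates operating under the same parent brand.
PROFILES = [
    AffiliateProfile(
        name="affiliate-A",
        indicators=Indicators(
            brands={"BrandX"},
            ttps={"T1486", "T1021.001", "T1078"},
            iocs={"ioc-tool-hash-9"},
            behaviors={"negotiation-verbose", "note-variant-a"},
        ),
    ),
    AffiliateProfile(
        name="affiliate-B",
        indicators=Indicators(
            brands={"BrandX", "BrandY"},
            ttps={"T1486", "T1567.002", "T1021.001"},
            iocs={"ioc-note-hash-1", "ioc-tool-hash-2"},
            behaviors={"negotiation-terse", "note-variant-a"},
        ),
        sanctioned=True,
    ),
]

# Constructed incident: the brand alone points at either affiliate, the rest of the mosaic does not.
INCIDENT = Indicators(
    brands={"BrandX"},
    ttps={"T1486", "T1021.001", "T1567.002"},
    iocs={"ioc-note-hash-1", "ioc-tool-hash-2"},
    behaviors={"negotiation-terse", "note-variant-a"},
)

if __name__ == "__main__":
    for name, score, sanctioned in attribute(INCIDENT, PROFILES):
        print(f"{name:14s} score={score:.3f} sanctioned={sanctioned}")
    print("sanctions exposure:", sanctions_exposure(attribute(INCIDENT, PROFILES)))
```

The weights are deliberately simple; in practice an analyst tunes them from case history and treats a high-confidence IOC reuse as near-decisive. The point of the structure is that the brand contributes the least, so an affiliate rebranding under a new parent still lands on the same profile when tooling and negotiation habits carry over.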