Dive Brief:
- As the ransomware economy expands, it is becoming more evident that some affiliates take their expertise and experience to new gangs as the groups retire, Raj Samani, fellow and chief scientist at McAfee, said during a virtual webcast by the Chamber of Commerce Tuesday.
- The ransomware as a service model enables affiliates, those associated with the gangs, to follow the business as it evolves. For example, one of the most dangerous ransomware groups of 2018 and 2019, GandCrab, targeted large enterprises before its affiliates began to "drop off" in spring 2019, said Samani. "Two to three weeks later, the GandCrab crew actually announced that they retired," he said.
- REvil adopted GandCrab's affiliates upon its retirement, a familiar business move among ransomware operators and partners. "If we talk about cutting the head off the snake of ransomware, well, there are hundreds of snakes out there," said Samani.
Dive Insight:
The group behind the Colonial Pipeline ransomware attack had operations that employed affiliates, a common business model for ransomware gangs with decentralized operations.
DarkSide's operations went dark after the Colonial attack, and experts speculate the group might be rebranding itself to resurface as a new gang, The Record reported. But the group claimed it "lost access to the public part of our infrastructure."
Ransomware groups often rebrand to evade law enforcement, just as GandCrab did. Because of the dispersed nature of the operation, when law enforcement pursues a ransomware gang, "we can end up in a game of whack-a-mole," said Nitin Natarajan, deputy director at the Cybersecurity and Infrastructure Security Agency (CISA). "It's a never ending game."
It is possible law enforcement intervened with DarkSide's servers and payments, but it's not the first choice of the Ransomware Task Force, said Megan Stifel, executive director of the Global Cyber Alliance and member of the task force, during the panel. "The first step is to have an international coalition built to take preventative measures."
The task force prefers to reduce the frequency of ransomware attacks and the need for military involvement. The task force's recommendations include a White House-led and government-wide strategy, embracing diplomatic enforcement globally and reducing safe havens for criminals operating within a nation's borders.
Taking down a cybercriminal enterprise requires a combination of efforts from law enforcement, intelligence communities and international allies to deal with the whole ecosystem.
Natarajan did not say if the government was involved in dismantling DarkSide, as CISA is part of the defensive component of cybersecurity.
If law enforcement seizes funds from ransomware groups, groups will reinvent themselves and their business models. This was the case for NetWalker in 2019 — the ransomware group overhauled its business model and made $25 million in five months, according to research from McAfee.
To prevent ransom payments, the federal government has to follow cryptocurrency transactions, a largely unregulated space.
"We have to stop blaming technology for criminal intent," said Samani. Just as phishing is not an email problem, ransomware is not a cryptocurrency problem — cybercriminals will pivot to another form of payment even if cryptocurrency is locked down.
If the entire cryptocurrency ecosystem became totally transparent, gangs would still find a way to get paid. Still, the government is addressing the ever-expanding crypto ecosystem. The Treasury Department proposed last week businesses must report cryptocurrency transactions of $10,000 or more to the IRS.