View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Sloppy security from cybercriminals is creating a new generation of ransomware gangs

Leaked source code from Babuk and LockBit has been detected in a wave of cyberattacks from neophyte criminal enterprises.

By Claudia Glover

Malicious source code leaked from established cybercriminal enterprises like LockBit and Babuk is breeding a new generation of rough and ready ransomware gangs, says a new report from Cisco Talos. According to a new report from the threat intelligence team, code that has been dispersed across dark web forums has been detected in dozens of cyberattacks against companies perpetrated by criminal enterprises that are sometimes only weeks old. Such leaks, the report argues, ‘are having a significant effect on the threat landscape, making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge.’
Leaked malicious code directly contributing to more RaaS gangs using code they couldn’t create themselves. (Photo by IanRedding/Shutterstock)

Dragon’s teeth

Ransomware is not easy to build. Indeed, writing software designed to evade complex corporate cybersecurity defences, exfiltrate data and then automatically demand a payment for its release is usually the preserve of talented software engineers. As such, explains the report, leaks of existing source code from major ransomware gangs ‘allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants.’

According to the Cisco Talos report, at least four major ransomware gangs – Babuk, Conti, LockBit and Chaos – have seen valuable code published on dark web forums in recent years. Some of this has been intentional, says the authors, the product of one affiliate’s disgruntlement with another within the overall group. Many examples of leaks, however, have arisen as a result of operational error. Such was the case with the ransomware group Babuk in September 2021, when a series of internal mishaps released enough source code to power a fully functioning ransomware operation in its own right. Novice cybercriminals pounced. Babuk’s leaked source code has appeared in attacks perpetrated by at least ten new ransomware gangs.

It’s not the only example of leaked source code spawning new ransomware operations. According to the Cisco Talos report, a spate of recent ransomware attacks can be traced back to the leaking of a ransomware builder called Yashma in May 2022, itself a rebranded version of a program leaked from the Chaos gang. A type of program that allows the user to customise ransomware, builder programs also afford the opportunity for neophyte cybercriminals to create their own variants with minimal effort. 

Another group called Buhti, meanwhile, has successfully deployed code leaked from both LockBit and Babuk to target Windows and Linux systems. New operations like these tend to charge smaller ransoms to release corporate data back to its owners, according to Cisco Talos, with sums ranging from a mere $3.50 to $4,390 in Bitcoin. According to the threat intelligence provider, this could be because such gangs are effectively ‘lone wolf operators,’ reluctant to make elaborate demands from their victims before they have fully tested the capabilities of the ransomware they have adapted from the leaked source code from larger rivals. 

How to mitigate these new risks

The fact that new groups are mushrooming as a consequence of leaked code shouldn’t be surprising, argues Vasileios Karagiannopoulos, co-director of the Centre of Cybercrime and Economic Crime at the University of Portsmouth. Nevertheless, it’s a useful reminder of how quickly the ransomware ecosystem can evolve – and how dangerous that process is for companies that neglect their cyber-defences.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

Such risks can be mitigated, argues Karagiannopoulos, but only through a combined effort from both the private and public sectors. “Cybersecurity organisations and companies, ethical hackers and even governments can gain access to the code and try to provide patches and generate defensive measures in their software and security tools to counter the effects of new ransomware,” he says. “It is therefore important that the security community works together to tackle new code that comes to light quickly – ideally with investment from governments and international organisations.”

New solutions coming from the cybersecurity landscape, such as zero-trust, can also be used to counter the risks from the new ransomware gangs. Other solutions, says Karagiannopoulos, like “segmented structures, monitoring use patterns across all levels and layers, and regular and up-to-date cyber awareness training, are also important in order to reduce vulnerable attack vectors and become aware of the problem early on and minimise its impact.”

Read more: Ransomware groups are getting smaller and smarter

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.