Ransomware gangs care about one thing: Stealing money.
Over time, their craven, cybercriminal efforts have toppled businesses, destabilized hospitals, and ruined lives. Worst of all, they show no sign of slowing down, and their extortion attempts—which no longer focus on ransomware delivery alone—are getting bolder, meaner, and uglier.
As Allan Liska, intelligence analyst at Recorded Future, recently said on the Lock and Code podcast, times have changed.
“There are no protections anymore,” Liska said. “For a while, some ransomware actors [said] ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”
Considering all this, it’s pretty damn nice to see ransomware gangs lose.
As the holidays put people closer to family and friends (and ransomware gangs closer to attacking—seriously, watch out for that), Malwarebytes Labs is sharing some of the brighter moments of 2023 in which ransomware gangs didn’t get what they wanted. And while some of these “victories” still include an unfortunate ransomware deployment, they all have the same result for the ransomware gangs involved: A lost payday.
Here are four times ransomware gangs failed in 2023.
1. The Royal Mail ransomware attack
On January 11, the Royal Mail service in the United Kingdom publicly announced that it had suffered a “severe service disruption” due to a cyber incident. Until the incident was cleared, customers were asked to not send packages or letters overseas.
Within days of Royal Mail’s announcement, news outlets began linking the alleged cyber incident to the ransomware gang LockBit, which, oddly, denied the attack.
But underneath the public reporting, a fascinating negotiation between the cybercriminal gang and its victim would play out for weeks.
On January 12, a representative for Royal Mail makes contact with a cybercriminal for LockBit on a chat hosted in the dark web. The Royal Mail rep is direct, says they work in IT, and, curiously, has a deft command of flattery, referring to LockBit’s work as “pen-testing.” More impressively, the Royal Mail rep immediately takes control of the conversation by implementing one of the most effective strategies in ransomware negotiations: Stalling for time.
Despite LockBit’s constant pushes for urgency, the Royal Mail rep grinds the conversation to a halt, at one point raising a thus-unheard-of concern with LockBit’s decryption key: Yes, it may work on a few sample files, but will it work on really big files?
“My management have heard that your decryptor might not work on large files,” the Royal Mail rep says, deploying yet another stunning negotiation tactic by trying to invoke a manager to deliver difficult news.
After days of back and forth, the LockBit rep returns to the most important issue—payment. LockBit had asked for an astounding $80 million ransom, and, after enough delay, it is time to talk money.
But again, Royal Mail’s rep turns the tables. Yes, the Royal Mail service could possibly make a payment that large, but there is only one problem, the representative says: We’re not Royal Mail.
Shock. Horror. Utter embarrassment. According to the Royal Mail rep, LockBit had attacked the wrong Royal Mail, instead deploying ransomware for a Royal Mail subsidiary, where a more reasonable starting point in ransomware demands should be about $4 million.
At this point, the LockBit rep accepts defeat.
“You are a very clever negotiator,” the LockBit agent says. “I appreciate your experience in stalling and bamboozling.”
We’ll take that as a win.
2. MGM bounces back 10 days after ransomware siege
In Sin City, the house always wins, even when it loses $100 million.
In the late hours of September 11, customers and hotel guests at the Las Vegas resort MGM Grand noticed something was off—literally. On TikTok, a user shared a video showing rows of digital gambling machines with blank, non-functional screens. On the MGM Grand website, online reservations had become inaccessible. And for some unfortunate guests, even their room keys didn’t work.
“Digital keys weren’t working,” said the same TikTok user who shared video of the hotel’s broken digital slot machines. “Had to get physical keys printed.”
MGM Grand had been hit by a ransomware gang named Scattered Spider, a group of cybercriminals that, it would turn out, had already found some luck on the Las Vegas strip.
On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.
MGM Grand, however, chose a different path. Across 10 hectic days—which included equipping hotel elevators with handheld, two-way radios in case guests encountered any problems—the MGM Grand became operational once more, all without paying a ransom.
MGM Resorts International later provided a sober estimation of the cost of the recovery effort, expecting a $100 million loss to its third-quarter results, and valid criticism about the hotelier’s security vulnerabilities remain, but in the land of vice and greed, stopping a ransomware gang is a feat that few have accomplished.
3. Qakbot shot down
Duck hunting season came early this year.
In August, an international investigation led by US law enforcement agencies nearly wiped Qakbot from the internet, shutting down a large part of the botnet’s infrastructure, retrieving $8.6 million in cryptocurrency, and removing the botnet’s associated Qakbot malware from hundreds of thousands of infected machines around the world.
When infected with the Qakbot malware, computers would join the Qakbot “botnet,” an army of devices that could be controlled by a cybercriminal gang and pilfered for login credentials. The infected machines would also be susceptible to additional malware, and in the case of Qakbot-infected computers, that additional malware was often the ransomware variant called Black Basta.
Because of this enormous reach, Black Basta consistently appeared in Malwarebytes’ monthly Ransomware Reviews that record the most active ransomware variants across publicly-recorded attacks.
In April, Black Basta was responsible for at least 40 attacks. In September, just one month after Qakbot’s announced takedown, that number dropped to six.
4. ALPHV tattles on its victim to little success
A new wrinkle about modern ransomware attacks is that some of them don’t involve any ransomware at all.
That’s because, years ago, ransomware gangs learned that their malware of choice wasn’t the sole reason that victims paid ransoms. Rather, the ransomware that was deployed was just a digital representation of a highly effective, criminal lever: Extortion.
Since at least 2020, ransomware gangs have implemented a “double-extortion” technique against victims, stealing an organization’s files and threatening to publish them online before also deploying ransomware to encrypt the original copies left behind. More recently, however, ransomware gangs have resorted to just stealing a victim’s data without detonating any ransomware afterwards. The State of Maine, for instance, likely suffered such an attack this year in a data breach that impacted 1.3 million people.
But in November, the ransomware gang ALPHV, also known as BlackCat, tried something different.
Earlier in the month, ALPHV attacked the company MeridianLink. After a few days, MeridianLink showed no sign of paying the ransom, so ALPHV upped the pressure by reporting MeridianLink to, of all places, the US Securities and Exchange Commission (SEC).
To hear ALPHV tell it, MeridianLink was required to report ALPHV’s attack to the SEC because of newly-announced rules from the federal agency that mandate the reporting of any “material cybersecurity incident” within four days.
“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” ALPHV allegedly wrote in their complaint to the SEC.
MeridianLink, however, was unimpressed. After confirming “a” cybersecurity incident, a spokesperson with the company downplayed its severity.
“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” the MeridianLink spokesperson said. Further, the rules cited by ALPHV were not even in effect, yet, so noncompliance would be impossible.
To date, MeridianLink has not reportedly paid the ransom. More importantly, ALPHV may have learned something the rest of the world already knows: Criminal tactics only gain sympathy within criminal enterprises. Next time, complain to your coworkers, not the federal government.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
- Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
