Ransomware Evolves: Affiliates Set to Wield Greater Power
Operators Left Exposed After Overreaching, Says McAfee Enterprise’s John Fokker
How is the ransomware ecosystem set to evolve?
Since ransomware-wielding attackers overreached - in particular after DarkSide hit Colonial Pipeline this past summer - the administrators of those groups have been banned from leading cybercrime forums, says John Fokker, the principal engineer and head of cyber investigations for Advanced Threat Research at McAfee Enterprise. That change has affected ransomware operators' ability to recruit affiliates via forums to use their malware against victims in exchange for a cut of every ransom a victim pays.
As a result, "what we're seeing, and what we think is going to happen, is that there is going to be a power balance shift," Fokker says. As detailed in a new report he co-authored, McAfee Enterprise predicts that experienced affiliates will more often be calling the shots and selling access to a victim to the highest-bidding ransomware operation. Unfortunately, he adds, this more decentralized approach may also make it much more difficult to track ransomware operations, not least for law enforcement agencies.
In a video interview with Information Security Media Group, Fokker discusses:
- How and why the ransomware-attacker balance of power has been shifting to favor affiliates;
- Attackers' ongoing use of business email compromise and CEO fraud;
- Likely changes in extortion and data breach tactics being wielded by criminals.
Fokker is the principal engineer and head of cyber investigations for Advanced Threat Research at McAfee Enterprise. He was previously the project leader for the cybercrime threat intelligence team for the Dutch Police.