Ransomware conundrum: Identifying the parties involved in payment procedures
In the ever-evolving world of cybercrime, ransomware affiliate networks have emerged as a formidable threat. Paying them funds further criminality, and the party on the other end of a negotiation is not always who it seems, even when a victim believes it is dealing independently with a local IT specialist.
Paul Duck, a respected expert with over 30 years of experience in the cybersecurity industry, sheds light on this issue through his widely followed writing, presenting and podcasting. His podcast, "Tales From The SOC," discusses the complexities of ransomware payments and the current state of these networks.
2025 has seen the emergence of new ransomware groups such as GLOBAL GROUP and Chaos, both actively expanding their operations. While established groups such as LockBit have declined amid reliability problems and increased legal exposure, the newcomers are employing advanced tactics to gain the upper hand.
GLOBAL GROUP, for instance, is known for AI-powered negotiations and cross-platform capabilities, while Chaos focuses on "big-game hunting" with double-extortion tactics. Cross-posting, where the same victim is listed on the leak sites of several groups, has become common: the same stolen credentials are sold to more than one affiliate, affiliates hop between groups, and some listings are outright scams.
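Spotting cross-posting in practice means matching victim names that each group has posted slightly differently ("Acme Logistics, Inc." on one leak site, "ACME LOGISTICS INC" on another). The script below is an added example, not code from the article or from any group or researcher it mentions: it normalises victim names, groups the claims, and reports every victim claimed by two or more groups, ordered by when each group first listed it. The feed records it processes are constructed for illustration only, and the group names are used purely as labels.

```python
"""Flag leak-site cross-posting: the same victim claimed by more than one
ransomware group.  Added example; the claim records below are constructed,
not scraped from any real leak site."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample of leak-site claims: (group, victim as posted, date seen).
SAMPLE_CLAIMS = [
    ("GLOBAL GROUP", "Acme Logistics, Inc.",        "2025-07-02"),
    ("Chaos",        "ACME LOGISTICS INC",          "2025-07-09"),
    ("GLOBAL GROUP", "Northwind Traders Ltd",       "2025-07-11"),
    ("Chaos",        "Contoso Pharmaceuticals",     "2025-07-12"),
    ("LockBit",      "contoso pharmaceuticals llc", "2025-06-30"),
    ("Chaos",        "Contoso Pharmaceuticals",     "2025-07-12"),  # duplicate scrape
]

# Corporate suffixes that vary between postings and carry no identity.
_SUFFIXES = {"inc", "llc", "ltd", "limited", "corp", "corporation",
             "co", "plc", "gmbh", "sa"}


def normalize_victim(name: str) -> str:
    """Collapse case, punctuation and trailing corporate suffixes so that
    'Acme Logistics, Inc.' and 'ACME LOGISTICS INC' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in _SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def find_cross_posts(claims):
    """Return {normalized_victim: [(group, first_seen), ...]} for every victim
    claimed by two or more distinct groups, groups ordered by first sighting.
    Repeated claims by the same group (re-scrapes) collapse to the earliest."""
    seen = defaultdict(dict)  # victim -> {group: earliest date}
    for group, victim, day in claims:
        key = normalize_victim(victim)
        d = date.fromisoformat(day)
        if group not in seen[key] or d < seen[key][group]:
            seen[key][group] = d
    result = {}
    for key, groups in seen.items():
        if len(groups) >= 2:
            result[key] = sorted(groups.items(), key=lambda kv: (kv[1], kv[0]))
    return result


def days_between_first_and_last(entries):
    """Gap in days between the first and last group to list the victim; a
    short gap suggests shared access or affiliate hopping, a long one a scam
    or re-listing of old data."""
    return (entries[-1][1] - entries[0][1]).days


if __name__ == "__main__":
    for victim, entries in find_cross_posts(SAMPLE_CLAIMS).items():
        chain = " -> ".join(f"{g} ({d})" for g, d in entries)
        gap = days_between_first_and_last(entries)
        print(f"{victim}: {chain}  [{gap} days apart]")
```

The normalisation is deliberately conservative: it strips only case, punctuation and a short list of corporate suffixes, so two genuinely different organisations with similar names are not merged. Anything more aggressive (fuzzy matching, domain lookups) should be a second pass that an analyst reviews by hand.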
These networks operate on an affiliate-based model, where affiliates carry out attacks and receive a portion of the ransom as payment. Groups like GLOBAL GROUP offer an 85% revenue share to attract affiliates. Affiliates manage attacks through interactive panels, allowing them to configure ransomware payloads, monitor operations, and negotiate payments.
Modern ransomware groups like GLOBAL GROUP and Chaos offer cross-platform ransomware builds, allowing attacks on targets such as Windows hosts, VMware ESXi hypervisors, NAS appliances and BSD systems. They use a range of initial-access techniques, including phishing campaigns and the exploitation of unpatched vulnerabilities, to get into victim environments.
Many affiliates are active in multiple ransomware gangs at the same time, which makes a promise to suppress stolen files in return for a blackmail payment emptier than ever: the same person may hold the data under more than one brand. Today's affiliates typically steal an organization's most sensitive ("trophy") data and then scramble its operational data, giving them two levers for extortion.
Notorious ransomware gangs can have tens, hundreds, or even thousands of active affiliates. Paying up is just the beginning of post-attack costs, and the threat to sell or leak data, or to hand it to regulators, is itself a further form of blackmail that can be renewed after payment.
Evidence suggests that countries such as North Korea support ransomware attacks as a source of stolen corporate data and pseudonymous state revenue. The US Department of Justice is currently investigating a former employee of a Chicago-based company for taking kickbacks from ransomware attackers. In 2019, ProPublica reported allegations that a data recovery company was paying the ransomware gangs directly rather than negotiating with the criminals.
Paying ransomware gangs can fund further criminality, even when the victim believes it is paying an independent local IT firm for recovery services. Prevention is always better than a cure, because once data has been stolen it can never again be considered safe from disclosure. Paying up is a huge gamble, and it is only the first of the post-attack costs.
- Paying up in a ransomware attack can fund further criminality even when the victim believes it is dealing with local experts; Paul Duck's articles describe the affiliate-based model of groups like GLOBAL GROUP and Chaos, which target multiple platforms.
- Experts like Paul Duck emphasize that prevention is essential as ransomware networks evolve, adopting advanced tactics and AI-powered negotiations, while countries such as North Korea increasingly support these groups as a source of corporate data and pseudonymous state revenue.