Future of Digital Security

Hit ‘Em Where it Hurts: Understanding and Disrupting the Resourcing Phase in the Ransomware Payment Ecosystem

By Trevaughn Smith on March 17, 2025

Introduction

The inaugural Ransomware Task Force (RTF) report, published in April 2021, recommended a series of actions to mitigate the ransomware threat, including disrupting the ransomware business model by targeting its payment ecosystem. To further understand the ecosystem and how it operates, the Institute for Security and Technology (IST) in November 2022 released Mapping the Ransomware Payment Ecosystem, a comprehensive visualization of the six stages of the ransomware payment lifecycle—attack, negotiation, payment, obfuscation, cash-out, and resourcing—and the various entities involved. IST followed up on this research with the release of Mapping Threat Actor Behavior in the Ransomware Payment Ecosystem: A Mini-Pilot in May 2023. The mini-pilot provided greater detail on these six stages and highlighted the resourcing phase—during which ransomware groups use money and cryptocurrency from past criminal profits to reinvest in the technical infrastructure needed to scale and improve future attacks—as a major, cyclical component of the ransomware payment ecosystem. This blog introduces new strategies for targeting the resourcing phase through enhanced information-sharing efforts, with the goal of disrupting the infrastructure that ransomware groups rely on to scale and execute their attacks effectively.

What is the Resourcing Phase?

During the resourcing phase of the ransomware payment ecosystem, threat actors actively acquire, enhance, and invest in tools, online services, and strategies that enable the proliferation and persistence of the Ransomware-as-a-Service (RaaS) ecosystem. Ransomware gangs reinvest funds from successful ransom payments back into the ecosystem, particularly into malicious attack infrastructure such as bulletproof hosting services and web shell vendors. The resourcing phase occurs after the obfuscation process, during which ransomware actors use methods like peer-to-peer (P2P) exchanges, cryptocurrency mixers, and over-the-counter (OTC) brokers to evade law enforcement efforts to trace funds across the blockchain.

As a key element of the RaaS business model, the resourcing phase plays a crucial role in sustaining and scaling RaaS activities. RaaS operators are responsible for developing and maintaining their ransomware kits, and often provide the knowledge and technical infrastructure needed to support attacks. Larger, well-established groups have hired other cybercriminals to maintain various aspects of the resourcing phase, such as setting up and managing attack infrastructure. Some even go a step further by mirroring the legitimate Software-as-a-Service (SaaS) model on which RaaS is based, offering 24/7 tech support, user reviews, online forums, and more. RaaS operators then seek out cybercriminal customers or affiliates, who are individuals or groups looking to use ransomware code to initiate their own attacks. In return, affiliates pay the ransomware group a fee for their services—either a monthly subscription, a one-time fee, a share of the profits earned, or some combination. For example, Hive used a particularly sophisticated RaaS model which included a portal, allowing customers access to tooling and data from ongoing attacks. RaaS operators then reinvest these funds into aspects of their malicious attack infrastructure such as enhancing command-and-control (C2) systems, acquiring bulletproof hosting services, and developing other obfuscation and infiltration techniques to sustain the resourcing phase and continue launching ransomware attacks with more frequency and sophistication. 

However, not all entities identified in the resourcing phase are created equal. Some directly cater to criminal activities, while others offer legitimate services that are co-opted for malicious purposes. When considering how information-sharing efforts can lead to more strategic disruptive actions, it is crucial to distinguish between these types of entities. 

Follow the Money: The Obfuscation Phase 

Tracking ransom funds into the resourcing phase depends on following the money to understand what funds are being paid out to individuals, and what funds are being used to scale ransomware operations. This process must include carefully considering how actors obfuscate and subsequently reinvest payments. As described in Mapping the Ransomware Payment Ecosystem, cybercriminals use mixers, tumblers, and other cryptocurrency services to obscure the flow of money from ransom payments into payouts for individuals (the cash out phase) or reinvestment into attack infrastructure (the resourcing phase). Many of these services have legitimate uses, but are also abused by malicious actors. In order to better target the ransomware resourcing ecosystem, governments and private sector actors need better visibility into the cryptocurrency services being used in the obfuscation phase.

Countering the malicious use of cryptocurrency businesses for money laundering is a critical part of reducing the profitability of ransomware, and the U.S. and other governments are taking action to prevent these systems from abuse by malicious actors. For example, in 2023, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) levied financial sanctions against Sinbad, a virtual cryptocurrency mixer. According to Chainalysis, the action, along with other law enforcement and regulatory efforts, likely contributed to a decrease in funds sent to mixers from illicit addresses that year. In 2023, the Department of Justice (DOJ) and German law enforcement authorities led the takedown of ChipMixer, a cryptocurrency mixing service, seizing two domains, multiple back-end servers, and approximately $46 million in Bitcoin, as well as arresting the operator in Philadelphia, Pennsylvania.

As a result of these actions, ransomware actors have shifted to a smaller pool of available cryptocurrency mixers. Narrowing the ecosystem of mixers available to ransomware actors—and requiring all mixers to meet Know Your Customer and other anti-money laundering requirements—would help law enforcement better target RaaS operators. Yet, the mixer ecosystem in particular remains complex: a U.S. Appeals Court recently overturned the 2022 OFAC sanctions against the Tornado Cash mixer and researchers have pointed to potential legitimate uses for the privacy and anonymity that crypto mixers can offer.

In 2024, the National Crime Agency (NCA) announced Operation Destabilise, an NCA-led global effort disrupting a multi-billion-dollar Russian money-laundering network. Although it is too early to gauge the long-term impact, the Ryuk ransomware group—which used the Russian network in 2021 to launder more than $2.3 million in suspected ransom payments—may face immediate operational setbacks. This disruption could also affect other ransomware groups that rely on the same Russian laundering network. 

However, when it comes to legitimate services used by the general public, taking direct disruptive action can affect customers and limit an organization’s ability to provide online services. As a result, a different approach is required to disrupt malicious activities targeting these entities.

Entities with Possible Visibility Into the Resourcing Phase

Understanding how ransom payments get into the hands of cybercriminals is step one (the obfuscation phase). Next, we need to turn our attention to where that money goes once it has been laundered. Different entities have different levels of potential visibility into ransomware criminals’ activities during the resourcing phase, depending on what types of services they provide. Below, we describe the types of visibility that might be possible in certain scenarios, and the conditions under which sufficient information is shared with these actors.

Ransomware actors use a set of service providers that include DNS hosting providers and Virtual Private Networks (VPNs). For example, government cybersecurity agencies have demonstrated how ransomware actors exploit legitimate service providers like MEGA.io, a cloud service provider, to exfiltrate stolen data and support other components of the RaaS ecosystem. Ransomware actors also use DNS hosting providers to create fake domains and websites that mimic trusted organizations or resources, and then use them in phishing attacks to compromise an organization. Attackers use VPNs to anonymize their location and communications, or they exploit vulnerabilities in an organization’s external VPN to gain initial access and launch attacks. By monitoring suspicious activity on these platforms—such as repeated access from known malicious IPs, unusual network traffic, or large volumes of encrypted data—the entities providing these services can look for patterns and understand how ransomware actors are using these services as part of their overall RaaS ecosystem. In response, these entities can often suspend suspicious accounts, block flagged IP ranges, or restrict abnormal data transfers, reducing attackers’ ability to establish malicious infrastructure. The Terms of Service that users must accept to access these platforms typically support such actions.
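As an added illustration (not code from the IST post or any provider named in it), the following Python sketch shows how a hosting or DNS provider might triage its own access logs for two of the signals described above, repeated access from known-malicious IPs and abnormal outbound volume, and pair each finding with the Terms-of-Service response the post mentions. The log format, the blocklist, the thresholds and the action mapping are all assumptions constructed for the example.

```python
# Added example (not from the IST post): abuse triage over constructed provider access logs.
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample log, format "timestamp account src_ip bytes_out" (assumed).
SAMPLE_LOG = """\
2025-03-01T10:00:01Z acct-1042 203.0.113.7 120000
2025-03-01T10:02:11Z acct-1042 203.0.113.7 95000
2025-03-01T10:05:43Z acct-1042 203.0.113.7 310000
2025-03-01T10:07:00Z acct-2210 198.51.100.4 8000000000
2025-03-01T10:09:30Z acct-3301 192.0.2.55 4500
2025-03-01T10:11:02Z acct-3301 192.0.2.56 6100
"""
# Constructed blocklist (documentation range); in practice fed by shared threat intel.
KNOWN_BAD_IPS = {"203.0.113.7"}
REPEAT_HITS = 3                   # accesses from a listed IP before flagging
EGRESS_LIMIT_BYTES = 5 * 1024**3  # assumed per-account daily egress ceiling (5 GiB)
# Terms-of-Service responses the post describes, keyed by signal (assumed mapping).
ACTIONS = {"listed_ip": "suspend account and block source IP range",
           "egress": "restrict data transfer pending abuse review"}

@dataclass
class Finding:
    account: str
    reason: str      # key into ACTIONS
    evidence: str

def parse_log(text):
    """Return (timestamp, account, src_ip, bytes_out) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, ip, nbytes = line.split()
            events.append((ts, account, ip, int(nbytes)))
    return events

def triage(events):
    """Flag accounts with repeated listed-IP access or abnormal outbound volume."""
    hits = defaultdict(int)    # (account, ip) -> accesses from a listed IP
    egress = defaultdict(int)  # account -> total bytes out
    for _, account, ip, nbytes in events:
        egress[account] += nbytes
        if ip in KNOWN_BAD_IPS:
            hits[(account, ip)] += 1
    findings = [Finding(a, "listed_ip", f"{ip} x{n}")
                for (a, ip), n in hits.items() if n >= REPEAT_HITS]
    findings += [Finding(a, "egress", f"{total} bytes")
                 for a, total in egress.items() if total > EGRESS_LIMIT_BYTES]
    return findings

def response_plan(findings):
    """Pair each finding with the provider-side action, ready for an abuse-desk ticket."""
    return [(f.account, f.reason, ACTIONS[f.reason], f.evidence) for f in findings]
```

Running `response_plan(triage(parse_log(SAMPLE_LOG)))` on the constructed log flags acct-1042 for three accesses from the listed IP and acct-2210 for roughly 8 GB of egress, while acct-3301 with small transfers from unlisted addresses is left alone.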

However, the approach to disruption can vary significantly depending on the organization, influencing how effectively these entities respond to cybercriminal activity. For example, Microsoft invests significant resources into disrupting cybercriminals and protecting the integrity of its online services largely through its specialized Digital Crimes Unit. The company also takes a firm stance against illicit activities on its platform by strictly enforcing its Terms of Service. Similarly, Google’s Threat Analysis Group (TAG) combats cyber threats by collaborating with law enforcement agencies, industry partners, and international organizations to identify and mitigate cybercriminal activities. Google enforces its Terms of Service rigorously by suspending accounts involved in malicious activities and removing harmful content, thereby maintaining the security and trustworthiness of its services. By contrast, researchers have linked Cloudzy, which presents itself as a legitimate Virtual Private Server (VPS) service, to potentially malicious activity. A report released by Halcyon estimated that between 40% and 60% of the total servers hosted by Cloudzy “appeared to be directly supporting potential malicious activity.” The report also noted that Cloudzy claims VPS services suspended for misuse or illicit activity could be reinstated after users pay a “fine.” Cloudzy firmly denies these allegations.

Shades of Grey: Entities’ Varying Approach to Combating Malicious Actors 

The entities used by criminal actors in the resourcing phase vary widely in their commitment to ensuring that their services are only used by legitimate actors or for legitimate purposes. Legitimate-use entities want to remove malicious actors from their services and follow through on doing so, whereas malicious entities are unwilling to take any steps to combat malicious use of their services. While these two extremes do not represent all companies, using these two fairly stark categories illustrates two different approaches to effectively disrupting the resourcing phase.

Malicious entities exist solely to conduct harmful activities and are not generally known or used by the public. These entities cater primarily to cybercriminals by providing services that facilitate illicit activities, a core component of the resourcing phase. Entities like these exist and advertise almost exclusively on the dark web, which cybercriminals leverage for its anonymity and relative inaccessibility. 

Entities such as bulletproof hosting providers and malware crypting services are intentionally designed to facilitate cybercriminal activity and often play a direct role in a ransomware attack. Bulletproof hosting services provide a much higher level of anonymity and are usually willing to turn a blind eye to certain types of illicit behavior. Ransomware actors use these services to host their C2 infrastructure, which allows them to coordinate attacks, exfiltrate data, and manage ransomware deployments. They are also used by a variety of other criminal enterprises, as these companies can support dark web marketplaces, anonymous chat services, and other platforms commonly found on the dark web. Attackers use malware crypting services to encrypt or obfuscate their malicious code, making it harder for cybersecurity systems to detect and block the payload. These entities rarely cooperate or share information with other entities, and are unlikely to comply with legal requests for data or shut down users for malicious activity, thereby shielding their users from law enforcement. 

Shutting down malicious entities through direct, disruptive actions such as taking servers offline, blocking domains, executing targeted takedowns, or imposing financial sanctions forces ransomware actors to move their operations, adding friction to the ecosystem and making it harder for RaaS actors to operate. 

Legitimate-use entities, on the other hand, have a valid purpose, are often well known to the public, and yet can be exploited—frequently in violation of their platform’s Terms of Service—to facilitate malicious activity. Examples of these entities include DNS providers, remote management tools, and cloud service providers. Many of these organizations’ customers use their services for various legal and accepted reasons, such as building and maintaining a website, remotely controlling personal devices, or securely storing and accessing important information from anywhere with an internet connection. These legitimate entities may offer cryptocurrency payment options for their efficiencies (lower transaction fees, possible reduced risks of inflation, etc.), unintentionally attracting cybercriminals due to the added benefit provided by these currencies’ pseudonymity.

Direct disruptive actions by law enforcement that target legitimate businesses can inadvertently affect innocent customers, damage reputations, and disturb essential services. To facilitate meaningful disruption of ransomware actors who exploit these platforms, public and private sector organizations must create better mechanisms for sharing timely information, so that legitimate entities with visibility into the resourcing phase can either alert law enforcement agencies with the authorities to conduct disruptive operations or otherwise add friction into the ecosystem. This collaboration is crucial to accurately identify and dismantle actors conducting ransomware attacks using legitimate online infrastructure. 

Right now, we do not have sufficient information sharing and reporting mechanisms to enable efficient disruption activities. This may stem from several perceived or real legal limitations, including a lack of understanding about what information sharing entails or how to report an incident. Victims may also fear civil or criminal consequences associated with reporting to law enforcement. Legitimate service providers, such as DNS and cloud service provider (CSP) companies, may be concerned about the potential regulatory ramifications of sharing threat intelligence that exposes sensitive information or violates user privacy. When organizations do share timely threat intelligence, they often do not hear back from law enforcement, which can further reduce their desire to collaborate in the future.

To address these issues, it is crucial to establish an information-sharing framework that educates legitimate entities within the resourcing phase of the ransomware payment ecosystem on best practices for securely and legally sharing indicators of RaaS threat infrastructure. Facilitating this sharing will support law enforcement’s ability to target the technical infrastructure enabling these attacks. 

Conclusion

IST’s Ransomware Task Force (RTF) continues to explore disruptive tactics and collaborative opportunities to target not only the resourcing phase but also the entire ransomware payment ecosystem and the RaaS model. Law enforcement, private entities, and other stakeholders must prioritize the resourcing phase in their efforts to disrupt and break the cyclical nature of the RaaS model.

IST’s research is driven by voluntary contributions from experts across the public and private sectors. We are grateful to the RTF Ransomware Payment Ecosystem Working Group members and others who have contributed their expertise and thought leadership to this research. The views expressed in this blog do not necessarily reflect those of any working group member.