A new model for understanding extortion groups

To help organizations judge if and how they should interact with cyber criminals during an extortion attack, Accenture Cyber Intelligence (ACI) has developed a new Extortion Group Maturity Model (EGMM) that assesses the credibility and stability of ransomware and data extortion groups.

Increased complexity in the extortion ecosystem

Many extortion groups operate on a ransomware-as-a-service (RaaS) model, in which groups lease or sell their malware to affiliates for ransomware or data extortion attacks. In recent months, two of the most notorious RaaS groups, ALPHV-ng (a.k.a. BlackCat) and LockBit, were affected by law enforcement takedowns and accusations of scamming their affiliates, leading many cybersecurity researchers to speculate whether it is the end of the RaaS model.

Recent events have affected how the extortion ecosystem works, resulting in a rising complexity that involves new relationships between threat actors, new threat groups and a recruitment race among groups to hire malicious talent. As a result, ACI assesses data extortion and ransomware will continue to be major threats to enterprises throughout 2024 and 2025.

These events have introduced new extortion techniques targeting C-suites (such as releasing sensitive information about executives’ families or compensation packages), an increased propensity for harassing victims and a heightened focus on the theft and leaking of highly sensitive personally identifiable information, such as healthcare data.

Combined, these changes have raised the extortion threat level across geographies and operating industries. 

ACI’s extortion group maturity model

Given the current state of ransomware and data extortion, ACI suggests organizations leverage an Extortion Group Maturity Model (EGMM) as standard practice. The EGMM is an analytical tool to help assess the credibility, stability and anticipated behavior of active ransomware and data extortion groups. When applied, the model can help decision makers judge if and how they should interact with a malicious group, as well as indicate the group’s anticipated behavior.

ACI did not develop the EGMM concept to replace the technical analysis of a group’s tactics, techniques and procedures (TTPs)—nor is it a traditional threat actor profile focused on victimology, targeting trends or timelines. Instead, the EGMM helps organizations assess a threat group’s predictability and stability based on 19 unique data points. The model then uses those data points to plot a group on a scatter graph along two axes: chaotic to stable, and predictable to unreliable.

This approach effectively divides extortion groups into 4 categories—credible, reliable, volatile and unreliable/unpredictable—each with individual risks and suggestions.

ACI’s analysis also indicated that the causes of re-extortion events (when a group targets the same victim again with the same data) overwhelmingly fit into one of five categories: greed, a pending exit, internal conflict (loss of internal cohesion), hybrid motivation (if the group is motivated not just by financial gain but also politics, ideology, revenge and/or notoriety) or incompetence.

ACI therefore designed the EGMM to incorporate these five categories, ensuring they are reflected on either of the two axes.

Exhibit 1 shows the current plotting of some key active ransomware and extortion groups on ACI’s EGMM.

Stability

A group's placement on the stable–chaotic axis indicates the likelihood the group will continue operations as it has, without changes. Stable groups typically face low pressure from outside forces, such as law enforcement, and have strong internal cohesion within their ranks, such as affiliates adhering to outlined rules. These groups usually have steady behavior with few fluctuations.

ACI’s data points for assessing stability include:

• Level of outside pressure (such as from law enforcement)
• Widespread media coverage (beyond cyber threat intelligence media)
• Indiscriminate targeting
• Internal cohesion
• Recent behavior
• Any significant shift in TTPs
• Hybrid motivation
• Whether the group’s ransomware strain has been leaked or decrypted
• Recent large ransom payouts

Predictability

A group’s placement on the predictable–unreliable axis indicates how well victims and professionals can understand and, to some degree, anticipate a group’s behavior. Essentially, a group’s placement on this axis indicates whether it will likely honor its commitments during negotiations.

A high predictability score suggests the group is more reliable and therefore a reasonable entity to engage with, whereas a low predictability score indicates a less-reliable threat group and increases the likelihood the group will engage in re-extortion or resell a victim’s data.

ACI’s data points for assessing predictability include:

• Technical capabilities
• Accuracy of the group’s past claims
• Outlined affiliate rules
• Dark web reputation
• Known ecosystem partners
• Brand recognition
• Any significant shift in TTPs
• History
• Lifespan
• Leaked negotiation chats
• Who negotiates for the group
• Whether the group uses cheap or reused ransomware

Case studies

The demise of ALPHV-ng

Applying the tool retroactively to the extortion group ALPHV-ng can help illustrate the utility of the model (Exhibit 2).

Using the EGMM to assess ALPHV-ng from 2022 to mid-2023, ACI categorized the group as predictable and stable, dictating a credible position. However, in November 2023, ALPHV-ng began to exhibit increasingly erratic behavior, with multiple data points showcasing overall decreased predictability and stability. The EGMM followed the group’s falling stability toward the end of 2023, at which point ACI categorized it as volatile.

The group continued to rapidly decline in stability at the beginning of 2024, when the group displayed strong signs of outside pressure and rapidly falling internal cohesion; this ultimately culminated in an exit scam in February 2024—where the group cheated an affiliate out of their share of a $22 million ransom payment—and a re-extortion attack against Change Healthcare in April 2024.

As such, the model suggested organizations avoid making payments or engaging in negotiations with ALPHV-ng at that time, while also indicating the increased likelihood of the group reusing stolen data in further attacks or reselling it due to a pending exit.

The future of Qilin after the synnovis attack

ACI’s EGMM can also help organizations understand how significant events can affect an extortion group's anticipated behavior. For example, the EGMM indicates the Qilin extortion group may likely become increasingly unstable and unpredictable following its very high-profile attack against London-based healthcare provider Synnovis on June 3, 2024.

This attack caused widespread disruption across London’s hospitals, resulting in more than 1,600 canceled operations and an increased need for blood donations. The United Kingdom (UK) government declared the attack a critical incident, and the international media widely covered it.

The attack’s extremely high profile, along with its real physical consequences for patients across London, has likely greatly increased law enforcement’s focus on Qilin, especially within the UK. As a result, the group is likely experiencing significant rising outside pressure, especially considering law enforcement’s recent increased focus on disrupting extortion groups.

Moreover, following the Synnovis hack, Qilin spoke with several media outlets to attempt to justify the attack as a form of geopolitical protest against an unspecified war. When a UK media outlet asked whether Qilin knew the attack would disrupt healthcare in London, the group said, "Yes, we knew that. That was our goal."

However, ACI is skeptical of this alleged justification since extortion groups like Qilin routinely lie about their reasons. However, Qilin does feature some of its victims on a data leak site aimed at disclosing governmental and corporate secrets, which could indicate the group harbors an increasingly hybrid motivation.

Overall, Qilin’s attack against Synnovis negatively impacted several of the group’s Stability data points on the EGMM, including displaying hybrid motivation, elevated outside pressure, indiscriminate targeting and widespread media attention. Based on these factors, Qilin could move in multiple directions on the EGMM, as shown in Exhibit 3. ACI assesses the group will likely fall within the volatile segment, or the lower end of reliable, as the group’s stability drops.

On June 20, 2024, Qilin released 400 GB of Synnovis data—affecting 300 million patients—for free via Telegram. This strongly suggests Synnovis did not pay a ransom, and ACI assesses it is unlikely the company will pay one in the future. Qilin also confirmed a breakdown in negotiations.  the group's security and therefore stability.

If Qilin feels significant law enforcement pressure and given that it likely failed to obtain a ransom from Synnovis, the group may be more inclined to attempt an exit, and in doing so may conduct unsavory attacks, such as re-extortion events or reselling data for which it has already received a ransom, to secure a sizable sum before ceasing operations.

However, Qilin could also remain at their current placement or even improve slightly if they become the de-facto dark-web RaaS brand.

Notably, a significant mitigating factor for Qilin that could prevent them from destabilizing is the widespread notion touted in Western media that the group is affiliated with a wider pro-Russian initiative and sanctioned by the Russian government to target Western healthcare and CNI, with some outlets stating that the group is “are part of a wider cyber army working under the Kremlin’s protection”.

Some investigators investigating the incident claim that Qilin is merely one arm of a much wider web of hacking affiliates made up of more than 100 independent groups.

While this loosely affiliated syndicate, is assessed to be directly controlled by the Russian government, but is rather viewed a useful tool of disruption, tolerated by the Kremlin.

ACI has long followed a ‘false persona’ grading scale, grading groups from 1-4 depending on how tightly controlled by state-actors they are assessed to be. Within this the RaaS groups operating in the ransomware ecosystem are most commonly rated by ACI as a grade 2 or 3 - dictating that they are not directly controlled by state actors but may take some targeting parameters from state directions.

Ciaran Martin, former chief executive of the National Cyber Security Centre (NCSC), said: “The Russian state does not control or direct criminal cyber groups, but it does in effect set the parameters of who they are allowed to attack.” Attacks on other nation’s healthcare services were traditionally seen as “off limits” however the attack on Synnovis may represent a loosening of the reins.

Importantly, internal messages between the perpetrators, seen by iNews, show members of the loosely affiliated hacking syndicate asking an unknown higher authority from the group’s leadership for permission to attack specific targets in the UK on previous occasions. If that is merely a RaaS core leader or someone above that is unknown.

Although Qilin’s relationship with state-actors are unknown and speculative, should the group be covertly greenlighted by the Russian state to target CNI, the group may be sheltered from Western law enforcement pressure and be unfazed by widespread media attention as it is unlikely to have an effect on the group's security and therefore stability.

Outlook

Ransomware and extortion are not going away in 2024. Instead, they are evolving and rising in complexity due to multiple overlapping dark web trends. Understanding the anticipated behaviors of a perpetrating group is therefore increasingly crucial for analysts and decision- makers, who can leverage a tool like the EGMM for this purpose. It is important to stress that the EGMM is not capable of predicting the future.

However, using as many unique data points as possible, it can help provide a deeper understanding of a group’s anticipated behavior and credibility during an engagement.

For example, the model suggests organizations avoid engaging with an unreliable group due to the high risk of secondary exposure, while it also suggests they could conceivably engage with a credible group depending on the organization’s risk appetite, specific circumstances and local regulations.

ACI designed its model to provide a point-in-time snapshot of a group’s stability and predictability, making it most useful for offering insights and assistance during a ransomware or data extortion event. Organizations can also use the EGMM to prime their situational awareness prior to an event and better understand their adversaries.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture.

Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Thanks to Accenture Cyber Intelligence Analyst Thomas “Mannie” Willkan for his contributions to the blog.