How ransomware runs the underground economy

Ransomware gangs are adopting all the core elements of legitimate businesses—including defined staff roles, marketing plans, partner ecosystems, and even venture capital investments.

The unwanted attention attracted by recent ransomware attacks caused several of the top cybercrime forums to ban ransomware discussions and transactions on their platforms earlier this year. While some hoped this would have a significant impact on the ability of ransomware groups to organise themselves, the bans only pushed their activity further underground, making it harder for security researchers and companies to monitor it.

If anything, the attacks in the months that followed the forum bans have been more potent and audacious than ever. The truth is that ransomware is the lifeblood of the cybercrime economy, and it will take extraordinary measures to put an end to it. The groups coordinating the attacks are highly professionalised and in many ways resemble modern corporate structures, with development teams, sales and PR departments, and external contractors and service providers that all get a cut of the illegal proceeds. They even use business lingo in their communications with victims, referring to them as clients who buy their data decryption services.

"The way I describe it is: You have the business world that we all know. The criminals have a parallel one that's like the Upside Down from Stranger Things. It's the exact same world, only darker and twisted," Steve Ragan, security researcher at Akamai, tells CSO.

An underground economy relying on ransomware

By looking at what's involved in ransomware operations and how the groups are organised, it's easy to see that ransomware is at the center of the cybercrime economy. Ransomware groups employ people who:

  • Write file-encryption programs (the development team)
  • Set up and maintain the payment and leak sites, and the communication channels (the IT infrastructure team)
  • Advertise the ransomware service on forums (the sales team)
  • Communicate with journalists and post messages on Twitter and announcements on their blogs (the PR and social media team)
  • Negotiate the ransom payments (the customer support team)
  • Perform the manual hacking and lateral movement on victims' networks to deploy the ransomware program for a part of the profit (external contractors known as affiliates or penetration testers)

The affiliates often buy access into networks from other cybercriminals who have already compromised systems with Trojan programs or botnets, or through stolen credentials. These third parties are known as network access brokers. Affiliates might also buy data dumps that contain stolen account information or internal information that could help with target reconnaissance. Ransomware gangs also frequently use spam email services and bulletproof hosting.

In other words, many parties in the cybercrime ecosystem directly or indirectly earn money thanks to ransomware. So it's not unusual for these groups to become more professional and to operate like companies, with investors, managers, product marketing, customer support, job offerings, partnerships and so on. It's a trend that has been slowly building up over the years.

"The cybercrime underground has become essentially an economy unto itself where you have service providers, product creators, financiers, infrastructure providers," Brandon Hoffman, CISO of security firm Intel 471, tells CSO. "It's an economy just like ours where you have all these suppliers and buyers of different things. Just like in our free market economy, as you have all these different types of service providers and product providers available it's natural for them to start to come together and build a business together to offer a package of services and goods, just like we do here in the standard economy. So, I 100% agree that it is going that way. It's just really hard for us to prove it."

"We've known for years that criminals have a software development lifecycle just like the rest of us," Ragan says. "They have marketing, PR, middle management. They have people responsible for lower-level criminals who report to bigger-level criminals. It's not new. It's just that more people are starting to hear it and are paying attention to the parallels."

Ransomware groups adapt to market pressures

Ransomware attacks have crippled many hospitals, schools, public services, local and state government institutions and even police departments over the years, but the attack in early May on Colonial Pipeline, the largest pipeline system for refined oil products in the US, was a milestone.

The breach, attributed to a Russia-based ransomware group called DarkSide, forced the company to shut down its entire gasoline pipeline system for the first time in its 57-year history to prevent the ransomware from spreading to critical control systems. This resulted in fuel shortages across the US East Coast. The incident received widespread attention in the media and in Washington as it highlighted the threat that ransomware poses to critical infrastructure, spurring debates on whether such attacks should be classified as a form of terrorism. 

Even the operators of DarkSide understood the seriousness of the situation and announced the introduction of "moderation" for its affiliates—the third-party contractors that actually do the hacking and deployment of the ransomware—claiming they want "to avoid social consequences in the future." But the heat was already too much for the group's service providers.

Only days after the attack, the administrator of XSS, one of the largest Russian-language cybercrime forums, announced a ban on all ransomware-related activities on the platform, citing "too much PR" and a heightening of law enforcement risks to a "hazardous level," according to a translation by cybercrime intelligence firm Flashpoint.

Other high-profile ransomware groups, including REvil, immediately announced similar moderation policies for their affiliates, prohibiting attacks on healthcare, educational and government institutions in an attempt to control the PR damage. That too wasn't enough. Two other big cybercrime forums, Exploit and Raid, soon followed with bans on ransomware activities.

In the aftermath, DarkSide announced that it was going to shut down its operations after also losing access to its blog, payment server, Bitcoin wallet and other public infrastructure it had, claiming its hosting provider responded only with "at the request of law enforcement agencies." One month later, the FBI would announce that it managed to recover the US$4.4 million in cryptocurrency that Colonial Pipeline was forced to pay the hackers to decrypt its systems and resume normal operations.

The banning of ransomware activities on the most popular cybercrime forums was a significant development because for many years these forums served as the primary place where ransomware groups recruited affiliates. These forums offer an easy means of public and private communication between cybercriminals and even provide money escrow services for transactions between parties who don't know or trust each other.

The bans also affected, to some extent, the cybersecurity firms that monitor these forums to collect intelligence on threat actors and new threats. While most cybercrime researchers knew the forum bans would not stop ransomware operations overall, some did wonder what the groups' next move would be. Would they migrate to less popular forums? Would they set up their own websites for advertising and communicating with affiliates? Would they move to real-time chat programs like Jabber or Telegram?

"What that did was move those discussions to other private groups," Ragan says. "They're not going away. What they did was go out of the public spotlight. For the longest time, you could see their recruiting, their development, their discussions, what sort of features they were working on. Now that's gone.... You're not going to be able to predict a lot of changes. Unfortunately, that means you won't know about new variants or a new function that got added until the first victim gets hit."

According to Ondrej Krehel, the founder and CEO of incident response and digital forensics firm LIFARS, ransomware operations were not impacted by the forum bans because most of the actors involved in such activities were already communicating via private groups on Telegram and Threema that had existed for two or three years.

There was still some traction on the forums as part of the marketing efforts, but if you really wanted to get something more concrete, you would have to be part of these groups already, and some require paying a fraction of a Bitcoin from a wallet that has been associated with known criminal activities to prove yourself, Krehel tells CSO. "This rate of growth [of ransomware] will continue," he says.
