[Study] Who is behind ransomware?

Kaspersky researchers examined forums hosted on the darknet and investigated several ransomware criminal groups. They published the results of this work on Wednesday, May 12, in a report entitled “Ransomware world in 2021: who, how and why”.

As a reminder, ransomware is malicious software that paralyzes an information system by encrypting the data it contains. The cybercriminals offer their victim a decryption key in exchange for a ransom that can sometimes reach several million dollars, payable in Bitcoin and therefore irreversible once paid.

Ransomware explodes

This type of cyberattack is increasing year by year. In 2020, in France, ransomware reports increased by 255%, according to the National Information Systems Security Agency (Anssi). Hackers target both small businesses and multinationals. Latest example: the Colonial Pipeline group, the main pipeline operator in the United States, which was the victim of ransomware a few days ago.

In its study, Kaspersky sets out to dispel some myths about ransomware. “It is clear that the ransomware industry is complex and involves many players with varying roles,” summarizes Craig Jones, Cybercrime Director at Interpol.

A myriad of actors

The Russian cybersecurity firm claims that hackers are not “tight-knit groups” that obey one leader. The reality is quite different: “most attacks involve a large number of different actors – developers, botmasters, access vendors or ransomware operators – who render each other a service via marketplaces hosted on the darkweb”.

These different actors interact on specialized forums. The criminal group REvil, which recently attacked the Taiwanese contractor Quanta, regularly posts offers and news through affiliate programs. In practice, such contracts involve a partnership between the operator of the ransomware and an affiliate: the former keeps a margin of 20 to 40% and the latter the remaining 60 to 80%.

Well-oiled cogs

“Botmasters and account resellers” are responsible for providing initial access to the victim’s network. Other members of this ecosystem, dubbed “the red team” by Kaspersky, use this initial access to gain full control over the target network. During this process, they collect information about the victim and steal internal documents.

These documents can then be passed to a team of analysts who will attempt to determine the actual financial health of the target, in order to set the highest possible ransom price. They will also stay on the lookout for any sensitive or incriminating information that could be used to support their blackmail strategies.

When “the red team” is ready to launch the attack, they will purchase the appropriate malware from a developer operating on the darknet. Negotiations with victims can be handled by another team. If the ransom is paid, experts will be responsible for laundering the amount obtained.

The study indicates that the various actors of this “value chain” do not know each other personally in the majority of cases. They also communicate as little as possible to prevent investigators from being able to trace the chain.

Targeting the most vulnerable companies

Victims are chosen opportunistically, the researchers say: the companies that are easiest to reach are selected. Note that the criminals who gain access to the victim’s network are not necessarily those who deploy the malware. They may be independent operators who then resell access to the network through auctions or at a fixed price starting at $50, the study said.

The forums have many offers. Some operators sell virus samples and design software for amounts ranging from $300 to $4,000. Others offer “Ransomware-as-a-Service” (RaaS) packages that include purchase of the ransomware and technical support from developers, at rates ranging from $120 per month to $1,900 per year.

“The ransomware ecosystem is complex (…) Given the success of their successes, cybercriminals will not disappear overnight,” concludes Dmitry Galov, cybersecurity researcher with Kaspersky’s Global Research and Analysis Team. It is therefore essential that public bodies and companies protect themselves against these attacks, which can prove very costly.
