In the cybercriminal underground, ransomware samples and builders are going for anywhere between $300 to $4,000, with ransomware-as-a-service rentals costing $120 to $1,900 per year.
That’s according to an analysis by Kaspersky of the three main underground forums where ransomware is circulated.
They found that the general economy of ransomware is well-developed and complex, with “several actors supplying services to one another.” For instance, botmasters offer access to already-compromised devices; software developers improve the malware; and initial access brokers specialize in providing network access via backdoors or security vulnerability exploits for things like Remote Desktop Protocol (RDP).
“This access can be sold in an auction or as a fixed price, starting as low as $50,” Kaspersky researchers said, in a recent posting. “The attackers who create the initial compromise, more often than not, are either botnet owners who work on massive and wide-reaching campaigns and sell access to the victim machines in bulk, or hackers who are constantly on the lookout for publicly disclosed software vulnerabilities to exploit as soon as they are announced and before a patch is applied.”
The forums host hundreds of various advertisements and offers, for everything from the sale of source code to regularly updated recruitment advertisements for affiliates, available in English and Russian.
“Sale of ransomware source code or the sale of leaked samples is the easiest way of making money off ransomware in terms of technical proficiency and effort invested by the seller,” according to the analysis. “However, such offers also make the least money, as source code and samples quickly lose their value. There are two different types of offers – with and without support. If ransomware is purchased without support, once it is detected by cybersecurity solutions, the buyer would need to figure out on their own how to repackage it, or find a service that does sample repackaging – something that [is] still easily detected by security solutions.”
Offers with support, meanwhile, usually offer regular updates.
The Affiliate Phenomenon
There are also affiliates, who sign up with an operator gang to do the actual dirty work of carrying out an attack. The ransomware operator takes a profit share ranging from 20 to 40 percent, while the remaining 60 to 80 percent stays with the affiliate, researchers said.
“These actors meet on specialized darknet forums where one can find regularly updated ads offering services and partnerships,” according to Kaspersky. “Well-known groups, such as REvil, that have targeted a growing number of organizations in the past few quarters, publicize their offers and news on a regular basis using affiliate programs.”
Affiliates are carefully vetted, and are taken on based on geographical preference, political views and more.
“Additionally, operators screen potential partners to reduce the chances of hiring an undercover official, for instance, by checking their knowledge of the country they claim to be from,” the report noted.
However, researchers highlighted that ransomware victims are selected opportunistically – as in the case of Colonial Pipeline, not necessarily with much vetting: “The organizations infected the most are often low-hanging fruit – essentially, the ones that the attackers were able to gain easier access to.”
How to Defend Against Ransomware
The report offered some tips for defending against ransomware:
- Focus your defense strategy on detecting lateral movements and data exfiltration to the internet.
- Pay special attention to the outgoing traffic to detect cybercriminals’ connections.
- Set up offline backups that intruders cannot tamper with. Make sure you can quickly access them in an emergency when needed.
- Enable ransomware protection for all endpoints.
- Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
- Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training.
“Effective actions against the ransomware ecosystem can only be decided once its underpinnings are truly understood,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s Global Research and Analysis Team.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!