Researchers Uncover Affiliate Network for Ransomware

Ransomware crime bosses are shopping for affiliates to help them infect victims.

Ransomware as a business is maturing and nowhere is that better illustrated than in Russia, according to Flashpoint researchers. The security firm released two reports on Thursday, one on a burgeoning ransomware-as-a-service business model (PDF) in Russia and the second on new developments in Russian ransomware kingpins targeting hospitals (PDF).

Researchers conclude, the ransomware industry is getting more brazen, coordinated and surprisingly is struggling with issues of ethics. Both reports unearth some interesting tidbits of the Russian ransomware business such as the average yearly income for a ransomware crime boss in Russia is $90,000.

Flashpoint discovered, in the case of ransomware-as-a-service, the market is quickly evolving to where seasoned ransomware criminals are now actively seeking new recruits in hopes of rapidly growing their business.

“Previously ransomware gangs were groups of highly vetted criminals. But now they have significantly lowered the bar and are actively recruiting rookie cybercriminals who want to learn the ropes of ransomware, no experience necessary,” said Vitali Kremez, a cybercrime expert at Flashpoint, in an interview with Threatpost.

In one solicitation on the Russian dark web, Flashpoint stumbled upon an ad that starts out, “Good day, This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path.” The short advertisement promises no gimmicks, no upfront costs and instead a steady stream of income. And if you don’t have any previous experience, “It is not a problem… You will receive detailed instructions on how and what to do – even a schoolboy could do it; you need only time and desire,” read the ad.

Kremez said that old-school ransomware bosses are targeting younger, hipper and junior cybercriminals adept at luring victims via social media platforms, dating apps and file sharing networks, but don’t know how to pull off a soup-to-nuts ransomware attack. Recruits earn about $600 a month for trolling the Internet and infecting victims with their crime boss’s ransomware.

Typically one ransomware boss works with 10 affiliates, according to Flashpoint. Average payout per infected computer is $300 against 30 ransomware payouts a month. The split is 60 percent of proceeds to the crime boss and 40 percent to affiliates. Victims are typically based in the US or other Western, English-speaking countries.

“Our findings dispute the common perceptions of cybercriminals as being larger-than-life, smart, well off, unreachable, undoxable, and unstoppable,” Flashpoint researchers wrote its report.

By comparison these ransomware campaigns are similar to other ransomware-as-a-service initiatives such as GinX and Ranstone. Typically the ransomware does not rely on a command-and-control backend. Instead, Russian ransomware affiliates researched by Flashpoint, used custom ransomware that encrypts the files and drops a text file containing an email address that the victim needs to reach out to obtain a decryption key to retrieve the encrypted data.

But Kremez said he was surprised to discover a morality or code of conduct shared among ransomware criminals. For starters, that honor among thieves began with an affiliate having to put faith in the crime boss to deliver payments based on how many of his ransomware infections were successfully installed.

“Notably however, this campaign relied on personal relationships between affiliates and the boss without a centralized command and control technical infrastructure,” noted researchers in their report.

However, ethically divided were Russian ransomware criminals when it came to whether to target hospitals. “While hospitals have become easy targets for cybercriminals who want to cripple critical systems in exchange for large payouts, we are seeing an internal debate among ransomware crime bosses,” Kremez said.

Flashpoint found a posting on a Russian cybercrime forum from a “reputable member” who wrote: “From the bottom of my heart I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with it [the malware].”

On the flipside, Flashpoint reported there were just as many ransomware criminals that identified hospitals as ripe targets. One hacker bragged in the same forum, “I compromised an entire clinic group recently by pulling RDP credentials out of cleartext while being on the guest wifi.”

Researchers say they have also spotted ransomware for sale called BitcoinBlackmailer marketed specifically for hackers targeting hospitals. The ransomware is a variant of the Jigsaw ransomware, according to Kremez.

The advertisement for BitcoinBlackmailer reads: “Hacker holds Hollywood Hospital to ransom for $3.6 million in Bitcoin in Ransomware Cyber Attack” What if you was that hacker? I bet he was just a 16 years old kid in the right place at the right time. Just like you are now.”

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.