Flashpoint, the "global leader in Deep & Dark Web data and intelligence" has spent the past five months studying an organised Russian ransomware campaign. In the scenario being investigated, Flashpoint found the proliferation of "Ransomware as a Service" which enables affiliates to obtain ransomware from a crime boss and push it out to victims as they see fit.
A particularly common target has been the healthcare industry – an area that tends to be low on funds for technology and even lower on broad technical skills.
One Russian cybercrime forum member commented: "Dirt bags, the move is completely unethical. Do not touch hospitals!"
According to the research into one particular ransomware boss who had been active since at least 2012, there were between 10 and 15 affiliate partners who were actually performing the infections, although the contact with infected sites was handled by the boss alone.
Once payment was received in Bitcoin, the boss would make use of a variety of Bitcoin exchangers to launder the money; additionally, he would pay the affiliate from a separate "clean" wallet.
How was affiliate recruitment handled? The boss would simply post (relatively) openly in Deep Web Russian-language forums. One particular message, captured by Flashpoint, is reproduced below.
The message went like this:
This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path. No fees or advance payments from you are required, only a large and pure desire to make money in your free time.
I propose mutually beneficial cooperation in the sphere of distribution of my software.
It is desirable, of course, that you have already had some minimal experience in this business.
But if you have no experience, it is not a problem. In addition to the file, you will receive detailed instructions on how and what to do - even a schoolboy could do it; you need only time and desire. The scheme is simple, and tested and working 100%, revenue yields are decent.
So, what kind of money was this particular boss earning? Not so much as one might expect.
The report suggests that from an average of 30 payments per month (spread across 10-15 affiliates) and a typical US$300 payment, he was earning US$7500 per month, which is around 13 times the typical Russian monthly wage. The affiliates were earning US$600 – the average wage!
According to Vitali Kremez, cybercrime intelligence analyst at Flashpoint, "Ransomware is clearly paying for Russian cybercriminals. As Ransomware as a Service campaigns become more widespread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks."
Most of this ransomware avoids any form of command-and-control infrastructure, instead delivering payment and decryption instructions in a text file dropped alongside the infection. Thus payments outside of the typical $250-$500 range noted earlier must have been premeditated – there have been many reports of hospitals being asked for tens of thousands of dollars or more.
Is there no honour amongst thieves?