
Excerpts from The Ransomware Economy: Emergence and Innovation

October 26, 2017 / Rick McElroy, Sean Blanton

Carbon Black recently published an investigative report on the Dark Web marketplace for ransomware. This is an excerpt from that report, which you can find here. For more information about the rise of ransomware, and what you can do about it, check out the Future-Proof Your Ransomware Prevention webcast hosted by Scott Hanson, Senior Managing Consultant, Cyber Security and Investigations at Kroll.

Underground Ransomware Market: Emergence and Innovation

The 2,502% growth in the dark web ransomware economy has been aided by:

  • Bitcoin and Tor, which allow for pseudonymous activity.
  • The proliferation of service providers, which allow anyone to get into the business of ransomware.
  • A lack of fundamental security controls (backups, restoration testing, patching, visibility) and reliance on out-of-date prevention strategies.

While ransomware has existed for some time, the proliferation of Bitcoin and Tor has lowered the risk and driven down the barrier to entry for ransomware perpetrators. You no longer need to know how to anonymize your traffic or how to make and receive payments. These services already exist and can be purchased.

The availability of these services has allowed underground ransomware to hide effectively, making attribution and takedowns by law enforcement extremely difficult. If takedowns do happen, they happen over months or years of hard work.

Not only have the dark web marketplaces evolved to better support high-risk, low-trust transactions through escrow systems, but the requirement for ransoms to be paid over the Tor network has ensured there’s no centralized endpoint to investigate with traditional geo-based law enforcement approaches.

As a result of the maturity with these innovations, the underground ransomware economy is now an industry that resembles commercial software — complete with development, support, distribution, quality assurance and even help desks.

We should also consider consumers’ willingness to pay ransoms. In a recent Carbon Black survey, we asked participants if they would personally be willing to pay ransom money if their personal computer and files were encrypted by ransomware. 52% said “yes.”


The Underground Ransomware Economy and Supply Chain

Based on our research, the dark web ransomware market currently consists of the following tiers and players:

TIER 1: AUTHORS

Authors are responsible for:

  1. Creating new ransomware for sale
  2. Supplying advanced coding skills
  3. Providing training and support

Think of authors as the “weapons makers.” They never use what they create. They only sell their code. They also sell support or changes to the code.

Authors make money (sometimes $100,000+ per year, according to our research) by selling the ransomware code itself, selling a platform for authoring code (for others who don’t actually have coding skills), and/or teaching others to code.

Authors can sell the specialized components of ransomware in the supply chain (creation, distribution, encryption, payment, C2) or they can sell an entire kit to a buyer. These kits contain everything you need to build and customize your ransomware.

TIER 2: RANSOMWARE-AS-A-SERVICE (RaaS)

In some cases, ransomware authors will stand up ransomware-as-a-service (RaaS) platforms. In others, buyers will purchase the platform from an author and stand up their own service.

In this area, a ransomware author might decide to begin an “affiliate” program to earn money while minimizing risk.

An “affiliate” will look to utilize existing infrastructure to achieve speed to market, minimize and share risk amongst affiliates, and provide target lists.

Here’s how the process generally works:

  1. Distributors buy “shares” in a ransomware campaign. The revenue split is usually agreed upon at the beginning.
  2. The service owner embeds the split in their distribution servers. The distribution servers are then used to track the campaign (metrics, etc). In most cases, the revenue share favors the distributors because they do the distribution. The distributor takes on the most risk because they have to make changes to make the code less detectable and preventable.
  3. RaaS providers perform campaign tracking as a service, Bitcoin transaction monitoring and Bitcoin distribution.

Metrics from campaigns are used to make the next campaign more successful and profitable than the last one (e.g., deciding which country to target based on payment rates).

The service owners provide the necessary platforms and infrastructure to distributors.

Two types of programs exist. The first is the “trusted-and-verified” distributor model, where someone who knows you as a criminal vouches for you. Think of this as the premium model.

The standard model is open to anyone with a target list. (NOTE: Due to the success of ransomware-as-a-service, the third tier below is starting to collapse.)

TIER 3: DISTRIBUTORS

There is high profit but also high risk at this tier. Distributors are responsible for:

  1. Distributing ransomware themselves via spam campaigns, social engineering, targeted hacks or exploit kits.
  2. Leveraging ransomware-as-a-service. RaaS makes ransomware available to even novice criminals.
