David Papp Blog

How the Ransomware World Works

One of the most prominent and fastest-growing problems in cybersecurity is ransomware. The reason is simple: it makes a lot of money, both for the black-hat developers and for the entire ecosystem of players who make up this economy.

For small and medium-sized businesses, and for individuals, to tackle this, it is key that we understand the scope and scale of the entire economy. The only way to do that is to look at the ecosystem: who is involved, the threats businesses face, and the financial footprint of ransomware.

Top Ransomware Syndicates Today

The first thing to understand about cybercriminals is who they are. We often label them as “gangs”, though the term fits only in the loosest sense. They are not nefarious coders typing away in dark warehouses on the edge of town or in back alleys.

They are more likely to be people working in business offices. Most ransomware brands belong to more complex organized-crime syndicates that run an entire business model.

In fact, it is more apt to see these individuals as business people. Their brand, dangerous as it is to everyone else, has the same worries as any other brand. They worry about their product, of course, but they also care about user experience and customer service.

Beyond that, ransomware operators are usually synonymous with the software variants they brand, sell, and deploy. Many have rebranded over the years or splintered from a main organization, but there are several big players in the market. Some examples are:

  • Conti/Ryuk/Wizard Spider
  • Maze/Egregor
  • LockBit
  • Cuba
  • DoppelPaymer/BitPaymer
  • Clop/TA505
  • PYSA/Mespinoza

As the economy expands, more groups continue to emerge day after day. They also function like small businesses in that many operate for a brief period, bubble up, go bust, and reorganize, changing the industry’s tides as it were.

The upside is that, for the same reason, any list of ransomware syndicates is quickly obsolete. As brands fluctuate year after year and month after month, only a small group actually sticks around.

How the Syndicates Work

At first glance, these operators can seem like single entities; however, a single look at the inner workings reveals a complex ecosystem of suppliers and providers behind the team.

The reality is that operators rely on a team that comprises the following:

  • Developers
  • Packer developers
  • Analysts
  • Access sellers
  • Botmasters
  • Negotiating agents
  • Operators
  • Affiliates
  • A laundering service (usually a cryptocurrency exchange)

The Workers

With a general sense of who is involved, now is a good time to explain what everyone does. But first: why haven’t these individuals been caught?

These large “gangs” are tough to apprehend because they are difficult to track down. Unlike David Levi’s phishing gang, which was investigated and prosecuted in 2005, it is harder or even impossible to get the same results using those same methods now.

Everything is decentralized at this point. The group does not have to operate from a single location; it can “meet up” somewhere on the dark web rather than somewhere physical. The other aspect is cryptocurrency. Once the ransom is paid, it is impossible to track, since these decentralized currencies are all about hiding one’s identity.

With that covered, who gets paid through these crypto transactions? What do the workers provide to the whole syndicate? Here is a rundown of the services:

  • Botmasters: create networks of infected computers, then sell access to syndicates.
  • Access sellers: exploit vulnerabilities to gain a foothold on servers before the vulnerabilities are fixed, then advertise and sell that access to syndicates.
  • Operators: carry out the attack using the work of botmasters or access sellers. They also have software, purchased or developed in-house. Depending on how sophisticated the organization is, operators may hire other people to cover customer service, IT support, marketing, and more.
  • Developers: write the ransomware software and sell it for a cut.
  • Packer developers: add layers to the software that give it extra protection and make it tougher to detect.
  • Analysts: look at the financial health of the target to advise what ransom amount would be ideal to demand.
  • Affiliates: buy the service from operators/developers and get a cut of the ransom.
  • Negotiating agents: interact with victims.
  • Laundering services: platforms that convert cryptocurrency to fiat currency on exchanges, or any service that turns ransom payments into a usable asset.

A Look on the Victim Side

While there is a lot going on on the operators’ side, there is a lot happening on the victim side as well. Not every victim simply pays the ransom immediately; in most cases other people are involved in the process.

Looking at small businesses, the players on the victim side that typically get involved are:

  • Incident response firms: consultants who help with response and recovery.
  • Ransomware brokers: negotiate and handle payment on the victim’s behalf.
  • Insurance providers: cover damages in the event of cyber attacks.
  • Legal counsel: manage the relationship between everyone else while advising on the ransom payment decision.

While these players help the victim recover, it is also to their own benefit that their services be needed. In fact, when you think about it, ransomware attacks only make these businesses grow.

A victim gets hit with a ransomware attack and is asked to pay up. They then turn to these companies for help, who charge fees only to tell them in the end to pay the ransom anyway.

In the minds of these companies, it is better to pay now to minimize downtime, as losing access to files can cost more than the ransom. However, this depends on how much the ransom demand is and what your cash situation is. It is a big, sudden decision you need to weigh.

That whole cycle does not help, though, for two reasons:

  • Paying the ransom tells the operators and all the other players involved to keep doing what they are doing.
  • What if the decryption key you receive in exchange for your payment does not fix the problem? Colonial Pipeline suffered that fate when its gas pipeline was attacked and shut down. It paid $4.4 million for a decryption tool, only for its CEO Joseph Blount to testify that after a month they still had not fully recovered their files. In the end they went back to their backups anyway.

Ransomware as a Service (RaaS)

Looking at the roles above, the people who get the ball rolling are the operators and their affiliates. The affiliate model is one of the growing threats these days because selling ransomware as a service is very appealing.

Cybercrime syndicates have realized they can essentially license and sell the technology to affiliates, who then carry out their own campaigns. The syndicate, the affiliates, and the other entities each get a portion of the ransom.

Operators also monitor these programs on the dark web thoroughly to ensure individuals are not law enforcement posing as low-level criminals. Some of those techniques stem from asking key questions. The REvil syndicate once noted that they employ the following method:

“No doubt, in the FBI and other special services, there are people who speak Russian perfectly, but their level is certainly not the one native speakers have. Check these people by asking them questions about the history of Ukraine, Belarus, Kazakhstan or Russia, which cannot be googled. Authentic proverbs, expressions, etc.”

While the companies offering RaaS are not as notorious for their malware, the fact that amateur cybercriminals can effortlessly carry out attacks in this manner is concerning. Through these services, it is easy for these individuals to attack the easiest prey out there: small businesses that lack the resources to put any protection in place.

The upside is that, since RaaS attacks are not as sophisticated, they are much lower quality and can be picked up easily because they are widely distributed. As such, any top-rated anti-virus protection and detection software can pick up these kinds of ransomware attacks. Having these in place significantly increases your odds of catching the attacks.

The Financial Side

With RaaS on offer and more attacks occurring year after year, it is worth asking how much money these operations actually make. The answer is hard to pin down, as not every ransomware attack is reported.

That being said, we can still get some clear ideas through other means.

Chainalysis is a company that tracks transactions to blockchain addresses linked to ransomware attacks in order to estimate revenues. In its regular reporting, the company revealed a 311% increase in 2020, to close to $350 million. In May 2020, it found more addresses and revised the figure up to $406 million.

And they only expect the number to keep growing.

This makes sense when the entire process is funneled through the criminal market and used to pay for other criminal services or cashed out through cryptocurrency exchanges. The process goes like this:

  • Victim pays broker.
  • Broker converts the cash into crypto.
  • Broker pays ransomware operator in crypto.
  • Operator sends crypto to a laundering service.
  • Laundering service exchanges coins for fiat currency.

Some of these steps can also be skipped. For example, many ransomware syndicates ask their victims to pay in cryptocurrency from the start.

How to Better Protect Yourself from Ransomware

This is a current snapshot of the ransomware economy, but it is ever-changing, and it is important to stay aware of where attacks occur. It also helps to understand who you are up against.

Ransomware operators are not always single entities or low-level criminals. There is an entire system built behind them that they have access to, and many of them are highly sophisticated.

The idea of this article is not to instill fear, but to help you get a better understanding of what organizations are up against. It is key to take preventative measures to stop these attacks. The following are some good ideas:

  • Use two-factor authentication on your accounts.
  • Back up your computer regularly to cloud services and physical drives.
  • Change passwords regularly.
  • Install and update antivirus software.
  • Update apps and your computer whenever those options are available.
  • Review your insurance policy to ensure it covers cyber attacks, including ransomware, and check the amount of coverage.
  • And have more backups. Oh ya… did I mention backups! That is going to be key. Test your backups. Ensure you have backups that are immutable or disconnected. Ensure you are backing up everything. And then run more backups. Yes, that is what will save your organization. Seriously, the one takeaway you should have now is to go review your entire backup strategy.
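As an added example that is not part of the original post, here is a small POSIX shell restore drill that exercises the backup advice above: it archives a constructed set of files, records a SHA-256 manifest, makes the copy read-only as a stand-in for an immutable or disconnected backup, simulates losing the live data, and proves that the restore reproduces the originals. All directory names, file names and contents are assumptions constructed for the example; it needs only tar, sha256sum and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original post: a restore drill for the
# backup advice above. Every file and path is constructed under a temporary
# directory (mktemp -d), so it runs offline and needs only tar and sha256sum.
# DEST arguments must be absolute paths because the checks change directory.

# create_sample_data DIR: constructed stand-in for a small business's files.
create_sample_data() {
  mkdir -p "$1/finance" "$1/hr"
  printf 'invoice 1001, 250.00\n' > "$1/finance/invoices.csv"
  printf 'alice,engineering\n'   > "$1/hr/staff.csv"
}

# make_backup SRC DEST: archive SRC into DEST.tar, write a SHA-256 manifest
# of every file to DEST.sha256, then make both read-only as a stand-in for
# an immutable (or disconnected) copy that live malware cannot rewrite.
make_backup() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2.sha256"
  tar -C "$1" -cf "$2.tar" .
  chmod 0444 "$2.tar" "$2.sha256"
}

# restore_backup DEST TARGET: extract DEST.tar into TARGET and check every
# file against the manifest. Returns 0 only if all hashes match.
restore_backup() {
  mkdir -p "$2"
  tar -C "$2" -xf "$1.tar" || return 1
  ( cd "$2" && sha256sum -c "$1.sha256" ) >/dev/null 2>&1
}

# verify_backup DEST: a throw-away restore test. Prints OK/FAIL and returns
# the result so it can be scheduled from cron and alerted on.
verify_backup() {
  scratch=$(mktemp -d)
  if restore_backup "$1" "$scratch"; then
    rm -rf "$scratch"; echo "OK: $1.tar restores and matches its manifest"; return 0
  fi
  rm -rf "$scratch"; echo "FAIL: $1.tar does not match its manifest"; return 1
}

# simulate_data_loss DIR: overwrite every live file with random bytes, a
# constructed stand-in for a working copy that is no longer usable.
simulate_data_loss() {
  find "$1" -type f -exec sh -c 'head -c 64 /dev/urandom > "$1"' _ {} \;
}

# run_drill WORK: the full exercise in an empty absolute directory WORK.
# Returns 0 only if the restore after data loss reproduces the original file.
run_drill() {
  create_sample_data "$1/live"
  make_backup "$1/live" "$1/backup-1"
  verify_backup "$1/backup-1" || return 1
  simulate_data_loss "$1/live"
  restore_backup "$1/backup-1" "$1/restored" || return 1
  [ "$(cat "$1/restored/hr/staff.csv")" = "alice,engineering" ]
}

run_drill "$(mktemp -d)" && echo "drill passed: backup restored after data loss"
```

Run it as-is to see the drill pass. In practice, point make_backup at real data on a schedule and run verify_backup from cron against the newest archive, alerting on a non-zero exit. The manifest is what turns “we have a backup” into “we have a backup that restores”: an archive that extracts but fails the hash check has silently captured corrupted data or been altered after the fact, and that is the case you want to discover during a drill, not during an incident.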

These will not prevent attacks from ever happening, but you will be in a much better position to deal with any issues that arise.