Jaff, one of the newest and fastest-rising ransomware strains, has been found to have links with a "refined" dark web marketplace that trades stolen credit card and other financial data. Both Jaff ransomware and the unnamed underground cybercrime marketplace share the same server space, according to security researchers. The ties between the malware and the dark web store hint at the way cybercriminals are evolving.
The dark web market tied to Jaff was found to provide access to "tens of thousands of compromised bank accounts, complete with details about their balance, location and attached email address". Researchers at Heimdal Security, who first discovered Jaff's association with the dark web store, said that the marketplace has a relatively low barrier for entry. In other words, unlike other high-profile and exclusive dark web communities, this particular marketplace allows low-level hackers entry.
"Banks from all over the world are listed, ranging from German financial institutions, to US and Australian ones. The highest volume of compromised records appears to originate from these countries: USA, Germany, France, Spain, Canada, Australia, Italy and New Zealand," Heimdal Security researcher Andra Zaharia said.
Server located in Russia
Researchers noted that Jaff ransomware and the dark web market's shared server is located in St Petersburg, Russia. This indicates that the ransomware developers as well as the administrators of the dark web store are likely Russian.
"As we know, a ransomware attack never stops at just encrypting data. It also harvests as much information as possible about the victim," Zaharia said. "By combining these informational assets, cyber criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment."
In other words, cybercriminals are evolving to ensure that they reap the maximum profits from attack campaigns. Researchers said that credit card data is one of the "hottest commodities" in the malware economy and that hackers are highly likely to target card data since they can turn it into "untraceable bitcoins".
"This discovery shows once more that cyber criminal operations focus on diversifying their assets and revenue channels so they can play an increasingly larger role in the malware economy," Zaharia said.