Holding data hostage for money through ransomware campaigns is becoming an increasingly lucrative business for cybercriminals on the Dark Web, according to a report by cybersecurity intelligence firm Flashpoint. Following a five-month study of an organised ransomware operation out of Russia, the report examines how cybercriminals use ransomware as a service (RaaS) target and exploit their victims.
According to the Flashpoint report, released on 2 June, Russian "ransomware bosses" – hackers who organise and manage campaigns as well as hire affiliates to distribute ransomware samples – make an average 'salary' of about $90,000 per year, about 13 times the average current wage in Russia. Their hired affiliates who actually distribute the malware and infect victims' computers make about $600 per month.
After monitoring a Russian ransomware campaign since December 2015 Flashpoint analysts said they "were able to gain significant visibility into the tactics, techniques, and procedures" employed by the campaign boss.
The report says a ransomware boss first recruits affiliates by offering "lot of money via, shall we say, not a very righteous path" to newcomers. No previous hacking skills or experience is required for the 'job.'
The crime boss then hands out custom ransomware samples to the new recruits in his network, who then start trying to spread malware and infect victims' computers using email and social media phishing campaigns, malicious servers, botnets as well as dating, torrent and file-sharing websites.
Once the ransomware is successfully deployed and a victim's files are encrypted, the boss then communicates with the victim via email demanding a Bitcoin payment in exchange for a decryption key. However, not every victim agrees to cough up the ransom. Still, the crime boss does stand to rake in more money depending on how many computers his affiliates have successfully compromised.
After the ransom payment is received, the boss launders the money through Bitcoin exchangers before paying his recruits from a clean Bitcoin wallet.
"Bitcoin is most often utilised because of its ability to partially obfuscate the true identity of the Bitcoin wallet owner ― making the tracking of transactions very difficult for law enforcement and security researchers," the report says.
There is also no guarantee that a victim will get his or her files back either, even if a payment has been made. The report notes that the boss monitored by Flashpoint did demand additional payments on at least one occasion before sending the victim a decryption key, even after he already received a ransom payment.
"Though the loss of data can be devastating, Flashpoint has observed that sending ransom payments does not always work," the report says. "In the case of this particular criminal enterprise, this group often prefers to collect payments without ever providing decrypting tools or methods for affected victims."
In an average month with about 30 ransom payments of about $300 each, a ransomware boss could stand to make $7,500. His affiliates receive about 40% of the collected ransoms.
"Ransomware is clearly paying for Russian cybercriminals," Flashpoint cybercrime intelligence analyst Vitali Kremez said in a statement. "As Ransomware as a Service campaigns become more widespread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks."
Although ransomware hackers do typically focus on regular people as opposed to corporations or government entities, the report does note that cybercriminals are gradually realising the potential of targeting hospitals and the healthcare industry that are more likely to pay up.
"With recent, highly publicised ransomware attacks on several hospitals and health networks resulting in large payouts to retrieve critical files, cybercriminals are clearly beginning to recognize that holding the data hostage is often more lucrative than simply stealing the data and selling it on the black market," the report says.
The firm also found "affiliate ransomware targeting hospitals and healthcare networks" advertised on the Deep and Dark Web market and forums. However, analysts note that the digital thieves who purchase such malware do use it across various industries beyond the health sector.
Flashpoint's report follows a slew of extortion attacks using ransomware against the healthcare industry this year, including Hollywood Presbyterian Medical Centre, MedStar Health, the Chino Valley Medical Centre and the Desert Valley Hospital.
It also showcases the rising threat of ransomware as a potentially profitable business model for both cybercrime bosses and newcomers whilst disrupting critical networks and infrastructure.