Flashpoint, a threat intelligence firm that studies the so-called ‘Deep and Dark Web’, has spent five months studying an organized Russian ransomware campaign. It concludes that ransomware is joining other cyber criminal activities by becoming a service – in this case, ‘ransomware-as-a-service’. This particular campaign uses the proven business affiliate model.
The worrying aspect is that the model lowers the entry barrier for would-be criminals. The Ransomware Boss recruits team members who need little more than script-kiddie abilities. A recruitment message quoted by Flashpoint starts, “This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path. No fees or advance payments from you are required, only a large and pure desire to make money in your free time.”
The message goes on to add that “some minimal” experience is desirable, but “if you have no experience, it is not a problem.” The job is effectively software distribution.
The Boss provides the recruited affiliates with the malware, and the affiliates infect as many targets as they can by whichever means they choose. They can do this directly, or hire one or more of the other available criminal services, such as a botnet or a spam run.
For his part, the Boss doesn’t specify or care how much ransom is demanded. “The Boss only provides the malware on a profit-share basis,” explains Andrei Barysevich, Director of Eastern European Research and Analysis. “He doesn’t care if the victim pays $200 or $2000 provided he gets his share. Every distributor sets custom parameters for each dissemination campaign.”
The ransomware in question does not rely on standard malware C&C servers. Rather, once an affiliate infects a target, the malware drops a note containing an email address and instructing the victim to contact the Boss for resolution. Once the ransom has been paid (in bitcoin), the Boss sends 40% of the revenue to the affiliate as his cut.
Flashpoint notes (PDF) that the campaign is similar to two other campaigns it has monitored: GinX and Ranstone. This one, however, is as yet unnamed. Vitali Kremez, Cybercrime Intelligence Analyst at Flashpoint, told SecurityWeek, “It is a private campaign ransomware/locker-type of malware. It has not yet been classified. The ransomware encrypts the files on the victim’s host and drops a text file containing an email address the victim needs to reach out to obtain a decryption key. In essence, this ransomware establishes email-response communications between victims and its campaign leader and walks victims through paying and restoring their data once it affects them.”
Flashpoint suggests that the Ransomware Boss is Russian. He speaks fluent Russian with basic use of English. Russian cybercriminals operating from within Russia generally take care not to infect people living within the Commonwealth of Independent States (CIS). It is not specifically known whether or how this Boss ensures this. However, Barysevich told SecurityWeek, “The Boss has access to full statistics of each infected machine, and in case he implicitly prohibited the attacks against the Commonwealth Of Independent States, the license could be revoked.”
This campaign is not – or at least, not yet – as profitable for the criminals as some of the other more publicized campaigns. During the observed period, the average monthly income for the affiliates was just $600. The Boss earned $7,500 per month. Although low in comparison to many media estimates of cybercrime profits, it nevertheless represents something like 13 times the average Russian income. And it has the potential for almost limitless growth.