Ransomware operators and where to find them

No one is a stranger to the word ‘ransomware' anymore. As we continue to work from home, cybercriminals have been relentlessly attacking organisations and their attacks are just getting more and more complex by the day. To help organisations understand how ransomware ecosystems operate and how to fight it, Kaspersky researchers took a deeper look at ransomware gangs like REvil and Babuk and others to uncover a tonne of information.

Like any industry, the ransomware ecosystem comprises of many players that take on various roles. These gangs have a significant number of different actors – developers, botmasters, access sellers, ransomware operators – involved in most attacks, supplying services to each other through dark web marketplaces. These actors meet on specialised darknet forums and this is where you can find regularly updated ads offering services and partnerships.

Prominent big-game players in ransomware usually do not frequent such sites, however, as Kaspersky's research points out - well-known groups such as REvil that have increasingly targeted organizations in the past few quarters, use darknet forums to publicise their offers and news on a regular basis using affiliate programs. This publicising usually means a partnership between the ransomware group operator and the affiliate with the ransomware operator taking a profit share ranging from 20-40%, while the remaining 60-80% stays with the affiliate.

The selection process to pick such partners is finely tuned and there are ground rules set by the ransomware operators from the start. These include geographical restrictions and even political views. And on the other hand, ransomware victims are selected opportunistically.

As the people who infect organisations and the ones who actually operate ransomware are different groups, only formed for profit, the organisations infected most are often low-hanging fruit - essentially ones where the attackers were able to gain easier access to. both the groups working within the affiliate program and also independent operators could sell access to the breach to others, auction it or fix a deal, and prices start as low as $50 ( ₹3,663 approx).

Kaspersky states that these attackers, more often than not, are botnet owners who work on massive and wide-reaching campaigns and sell access to the victim machines in bulk, and access sellers on the lookout for publicly disclosed vulnerabilities in internet-facing software, such as VPN appliances or email gateways, which they can use to infiltrate organisations.

Ransomware forums are home to other types of offers too, Kaspersky states. Some ransomware operators sell malware samples and ransomware builders for anything from $300 to $4,000 ( ₹21,983 to ₹293,116 approx), others offer Ransomware-as-a-Service (the sale of ransomware with continued support from its developers), which can range from $120 per month to $1,900 ( ₹8,793 to ₹139,230 approx) per year packages.

“The ransomware ecosystem is a complex one with many interests at stake. It is a fluid market with many players, some quite opportunistic, some – very professional and advanced. They do not pick specific targets, they may go after any organization – an enterprise or a small business, as long as they can gain access to them. Moreover, their business is flourishing, it is not going away anytime soon,” said Dmitry Galov, security researcher at Kaspersky's Global Research and Analysis Team.

“The good news is that even rather simple security measures can drive the attackers away from organizations, so standard practices such as regular software updates and isolated backups do help and there is much more that organizations can do to secure themselves,” Galov added.

"Effective actions against the ransomware ecosystem can only be decided once its underpinnings are truly understood. With this report, we hope to shine a light on the way ransomware attacks are truly organized, so that the community can set up adequate countermeasures,” said Ivan Kwiatkowski, senior security researcher at Kaspersky's Global Research and Analysis Team.