How Russian cybercrime bosses crafted a ransomware empire out of an economic crisis

Russia is in dire economic straits.

Amid a crashing ruble and shaken markets due to global sanctions over Russian president Vladimir Putin's annexation of Crimea, wages have stagnated and many normal Russians have sought new and often less-than-moral methods of earning a living.

Ransomware as a Service (RaaS) has increasingly become one of these dubious and criminal methods. Ransomware, or software which locks data and operating systems while demanding often exorbitant payouts, has targeted more and more corporations and individuals despite all attempts by cybersecurity firms to stop its advance.

Over the past several months, new and unique variants of ransomware have made their debut. In March, the Russian ransomware software Petya was shown to encrypt entire hard drives rather than individual files. And days ago, Microsoft warned of self-reproducing ransomware which is able to move from one computer to another via flash drives and network drives.

A new report by data intelligence firm Flashpoint details an organized Russian ransomware campaign which has targeted thousands of Westerners and Western companies. The campaign, which has netted ringleaders exorbitant salaries - 13x the salary of the average Russian - has targeted thousands of systems across the Western world, from hospital data sets to the computers of unsuspecting end users.

According to Flashpoint, Russian ransomware bosses reached out to low level cyber-criminals on the deep web, offering lots of money for just a little work. The following message was distributed to forums and users across the deep web by members of the Russian digital underground:

Good day,

This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path. No fees or advance payments from you are required, only a large and pure desire to make money in your free time. I propose mutually beneficial cooperation in the sphere of distribution of my software. It is desirable, of course, that you have already had some minimal experience in this business. But if you have no experience, it is not a problem. In addition to the file, you will receive detailed instructions on how and what to do - even a schoolboy could do it; you need only time and desire. The scheme is simple, and tested and working 100%, revenue yields are decent. Thus, you are not risking anything in particular (money being the most important), and are getting valuable experience, and if you succeed - a good cash reward. At the same time, you do not need to bother looking or work ideas, encryption software, nor for receipts and processing of payments. Details - for all correspondence, write in this topic or personal message or Jabber.

After affiliates are targeted and agree to participate in the ransomware campaign, they can immediately begin distributing the software via several means, including botnet installs, email and social media spam, compromising dedicated servers, and distribution via torrent and file-sharing websites.

According to Flashpoint, the Russian ransomware campaign they uncovered does not utilize a command-and-control infrastructure. Rather, it utilizes custom ransomware that encrypts the files on the infected machine and drops a text file containing an email address that the victim needs to reach out to obtain a decryption key to retrieve the encrypted data.

Ransomware bosses handle the legwork of collecting the payments and decrypting the files, and as a result, keep roughly 60% of the ransom paid. In several cases, bosses skimmed off the top, refusing to unlock software and data until the victim paid an additional ransom directly to the boss.

Ransomware bosses collected payments via Bitcoins, then laundered the money and distributed 40% of the ransom to affiliates from an unattributable clean Bitcoin wallet.

According to Flashpoint, this ransomware campaign - and its Russian ringleader - has been active since at least 2012. Metrics collected on activity of the ransomware campaign showed motivation behind the campaign, as well as the most likely times individuals are targeted, which correlates to sleep/wake cycles and indicates the campaign's national origins.

“Ransomware is clearly paying for Russian cybercriminals. As Ransomware as a Service campaigns become more wide-spread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks,” said Vitali Kremez, Flashpoint's Cybercrime Intelligence Analyst. "As a result of their participation in such campaigns, low level Russian cybercriminals gained a fruitful understanding of the inner workings of ransomware campaigns. It is not particularly hard for newcomers to start spreading ransomware quickly and attack corporations and individuals."

But despite the common perception that these ransomware campaigns fund a lavish life of mink coats and summers in Sochi, such campaigns are borne out of economic distress, and provide only a slight respite from the harsh financial prospects of Russian life.

Flashpoint found that while the ransomware boss in this campaign earned 13x the salary of the average Russian, that figure only amounted to $90,000 a year, or around $7,500 a month.

And yet even here, there is honor among thieves.

For example, Eastern European cybercriminals are generally prohibited by an unwritten moral code of conduct from targeting other citizens of the Commonwealth of Independent States (CIS), an organization of former Soviet Socialist Republics which formed in the aftermath of the Soviet Union's collapse. This is due in part to lack of financial benefit from targeting members of developing nations, but also because it is more morally palatable to target a transcontinental audience.

Still, many members of Eastern Europe's underground cybercrime community on the deep web expressed discontent at some of the larger and more high-profile ransomware actions which targeted civil institutions.

When Hollywood Presbyterian Hospital in Los Angeles, California faced a ransomware attack in February, members of Russian cybercrime forums revealed their dismay at the target. According to Flashpoint's analysis of such forums, "Eastern European cybercriminals reacted coldly to the news of the attack against Hollywood Presbyterian which was regarded as a reckless and unacceptable move."

"With the exception of a handful of supporters, the general consensus within this segment of the underground was highly negative, condemning the unknown assailants."

One reputable, high-profile member of a Russian cybercrime forum spoke out against the incident:

"From the bottom of my heart I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with it," the user said.

"From the bottom of my heart I sincerely wish that the mothers of all ransomware distributors end up in the hospital"Other users showed immediate support, expressing similar dismay at the target of the attack.

"Dirt bags, the move is completely unethical. Do not touch hospitals!"

A 'notorious ransomware developer' also commented on the issue, saying he believes this attack means there will be more high-profile attacks in the future targeting similar institutions.

"I'm afraid it is [a pre-cursor to future operations]. They scored. It means everything was done properly."

On the deep web marketplace AlphaBay, users immediately flooded to talk pages to discuss the attack. One user took the news event as opportunity to sell his "easy-to-use" ransomware program.

"What if you was that hacker? I bet he was just a 16 years old kid in the right place at the right time. Just like you are now. The only things you need are a computer and the ability to follow clear instructions. If you can do that you will never have to worry about your finances again."

Flashpoint says their findings dispute the common perceptions of cybercriminals as being larger-than-life, smart, well off, unreachable, undoxable, and unstoppable. The study also reveals that ransomware is still an ethical dilemma for top-tier cybercriminals, at least until the right opportunity knocks.

Report a problem with article
Previous Story

Microsoft wants to log you in with your phone, body and wearables - just not a password

Next Story

Microsoft's SQL Server 2016 is now generally available

3 Comments - Add comment