Russian ransomware boss earns $90,000 per year

Although far too many users are still unaware that ransomware even exists, there is no doubt that it is currently one of the most popular ways for cyber crooks to “earn” money.

What sums are we talking about here?

A recent report by Deep & Dark Web intelligence outfit Flashpoint details one organized Russian ransomware campaign, and the guy at the top is pulling in an average monthly “salary” of $7,500 (that’s $90,000 per year).

This boss, whom the researchers believe to be Russian, and active since at least 2012, is not the only one getting paid for the effort.

His is a Ransomware-as-a-Service (RaaS) setup, and he’s been recruiting less technically savvy criminals to spread his ransomware for him. These affiliates might operate botnets, or know how to compromise servers and websites in order to spread malware, or know how to spread it via file-sharing sites, but are not knowledgeable enough to create ransomware on their own.

So, they become affiliates of this boss, and get 40 percent of the ransoms paid by the victims, i.e. an average of $600 per month. This particular operation functions with the help of 10-15 affiliates.


The boss keeps 60 percent of the total for his efforts, which includes communicating with the victims via email, collecting and validating Bitcoin payments, issuing decryptors, sending (part of the) ransom payments to the affiliates, and laundering the money via Bitcoin exchangers.

“On at least one occasion, the crime boss demanded additional payments even when a ransom payment had already been received, before providing a decryptor to the compromised victim,” the researchers found. I expect this additional haul was not shared with affiliates.

All things considered, ransomware revenue amounts are not as fruitful as often reported or imagined, the researchers noted. But if the amount that the boss pulls in does not seem large to you, try looking at it from the perspective of an average Russian person, who earns 13 times less.

Granted, the affiliate revenues are not that big, but consider the fact that their efforts are not time-intensive and that there is a very small chance they will ever be held accountable for what they do, and you can see why many choose to become affiliates.

Obviously, things are going to become worse before they become better – and not just for home users.

Ransomware attacks on hospitals

Flashpoint researchers have also been following discussions by cybercriminals on the topic of ransomware attacks on hospitals.

While many of the criminals expressed outrage about this, and apparently draw the line at attacks that may result in people not receiving medical care and possibly dying, the sad truth is that the ransom amounts asked from healthcare organizations are much larger than the ones requested from individual users, and this is enough for some to set aside their scruples.

In fact, one malware author is offering for sale BitcoinBlackmailer, a ransomware that he advertises as perfect for targeting hospitals, although it can also be used to target businesses in other industries.

Debates about the best ways to target healthcare organizations with ransomware are also going strong, and some crooks have been sharing their experiences.

“I compromised an entire clinic group recently by pulling RDP credentials out of cleartext while being on the guest wifi. Gained RDP access in off hours, escalated privlidges [sic], hit everything else on the network, got rootkits in their nice expensive printers, and even had to setup a dedicated server just to offload the huge amounts of data I was pulling,” one of them explained.

These attacks obviously require more skill and thought, but delivering ransomware via spammy, fake emails is also an option (and spreading it further is not that difficult).

Targeting the healthcare industry as a rich source of data is nothing new for cybercriminals, but will ransomware finally spur hospitals to improve security?

“Those who profit from selling patient data stolen from medical facilities are realizing that institutions may be willing to pay substantial ransoms worth much more than the value of the data itself on the black market in order to regain control over the functionality of critical systems and data. This reassessment of how to profit the most from the healthcare industry’s data could pose a substantial threat to hospitals and healthcare providers,” Flashpoint researchers noted.
