According to the Kaspersky Lab’s telemetry, in 2016 more than 1,445,000 users (including businesses) around the globe were attacked by 54 thousand modifications of 60+ families of crypto ransomware.
Out of 62 new crypto ransomware families discovered by Kaspersky Lab researchers in 2016, at least 47 were developed by Russian-speaking cybercriminals.
An analysis of the Russian-speaking ransomware underground, conducted by the company’s researchers, showed that the increase in crypto ransomware attacks observed in recent years is the result of a very flexible and user-friendly underground ecosystem, allowing criminals to launch crypto ransomware attack campaigns with almost any level of computer skills and financial resources.
In addition to this, crypto ransomware attacks are easy to monetize, thanks to crypto currencies.
The players in the Russian crypto ransomware market
The researchers identified three levels of criminal involvement in the ransomware business:
- The creation and update of new ransomware families
- The development and support of affiliate programs distributing ransomware
- The participation in affiliate programs as a partner.
The first type of involvement requires a participant to have advanced code-writing skills. The cybercriminals who create new ransomware strains are the most privileged members of the ransomware underground world, as they are the ones who create the key element of the whole ecosystem.
On the second level of the hierarchy, there are the developers of the affiliate programs. These are the criminal communities which – with the help of different additional tools, like exploit kits and malicious spam – deliver the ransomware issued by the malware creators.
The partners of affiliate programs are on the lowest level of the whole system. Utilizing different techniques, they help the owners of affiliate programs to distribute the malware in exchange for a share of the ransom received by owners of the program. Only intent, a readiness to conduct illegal actions, and a couple of bitcoins are required for participants of affiliate programs to enter this business.
The overall daily revenue of an affiliate program may reach tens or even hundreds of thousand dollars, of which around 60 percent stays in the criminals’ pockets as net profit.
“According to our observations, an elite partner generally earns 40-50 bitcoins per month. In one case we’ve seen clues that an especially lucky partner earned around 85 bitcoins in one month, which, according to the current bitcoin exchange rate, equals $85,000 dollars,” Anton Ivanov, security researcher at Kaspersky Lab, noted.
During their research into the underground ecosystem and multiple incident response operations, Kaspersky Lab researchers were able to identify several large groups of Russian-speaking criminals specializing in crypto ransomware development and distribution.
These groups may unite tens of different partners, each with their own affiliate program, and the list of their targets includes not only ordinary internet users, but also small and medium-sized companies and even enterprises. Initially targeting Russian and CIS users and entities, these groups are now shifting their attention to companies located in other parts of the world.
The mechanics of these new attacks are also very different from previous ones: they are not relying on exploit kits of spear-phishing emails to spread the ransomware throughout the target enterprise. Instead, they hack servers, use open source exploits and tools to spread to as many stations as possible, use RATs to establish persistence, study the network and identify the most important files, and then encrypt them with previously unseen ransomware.
“It is hard to say why so many ransomware families have a Russian-speaking origin. What is more important is that we’re now observing their development from small groups with limited capabilities to large criminal enterprises that have resources and the intent to attack more than just Russian targets,” said Ivanov.
“We’ve seen something similar with financial malware groups, like Lurk. They also started with massive attacks on online banking users, and then evolved into sophisticated groups capable of robbing large organizations, like banks.”