In recent years, headlines have been flooded with reports of cybercriminals arrested for orchestrating ransomware attacks and employing extortion tactics. Despite awareness and efforts to combat these threats, ransomware gangs continue to thrive, reaping profits from their activities. This begs the question: How are ransomware gangs as profitable as they are?
Lana: Are you ready for me Ralph?
Ransomware has undergone a dramatic evolution since its inception in the 1990s. Originally, it was largely a one-off endeavor, with cybercriminals conducting isolated attacks targeting individual users. However, as technology advanced and cyber defenses improved, ransomware tactics also evolved. Fast forward to the present day, ransomware has transformed into a sophisticated and lucrative business model, generating billions of dollars in illicit profits annually. Ransomware-as-a-service (RaaS) platforms give access to ransomware tools, allowing even those with limited technical expertise to launch attacks in exchange for a share of the ransom payments. This combination of technological advancements, economic incentives, recruitment tactics and offering support to victims has turned ransomware into a multi-billion-dollar industry, making it significant threat to individuals, businesses, and critical infrastructure worldwide.
Joels mother: Just use your best judgement, we trust you.
The rise of Ransomware-as-a-service (RaaS) platforms has democratized access to ransomware tools, allowing cybercriminals of varying skill levels to participate in extortion schemes. Raas provide everything from ransomware code to payment processing services, enabling affiliates to execute attacks in exchange for a percentage of the ransom proceeds. This model has lowered the barrier to entry for cybercrime, resulting in an influx of new actors entering the ransomware crime syndicate. RaaS platforms have revolutionized the ransomware business and actually reflect standard business practices and operations.
One such business practice is the support options that are available to victims. Ransomware groups have transformed their operations into sophisticated support services to their victims. These services extend beyond providing ransomware code and include technical assistance, customer support, and even negotiation services. Victims can access dedicated forums or communication channels such as TOX, where they can speak with support about any issue or issues they are facing. Some sites offer a detailed description on how to use their support system including the use of proper etiquette.
Another example is the mission statement of Ransomware groups. Despite their illicit nature, ransomware groups often display their mission statements through their actions and communications. While they may not articulate their objectives in formal documents or public declarations, their actions speak volumes about their goals and motivations. For instance, the targeting of specific industries or organizations can indicate a desire to maximize financial gain or exert influence over critical infrastructure. In essence, ransomware groups convey their mission through their actions.
Lana: This is a beautiful place, Ralph. Is it yours?
At its core, ransomware is a lucrative business venture for cybercriminals. The potential for high profits with relatively low risk has attracted individuals and organized groups alike to engage in ransomware operations. With the ability to target a wide range of victims, including individuals, businesses, and even critical infrastructure, the financial rewards can be substantial. “Joining the alliance advantage” option can gain you 90% of the payment. All that is needed is your Bitcoin wallet address as a payment method. They will pay you first and they will take their 10%…you may go to prison but that is the risk of success, I guess.
Just like the cybersecurity job market, cybercriminals are offering high salaries and assorted perks to attract the best for the job. Some job ads have annual salaries as much as $1.2 million for the most skilled cyber criminals. Other positions include attack specialists, reverse engineers, testers, analysts and administrators. In an article published by securelist.com “Just as any other business, cybercrime needs labor. New team members to participate in cyberattacks and other illegal activities are recruited right where the business is done – on the dark web. We reviewed job ads and resumes that were posted on 155 dark web forums from January 2020 through June 2022 and analyzed those containing information about a long-term engagement or a full-time job”. Below is an organizational chart workflow of how recruits would function.
“A total of roughly 200,000 employment-related ads were posted on the dark web forums during the period in question. The largest number of these, or 41% of the total, were posted in 2020. Posting activity peaked in March 2020, possibly caused by a pandemic-related income drop experienced by part of the population”.
Below are examples of Job postings resumes that ranged from a diverse group of individuals looking for various forms of work on the dark web.
Joel Goodson: Don’t steal anything. If I come back here and anything is missing, I’m going straight to the police. I mean it.
The transition to extortion in ransomware was a significant move in profitability for cybercriminals. While traditional ransomware attacks involved encrypting data and demanding payment for its release, extortion tactics expanded the scope of potential victims and increased the potential for higher payouts. By exfiltrating sensitive data before encrypting it, ransomware gangs gained leverage over victims, threatening to expose or sell the stolen information if ransom demands were not met. This approach proved to be more lucrative for several reasons. Firstly, victims faced the double threat of data loss and reputational damage, making them more likely to comply with ransom demands. Secondly, the value of stolen data could far exceed the ransom amount, especially for organizations storing valuable intellectual property or sensitive customer information.
The attack on Change Healthcare was an example out of many where Ransomware cybercriminals used extortion to turn more profit. According by cnbc.com “This development is likely to lead to more sophisticated and advanced extortion methods. For example, rather than relying solely on encrypting a company’s data for ransom, Eagan said she expects hackers will employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met.
With so much going on, Thakar said the cybersecurity landscape continues to be a cat and mouse game: “Companies come up with a better way to defend, the bad guys figure out another way to go after businesses.”
Joel Goodson: You know, Bill, there's one thing I learned in all my years. Sometimes you just gotta say, "What the f*ck, make your move."
When law enforcement agencies such as the FBI take down a website associated with ransomware operations, cybercriminals often execute their disaster recovery (DR) plans. These plans typically involve redundant infrastructure, decentralized communication channels, and backup mechanisms to ensure continuity of operations in the event of disruption. In response to takedowns, ransomware groups may leverage their networks and resources to quickly bring the website back online, either through alternative hosting providers, mirror sites, or through peer-to-peer communication protocols. Moreover, the takedown of a major website like Lockbit can serve as a rallying point for cybercriminal communities, prompting them to unite their efforts in restoring operations and retaliating against law enforcement actions. This coordinated response highlights the agility and adaptability of ransomware groups in the face of regulatory scrutiny and underscores the ongoing challenge of disrupting their illicit activities. According to techrepublic.com “LockBit is now running from backup servers and has a new Dark Web presence after their site's recent takedown by the FBI and international partners”.
In conclusion, the resilience and adaptability of ransomware gangs, coupled with their sophisticated business model and operational strategies, have solidified their status as highly profitable business of cybercrime. Their ability to communicate with other criminals and victims, coupled with their ability to restore operations swiftly following law enforcement takedowns, underscore the challenge to the world. Despite continuous efforts to combat ransomware, the nature of these operations, fueled by the potential for substantial financial gain and the anonymity afforded by cryptocurrencies, suggests that ransomware is a threat that is unlikely to disappear anytime soon. The Cybersecurity world will always be the phoenix rising from the ashes as ransomware gangs are the hydra remaining constant even when one head is removed…another takes its place.