How ransomware runs the underground economy

The unwanted attention attracted by ransomware attacks recently have caused several of the top cybercrime forums to ban ransomware discussions and transactions on their platforms earlier this year. While some hoped this might have a significant impact on the ability of ransomware groups to organize themselves, the bans only pushed their activity further underground, making it harder for security researchers and companies to monitor it.

If anything, the attacks in the months that followed the forum bans then have been more potent and audacious than ever. The truth is that ransomware is the life blood of the cybercrime economy and it will take extraordinary measures to put an end to it. The groups coordinating the attacks are highly professionalized and in many ways resemble modern corporate structures with development teams, sales and PR departments, external contractors and service providers that all get a cut from the illegal proceeds. They even use business lingo in their communications with victims, referring to them as clients who buy their data decryption services.

“The way I describe it is: You have the business world that we all know. The criminals have a parallel one that’s like the Upside Down from Stranger Things. It’s the exact same world, only darker and twisted,” Steve Ragan, security researcher at Akamai, tells CSO.

An underground economy relying on ransomware

By looking at what’s involved in ransomware operations and how the groups are organized, it’s easy to see that ransomware is at the center of the cybercrime economy. Ransomware groups employ people who:

• Write file-encryption programs (the development team)
• Set up and maintain the payment and leak sites, and the communication channels (the IT infrastructure team)
• Advertise the ransomware service on forums (the sales team)
• Communicate with journalists and post messages on Twitter and announcements on their blogs (the PR and social media team)
• Negotiate the ransom payments (the customer support team)
• Perform the manual hacking and lateral movement on victims’ networks to deploy the ransomware program for a part of the profit (external contractors known as affiliates or penetration testers)

The affiliates often buy access into networks from other cybercriminals who already compromised systems with Trojan programs or botnets or through stolen credentials. These third parties are known as network access brokers. Affiliates might also buy data dumps that contain stolen account information or internal information that could help with target reconnaissance. Spam email services and bulletproof hosting are also often used by ransomware gangs.

In other words, a lot of parties are in the cybercrime ecosystem that directly or indirectly earn money thanks to ransomware. So, it’s not unusual for these groups to become more professional and operate similar to companies with investors, managers, product marketing, customer support, job offerings, partnerships and so on. It’s a trend that has been slowly building up over the years.

“The cybercrime underground has become essentially an economy unto itself where you have service providers, product creators, financiers, infrastructure providers,” Brandon Hoffman, CISO of security firm Intel 471, tells CSO. “It’s an economy just like ours where you have all these suppliers and buyers of different things. Just like in our free market economy, as you have all these different types of service providers and product providers available it’s natural for them to start to come together and build a business together to offer a package of services and goods, just like we do here in the standard economy. So, I 100% agree that it is going that way. It’s just really hard for us to prove it.”

“We’ve known for years that criminals have a software development lifecycle just like the rest of us,” Ragan says. “They have marketing, PR, middle management. They have people responsible for lower-level criminals who report to bigger-level criminals. It’s not new. It’s just that more people are starting to hear it and are paying attention to the parallels.”

Ransomware groups adapt to market pressures

Ransomware attacks have crippled many hospitals, schools, public services, local and state government institutions and even police departments over the years, but the attack in early May on Colonial Pipeline, the largest pipeline system for refined oil products in the US, was a milestone.

The breach, attributed to a Russia-based ransomware group called DarkSide, forced the company to shut down its entire gasoline pipeline system for the first time in its 57-year history to prevent the ransomware from spreading to critical control systems. This resulted in fuel shortages across the US East Coast. The incident received widespread attention in the media and in Washington as it highlighted the threat that ransomware poses to critical infrastructure, spurring debates on whether such attacks should be classified as a form of terrorism. 

Even the operators of DarkSide understood the seriousness of the situation and announced the introduction of “moderation” for its affiliates—the third-party contractors that actually do the hacking and deployment of the ransomware—claiming they want “to avoid social consequences in the future.” But the heat was already too much for the group’s service providers.

Only days after the attack, the administrator of XSS, one of the largest Russian-language cybercrime forums, announced the banning of all ransomware-related activities on the platform citing “too much PR” and heightening of law enforcement risks to “hazardous level,” according to a translation by cybercrime intelligence firm Flashpoint.

Other high-profile ransomware groups including REvil, immediately announced similar moderation policies for its affiliates prohibiting attacks on healthcare, educational and government institutions, in an attempt to control the PR damage. That too wasn’t enough. Two other big cybercrime forums, Exploit and Raid, soon followed with bans on ransomware activities.

In the aftermath, DarkSide announced that it was going to shut down its operations after also losing access to its blog, payment server, Bitcoin wallet and other public infrastructure it had, claiming its hosting provider responded only with “at the request of law enforcement agencies.” One month later, the FBI would announce that it managed to recover the $4.4 million in cryptocurrency that Colonial Pipeline was forced to pay the hackers to decrypt its systems and resume normal operations.

The banning of ransomware activities on the most popular cybercrime forums was a significant development because for many years these forums served as the primary place where ransomware groups recruited affiliates. These forums offer an easy means of public and private communication between cybercriminals and even provide money escrow services for transactions where parties don’t know and trust each other.

The bans also affected, to some extent, the cybersecurity firms who monitor these forums to collect intelligence on threat actors and new threats. While most cybercrime researchers knew the forum bans would not stop ransomware operations overall, some did wonder what their next move would be. Would they migrate to less popular forums? Would they set up their own websites for advertising and communicating with affiliates? Would they move to real time chat programs like Jabber or Telegram?

“What that did was move those discussions to other private groups,” Ragan says. “They’re not going away. What they did was go out of the public spotlight. For the longest time, you could see their recruiting, their development, their discussions, what sort of features they were working on. Now that’s gone…. You’re not going to be able to predict a lot of changes. Unfortunately, that means you won’t know about new variants or a new function that got added until the first victim gets hit.”

According to Ondrej Krehel, the founder and CEO of incident response and digital forensics firm LIFARS, ransomware operations were not impacted by the forum bans because most of the actors involved in such activities were already communicating via private groups on Telegram and Threema that had existed for two or three years.

There was still some traction on the forums, as part of the marketing efforts, but if you really wanted to get something more concrete, you would have to be part of these groups already and some require paying a fraction of a Bitcoin with a wallet that has been associated with known criminal activities to prove yourself, Krehel tells CSO. “This rate of growth [of ransomware] will continue,” he says.

Cybercriminals quitting, or just evolving to different roles?

Every few months a high-profile ransomware group announces that it’s shutting down its operations. Last month it was Avaddon. Before that it was DarkSide. Before that it was Maze, and so on. Sometimes, when they decide to disband, these groups release their master keys which might help some victims who have not already paid a ransom or recovered their files from backups, but the criminals behind the groups don’t really disappear from the ecosystem or go to jail. They just move to other groups or change roles, for example from a manager of a successful ransomware operation to an investor.

Ragan compares this to traditional criminals using shell companies to funnel money and then, when the heat gets too high, disbanding them and moving on. “It’s almost exactly like that,” he says. “Again, that’s another parallel between the criminal world and what we see on our side of the little wall. They’re both criminal acts, but at the same time, organizations that aren’t thinking of cyber, they’re used to the concept of shell companies and how they can be used for nefarious means. Well, these brands that the ransomware and the malware groups use—same difference.”

According to Krehel, the lifespan of ransomware groups is usually around two years because they understand that after that time they’ll receive too much attention, especially if they’ve been very successful, and the best thing to do is to retire the group and create a new one. Maybe some members retire and become venture capitalists in other groups, but this shuffling of groups is more about generating confusion and making it harder for law enforcement to get all of the participants’ names, he says.

The ROI from ransomware is so good that career cybercriminals can’t afford not being involved in it. That’s why groups that have been associated with other forms of cybercrime, such as credit card theft or hacking into banks, have started either adopting ransomware as a revenue stream or collaborating with ransomware gangs.

“The groups have shifted and joined up with other groups and made alliances,” Ragan says. “Literally, if you were to parallel that similar to the real world it’s mergers and acquisitions. They might think they obtained talent from other groups who joined them and now they’re developing their own ransomware, or they get their affiliate programs and merge it into one.”

“It’s quite clear that some of these ‘new strains’ are likely stemming from ‘old’ groups,” says Hoffman. “Maze, Egregor, REvil, all these guys, they splinter off and they create other things like AstraLocker and LV and all these new ones that are coming out. They’re not all related but there’s a lot of association between new groups and old groups.”

Some of the new groups might also serve the purpose of recruiting new people into the business and giving them a platform where they can gain experience. When the group has served its goal and lived its life, some of its affiliates will move on to more established groups.

“There is an ecosystem for criminals for hire, who do have a good criminal record, who conducted good offensive missions and they didn’t get arrested,” Krehel says. “Those people are now more expensive and their expertise has been added to their criminal CV and are trusted by criminal rings. It also seems to be the case that members are often changing groups. It’s almost like you look at Google and Facebook, or some large companies where people are switching jobs. So, there’s this constant job switch.”

Offensive actions might be needed

Cybercriminals are not going to give up on ransomware easily because it’s too profitable and many of them live in Russia or former Soviet Union countries where the likelihood of getting arrested for extorting money from Western organizations is low. Malware programs that originate in Russia or the Commonwealth of Independent States (CIS) often have had built-in checks that prevent their deployment on computers that use Russian or other languages from CIS countries. It’s an unwritten rule that malware creators and cybercriminals know: Don’t target local companies and you’ll be fine. Russia doesn’t extradite its citizens and given the current geopolitical climate between the country and the West, increased collaboration at the law enforcement level on cybercrime is not very likely.

Following another high-profile ransomware attack in July that impacted over a thousand companies from around the world, President Biden spoke with Russian President Vladimir Putin and declared himself optimistic about a collaboration on cyberattack issues, but he also hinted that the US is ready to attack servers used in ransomware attacks in retaliation. REvil, the group behind the attack, went silent shortly after, and Kaseya, the company whose software was hacked and was used to propagate the ransomware received the master decryption key from a source it didn’t disclose, but referred to as “a trusted third-party.”

If the diplomatic channels fail to produce results in the future and Russian law enforcement agencies don’t act domestically, a more offensive approach might be required to discourage these groups and stop attacks before they make a lot of victims.

“If a foreign government is targeting you [the ransomware gang], that’s it. There’s nothing you can do,” Ragan says. “You’re dealing with an adversary that has unlimited time and resources. They will get you. I don’t care how good you are. It’s a realistic fear that these criminals have and I think that is what’s causing the scurry. But here’s the problem: The mere mention of sanctions, policies and things like this, sent them scrambling, right? What happens if there’s no actual enforcement? What happens if these laws and policies come out, but they don’t have teeth? Then the criminals come back and they’ll come back stronger because now they know there’s no teeth and no enforcement.”

Hoffman sees an opportunity for the US to be more offensive in supporting businesses, noting that he’s not privy to the government’s domestic policy on offensive tactics. “Similar to other countries, the national infrastructure that’s used for nation-state purposes is not available to combat commercial crime, but in this case we may have to make it available to reduce some of the strain on the businesses here, to become offensive.”

Cybercriminals don’t want to fight the government versus a company that’s ill prepared. “So, if the full force of the national cyber infrastructure of the US comes to bear against the cybercrime world, which is exactly what the forum operators do not want, it could have a significant impact,” says Hoffman. “On the other hand, will that cause the ‘cyber war’ that’s been pending between US and Russia down the road and then Russia’s national cyber infrastructure will come to bear in a more apparent way against us? Maybe.”

If the US government was the one who hacked the people behind DarkSide, took their Bitcoins, destroyed that infrastructure and wrecked those computers, then that’s already pretty big, Krehel says. Imagine saying: We’ll fly over your house, we’re going to take every coin you have in the marketplace, we’re going to take your private keys, we’re going to destroy every server you ever touched, and we’re going to put you on the wall so that if you attack any other business going forward you’ll be a target for the rest of your life.