The Importance of Cryptocurrency, RaaS, and the Extortion Ecosystem

Ransomware is a multi-billion-dollar industry, albeit a ruthless and illegal one that destroys organizations and devastates people.

Overview

The professionalism of ransomware groups, like it or not, has to be acknowledged in any approach that attempts to stop them. This page looks at the ransomware operator economy and the different services that have sprung up both to support ransomware and to defend against it.
As discussed on our "History of Ransomware" page, ransomware groups consider themselves professionals who are offering a valuable service to organizations that should've invested in security. On underground forums, ransomware groups often refer to themselves as “pen testers” looking to recruit other “pen testers.” (The phrase “pen testing,” short for “penetration testing,” is commonly used by legitimate security researchers for one type of research.) Part of the reason ransomware operators refer to access brokers as pen testers is that many underground forums ban the sale and advertising of ransomware, but even prior to the bans that was common terminology.
Of course, the truth is that these ransomware groups are nothing but crooks. But, without understanding how they see themselves, it’s difficult to address and deal with the ransomware problem.

Ransomware & Cryptocurrency

Periodically, conversation swells up around banning or regulating cryptocurrencies in the hope of stopping ransomware. Putting aside the objection that bans or external controls are unrealistic—because any law passed trying to ban cryptocurrency would likely fail spectacularly, even in very oppressive regimes—we can speculate about whether doing so would slow down ransomware attacks.

Ransomware existed prior to the advent of Bitcoin, and there were even successful campaigns that netted millions of dollars using MoneyPak, E-Gold, Western Union, and, of course, gift cards. In fact, some cybercriminals still rely on many of these same methods of collecting their ill-gotten gains. (How many grandparents have bought an iTunes or Amazon gift card to pay the “IRS” or “Sheriff’s Department”?) Despite the smaller dollar amount, these criminals still make millions of dollars a year operating out of call centers in India, Nigeria, and other places where law enforcement toward them is lax.
Ransomware was successful prior to the advent of cryptocurrency, though not nearly as successful as now. Other cybercriminals have found success using different forms of extortion payment. So could ransomware actors go back to these other forms of payment? Probably not.

Over the last few years, the size of ransom payments has ballooned exponentially. In 2020, Palo Alto reported that the average ransomware payment was $312,000, but in the first quarter of 2021 the average payment was $850,000. Those are just the averages; it’s not unusual to see ransom payments in the millions of dollars.
There are certainly arguments that the current success of ransomware isn't tied to cryptocurrency. While some argue that ransomware could be profitable, even without the availability of cryptocurrencies, much of the financial success seen by these threat actors is tied to the perceived anonymity and irreversibility of large ransom payments.

While even Bitcoin transactions can be partially reversed, as happened after the Colonial Pipeline ransomware attack, the advent of cryptocurrency has empowered threat actors to demand—and receive—significantly higher ransoms.
Food for thought

If We Can’t Regulate Cryptocurrency, Can We Regulate Cryptocurrency Exchanges?

There are also a lot of questions about whether cryptocurrency should be banned, because there are certainly benefits to a purely digital currency. If cryptocurrency cannot be banned or effectively regulated, what about cryptocurrency exchanges?

Eventually, even the most ardent supporter of cryptocurrency may have to trade in Bitcoin or Monero for cash. That’s where exchanges come in. Exchanges allow people to trade the digital currencies for other digital currencies or fiat currencies. Cryptocurrency users could, in theory, trade their cryptocurrency for a fiat currency without an exchange. For example, two people could meet in a dim garage after dark, one with a briefcase of fiat currency, and the other with a laptop and an Internet connection. The first person hands over the briefcase with cash, while the second person transfers the agreed-upon amount of cryptocurrency into the first person’s digital wallet.

Although this works and is sometimes done, it’s not really scalable, especially given the number of people who use cryptocurrency and the number of transactions that occur each day. It’s almost impossible for criminals who engage in ransomware attacks to conduct this kind of transaction, so cryptocurrency exchanges are a critical part of the ransomware ecosystem.

What would regulation of cryptocurrency exchanges look like? The most common answer is applying “know your customer” (KYC) laws to exchanges. This requires cryptocurrency exchanges to collect and verify information from clients looking to conduct transactions using the exchange’s services, similar to the requirements most banks have. Extending KYC to cryptocurrency exchanges could make it harder for ransomware gangs to accept cryptocurrency as ransom payments. Even if the ransomware groups were to figure out a way around that, it would also make it harder to launder ransom payments and more difficult to pay affiliates.

Of course, mandating a universal KYC requirement across all exchanges poses its own challenges. The United States, European Union, Japan, South Korea, and other countries can band together and mandate that cryptocurrency exchanges that want to operate in their countries follow KYC regulations, but there will always be exchanges that don’t comply and don’t care that they can’t do business in those countries (assuming those laws are even truly enforceable). Still, enforcing KYC laws would limit the number of exchanges ransomware actors could use to launder their money, which might make it easier for governments and private companies to more effectively track their transactions.

Ransomware Negotiators

What is a ransomware negotiator? Why use a ransomware negotiator? What role do ransomware negotiators play?
While there's a lot of focus on the cybercriminal activity that has sprung up in support of ransomware groups, new roles have also been created on the defensive side to help stop or recover from ransomware. The most notable is the ransomware negotiator.
Ransomware negotiators are called in when a victim has decided, for whatever reason, that they must pay the ransom. Negotiators are different from incident response (IR) firms, though some IR firms employ ransomware negotiators. Negotiators not only deal with the ransomware actors; they can often facilitate payment, especially for organizations that can’t quickly source hundreds of thousands or millions of dollars in cryptocurrency.
Though this is starting to change, many ransomware groups prefer working with some negotiators, as the ransomware operators see the negotiators as dispassionate and reasonable. There were concerns, at first, that some negotiators were simply taking advantage of victims and not helping in any way, but as the industry has matured, the unethical ransomware negotiators have been more or less weeded out.
Ransomware negotiators provide a valuable service and help ransomware victims, especially smaller ones, navigate the whole ransomware process, not just the ransom payment. They can be critical to ensuring ransomware victims come out of an attack as quickly and with as much of their data as possible without violating any sanctions laws.

The Commoditization of Ransomware

Larger ransomware groups like Conti and LockBit continue to expand as they collect hundreds of millions of dollars in ransoms every year, while the number of smaller players continues to grow, along with the number of victims. The sheer scope of ransomware attacks has meant that several cottage industries have sprung up supporting ransomware operations. It’s still possible for one person to create and operate a ransomware variant by themselves, but that’s not the norm.

Ransomware operations usually involve contracting cybercriminals with specialized roles, as shown in the diagram below. Most of these roles have nothing to do with launching ransomware attacks. They’re involved in development, gaining initial access, processing the ransoms paid, and even handling negotiations. While many of these people are more like independent contractors, some of these ransomware groups are large enough to maintain a small cadre of workers on their “payroll” and consider them employees.

Initial Access Brokers

Recorded Future estimates that there were 65,000 hands-on-keyboard ransomware attacks in 2020. That’s simply too many victims for even the extensive network of actors and their affiliates to gain access to, steal files from, and deploy ransomware on them. That’s why Initial Access Brokers (IABs) have seen such meteoric growth on underground forums over the past couple of years.

The role of the IAB is to scan the Internet for vulnerable systems. How they do that is discussed elsewhere on this site. Some IABs specialize in credential stuffing, where the attacker attempts to log in with common username/password combinations using brute force in rapid succession, while others focus on credential reuse, where an attacker finds username/password combinations on underground markets and attempts to use them on a target. The IAB’s role in a ransomware attack is to gain and maintain the initial foothold. They then sell the access to ransomware actors for an average price of $5,400. Ads for IABs, like the screenshot below, appear all over underground forums, often using the euphemism “pen tester.” By some estimates, credential-based attacks on exposed Remote Desktop Protocol (RDP) servers have overtaken phishing as the primary method of initial access by ransomware actors or IABs.
But RDP isn’t the only opening for attack. Many IABs specialize in exploiting other vulnerable systems, such as:
Pulse Secure VPN
Citrix
Fortinet VPN
SonicWall Secure Mobile Access
Palo Alto VPN
F5 VPN
Essentially, any publicly exposed system that will allow remote access and doesn't have the correct patches applied (or could potentially allow for credential reuse) is a target of IABs, and a potentially profitable one.
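To show how a defender can tell the two IAB access patterns described above apart in Windows RDP logon events, here is an added example; it is not code from the original page or its book. The sample events, the baseline set of known-good source addresses and the thresholds are all constructed for illustration.

```python
"""
Distinguish credential stuffing from credential reuse in RDP logon events.

Credential stuffing, as described on this page: many failed logons in rapid
succession from one source, usually against many accounts, sometimes ending
in a success.  Credential reuse: a success from a never-before-seen source
with little or no preceding failure, because the attacker already holds a
working username/password pair bought on an underground market.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log IDs: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 (RemoteInteractive) marks RDP; the events below are assumed
# to have been filtered to LogonType 10 already.
FAILED, SUCCESS = 4625, 4624

# Constructed sample events (timestamp, event_id, account, source_ip). Not real logs.
SAMPLE_EVENTS = [
    ("2021-08-01T02:00:00", FAILED,  "administrator", "203.0.113.7"),
    ("2021-08-01T02:00:04", FAILED,  "admin",         "203.0.113.7"),
    ("2021-08-01T02:00:09", FAILED,  "backup",        "203.0.113.7"),
    ("2021-08-01T02:00:13", FAILED,  "scanner",       "203.0.113.7"),
    ("2021-08-01T02:00:18", FAILED,  "svc_sql",       "203.0.113.7"),
    ("2021-08-01T02:00:22", FAILED,  "jsmith",        "203.0.113.7"),
    ("2021-08-01T02:00:27", SUCCESS, "jsmith",        "203.0.113.7"),
    # credential reuse: first-seen source, no failures, straight in at 03:15
    ("2021-08-01T03:15:00", SUCCESS, "mlee",          "198.51.100.44"),
    # benign: known office egress, one mistyped password then success
    ("2021-08-01T08:59:50", FAILED,  "mlee",          "192.0.2.10"),
    ("2021-08-01T09:00:01", SUCCESS, "mlee",          "192.0.2.10"),
]

# Constructed baseline: sources that have legitimately logged on before.
KNOWN_SOURCES = {"192.0.2.10"}


def parse(ev):
    t, eid, user, src = ev
    return datetime.fromisoformat(t), eid, user, src


def detect(events, known_sources, fail_threshold=5,
           window=timedelta(minutes=2), reuse_max_failures=1):
    """Return alert tuples in event order:
       ("stuffing", src, failures_in_window, distinct_accounts)
       ("stuffing_success", src, user, total_failures_from_src)
       ("reuse", src, user, total_failures_from_src)"""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> (time, user) inside window
    total_failures = defaultdict(int)      # src -> failures seen so far
    flagged = set()                        # sources already reported as stuffing
    for t, eid, user, src in sorted(map(parse, events)):
        q = recent_failures[src]
        while q and t - q[0][0] > window:  # slide the window forward
            q.popleft()
        if eid == FAILED:
            q.append((t, user))
            total_failures[src] += 1
            if len(q) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("stuffing", src, len(q), len({u for _, u in q})))
        elif eid == SUCCESS:
            if src in flagged:
                # a success after a burst of failures is the stuffing payoff
                alerts.append(("stuffing_success", src, user, total_failures[src]))
            elif src not in known_sources and total_failures[src] <= reuse_max_failures:
                # new source, worked (almost) first time: reuse of known-good creds
                alerts.append(("reuse", src, user, total_failures[src]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(alert)
```

The stuffing rule keys on the burst of failures against many accounts; the reuse rule keys on a success from an unfamiliar source with no burst, which is why a baseline of known sources is needed to keep ordinary typos from triggering it.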
[Screenshot: Ransomware actor (Conti) recruiting “pen testers” on an underground forum. The original ad is in Russian; a rough English translation accompanies it.]
Some IABs operate independently. Others work as contractors for specific ransomware groups, getting a guaranteed price for each network they infiltrate and turn over to the group. The ransomware groups often lure IABs into contract work by promising them bigger payoffs down the road. If the expected payoffs don’t happen, IABs may retaliate. One IAB dumped sensitive information about the ransomware group for the world to see.


Money Launderers

Money laundering is difficult for ransomware groups. In reality, laundering money has always been a challenge to pull off, but there's a difference between trying to move thousands of dollars versus millions of dollars at a time. Ransomware actors have gone from conducting a few simple transactions that hide their money to figuring out how to clean up millions of dollars in collected ransoms. When the money laundering arm of the Clop ransomware gang was arrested in June 2021, it was reported that they had successfully laundered more than $500 million in collected ransoms.

How do ransomware actors move so much money through cryptocurrency exchanges?
Ransomware attackers move most of the funds taken from their victims to mainstream exchanges, high-risk exchanges (meaning those with loose to non-existent compliance standards), and mixers. Several RaaS operators make a point of advertising their payment portal’s integration with mixing services as a feature to attract affiliate talent. Ransomware laundering activity is uniquely concentrated on a few platforms that move the majority of the funds. Through June 2021, 73% of all the funds controlled by ransomware actors were sent to just 83 deposit addresses. Just eight deposit addresses have moved more than $1 million worth of ransomware funds this year. Those eight deposit addresses are also moving an additional half-billion dollars in funds connected with other types of illicit and licit activity.

Some of these exchanges are also home to over-the-counter (OTC) brokers who facilitate transactions. Ransomware groups may send the funds directly or hire professional launderers who do that for them. In 2020 Chainalysis Inc. identified 100 OTC brokers who appeared to specialize in moving money for cybercriminals. OTC brokers are individuals or companies that hold large amounts of cryptocurrency. When a trader wants to exchange cryptocurrency for another type of cryptocurrency or fiat currency anonymously, they can negotiate an agreed-upon price with an OTC, who will then handle the transaction. There are many legitimate OTCs with robust KYC requirements; however, there are others that don’t maintain such standards and are prime facilitators for criminals selling ill-gotten gains to parties looking to buy cryptocurrency at a discount without asking too many questions about where it came from. The OTC handles the exchange and the original trader is able to maintain their anonymity.
Laundering ransomware payments is an important part of any ransomware operation, especially as ransom payments have routinely reached seven and eight figures. Some groups also employ advanced obfuscation techniques like “chain hopping,” a term used to describe converting one cryptocurrency into another to try to make investigators lose the trail. For example, after receiving a ransom payment in Bitcoin, a threat actor may move funds to an exchange and swap them for Monero or Ethereum. This may occur several times before cashing out, making the ransom harder to track. Having a good team of money launderers has been critical to allowing ransomware groups to grow. However, laundering large sums of money attracts attention from law enforcement. It’s important to remember that, at the end of the day, for all their sophistication, ransomware groups are in it for the money. If law enforcement can make it harder for them to get and keep their money, they'll find other, more profitable criminal activities in which to engage.

Exploit Brokers

Researchers have known for a while that ransomware actors buy exploits. The practice really came to light with the Kaseya REvil ransomware attack. In that attack, REvil, or one of its affiliates, exploited a previously unknown vulnerability (commonly referred to as a zero-day vulnerability) against Kaseya’s Virtual System Administrator (VSA) software. Kaseya VSA is remote management software often used by managed service providers (MSPs) to remotely administer and protect their clients, especially smaller clients with limited IT or security staff.

The Kaseya attack highlights the increased interest ransomware groups have in targeting MSPs and the tools used by MSPs. In this case, Kaseya’s network was never compromised—the REvil affiliate used the vulnerability to exploit MSPs using Kaseya’s VSA tool. Even then, the affiliate didn't encrypt the MSP networks; instead the affiliate used its access to deploy the ransomware to the clients of the MSPs.

This attack scenario is increasingly popular with ransomware groups. For example, in 2019 TSM Consulting, an MSP in Texas, was compromised by a REvil affiliate. Similar to the Kaseya attack, the ransomware operator didn't encrypt TSM Consulting’s systems, but used TSM’s access to deploy ransomware to 23 towns and cities in Texas. The difference between previous attacks and the Kaseya attack is the addition of the zero-day to the attack.
Small and midsize businesses are particularly susceptible to this type of attack because these businesses generally don’t have large IT and security staffs (if they have any). They are dependent on the MSPs for most IT functions, so if the MSP is compromised these businesses have no secondary line of defense.

As of this writing, the Kaseya VSA attack is the most high-profile use of an exploit by a cybercriminal ransomware group. But ransomware groups regularly chain together exploits as part of their attack strategy. Typically, they target well-known vulnerabilities for exploitation, rather than zero-days. The known exploits still work because ransomware groups and IABs are counting on the slow patch cycle that many organizations maintain.

In her excellent book "This Is How They Tell Me the World Ends," journalist Nicole Perlroth details the growth of the exploit marketplace and the competition between nation-state actors to acquire zero-day vulnerabilities and exploit them. Because of the enormous sums of money ransomware groups have made over the last few years, especially with the rise of RaaS, they’re able to compete with many nation-state actors to acquire exploits.
Ransomware groups primarily rely on exploit brokers to produce exploits for well-known vulnerabilities, especially anything that allows the ransomware actors or their affiliates to gain administrative access to Windows systems. Similar to IABs, some exploit brokers are paid by the exploit while others are contracted to the ransomware groups.

Deep Dive: CISA Top Vulnerabilities

At the end of July 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released a report of the top exploited vulnerabilities. Of the top 12 exploited vulnerabilities, none had been disclosed in 2021 and only four had been disclosed in 2020.

The oldest in the top 12 was from 2017: CVE-2017-11882, a remote code execution (RCE) vulnerability in Microsoft Office. CVE-2017-11882 was disclosed in November 2017, making it three and a half years old at the time the report was released.

A lot of attention is paid to purchases of zero-day vulnerabilities by ransomware groups—and that’s a scary development—but the truth is that most of the time ransomware groups don’t need zero-days because there are plenty of unpatched systems waiting to be exploited.

The Rise of RaaS

RaaS has been a force multiplier for ransomware groups over the past few years. RaaS allows ransomware groups to go after dozens of targets simultaneously and greatly increase the money they make, to the tune of more than $350 million in 2020.

Big game hunting ransomware attacks are much more commonplace now than they were in 2016, but they're also more time-consuming than automated attacks. Because hands-on-keyboard attacks require direct execution by a ransomware operator, they often take days or weeks to complete (though some have been completed in a matter of hours). Ransomware actors operating alone can realistically complete one or maybe two of these attacks a week. Gaining administrative access, finding and exfiltrating files, getting access to the Domain Controller and deploying the ransomware takes time, even in heavily scripted operations. Contrast that number with the Conti ransomware gang, who, as of August 2021, regularly post 25 to 30 new victims to their extortion site. (Only a fraction of victims, somewhere between 10% and 30%, are publicized on extortion sites.)

To read more about the SamSam ransomware group and how they demonstrated that a more manual approach to ransomware attacks, commonly referred to as hands-on-keyboard attacks, could drive up ransom demands and make ransomware actors even more money, visit the "History of Ransomware" page. These hands-on-keyboard attacks targeting ever larger victims are often called "Big Game Hunting" attacks.

Unsuccessful hands-on-keyboard attacks represent an underexplored area. Although an estimated 65,000 successful hands-on-keyboard ransomware attacks took place worldwide in 2020, based on anecdotal reporting, most attempted attacks fail. This is an area of study that isn’t well-documented and hard to quantify. After all, if a Security Operation Center (SOC), security team, or automated system stops a ransomware attack in progress it doesn’t make the news, and no one is collecting statistics on ransomware group failures. Despite how bad the ransomware problem is, it could actually be a lot worse.

Multilevel Marketing for Bad Guys

RaaS is often advertised using the same methods as multilevel marketing (MLM) schemes (see the screenshot below). Though it's not a pyramid scheme in the truest sense, there are some similarities. RaaS operators refer to the criminals who subscribe to their service as “affiliates.” But the similarities don’t end there. Most RaaS offerings require an initial buy-in, after which affiliates pay for the service and the RaaS operator takes money off the top of each ransom paid. Some ransomware groups have even been known to pay affiliates who recruit new affiliates.

Advertisement for GandCrab RaaS offering from 2018

Like ads for MLM schemes, RaaS ads often tout the money that affiliates can make and post news articles showing the amounts that different victims paid. The ads cite the ransoms paid by these victims as a lure to attract new affiliates. RaaS operators maintain a brash and bold persona across underground forums, routinely hosting “hacking contests” offering prizes to those who come up with interesting proof of concept (PoC) exploit code. The difference between RaaS offerings and legal MLM schemes is that most of the affiliates actually make money.

Unfortunately, it works.

Despite all the bluster and frequent ridiculousness of RaaS ads, including YouTube videos, RaaS has been a very effective way of expanding the ability of ransomware actors to conduct multiple simultaneous attacks and collect increasing ransom payments from thousands of victims around the world.

Double, Triple, and Quadruple Extortion

Almost hand-in-hand with the growth of RaaS has been the expansion of the extortion ecosystem. As ransomware groups saw a drop in the number of victims willing to pay a ransom to decrypt their files, the attackers had to go to more extreme lengths to wrestle payment from their victims. As discussed on the "History of Ransomware" page, MAZE was the first ransomware group to create an extortion site for stolen files, but other groups quickly followed suit, to the point where it’s unusual for a ransomware group to lack an extortion site. The image below shows an example.
The Grief Ransomware extortion site—not only does it list victims and files, but it includes an incorrect interpretation of GDPR enforcement, as well as a slideshow about the cost of ransomware recovery

Ransomware extortion sites are used for more than just posting files. They also serve as a conduit for press and researchers to reach out to the ransomware group. Thus, many extortion sites have announcement sections where the ransomware group can post updates and “press releases.” These sites, despite being hosted on The Onion Router (TOR) anonymizing network, often serve as the public face of ransomware groups.

Extortion has become so important to ransomware that RaaS operators often include instructions about which systems affiliates should search once inside the network, so they retrieve the types of files that maximize the chances of getting the ransom paid.
Double extortion isn’t enough. Ransomware groups have expanded the extortion ecosystem in ways designed to maximize their chance of getting a ransom payment from victims. Ransomware actors have threatened to launch DDoS attacks against victims who refuse to pay, have used call centers to call customers of ransomware victims to try to get those customers to convince the victims to pay, and have even attempted to blackmail corporate executives. In addition, ransomware groups routinely try to find information about cyber insurance policies during the reconnaissance phase of the ransomware attack. Ransomware actors often cite these policies during negotiations.

Several ransomware groups have threatened to sell information about the ransomware attacks to stock markets or unscrupulous traders who could use the information to short victim companies’ stock.

And ransomware groups are just getting started. Paying a ransom continues to be frowned upon and, some have argued, should be illegal. As a result, ransomware groups have to go to greater lengths to convince organizations that not paying a ransom is going to be more expensive than paying the ransom and suffering the associated consequences.

In fact, in September 2021, several ransomware groups took these threats to the next level by threatening to delete the files and decryption key of any victim that called law enforcement or brought in a ransomware negotiator. The screenshot above shows a notice posted to the DoppelPaymer ransomware extortion site, threatening to do just that. DoppelPaymer is just one example of a ransomware group doing this, others include Grief, BlackMatter, and REvil.

Take Ransomware Seriously

Not only is Ransomware not going away any time soon, it's evolving to an ever more dangerous form of cybercrime that has to be taken seriously by organizations of all sizes. The diagram below summarizes the extortion mechanisms used by ransomware groups.

This site is adapted from a book on Ransomware. 