The business of ransomware is booming, and some of the criminals running these operations have so much work and money on their hands that they’re building out affiliate networks to help them handle it all.
In their efforts to extort as many victims as possible with their malware, ransomware authors have been spreading their creations in a variety of ways. Most campaigns begin with phishing emails carrying malicious links or infected attachments, but many have now moved on to more efficient tactics such as drive-by downloads. This allows the attackers to infect as many people as possible with minimal effort.
With that same goal in mind, some ransomware crews, specifically in Russia, have adopted a model used by malware gangs for many years: the affiliate network. Many malware gangs include a clear division of labor comprising developers and engineers, affiliates, money mules, and other workers who all have a stake in the success of the operation. As in a traditional organized crime structure, the boss at the top gets his cut, no matter what’s happening further down the pyramid. Researchers at Flashpoint have come across ransomware groups employing this same model, to good effect.
“A new form of ransomware has been developed that is in effect ‘Ransomware as a Service’ (RaaS) that enables ‘affiliates’ to obtain a piece of ransomware from a crime boss and distribute it to victims as these affiliates wish,” a new report from Flashpoint says.
“As a result of their participation in such campaigns, low level Russian cybercriminals gained a fruitful understanding of the inner workings of ransomware campaigns. It is not particularly hard for newcomers to start spreading ransomware quickly and attack corporations and individuals.”
The installs are done through the methods we’ve come to expect: phishing emails, infected sites serving drive-by downloads, botnets, and dedicated malware distribution servers. The ransomware gang boss recruits a number of affiliates and provides them with the ransomware to infect victims. The affiliates choose and infect the victims, and the boss then makes the ransom demand. When the victims pay, as they usually do, and usually in Bitcoin, the boss gives each affiliate a percentage of the ransoms for which that affiliate was responsible. Simple and efficient.
“Upon receiving the Bitcoin payment from the victim, the crime boss launders the money via Bitcoin exchangers. To compensate his partners, the crime boss sends Bitcoins from an unattributable clean Bitcoin wallet. He then forwards the rest of his Bitcoins to a Bitcoin exchanger to hide his tracks,” the Flashpoint report says.
In the affiliate network that the researchers looked at, the boss of the ransomware gang is earning about $90,000 a year. That’s a very nice living, but it’s not exactly the avalanche of money that has been associated with some ransomware operations, such as CryptoLocker.
“Based on our coverage of the Deep & Dark Web, this particular ransomware crime boss has been active since at least 2012. His primary institutional targets have included corporations and individuals in various Western countries. Based on multiple indicators, it appears that the ransomware boss operates out of Russia,” the report says.
That’s one of many operations being run this way, and there are still plenty of others that are smaller in scale or sole proprietorships.