A Peek Inside the Underground Ransomware Economy

Threat hunters weigh in on the business of ransomware, the complex relationships between cybercriminals, and how they work together and hawk their wares on the Dark Web.

Author: Tara Seals

May 26, 2021 8:00 am

Ransomware is not just a type of malware – it’s also at the center of a sophisticated, flourishing underground economy that has all the conventions of legitimate commerce.

It’s a community made up of major malware developers, affiliates and channel partners, and those that provide adjacent services, such as selling network access. Operators even have their own publicity arms that put out press releases and maintain their “brands,” and they have customer-service operations.

Kaspersky researchers found that the general economy of ransomware is well-developed and complex, with “several actors supplying services to one another.” For instance, botmasters offer access to already-compromised devices; software developers improve the malware; and initial access brokers specialize in selling a way into victim networks, whether through backdoors they have planted or by exploiting security vulnerabilities in exposed services such as Remote Desktop Protocol (RDP).

“This access can be sold in an auction or as a fixed price, starting as low as $50,” Kaspersky researchers said, in a recent posting. “The attackers who create the initial compromise, more often than not, are either botnet owners who work on massive and wide-reaching campaigns and sell access to the victim machines in bulk, or hackers who are constantly on the lookout for publicly disclosed software vulnerabilities to exploit as soon as they are announced and before a patch is applied.”

RaaS Affiliates Are Carefully Vetted

Central to the scene is the practice of ransomware operators recruiting affiliates, to whom they provide ransomware-as-a-service (RaaS) offerings. Affiliates can be seen as the channel partners of the underground, responsible for distributing the ransomware to end victims. They usually pocket between 60 and 80 percent of each ransom, with the rest going into the operators’ and authors’ coffers.

“These gangs run like legitimate businesses: They have customer service and IT support, and will do what they can to boost their brand reputation,” according to experts at Intel 471, in a collaborative interview. “So, your most popular variants are those that result in higher payouts and take care of the criminal’s asks once they are brought into an affiliate program.”

RaaS operations carefully select their affiliate partners, with requirements ranging from demonstrated technical expertise to proof that the candidate has roots in Russia or the former Soviet states.

“Well-established ransomware gangs are known to be rather picky,” according to Intel 471. “The basic requirement for a candidate willing to enroll into any high-profile RaaS aff