Prevent Ransomware and Protect Your Business
As the Russian hacking community has lowered the barrier to entry for unsophisticated Russian cybercriminals to run ransomware campaigns, corporations and individuals face a correspondingly greater challenge in protecting their data and operations from being held to ransom.
How does it work?
Ransomware is a specialized type of malware designed to encrypt a computer's files using strong cipher algorithms. Once executed, it encrypts files system-wide and displays a note urging the infected user to deposit a certain amount of money in the attacker's account in order to have his or her files decrypted.
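The two observable traits described above, files rewritten as strong-cipher output and a note demanding payment, are what a defender can look for on disk. The following Python script is an added example, not Flashpoint's tooling and not code from the page: it walks a directory, measures the Shannon entropy of each file (encrypted or compressed data sits near 8 bits per byte, ordinary documents far lower), looks for ransom-note wording, and flags the directory when many high-entropy files appear alongside a note. The marker phrases, thresholds, file names and the constructed sample tree are all assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed phrases; real notes vary, so require at least two of them to match.
RANSOM_NOTE_MARKERS = ("your files have been encrypted", "bitcoin", "decrypt")
ENTROPY_THRESHOLD = 7.5   # bits per byte; cipher output approaches 8.0
MIN_HIGH_ENTROPY_FILES = 5  # how many such files before we raise an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(data: bytes) -> bool:
    """True when the decoded text contains at least two marker phrases."""
    text = data.decode("utf-8", errors="ignore").lower()
    return sum(marker in text for marker in RANSOM_NOTE_MARKERS) >= 2


def scan_directory(root: Path, max_bytes: int = 65536) -> dict:
    """Classify every regular file under `root` by reading its first max_bytes."""
    high_entropy, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()[:max_bytes]
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if looks_like_ransom_note(data):
            notes.append(path)
        elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
            high_entropy.append(path)
    return {"high_entropy_files": high_entropy, "ransom_notes": notes}


def assess(root: Path) -> dict:
    """Raise `suspicious` only when both traits are present together,
    which keeps legitimately compressed archives from triggering alone."""
    result = scan_directory(root)
    result["suspicious"] = (
        len(result["high_entropy_files"]) >= MIN_HIGH_ENTROPY_FILES
        and len(result["ransom_notes"]) > 0
    )
    return result


def build_sample_tree(encrypted_count: int = 8, with_note: bool = True) -> Path:
    """Constructed test data: plaintext documents, plus optional files whose
    contents are random bytes (standing in for cipher output, no encryption
    is performed) and an optional note. Returns the temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="ransomware_demo_"))
    for i in range(10):
        (root / f"quarterly_report_{i}.txt").write_text(
            "Quarterly report: revenue, expenses and headcount by region.\n" * 40
        )
    for i in range(encrypted_count):
        # Assumed extension; random bytes simulate what an encrypted file looks like.
        (root / f"quarterly_report_{i}.txt.locked").write_bytes(os.urandom(4096))
    if with_note:
        (root / "README_DECRYPT.txt").write_text(
            "All your files have been encrypted.\n"
            "Send Bitcoin to the address below to receive the decrypt tool.\n"
        )
    return root


if __name__ == "__main__":
    verdict = assess(build_sample_tree())
    print("suspicious:", verdict["suspicious"])
    print("high-entropy files:", len(verdict["high_entropy_files"]))
    print("ransom notes:", [p.name for p in verdict["ransom_notes"]])
```

Entropy alone is a weak signal, since backups, archives and media files are also high-entropy; pairing it with the note and with a minimum file count is what turns it into a usable alert rather than a source of noise.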
How is it Spread
Ransomware is spread using a variety of techniques, including through software we use every day.
1. Botnet installs (purchasing installs from other cybercriminals on cybercrime forums and loading ransomware on compromised systems)
2. Email and social media spam (employing spam botnets to distribute ransomware)
3. Compromised dedicated servers (bruteforcing and stealing credentials from botnet logs and installing ransomware on the system)
4. Dating, torrent, and other file-sharing websites (using joiners and other covert channels to mask ransomware as attractive content and uploading the malware on such websites)
How Do They Benefit
Upon receiving the Bitcoin payment from the victim, the crime boss launders the money via Bitcoin exchangers. To compensate his partners, the crime boss sends Bitcoins from an unattributable clean Bitcoin wallet. He then forwards the rest of his Bitcoins to a Bitcoin exchanger to hide his tracks. Bitcoin is most often utilized because of its ability to partially obfuscate the true identity of the Bitcoin wallet owner―making the tracking of transactions very difficult for law enforcement and security researchers.
The Business Model
Once the low-level criminals have deployed ransomware successfully, the boss does the rest of the work: communicating with the victims via email, collecting and validating Bitcoin payments, issuing decryptors, and finally sending the affiliate's share of the ransom. The boss keeps 60% of the collected ransoms and distributes the rest to his affiliates. On at least one occasion, the crime boss demanded additional payments even after a ransom payment had already been received, before providing a decryptor to the compromised victim.
As these campaigns become more widespread and accessible to low-level Russian cybercriminals, such attacks may have dire consequences for individuals and corporations not ready to deal with new waves of ransomware attacks. Though the loss of data can be devastating, Flashpoint has observed that sending ransom payments does not always work. In the case of this particular criminal enterprise, the group often prefers to collect payments without ever providing decryption tools or methods to affected victims.