The Murky World of Ransomware Attacks and Evolving Business Models

January 25, 2024

In this article we cover:

  • Consequences for the Medibank Hacker
  • What is Ransomware?
  • Examples of ransomware attacks.
  • Who is responsible for these crimes?
  • The Job Market for hackers.
  • What’s it worth?
  • How to Prevent Ransomware
  • How to Report Ransomware (in Australia, UK and US)

Consequences for the Medibank Hacker

Australia’s Department of Foreign Affairs and Trading (DFAT) announced on 22nd January 2024 they would be applying their first Cyber sanction against Russian man, Aleksandr Ermakov, for his part in the disastrous Medibank Ransomware attack and data breach of 2022 which saw 9.7 million Australian personal records made available on the black market. Australia's entire population is only 26 million.

The Australian Minister for Foreign Affairs, the Hon Penny Wong said “The use of these powers sends a clear message – there are costs and consequences for targeting Australia and Australians."

Aleksandr joins DFAT’s illustrious list of over 9,000 individuals and entities around the world who Australia holds sanctions against. DFAT made it clear that Australians are not allowed to do business with Aleksandr including giving him any type of ransomware payment. Although many governments recommend that Ransomware not be paid, many have ransomware payment reporting functions so that treasury and law enforcement departments can try to keep a track of events and the billions of dollars being extorted from citizens from across the world.

What is Ransomware?

  • Ransomware is an umbrella term used to describe a class of malware attacks intended for digital extortion of money from the victims.  
  • Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption.
  • In some cases ransomware attacks have resulted in tens of millions of dollars being paid to criminal groups making the crime an attractive pay off for the criminals who often sit in different parts of the world, in far away countries where they are unlikely to be extradited to their victims country for punishment.

Examples of ransomware attacks

Fake Windows update while encrypting files.

Fantom Ransomware posed as a Windows Update and displayed a a fake Windows Update screen while encrypting your files.

Fantom Ransomware Encrypts your Files while pretending to be Windows Update

Open a Resume and Get the Skull of Death

Spear phishing emails are sent to company HR departments containing a Dropbox link to a supposed resume. The link goes to an executable file that once opened, crashes and reboots the computer. That's when victims see the skull and crossbones image with a message that the disk is encrypted. The only way to get your data back is by paying the ransom which starts at .0099 Bitcoin (around $400 USD), the demand doubles after one week.

Source - Knowbe4

Fake Homeland Security Accusations

The name of this US authority is exploited by cyber criminals simply to make their deceptive message appear authentic, and thus, to trick more unsuspecting PC users into paying the bogus fine. Accusations of watching pornography involving children, using or sharing copyrighted files, and using unlicensed software, are false and used to scare computer users into paying this fake fine.

Source - pcrisk

Multiple Groups Claiming Responsibility

In September 2023 RansomedVC claimed to Bleeping Computer that it had breached Sony's networks and stolen 260 GB of data during the attack that they are attempting to sell for $2.5 million. However, the matters have become murky, with another threat actor 'MajorNelson' also claiming responsibility for the attack, and refuting RansomedVC's claims.

BreachForums post leaking gigs of data purportedly belonging to Sony Source -  Bleeping Computer

Underground Tools for Sale

Ransomware and other malicious software can be purchased in black market forums. For example basic encryption software sells for US$10-20 and a secure server for as little at US$15-$250.  Add the 10-30 percent that the Ransomware-As-A-Service (RaaS) gang takes from any successful ransom pay-out that you can extort from your victims and you could have a sophisticated ransomware attack ready to deploy for as low as $50.

Research shows that pre-made phishing scams specifically designed to mimic well-known companies are [sold for as low as $2, configuration files for cracking passwords for $2, and malware for emptying Bitcoin wallets for $6.07]

There are also reports that for as little at USD $60 you can get a hacker to poison your AI data set which can open the floodgates to possibly divulging confidential data for extraction, writing malicious instructions, and providing biased content that could lead to user dissatisfaction or potential legal repercussions.

Who is responsible for these crimes?

Gangs with technical skills and the ability to run a business are responsible for many attacks.

It is also reported that certain states are likely to leaning to help so that groups create instability in certain regions while they maintain a safe level of plausible deniability.

Hacker gangs advertise for roles. Getting a job as a hacker does not require criminal background checks and some roles even offer sick leave and vacation time.

Some hacker gangs also have their own style of ethics. Take for example this ransomware screen for from the BlackMatter malware. They offer free decryption for companies in certain sectors. How nice of them!

BlackMatter's dedicated data leak site Source: Recorded Future

The RaaS Business Model

Ransomware developers provide a suite of services in either a subscription or affiliate based model.

For a Monthly subscription fee you can get access to DIY kits ranged US$0.50 to US$3000 with the median price of US$10.50 and/or enroll in a pay-per-use scheme that provide updates, new malicious versions, and other experimental features.

Affiliate models offer the same as a monthly fee model but with a percent of the profits going to the ransomware developer/operator. These partnerships also provide ransomware payloads and payment portal for the victims and additional services such as leak site hosting, decryption negotiation, payment pressure and cryptocurrency transactions.

Ransomware Affiliates run the show and typically purchase a range of underground services that enable ransomware.

Recovery Companies offer victims cyber extortion incident response services which often includes negotiating with the ransomware affiliates and getting the encryption keys required to unlock the victims data.

Inside a RaaS Organisations day-to-day business discussions

Following a leak of a well known ransomware gangs chat messages analysis was able to be undertaken of 160,000 chat messages.

Just like a typical technology company discussion threads cover a range of subjects and in some cases do not relate to malware or technical subjects at all.

You can see in the graph provided by the researches some roles focus almost wholly on customer service and problem solving while others spend a lot of time discussing task management and business matters.

Topic Distribution per Actor

What’s it worth?

The money criminals can get from deploying malicious software can be significant.

There are two ways of making money from ransomware:

  1. Get the victims to pay
  2. Sell the data

Given these are criminals with an obvious distaste for law abiding actions it would not be surprising if they tried to make money both ways from the same attack.

Chainanalysis states that Ransomware payments in 2023 surpassed the $1 billion mark,

Chainanalysis

The DarkSide attackers asked for a ransom of 75 bitcoin  , when they attacked Colonial Pipeline in 2021 which was worth approximately $4.4 million. The US Department of Justice was able to find the digital address of the wallet that the attackers used and got a court order to seize the bitcoin. The operation recovered 64 of the 75 bitcoin that Colonial Pipeline paid. At the time of the recovery, the 64 bitcoin were worth approximately $2.4 million.

Initially the REvil group demanded a payment of US$22.5 million, from JBS when they were attacked but negotiations between JBS and REvil seemed to bring that price down to $11 million, which was paid.

What criminals buy and sell personal data for depends on the type of information being sold and other market factors.

A hacked gmail account could be sold for $60 while a Pinterest account with 100 followers for $2. For stolen credit cards the amount paid can depend in the balance of the card with a $5000 balance getting $120 and a $1000 balance getting $60. Physical forged documents still reap higher prices than digital as the dark web index shows.

When compared with the potential jail time if caught, in some cases, the benefits appear to outweigh the consequences. Take for example Mikhail Vasiliev a Candadian/Russian dual national who in 2022 was charged by the District of New Jersey in the United States for his alleged participation in the LockBit global ransomware campaign. LockBit is a ransomware variant that first appeared around January 2020. Since first appearing, LockBit was been deployed against at least as many as 1,000 victims in the United States and around the world. LockBit members have made at least $100 million in ransom demands and have extracted tens of millions of dollars in actual ransom payments from their victims.  According to court documents, Vasiliev allegedly participated in the LockBit campaign. He is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. On February 9th 2024 he admitted guilt, was charged and is facing a maximum of only five years in prison. What is 5 years in prison worth to a person?

Data Exfiltration results in higher payments

A report published in 2024 analyses 452 ransomware attacks reported to the Dutch police and to an Incident Response company. The report states:

  • Criminals use data exfiltration to increase the willingness of victims to pay; and
  • Criminals change the ransom requested on victim characteristics.
Paying the Ransom

Of 452 ransomware attacks analysed:

Negotiations

  • The average ransom requested before negotiation was 1,029,320 euro (sd=3.0 million euro).
  • After negotiation the average ransom request is 578,956 euro (sd=1.9 million euro), a decrease of 44%.

Payments made

  • 130 victims negotiated
  • 119 victims paid the ransom (27.8%)
  • Of these, 78.5% victims paid after negotiations and 21.5% paid without negotiations.

From Extortion to Blackmail

A report published in 2021 identified four distinct fears of victims which might explain the increased willingness to pay:

  1. Incrimination (e.g. exposure to data protection authorities),
  2. Reputational damage/lost revenue (e.g. exposure of sensitive data which could cause loss of customers),
  3. Exposure of intellectual property, and
  4. Humiliation (e.g. exposing embarrassing information about customers or a particular employee in an executive role).

These fears increase the willingness to pay and give an incentive for criminals to perform data exfiltration, or pretend that data is exfiltrated.

How to prevent Ransomware

There are a lot of techniques the can be deployed to help protect your organisation from ransomware attacks. The most basic top-three include:

  • Back up your data regularly and keep backup copies of your files on a disconnected external drive or in a separate location. Having a backup means you will be able to restore your system and files even if your PC gets infected.
  • Be cautious: Don’t open suspicious e-mail attachments, stay away from murky websites, and don’t click on dubious online ads.
  • Use an Anti-Virus solution and make sure your operating systems, applications and browsers are up-to-date.
  • Set up DKIM and DMARC to prevent attackers from using your domain for phishing attacks.
  • Monitor and remediate all vulnerabilities exposing your business to threats.

How to Report to Ransomware

Australia

In Australia there are a number of different reporting channels to follow depending on what type of incident you have experienced.

Phishing Scam
  • If you have received a scam email or phone message but not fallen victim contact Scamwatch.
Ransomware Attack
Dealing with Cyber Criminals

United States

Phishing Scam
  • If you have received a scam email forward phishing emails to reportphishing@apwg.org (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies).
  • Report Fraud to the FTC.  The FTC wont resolve your individual report but your report is shared with more than 2,800 law enforcers.
Ransomware Attack

For Cyber security advice during a ransomware attack...

Report or Contact CISA.

For criminal investigations...

Report to FBI.

  1. If you have fallen victim to a Ransomware attack file a report with the Internet Crime Complaint Center. Crime reports are used for investigative and intelligence purposes. Rapid reporting can also help support the recovery of lost funds.
  2. If you are the victim of a network intrusion, data breach, or ransomware attack, contact your nearest FBI field office or report a tip to the FBI.

Contact local United States Secret Service field office.

Dealing with Cyber Criminals

United Kingdom

Phishing Scam
Ransomware Attack
Dealing with Cyber Criminals
  • If you suspect a ransomware payment has been made to a sanctioned individual / (Designated Person (DP), report this to The Office of Financial Sanctions Implementation (OFSI) as soon as possible. Where a ransomware payment to a DP has been facilitated by a third party (such as a financial institution or cryptoasset business), OFSI will generally consider as a mitigating factor for the third party, a prompt and full voluntary disclosure made to OFSI as soon as practicable.
Secure your business.

"assurance"

confidence or certainty in one's own abilities.

“The business has given us assurance that they have security in place to protect our information”

Our Difference

Established and lead by industry experts.

At the helm of our privately owned, global RegTech firm are industry experts who understand that security controls should never get in the way of business growth. We empower companies large and small to remain resilient against potential threats with easily accessible software solutions for implementing information security governance, risk or compliance measures.

We support businesses every step of the way.

We don't just throw a bunch of standards at you and let you try and figure it out! We have designed a thoughtful way of supporting all businesses consider, articulate and develop security controls that suit the needs of the organisation and provide clever reporting capability to allow insights and outcomes from security assessments to be leveraged by the business and shared with third parties.

Our customers are the heart of our company.

Our platform places customers at the heart of our design process, while providing access to expert knowledge. With simple navigation and tangible results, we guarantee that all data is securely encrypted at-rest and in transit with no exceptions – meeting international standards with annual security penetration testing and ISO 27001 Certification.