Security vendor Flashpoint, which specialises in intelligence gathered from the Dark Web, has spent five months inside a Russian ransomware campaign. It has released the details in a report entitled “Inside an Organized Russian Ransomware Campaign”, which can be downloaded for free here.
The report shows how cybercriminals treat Ransomware as a Service (RaaS) as just another business and, in many ways, one that is run far better than some global companies. Each ransomware campaign tracks a set of key metrics, just like any business plan. Among those called out by the report are:
- Average salaries for those targeted
- Ransom amounts per US victim
- Average monthly ransomware payment
The report also discloses that the average ransomware boss earns around $90,000 per year, which is 13x the average salary in Russia. This is the sort of figure that will drive more and more criminals into cybercrime, especially as the chances of getting caught are so low compared to other crimes. Moreover, even when these cybercriminals are caught, very little of the proceeds of their crimes is ever recovered.
According to Vitali Kremez, Cybercrime Intelligence Analyst at Flashpoint: “Ransomware is clearly paying for Russian cybercriminals. As Ransomware as a Service campaigns become more widespread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks.
“Corporations and users are unfortunately faced with a commensurately greater challenge of effectively protecting their data and operations from being held ransom, with no guarantee that sending a ransom payment will result in return of the stolen data.”
Active recruitment for cybercriminals
Before starting a ransomware campaign, campaign bosses advertise for cybercriminals. They are looking for people willing to handle distribution of the ransomware through botnets and phishing campaigns. For those with little or no experience there is even on-the-job training available, a sort of cybercrime apprenticeship. At a time when legitimate companies continue to cut back on training, even security training, it seems that the criminal underworld understands the value of trained staff.
Good money IF you can get it
Everyone likes to be rewarded for their work, and this is no different. The rewards for getting involved in a ransomware campaign, even as a low-level worker, are good. Each worker gets 40% of the money paid by their victims. Flashpoint reports that the average number of infections per campaign is one per day and the average pay-out is $300 per victim. This means that the average ransomware boss is making $180 per victim while his workers are getting $120 per successful infection.
What is surprising is that Flashpoint says this particular boss, whose campaign it infiltrated, has been doing this for several years. Judging by the high level of ransomware infections reported across the security industry and the advice from law enforcement to pay up, the ransomware boss should be earning far more than this.
What is not clear from this report is how many workers were involved in this campaign and how long the campaign was designed to run. Most campaigns seem to be short-lived, lasting just a few months before a new target is chosen. That doesn’t mean old campaigns are closed down, but it does suggest that either there are a lot of ransomware bosses out there or that each boss is responsible for multiple campaigns.
As Flashpoint points out in the report’s conclusions, the barrier to getting involved with ransomware has been significantly lowered. At the same time, the success of ransomware claimed by other security vendors is not evident in the amount of money that Flashpoint saw flowing through the campaign it infiltrated. This raises the question of whether the scale of the attacks is being overestimated by security tool vendors in order to sell their products.
Perhaps the biggest takeaway from this is the value of staff training. While corporates constantly complain about the lack of qualified staff, they need to take a leaf out of the cybercriminals’ playbook. Untrained staff do not make you money. Invest in your staff and you will earn that money back many times over.