RANSOMWARE AS A SERVICE. Inside an Organized Russian Ransomware Campaign. By Vitali Kremez

Transcription

1 RANSOMWARE AS A SERVICE Inside an Organized Russian Ransomware Campaign By Vitali Kremez

2 Executive Summary In the course of monitoring an organized Russian ransomware campaign, Flashpoint analysts were able to gain significant visibility into the tactics, techniques, and procedures employed by a campaign boss operating a ransomware scheme out of Russia. As the Russian hacking community lowered the access requirements for unsophisticated Russian cybercriminals to engage in ransomware campaigns, corporations and individuals face a commensurately greater challenge of effectively protecting their data and operations from being held ransom. Recent threats powered by ransomware campaigns which have surfaced in the Deep & Dark Web appear to be specifically aimed at the healthcare industry. Cybercriminals consider this industry in particular to be a valuable target due to the treasure trove of personally identifiable information their systems house. While prior efforts focused on stealing and reselling the data, now criminals are turning to ransomware to hold the data hostage. 2

3 Introduction A new form of ransomware has been developed that is in effect Ransomware as a Service (RaaS) that enables "affiliates" to obtain a piece of ransomware from a crime boss and distribute it to victims as these affiliates wish. For example, a RaaS campaign such as Ranstone that targets Mac OSX users, utilizes a special type of malware designed to encrypt a computer s files using strong cypher algorithms. Its execution spurs the system-wide file encryption with a note urging an infected user to deposit a certain amount of money in a hacker s account in order to decrypt his or her files. As a result of their participation in such campaigns, low level Russian cybercriminals gained a fruitful understanding of the inner workings of ransomware campaigns. It is not particularly hard for newcomers to start spreading ransomware quickly and attack corporations and individuals via: 1. Botnet installs 2. and social media phishing campaigns 3. Compromised dedicated servers 4. File-sharing websites 3

4 Research Methods The purpose of this white paper is to provide the context around points of compromise, distribution, development, and the threat profile of one prolific Russian-organized ransomware campaign. The methodology of the study includes analysis of communications within larger cybercriminal communities and includes technical analysis of the ransomware sample. The timeframe of the study traces the campaign from December 2015 to the present. Recruitment for Ransomware Campaign The campaign boss organized a ransomware campaign designed to recruit low level cybercriminals without substantial coding skills to support the boss's scheme by reaching out to users in the Russian underground on the Deep Web: you will receive detailed instructions on how and what to do - even a schoolboy could do it; you need only time and desire. The scheme is simple, and tested and working 100%, revenue yields are decent. Thus, you are not risking anything in particular (money being the most important), and are getting valuable experience, and if you succeed - a good cash reward. At the same time, you do not need to bother looking for work ideas, encryption software, nor for receipts and processing of payments. Details - for all correspondence, write in this topic or personal message or Jabber. The apparent targets of this particular campaign are Western corporations and individuals. Good day, This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path. No fees or advance payments from you are required, only a large and pure desire to make money in your free time. I propose mutually beneficial cooperation in the sphere of distribution of my software. It is desirable, of course, that you have already had some minimal experience in this business. But if you have no experience, it is not a problem. In addition to the file, 4

5 Victim Identification & Propagation Methods Once the targets are identified, the ransomware can be distributed via several means, including: 1. Botnet installs (purchasing installs from other cybercriminals on cybercrime forums and loading ransomware on compromised systems) 2. and social media spam (employing spam botnets to distribute ransomware) 3. Compromised dedicated servers (bruteforcing and stealing credentials from botnet logs and installing ransomware on the system) 4. Dating, torrent, and other file-sharing websites (using joiners and other covert channels to mask ransomware as attractive content and uploading the malware on such websites) This particular ransomware campaign does not utilize a command-and-control infrastructure. Rather, it uses custom ransomware that encrypts the files on the infected machine and drops a text file containing an address that the victim needs to reach out to obtain a decryption key to retrieve the encrypted data. Ransomware Tactics, Techniques, & Procedures RANSOMWARE BOSS Hires Provides custom ransomware Compensates for each ransom (40%) AFFILIATE Boss Demands Ransom Distributes Ransomware INFECTED VICTIM 5

6 Ransom Scheme Scenario Once the low level criminals have deployed ransomware successfully, the boss will then do the rest of the work by communicating with the victims via , collecting and validating Bitcoin payments, issuing decryptors, and finally sending ransom payments to the affiliate. The boss keeps 60% of the collected ransoms and distributes the rest to his affiliates. On at least one occasion, the crime boss demanded additional payments even when a ransom payment had already been received, before providing a decryptor to the compromised victim. Money Flow Upon receiving the Bitcoin payment from the victim, the crime boss launders the money via Bitcoin exchangers. To compensate his partners, the crime boss sends Bitcoins from an unattributable clean Bitcoin wallet. He then forwards the rest of his Bitcoins to a Bitcoin exchanger to hide his tracks. Bitcoin is most often utilized because of its ability to partially obfuscate the true identity of the Bitcoin wallet owner making the tracking of transactions very difficult for law enforcement and security researchers. Adversary Profile Based on our coverage of the Deep & Dark Web, this particular ransomware crime boss has been active since at least His primary institutional targets have included corporations and individuals in various Western countries. Based on multiple indicators, it appears that the ransomware boss operates out of Russia. Motivation: Financial Gain Credibility: High Location: Russia Language(s): Russian (Native), English (limited proficiency) Sleep/Wake Cycle (GMT): Activity Ransomware Campaign Key Metrics: $7,500 $600 $ Low Ransomware Boss Average Monthly Salary (USD) Affiliate Average Monthly Salary (USD) Ransom Amount per US Victim (USD) Hour Avg. Monthly Ransom Payments Affiliate Partners Perceived Operation Risk by Ransomware Boss 6

7 Key Findings 1. From the ransomware affiliate perspective, such campaigns have significantly lowered the barriers for entry for low-tier Russian cybercriminals. 2. Ransomware revenue amounts are not as glamorous and fruitful as they are often publicly reported. Average ransomware crime bosses make only $90K per year on average. 3. Our findings dispute the common perceptions of cybercriminals as being larger-than-life, smart, well off, unreachable, undoxable, and unstoppable. 4. The report provides the complete payout structure and Bitcoin laundering operation related to the ransomware-as-a-service campaign. 7

8 Conclusion This ransomware campaign is similar to other Ransomware as a Service (RaaS) initiatives which Flashpoint has seen in the past under the names GinX and Ranstone. Notably however, this campaign relied on personal relationships between affiliates and the boss without a centralized command and control technical infrastructure. In fact, an affiliate has to rely on his own distribution method to determine how many of his ransomware infections have been installed while putting faith in the crime boss to deliver payments. As these campaigns become more wide-spread and accessible to low level Russian cybercriminals, such attacks may result in dire consequences for individuals and corporations not ready to deal with new waves of ransomware attacks. Though the loss of data can be devastating, Flashpoint has observed that sending ransom payments does not always work. In the case of this particular criminal enterprise, this group often prefers to collect payments without ever providing decrypting tools or methods for affected victims. 8

9 About Flashpoint Flashpoint helps companies and individuals understand the threats looming in the Deep & Dark Web in order to help mitigate and prevent both cyber and physical attacks. We provide data, tools, and expertise to security and intelligence teams across the Fortune 500 and government to help them both obtain actionable intelligence, as well as gain critical awareness of threatening actors and their relationships, behaviors, and networks prone to malicious activity. Contact web: Copyright 2016 Flashpoint, Inc, All rights reserved.