Monday, 26 April 2021 21:27

Crime does pay - how one hacker group rakes in millions from ransomware Featured

0
Shares
By

A cybersecurity researcher persuaded Ragnar Locker ransomware operators into thinking they were a cybercriminal and to offer a job. The researcher has released information on the gang’s payout structure, cash-out schemes, and target acquisition strategies providing a look behind the scenes into the real business of shadowy underground criminal syndicates - and the millions of dollars it brings in.

Ransomware is an increasing threat where malicious actors seek entry - often through phishing attempts - into a network, where they encrypt data and demand a ransom be paid to release the decryption key. It continues to happen because it works and it’s profitable. While there are organisations without good backups in place, and wherever there are people who unfortunately fall prey to ever more sophisticated phishing emails, there will always be ransomware.

In fact, ransomware is so profitable the ransomware groups can't even keep up with the opportunities and, as a CyberNews security researcher reports, are recruiting new members on hacker forums to solve their labour shortages. These forums are frequented by cybercriminals from wannabe to veteran status, but they are also visited by security researchers.

CyberNews reports their researcher encountered a recruitment ad alleging to be posted by a ransomware group offering a 70-80% cut of the profits of any successfully paid ransom. The researcher replied, purporting to be a Russian cybercriminal. They were invited to a private qTox chat room (a peer-to-peer chat room that runs over TOR) for a “job interview,” with people claiming to be running a ransomware affiliate operation for over a decade. The group turned out to be an affiliate of the REvil and Ragnar Locker cartels.

REvil gained infamy by using double-extortion; not only did the group ransom the decryption key to companies who had been locked out of their files, but they also threatened to sell or auction the stolen data for another ransom.

To prove the job posting was legitimate, and that the interviewers really had funds behind them, they deposited a million dollars of BitCoin into their forum wallet providing irrefutable evidence they had cash.

The interviewers didn't only want technically skilled and experienced operators; they demanded the potential partner be a native Russian speaker too. They explained they were a four-person team, and if the applicant aced the interview they would be team member five.

One interviewer stated the group's biggest ransom payout was $18m. Ragnar Locker took its 30% cut, and the group divided the remaining 70% among its team members, each receiving around $US 2.5m.

It's results like this that show why cybercriminals love ransomware. It works, and it works because it operates on human fallibility - both the inability to discern falsified and fraudulent emails and websites and the lack of security and disaster recovery processes in place in many organisations. The fact a company could afford to pay such a huge multi-million dollar ransom, and that this was the most effective way to get back to work when their files were encrypted, reflects poorly on organisations of all sizes.

The interviewers asked the cybercriminal imposter about their experience with Cobalt Strike, a threat emulation toolkit used legitimately to assess vulnerabilities. Of course, it’s also used by malicious actors to similarly explore weaponised exploits.

Following the technical conversation, the interview turned to money - how to receive the cryptocurrencies, and how to pay it out in a traditional currency.


The group claimed to have an insider contact at a cryptocurrency exchange who specialised in money anonymisation and would aid in cashing out, even possibly laundering future ransom payouts. The researcher was told to open an account on that exchange, to deposit ransom payouts there, and to convert them to USD in “small” instalments of a million US dollars at a time. Once done, the insider could then convert it to cash and deliver it anonymously for a 4% fee.

CyberNews states it believes the claims made to be credible.

The researcher appears to have been successful in their impersonation of a Russian cybercriminal and was asked to participate in attacks against several potential targets. CyberNews states its researcher cut off communication and declined to participate in any such illegal actions.

However, the researcher gleaned information about the group's attacks. Rather than mass-fire phishing emails and catching whoever they can, this specific group carefully selects targets, researching their financials, and understanding how disruptive an attack would be on their day-to-day operation. The threat actors begin their attacks on a Friday night, allowing them much of the weekend to operate with a lower probability of detection.

It's clear, despite the old adage, that crime does in fact pay. Millions, in fact. And while companies continue to operate insecurely, while humans are still involved, ransomware is not going away.

The ways to protect your organisation are still the same: ensure your data is robustly and securely backed up; block malicious websites and file types; keep software up-to-date; provide regular phishing training to staff; enable multi-factor authentication; practice zero-trust security; practice separation of duties; disable unnecessary administration accounts; and use hardware-based security keys.

Image"Anonymous Hacker" by dustball is licensed under CC BY-NC 2.0.

iTWire resources on protecting yourself and your environment:

 


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Published in Security
Tagged under
David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Latest from David M Williams

Related items

More in this category: « Mimecast report: 61% of organisations were infected with ransomware in 2020
Share News tips for the iTWire Journalists? Your tip will be anonymous
back to top