Cyber criminals who oversee “ransomware” campaigns, which hold data hostage for money, can make up to $7,500 per month using such schemes, according to a new report from Flashpoint.
“Ransomware is clearly paying for Russian cybercriminals,” Vitali Kremez, cybercrime intelligence analyst for Flashpoint, said in a statement.
“Corporations and users are unfortunately faced with a commensurately greater challenge of effectively protecting their data and operations from being held ransom, with no guarantee that sending a ransom payment will result in return of the stolen data.”
The cyber intelligence firm monitored an organised ransomware operation out of Russia since December 2015, and were able to gain “significant visibility” of the tactics and techniques employed by what it called the campaign boss.
It turns out the pay is pretty good for the boss: Flashpoint wrote that over an average month with around 30 ransom payments received at $300 each, the boss would take in about $7,500. He paid his crew a small percentage of the proceeds.
With Russia’s average monthly salary hovering at around $500, it’s easy to see why ransomware has become such a lucrative business.
The scam works like this: The boss recruits lower-level players by offering “a lot of money” to those willing to help, and no hacking skills are required. The boss then gives custom ransomware to his new recruits and they try and get it onto victims’ computers, through spam and phishing emails, or torrent sites.
Once a victim has their files encrypted, a text file tells them who to contact. It’s the boss, who says he’ll give the decryption key if the victim sends Bitcoin payment. Some pay, others don’t, but it’s clearly just a numbers game — the more computers compromised, the more money will surely come pouring in.
“If I’m some bad guy and I’m wanting to make a buck, I’m going to choose the easiest victim,” said Malcolm Harkins, global chief information security officer for Irvine, California-based Cylance. “That calculus I would go through would be based upon how easy is it to get my [malware] installed, what my belief is that they will pay and how quickly they will pay, as well as what’s the likelihood I’m going to get caught?'”
He added: “If I’m an intruder I’m doing a level of risk calculus, particularly if my goal is to profit.”
It’s not very risky for the boss at all, it seems. Once the payment is received, the already-hard-to-trace Bitcoin is laundered through what’s called a Bitcoin exchanger. Partners are paid from an untraceable Bitcoin wallet.
One noteworthy point in the conclusion is that, even if payment is made, there’s no guarantee that files are going to be given back:
“Though the loss of data can be devastating, Flashpoint has observed that sending ransom payments does not always work. In the case of this particular criminal enterprise, this group often prefers to collect payments without ever providing decrypting tools or methods for affected victims,” the report says.
Most cybersecurity professionals recommend not paying ransoms, since it usually just encourages attackers to keep up the practice. Instead, it’s best to keep regular backups so a system can be restored to pre-ransomware status if it’s compromised.
The lure of easy profits is certainly driving a rise in ransomware, which the FBI mentioned as one of the “hot topics” in its annual internet crime report. There were nearly 2,500 complaints of ransomware reported in 2015, amounting to $1.6 million in losses.
Hospitals are a particularly-favoured target, since they are more willing to pay.
In March, Maryland-based MedStar Health acknowledged that malware had infected its systems and spread throughout its network of 10 hospitals.
A Kentucky hospital said it was operating in an “internal state of emergency” about a week prior, after it was infected by similar malicious software (Ars Technica reports it paid at least $17,000 to get its system back). And in February, hackers crippled a Hollywood, California hospital’s systems and demanded $3.6 million in Bitcoin (It ended up paying $17,000).