How Russian Hackers Built a Slick Ransomware Business Model: NPR
If you want to extort millions of dollars from a big American corporation, you can’t do it alone. It takes a village. A village of hackers with advanced computer skills, who frequent the Dark Web and most likely live in Russia.
“Ransomware has become a huge business and, like any business, in order to make it evolve, they come up with innovative models,” said Dmitri Alperovitch, who heads the Silverado Policy Accelerator in Washington.
At Wednesday’s summit in Geneva, President Biden called on Russian President Vladimir Putin to crack down on cybercrime. But the Russian leader has shown little interest in tackling an emerging criminal industry in his country called “ransomware-as-a-service”.
Three key players in ransomware
Alperovitch said this model is its own ecosystem with three key players. The top tier is made up of small gangs that build the sophisticated malware that locks down computer systems and encrypts data at targeted companies.
More than a hundred of these groups are believed to be active, although Alperovitch estimates that only about a dozen operate on a large scale. Many of the gangs are in Russia and neighboring countries, he said. The best known include DarkSide, blamed for the attack on Colonial Pipeline, and REvil, accused of hacking the meat supplier JBS.
But, he added, “The people who build the software are not actually the ones, most of the time, who are going to use it. They are going to recruit others.”
Wendi Whitmore, senior vice president at the cybersecurity company Palo Alto Networks, said these malware makers have realized that it is more lucrative to distribute their malware through a second key group, called “affiliates.”
“What they do is outsource parts of the supply chain and then give those (affiliates) they work with a part of the profits,” she said.
“Affiliates” lead the attack
Affiliates do a lot of the actual work. They launch the malware attack, demand the ransom, negotiate with the victim company, and collect the money, almost always in a cryptocurrency like Bitcoin.
As a result, affiliates typically keep most of the money, often 75 percent or more.
However, affiliates cannot launch these attacks until they first gain access to a company’s computer network.
This brings us to the third key group – the old-fashioned hackers, or access brokers, who find a way in. If you need these guys, you’ll find them on the Dark Web.
“You go into underground forums and there’s this whole class of threat actors that we call an access broker,” said Adam Meyers, senior vice president of intelligence at the cyber defense firm CrowdStrike. “And what they do all day is hack into different companies. And then they advertise that access. You know, Company X is four thousand dollars.”
A small price to pay if this access then leads to a ransom of several million dollars.
Criminals trust criminals
Of course, all of these relationships require a lot of trust from the criminals behind pseudonyms online.
“How do you trust someone who is fundamentally untrustworthy, who is fundamentally a thief?” said Alperovitch.
“It is very difficult to get into these criminal forums. You have to somehow prove that you are a criminal by committing an act of cybercrime,” he added. “They validate that you are not law enforcement. This has been a huge problem for them in the past.”
Another potential pitfall is success – or more accurately – too much success.
Ransomware groups that repeatedly succeed in major break-ins quickly build a reputation. While hackers can be protected by living in a country like Russia, they still attract the attention of Western cybersecurity companies and law enforcement.
These successful groups sometimes break up temporarily and lie low, only to resurface later under a different name.
“It might be a new group and a new team with a new coach, but they have very capable team members,” said Wendi Whitmore.
In a new report on the cost of ransomware, the firm Cybereason found that the cost of recovering from an attack often far exceeds the ransom payment itself.
The survey found that even when hackers provided a “key” to unlock data after a ransom was paid, the recovered data was corrupted in almost half of the cases. In addition, about two-thirds of businesses reported significant drops in revenue following an attack.
At Wednesday’s summit, Biden said he would respond if the United States continues to be hit, especially in a critical industry such as energy or the water supply.
“Responsible countries must take action against criminals who carry out ransomware activity in their territory,” Biden said at a press conference immediately after the summit.
Russian hackers already take precautions not to strike organizations in their home country or in friendly countries. Putin could tell Russian hackers to stop attacking the United States if he wished, Alperovitch said.
“They are not part of his inner circle. They do not generate significant revenue for the Russian state,” noted Alperovitch. “So this is the one issue on which, if pressed, Putin can really give in, and we can get concessions.”
So will he do it? Biden said he expects the answer to be clear in a few months.
Greg Myre is a national security correspondent for NPR. Follow him @gregmyre1.