Anyone Can Join the Ransomware Party

Ransomware has been identified by the security community as a top threat to the cyber ecosystem in 2016. The proliferation of ransomware attacks in 2015 and 2016 drove a rapid evolution of new Ransomware types, yielding higher returns and fueling this epidemic.

However, the significance of Ransomware goes beyond its technical sophistication. It is first and foremost a proven business model, and consequently attracts people who are looking to make a quick buck. It is also atypical of the cyber-crime scene, in the sense that it has considerably lowered the entry barrier for would-be “hackers” or “cyber-criminals”.

The following attributes account for much of the Ransomware industry’s success:

  • Appeals to novices: one can simply purchase or rent the tool and get to work. No coding or cyber-crime experience is required, and a highly professional technical support team is available should you encounter any issues.
  • Ease of use: with a dashboard management interface similar to conventional SaaS software, one can easily manage all aspects of a Ransomware operation, from setting the ransom price to changing the encryption settings.
  • High degree of flexibility: the user interface shows real-time statistics on infections, collections and other metrics. The user can alter any of the parameters and conduct A/B testing to determine which configuration has the highest impact.
  • High and rapid return on investment: Ransomware can prove very lucrative and delivers results in a very short amount of time. While it may not yield millions, it can generate a steady income of tens of thousands of dollars per month, while demanding only a modest initial investment.
  • Scalability: scaling up a business is easy. Users simply need to buy or rent (if using the SaaS model) multiple Ransomware “models” and send them to multiple mailing lists, which can be bought or obtained on the Darknet.
  • No/minimal cash up front: depending on the program employed, users can expect to pay a preliminary sum of a couple of hundred to a few thousand dollars, which should be earned back quickly. Recently, new business models have emerged that lower the cost of entry and increase the install base. Known as “Affiliate Programs”, they enable almost anybody to partake in Ransomware operations.

More About: Affiliate Programs

“Affiliate Programs” allow Ransomware creators to distribute their malware while growing their network, coverage and, consequently, income. Affiliates of Ransomware programs can earn up to hundreds of thousands of USD per month. Ransomware families such as ‘Cerber’, ‘Chimera’ and ‘Ransom32’ are the most prominent examples of affiliate-based Ransomware operations.

In the image below, a Ransomware named “GinX”, allegedly inspired by “Locky”, is sold on the black market at various price points. The larger the share of income the buyer is willing to give the vendor, the less he pays for the malware up front.

This is a win-win for both the vendor and the affiliate, since the main challenge in running a Ransomware operation is securing enough “installs” (meaning the number of infected users) for the operation to be profitable.

GinX Ransomware

Below, the “PETYA / MiSCHA” Ransomware is sold on a dedicated Dark Net forum. Unlike “GinX”, where the revenue share is fixed at the time of purchase, this program offers a flexible, tiered rev-share mechanism: the higher the affiliate’s infection and collection volume, the larger the share of the proceeds the affiliate keeps.

Petya & Mischa

Ransomware relies on a proven business model, which ensures continued interest from cyber-criminals and the constant evolution of new technology to improve ease of use and increase ROI. We will continue to monitor the evolution of Ransomware and will report new, interesting findings in future posts.

This post was composed by IntSights cyber intelligence analyst Ido Wulkan.
