The unwanted attention drawn by ransomware attacks recently caused several of the top cybercrime forums to ban ransomware discussions and transactions on their platforms earlier this year. While some had hoped that this could have a significant impact on the ability of ransomware groups to organize themselves, the bans only pushed their activities to a lower level, making it harder for researchers and security companies to monitor them.Indeed, the attacks in the months following the forum's bans were more potent and audacious than ever. The truth is, ransomware is the lifeblood of the cybercrime economy and extraordinary measures will be needed to stop it. The groups coordinating the attacks are highly professionalized and in many ways resemble modern corporate structures, with development teams, sales and public relations departments, outside contractors and service providers receiving a share of the illegal proceeds. They even use commercial language in their communications with victims, referring to them as customers who buy their data decryption services."The way I describe it is: you have the business world we all know. Criminals have a parallel that's like Stranger Things' Upside Down. It's exactly the same world, only darker and more twisted," Steve Ragan , Security Researcher at Akamai, says CSO.An underground economy that depends on ransomwareLooking at what's involved in ransomware operations and how groups are organized, it's easy to see that ransomware is at the heart of the cybercrime economy. Ransomware groups employ people who:
- Write file encryption programs (the development team)
- Configure and maintain payment and leakage sites, and communication channels (IT infrastructure team)
- Advertise the ransomware service on forums (the sales team)
- Communicate with journalists and post messages on Twitter and advertisements on their blogs (the PR and social media team)
- Negotiate redemption payments (the customer support team)
- Perform manual hacking and sideways movement on victims' networks to deploy the ransomware program for a share of the profit (outside contractors known as affiliates or penetration testers)
Affiliates often buy access to the networks of other cybercriminals who have already compromised systems with Trojan programs or botnets or through stolen credentials. These third parties are known as network access brokers. Affiliates can also purchase data packages that contain stolen account information or inside information that can aid in target recognition. Bulletproof hosting and spam email services are also frequently used by ransomware gangs.In other words, many parties are in the cybercrime ecosystem that directly or indirectly make money thanks to ransomware. Therefore, corporate structuring, including with a determined hierarchy, is a trend that has been growing slowly over the years.Ransomware groups adapt to market pressuresRansomware attacks have paralyzed many hospitals, schools, utilities, state and local government institutions and even police departments over the years, but the attack in early May on the Colonial Pipeline, the largest pipeline system for refined petroleum products in the US, it was a milestone.The breach, attributed to a Russian-based ransomware group called DarkSide, forced the company to shut down its entire system pipeline, for the first time in its 57-year history, to prevent the ransomware from spreading to critical control systems. This resulted in fuel shortages across the East Coast of the United States and received widespread media and Washington attention due to the growing risk of critical infrastructure attacks.Even DarkSide operators understood the seriousness of the situation and announced the introduction of "moderation" for their affiliates - the third-party contractors who actually do the hacking and deployment of the ransomware - claiming they want to "avoid social consequences in the future". But the heat was too much for the group's service providers.A few days after the attack, the administrator of XSS, one of the largest Russian-language cybercrime forums, announced a ban on all ransomware-related activities on the platform, citing "too much PR" and increased law enforcement risks for "dangerous level," according to a translation by cybercrime intelligence company Flashpoint.Other high-profile ransomware groups, including REvil, immediately announced similar moderation policies for their affiliates, prohibiting attacks on healthcare, educational and government institutions in an attempt to control public relations harm. That wasn't enough either. Two other major cybercrime forums, Exploit and Raid, soon followed with banning ransomware activities.As a result, DarkSide announced that it would shut down its operations after also losing access to its blog, payment server, Bitcoin wallet and other public infrastructure it owned, claiming that its hosting provider responded only with "at the request of the application agencies of the law". A month later, the FBI announced that it had recovered the $4.4 million in cryptocurrencies that Colonial Pipeline was forced to pay hackers to decrypt their systems and resume normal operations.Banning ransomware activity on the most popular cybercrime forums was a significant development, because for many years these forums served as the main place where ransomware groups recruited affiliates. These forums provide an easy means of public and private communication between cybercriminals and even provide money escrow services for transactions where the parties don't know each other and don't trust each other.The bans have also affected, to some extent, cybersecurity companies that monitor these forums to gather information about threat actors and emerging threats. While most cybercrime researchers knew that forum bans would not stop ransomware operations in general, some wondered what the next step would be.Offensive actions may be necessaryCybercriminals will not give up ransomware easily because it is very profitable and many of them live in Russia or former Soviet Union countries, where the likelihood of being arrested for extorting money from Western organizations is low. Malware programs originating in Russia or the Commonwealth of Independent States (CIS) often have built-in checks that prevent their deployment on computers using Russian or other languages from CIS countries. It's an unwritten rule that malware writers and cybercriminals know: don't target local businesses and you'll be fine. Russia does not extradite its citizens and, given the current geopolitical climate between the country and the West, it is unlikely that there will be greater collaboration at the level of law enforcement in cybercrime.“If a foreign government is targeting you [the ransomware gang], that's it. There's nothing you can do," says Ragan. "You're dealing with an opponent who has unlimited time and resources. They will get you. I don't care how good you are. It's a realistic fear that these criminals have and I think that's what's causing the rush. But here's the problem: The mere mention of sanctions and policies and things like that confused them, right? What happens if there is no real application? What will happen if these laws and policies are enacted but lack force? Then the criminals will come back, and they will come back stronger, because now they know they have no strength and no application."