Ransomware as a service – a major crypto industry
Ransomware is big business. The Chainalysis 2022 Crime Report estimated that in 2020, $692 million in ransoms were paid. In 2021, the conservative estimate is $602 million. The ransomware economy is diverse – approximately 140 ransomware strains received payment in 2021. Ransom amounts have also increased. In 2021, average payments were $118,000, up from $88,000 in 2020.
For comparison, the market cap of the crypto market is currently just below 1 trillion. Ransomware only makes up a fraction of the crypto economy, but it has an outsize impact. Some critics argue that easy access to crypto causes ransomware attacks; a stance we’ve debunked.
The emergence of ransomware as a service (RaaS) is making cybercrime easier and more profitable. What is ransomware as a service? Microsoft calls it the cybercrime gig economy. Ransomware operators work like industry-disrupting tech giants. Both Uber and Conti rely on contracted workers to complete a given objective. The Uber employee drives people around, while the Conti affiliate hacks into systems to deploy ransomware.
Ransomware as a service (RaaS) is fascinating in its banality. There are offices and call centers all devoted to the business of extortion. These are not the geopolitically-motivated ransomware strains designed to topple nation-states. The motive is much simpler: profit.
Loose lips sink ships
The Conti leaks allow us unparalleled insight into the surprisingly mundane world of ransomware. In late February, a Ukrainian security researcher published years of Conti’s internal conversations. The leaks were retaliation for Conti’s public support of the Russian invasion of Ukraine. This wasn’t the first time bystanders got an intimate look into the famous ransomware outfit. In 2021, a disgruntled former affiliate leaked Conti’s training material.
The Conti leaks, also called the Panama Papers of Ransomware, show that RaaS projects like Conti and NetWalker operate like legitimate businesses. The actual ransomware is a product that is licensed to affiliates. Organizations have core teams of ransomware developers and project managers. RaaS groups recruit affiliates both via dark web forums and legitimate job sites. Affiliates then break into corporate networks and deploy licensed ransomware. In return, they get a hefty cut of the profits. The lure is that the affiliates who manage deployment (hackers) supposedly take most of the ransom money. The enterprise that manages the operations takes less.
Conti, LockBit, and Netwalker all openly recruit hackers who break into companies and deploy ransomware. In return, affiliate hackers do not need to manage boring infrastructure. Instead, they can focus on the fun parts: breaking, entering, and deployment. All hacks are deployed under the name of the ransomware strain, so the hackers get a measure of protection.
Affiliates must have some hacking ability from the get-go, though some large RaaS platforms will provide training. The Conti group provided an onboarding package with tutorials and guides. In-house developers support affiliates by improving ransomware and spamming tools. Chainalysis found that 16% of the funds sent to ransomware outfits get reinvested into tools and services.
Many RaaS services have centralized platforms where affiliates sign up. The platform has a place for negotiating with victims and accepting payments. Affiliates can interface with tech support, developers, sysadmins, and recruiters. RaaS platforms have ways of winnowing out good targets. Good platforms offer an unparalleled level of support to affiliates. They even offer professional customer support for victims.
Why outsource the actual hacking when everything else is in-house? It is possible to access more networks in less time, and the RaaS platform does not need to maintain complex lists of backdoors. Breaking into networks is a time-consuming, often tedious task. While it is often straightforward, it takes time. RaaS platforms have made a clever time-tradeoff. They maximize the number of networks they can infiltrate by subcontracting hacking work to affiliates.
The ransoms
RaaS organizations demand ransoms in crypto. The token of choice is often bitcoin. Some groups request Monero (XMR), a privacy-focused cryptocurrency that is harder to track than bitcoin. Advances in blockchain analysis have led to cases where ransoms are located and returned to victims.
While bitcoin has a reputation for being untrackable, that was never true. This year, the University of Maastricht recovered part of a $218,000 ransom paid in 2019. In 2021, the FBI recovered 63.7 of a 75 bitcoin ransom paid by Colonial Pipeline. It is unclear how exactly the FBI got the bitcoins back. DarkSide told affiliates on May 13th that servers and other infrastructure were seized. The FBI may have accessed the crypto wallets by going through the servers. However, they did not specify how they accessed the private keys to the bitcoin wallets containing the ransom.
One cybersecurity expert made a statement to Bloomberg, saying that the 75 bitcoin ($5 million) ransom was very low. “Ransom is usually around $25 million to $35 million for such a company. I think the threat actor realized they stepped on the wrong company and triggered a massive government response.” Ransomware attackers usually move crypto from wallet to wallet to avoid detection. In the case of the Colonial Pipeline hack, the attackers kept 63.7 bitcoin in the wallet it was recovered from.
FAQ
Why do some hacker groups request monero?
Monero (XMR) is a cryptocurrency designed to maximize privacy. Some ransomware groups demand payment in Monero since it is much harder to track than bitcoin. However, Monero is less valuable than bitcoin. Concerns about money laundering led exchanges to delist Monero. Kraken and Bittrex both delisted Monero, while major exchange Coinbase refused to list it, but still provides instructions on how to purchase XMR.
Transactions on Monero are designed to be untraceable and unlinkable. Cryptographic techniques are used to obscure the amounts, origins, and destinations of transactions. “Decoy” coins are added to transactions, so the true amounts sent are only visible to those involved.
Other features generate stealth wallet addresses. Each transaction uses a one-time public key, which contains bits of data that allow wallet owners to access the Monero in the wallet. The Dandelion ++ feature obscures IP addresses associated with nodes, further reducing the amount of identifying information in each transaction.
Monero’s privacy technology is so effective that the United States Internal Revenue Service announced a $625,000 bounty for anyone who could crack it.
How is Bitcoin encrypted?
Bitcoin users need a public key and a private key to send bitcoins. A public key acts as a sort of address, similar to a bank account number. People can send money to public keys, and see what transactions public keys have been involved in. A private key is needed to send any kind of transaction. You may have heard the phrase “not your keys, not your coins.” This refers to the private key. If anyone has access to it, they have full power over your bitcoins. It’s vital to make sure that your private key is kept secret.
Bitcoin uses something called asymmetric key encryption, or public key encryption. In asymmetric key encryption, the key is broken into two parts – public key and private key. If people have the public key, they can encrypt a message and send it to you, which you can decrypt with the private key. Using a very complicated mathematical formula called Elliptic Curve Digital Signature Algorithm (you do not need to remember this), it’s possible to derive a public key from a private key. It’s impossible to get a private key from a public key. You can give your public key from all and sundry, but they won’t be able to get your private key from it. With the private key, you can also sign a message, and people with the public key can verify it was you that signed it.
Interested in learning more about bitcoin? Check out Bite-Size Bitcoin, Coincub’s one-stop shop for everything bitcoin.