Crime Pays: Ransomware Bosses Make $90K Annually

If crime doesn’t pay, Russian ransomware bosses wouldn’t know it.

The average Russian ransomware boss makes US$90,000 a year — or 13 times the average income for citizens in the country who stick to the “straight and narrow,” according to a recent Flashpoint study.

What does a ransomware honcho do for those rubles? Basically, the job calls for supporting and maintaining the malware.

“The software has to be constantly updated so that antivirus systems won’t recognize it as malware,” explained Vitali Kremez, a cybercrime intelligence analyst with Flashpoint.

“It’s not a situation where you provide the malware and sit back on a couch waiting for your payments. You have to work on it on a daily basis,” he told TechNewsWorld. “The boss controls the source code for the malware.”

Ransomware as a Service

The malware model is evolving, according to the Flashpoint study, which focuses on the Russian ransomware scene.

“A new form of ransomware has been developed that is in effect ‘Ransomware as a Service’ (RaaS),” notes the report. It “enables ‘affiliates’ to obtain a piece of ransomware from a crime boss and distribute it to victims as these affiliates wish.”

That’s a departure from the past, when ransomware was available only to criminals willing to make a hefty upfront payment for the malware — $2,000 to rent or $5,000 to buy. That began to change last November, Kremez noted.

“We started to see developers considering giving their malware free of charge to criminals and keeping 40 to 50 percent of each ransomware payment made,” he said.

The new business model has lowered the barriers to getting into the business. It is not particularly hard for newcomers to start spreading ransomware quickly. They can attack corporations and individuals through botnet installs, email and social media phishing campaigns, compromised dedicated servers and file-sharing websites.

“It used to be a one-on-one business,” Kremez said. “At this stage, it’s all automated. We see marketplaces. We see services on the dark web where you deposit your money and buy what you have to buy without any direct communication with the seller.”

Malicious Infrastructure Growing

More evidence of the popularity of ransomware is evident in Infoblox’s latest quarterly report on malicious infrastructure building globally.

To measure that kind of activity worldwide, Infoblox has created a threat index. Upon its launch in the first quarter of 2013, the threat index was 76. During this year’s first quarter, the index reached it’s highest point ever: 137.

Activity related to ransomware has fueled the index’s rise.

“While exploit kits remain a major threat, this latest jump was driven in large part by a 35X increase in creation of domains for ransomware over the previous quarter, which in turn drove an increase of 290 percent in the overall malware category,” the report states.

The activity of malware kit developers is another indicator of ransomware’s attractiveness to criminals. Kits are used to infect devices with a variety of malware programs.

“A number of exploit kits and threat actor gangs behind them have started adding ransomware to their repertoire over the last few months,” said Sean Tierney, director of cyber intelligence at Infoblox.

“These are gangs that were using their kits to deliver other kinds of malware,” he told TechNewsWorld, that “have either started including or switched entirely to ransomware.”

It’s likely that the ransomware market will level off as security software makers get better at detecting it and consumers get smarter about avoiding it, suggested Tierney.

“Then the market will become saturated,” he said, “and the return won’t be able to support the amount of activity going on.”

Expanding 2FA

Two-factor authentication, which requires both something you have and something you know in order to access an account, has proven to be a good way to thwart data thieves. One problem with the technology, though, is that it isn’t easy for many rank-and-file developers to deploy. One authentication company aims to change that with a recently launched program.

Centrify actually goes beyond 2FA to include single sign-in — which allows the use of a single set of credentials to log into multiple accounts — along with password reset and access control of a device. Under the program, developers can plug into those features through Centrify system APIs.

“Developers who are building an application from a great idea aren’t necessarily expert in security,” said Chris Webber. security strategist at Centrify.

“We can give that to them,” he told TechNewsWorld.

“They can take advantage of all the user management and multifactor authentication that Centrify’s built, so they don’t have to learn about that world and can concentrate on their great idea,” Webber pointed out. “It’s more and more critical that we need to figure out how to put two-factor auth everywhere, because passwords alone are just not a great way to do authentication anymore.”

Breach Diary

  • May 30. Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned, advises his subscribers that information on 65 million Tumblr accounts is being offered for sale on the dark web.
  • May 30. Twitter account of Katy Perry breached and her 89 million followers sent tweets filled with profanity and slurs, TechCrunch reports.
  • May 31. MySpace announces it has reset the passwords of all accounts created prior to June 11, 2014, due to a data breach.
  • May 31. A federal district court in Pheonix, Arizona, rules that insurance provider Chubb does not have to reimburse P.F. Chang under a cybersecurity policy for payments to credit card processors connected to a 2014 data breach.
  • June 1. U.S. Federal Reserve detected more than 50 breaches between 2011 and 2015, including several incidents described in internal documents as espionage, Reuters reports.
  • June 1. Medical information of thousands of NFL players is at risk after backback containing the data was stolen from an athletic trainer’s car, Deadspin reports.
  • June 1. FBI alerts public that extortion attempts are being made against victims whose personal information has been compromised in recent large data breaches. Extortionists are threatening to make victim’s personal informtion public if not paid two to five bitcoins.
  • June 1. TeamViewer reports it experienced a service outage due to a DDoS attack, but its systems were not breached by hackers.
  • June 2. Medical records of some 40,491 customers of the Stamford Podiatry Group in Connecticut impacted due to a system intrusion, HealthIT Security reports.
  • June 2. 2015 payroll tax data of employees of Verify Health Systems in California at risk after an employee was duped by a phishing scam, SC Magazine reports.

Upcoming Security Events

  • June 14. Best Practices for Mitigating Network Security Risks. 2 p.m. ET. Webinar by Cradlepoint. Free with registration.
  • June 15. Federal Trade Commission’s Start With Security — Chicago. Northwestern Pritzker School of Law, 375 E. Chicago Ave. (corner of Lake Shore Drive), Chicago. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland.Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 16. Defending Oil & Gas Industrial Control System (ICS) Networks. 5 a.m. ET. Webinar by Arbor Networks and American Gas Association. Free with registration.
  • June 20. Center for New American Security Annual Conference. 9:30 a.m. to 5:30 p.m. J.W. Marriott, 1331 Pennsylvania Ave., Washington, D.C. Free with registration.
  • June 22. B-Sides Tel Aviv. Tel Aviv University, tel Aviv, Israel. Tickets: 20/40 NIS.
  • June 22. Combatting Targeted Attacks to Protect Payment Data and Identify Threats. 1 p.m. ET. Webinar by TBC. Free.
  • June 25. B-Sides Athens. The Stanley Hotel, 1 Odisseos Str., Karaiskaki Square, Metaxourghio, 10436, Athens, Greece. Tickets: free, but attendance limited.
  • June 25. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio. Tickets: free, sold out; with T-shirt, $5.
  • June 27-29. Fourth annual Cyber Security for Oil & Gas. DoubleTree by Hilton, 6 Greenway Plaza East, Houston. Registration: main conference, $2,295; conference and workshops, $3,895; single workshop, $549.
  • June 27-July 1. Appsec Europe. Rome Marriott Park Hotel, Colonnello Tommaso Masala, 54 Rome, Italy. Registration: members, 599 euros; nonmember, 610 euros; student, 91.50 euros.
  • June 27-July 1. Hack in Paris. Maison de la Chimie, 28 Rue Saint-Dominique, 75007 Paris. Tickets: before April 5, 288 euros; student or unemployed, 72 euros. Before June 9, 384 euros; student or unemployed, 108 euros. After June 8, 460.80 euros.
  • June 28. AuthentiThings: The Pitfalls and Promises of Authentication in the IoT. 10 a.m. and 1 p.m. ET. Webinar by Iovation. Free with registration.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Virginia. Registration: $250.
  • July 30-Aug. 4. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before July 23, $2295; before Aug. 5, $2,595.
  • Aug. 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels