Russian cybercriminals are increasingly holding personal data ransom, and a new report shows just how it’s happening.
Imagine: all of the data on your computer locks up and you get an email demanding anywhere from $250 to $500 to set it free. If the money isn’t sent to a Bitcoin address by a certain date, the pictures, files and information on your computer will be deleted or sold on the black market. The criminal who emailed you is the only one holding the key that can decrypt your files.
That is the idea behind ransomware. According to a report from Flashpoint, a firm that collects intelligence from the deep web and dark web, teams of affiliate hackers led by “ransomware bosses” target everyday people and make their data inaccessible using custom ransomware.
After an affiliate infects a computer, typically through a malicious email attachment or over shared open Wi-Fi, the boss demands payment from the victim. Forty percent of the payment goes to the affiliate and the boss keeps the rest. The victim then gets the key to decrypt their data. Sometimes.
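Bulk encryption of the kind described above leaves traces that a simple endpoint check can look for: files rewritten as high-entropy data, a new extension appended to every file, and a ransom note dropped into the directory. The following is an added example, not code from the article or from Flashpoint’s report. The entropy threshold, the extension list, the note markers and the two sample directory snapshots are constructed for illustration. It goes beyond the specific case in the text by treating detection generally: the entropy signal on its own is unreliable, since a clean JPEG or ZIP also sits near 8 bits per byte, so the check combines it with the other two signals.

```python
from __future__ import annotations

import math
import random
from collections import Counter

# Demo thresholds (assumptions, not values from the report). Encrypted or
# compressed data sits near 8 bits per byte; prose sits well under 5.
ENTROPY_THRESHOLD = 7.0
SUSPECT_EXTENSIONS = (".locked", ".crypt", ".encrypted")   # hypothetical list
RANSOM_NOTE_MARKERS = ("decrypt", "restore_files", "your_files")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ransomware_indicators(snapshot: dict[str, bytes]) -> dict:
    """Score a {path: contents} snapshot for signs of bulk file encryption.

    Returns the fraction of high-entropy files, the fraction carrying a known
    ransomware extension, the paths that look like ransom notes, and a verdict.
    A single high-entropy file is not enough: compressed media is high-entropy
    when clean, so the verdict needs most files affected or a note present.
    """
    total = max(len(snapshot), 1)
    high_entropy = [p for p, d in snapshot.items()
                    if shannon_entropy(d) >= ENTROPY_THRESHOLD]
    renamed = [p for p in snapshot if p.lower().endswith(SUSPECT_EXTENSIONS)]
    notes = [p for p in snapshot
             if any(m in p.rsplit("/", 1)[-1].lower() for m in RANSOM_NOTE_MARKERS)]
    high_ratio = len(high_entropy) / total
    return {
        "high_entropy_ratio": high_ratio,
        "renamed_ratio": len(renamed) / total,
        "ransom_notes": sorted(notes),
        "suspicious": high_ratio > 0.5 or bool(notes),
    }


def build_demo_snapshots() -> tuple[dict[str, bytes], dict[str, bytes]]:
    """Constructed sample data: one home directory before and after encryption."""
    rng = random.Random(2016)

    def random_bytes(n: int) -> bytes:          # stands in for ciphertext / JPEG data
        return bytes(rng.getrandbits(8) for _ in range(n))

    def prose(n: int) -> bytes:                  # low-entropy text-like content
        return bytes(rng.choice(b"the quick brown fox jumps over lazy dog ") for _ in range(n))

    clean = {
        "home/docs/notes.txt": prose(3000),
        "home/docs/budget.csv": prose(1500),
        "home/photos/holiday.jpg": random_bytes(4096),  # clean but high-entropy
        "home/mail/inbox.mbox": prose(5000),
        "home/readme.txt": prose(200),
    }
    # After infection every file is rewritten as ciphertext with a new
    # extension, and a note appears next to them.
    encrypted = {path + ".locked": random_bytes(len(data)) for path, data in clean.items()}
    encrypted["home/HOW_TO_DECRYPT_FILES.txt"] = (
        b"All your files have been encrypted. Send payment to receive the key."
    )
    return clean, encrypted


if __name__ == "__main__":
    clean, encrypted = build_demo_snapshots()
    print("clean    :", ransomware_indicators(clean))
    print("encrypted:", ransomware_indicators(encrypted))
```

Run as-is it reports the clean directory as not suspicious despite the high-entropy photo, and the encrypted one as suspicious on all three signals. A real endpoint agent would add a rate signal (how many files changed in how many seconds) and canary files, but the combination shown here is the minimum that avoids flagging a folder of photos.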
Flashpoint researchers based their report on the activity of one ransomware team from December to April. The scheme worked like this: the boss led a team of 10 to 15 affiliates, and the group collected about 30 ransoms per month at an average payment of $300. A ransomware boss makes around $90,000 a year, roughly 13 times the income of the average Russian, according to data from Russia’s Ministry for Economic Development.
“Ransomware is clearly paying for Russian cybercriminals,” says Vitali Kremez, a Cybercrime Intelligence Analyst for Flashpoint. “As ransomware-as-a-service campaigns become more widespread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks.”
Ransomware crews generally focus on everyday people rather than governments or large businesses. The ransom amount is fixed before the malware is deployed and generally can’t be changed afterward, hence the relatively low sums. The report notes, however, that targets may be shifting toward hospitals and the healthcare system.
For example, on February 5, Hollywood Presbyterian Medical Center’s computer systems were infected with malware the article identifies as “CryptoLocker.” The attackers demanded $17,000 for the hospital to regain access to its information. Thirteen days later, the hospital paid. While attacks against Westerners (and U.S. citizens in particular) are encouraged on Russian hacker forums, those same forums decried the hospital attack as unethical.
Flashpoint’s report quotes a member of a Russian cybercrime forum:
“From the bottom of my heart I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with it (the malware).”
Hospital records are specialised data that may not fetch much on the black market. The hospital itself, though, cannot operate without access to those records, which makes it far more likely to pay for the decryption key. As another member of the cybercrime forum writes, success breeds copycats:
“They scored. It means everything was done properly.”
Higher payouts mean more incentive to hit healthcare providers. Flashpoint found one ransomware product called “BitcoinBlackmailer” whose advertisement mentioned Hollywood Presbyterian and asked:
“What if you was that hacker? I bet he was just a 16 years old kid in the right place at the right time. Just like you are now.”
All of the recent hacks have created a sort of breach fatigue. Whether it’s the celebrity photo hack, the Myspace hack, or any one of the many Anonymous hacks, large data dumps have unfortunately become commonplace. But the realization that data may be worth more held for ransom than dumped or sold could drive a rise in ransomware attacks instead.
In addition to the incentives, the barrier to entry for novices is low. Bosses build the ransomware and hand it to affiliates to spread, so the underlings need little or no coding knowledge. Bosses recruit by promising easy money, as the BitcoinBlackmailer advertisement above shows.
If Flashpoint’s glimpse into the world of Russian ransomware is any indication, this is just the beginning.