In March 2016, the Cerber file encrypter first introduced itself to the world. This “ransomware that speaks” has gone through multiple variations since its inception, adopting techniques such as redundant checks for installed security software along the way. It’s no surprise its innovative dynamism has attracted the attention of spammers and possibly other ransomware developers.To put things in perspective, Cerber is just one of the may crypto-ransomware families that researchers at Kaspersky Lab have detected since the beginning of 2016. Out of the five dozen groups it’s observed, Kaspersky found that more than three quarters of them (47) are related to Russian-speaking groups and individuals. The security firm reached this conclusion by analyzing the ransomware samples’ command and control (C&C) infrastructure, their distribution on underground forums, and other indicators.But that’s only the beginning of Kaspersky’s findings. Such an exhaustive investigation yields many things. Chief among them is a deeper understanding of how Russian ransomware threat actors develop their creations, distribute them to users, and fund their criminal enterprises.Let’s now use Kaspersky Lab’s analysis to better understand how the Russian ransomware threat landscape ticks.In the Weeds of Russian RansomwareIf you think Russian threat actors code a piece of ransomware and directly target users with it, you’re wrong. All native ransomware enterprises are much more sophisticated than that.It all begins with a developer who creates the crypto-malware. They are the one responsible for coding the software, adding additional modules, and setting up IT infrastructure to support the ransomware’s distribution. To coordinate this operation, a creator inevitably hires or enlists the help of a manager. The manager is the only person in a Russian ransomware enterprise who gets to communicate with the author. Their job is to internalize the directives of the creator and find partners who can realize the developer’s vision.In other words, a manager is responsible for finding partners who can help expand the ransomware initiative. Kaspersky Lab explains how they do this in a blog post:“The primary task of partners is to pick up the new version of ransomware and distribute it successfully. This means successfully infecting as many PCs as possible and demanding a ransom. For this – among other tools – partners utilize the affiliate programs which they own. The creator earns money by selling exclusive malware and updates to the partners, and all the other participants of the scheme share the income from the victims in different proportions. According to our intelligence, there are at least 30 partners in this group.”
The structure of a professional ransomware enterprise. (Source: Kaspersky Lab)Affiliate programs can be quite lucrative. For instance, Cerber’s scheme nets the original author an average of one million dollars on an annual basis. This sum doesn’t include other attack campaigns spear-headed by the author.Then again, affiliate programs need to generate lots of money. The ransomware creator needs those funds to support the development of new modules, invest in distribution channels like exploit kits and spam campaigns, maintain an anti-virus check service, purchase credentials for hacked servers, and pay the IT professionals who support the ransomware’s infrastructure. They must also account for the partners and affiliates, each of whom gets paid a fraction of the profits generated by the ransomware based upon their rank and/or how many infections they produce. In total, operational costs for such an enterprise can exceed tens of thousands of dollars.Unfortunately, most Russian crypto-malware operations are at no loss for money. Affiliates usually must purchase a license in exchange for their right to help distribute a single ransomware sample. They get to keep a fraction of the revenue, but the rest goes to the creator to help perpetuate the enterprise. This pays off in the end.Kaspersky elaborates on that point:“Based on what we’ve seen in conversations on underground forums, criminals are lining their pockets with nearly 60% of the revenue received as a result of their activities. So, let’s go back to our estimate of the daily revenue of a group, which may be tens of thousands of dollars on a good day. That’s of course an estimate of cumulative net income: the total sum of money which is used as payoffs to all the participants of the malicious scheme – starting from regular affiliate program members and ending with the elite partners, manager and the creator. Still, this is a huge amount of money. According to our observations, an elite partner generally earns 40-50 bitcoins per month. In one case we’ve seen clues that an especially lucky partner earned around 85 bitcoins in one month, which, according to the current bitcoin exchange rate, equals $85,000 dollars.”
The typical profits (green) vs. costs (red) of a ransomware scheme. (Source: Kaspersky Lab)Given their profitability, many ransomware enterprises are now changing how they are structured or who they prefer to target. For instance, some initiatives are accepting only elite partners that can demonstrate their ability to reliably infect a certain number of hosts. At the same time, others are looking to up their revenue by going after organizations like Hollywood Presbyterian Medical Center and the San Francisco transport system instead of individual users.ConclusionKaspersky notes in its blog post that Russia has many adroit coders and some previous experience with ransomware-like software. These influences mean Russia’s ransomware threat landscape will only continue to evolve in the coming years.Recognizing this trend, users and organizations alike should invest now in ransomware prevention strategies. Those should include backing up their data, patching their systems, and maintaining anti-virus solutions on all computers.