In Russia, it pays to be an internet thug.
The average Russian ransomware boss makes $90,000 (US dollars) a year, or 13 times the average income of honest citizens in the country who stick to the “straight and narrow,” reports a recent Flashpoint study.
So what is the job description for a ransomware Mafioso? Generally speaking, the job consists of supporting and maintaining the malware.
“The software has to be constantly updated so that antivirus systems won’t recognize it as malware,” explained Vitali Kremez, a cybercrime intelligence analyst with Flashpoint.
“It’s not a situation where you provide the malware and sit back on a couch waiting for your payments. You have to work on it on a daily basis,” he told TechNewsWorld. “The boss controls the source code for the malware
A Service vs A Commodity
The malware model is evolving, suggests the Flashpoint study, which focuses on the Russian ransomware scene.
“A new form of ransomware has been developed that is in effect ‘Ransomware as a Service’ (RaaS),” highlights the report. It “enables ‘affiliates’ to obtain a piece of ransomware from a crime boss and distribute it to victims as these affiliates wish.”
That’s a shift from the past, when ransomware was accessible only to criminals who paid a hefty deposit upfront for the malware—up to $2,000 to rent or $5,000 to buy. But last November the malware scene shifted, Kremez noted.
“We started to see developers considering giving their malware free of charge to criminals and keeping 40 to 50 percent of each ransomware payment made,” he said.
The new business model has drastically lowered the barriers to getting into the online crime business. It is surprisingly easy to start spreading ransomware. Relatively unskilled criminals can attack corporations and individuals through botnet installs, email and social media phishing campaigns, compromised dedicated servers and file-sharing websites.
“It used to be a one-on-one business,” Kremez said. “At this stage, it’s all automated. We see marketplaces. We see services on the dark web where you deposit your money and buy what you have to buy without any direct communication with the seller.”
Ransomware Web Growing
Infoblox’s latest quarterly report reveals more bad news on the rapid spread of global malicious infrastructure. To accurately determine the scope of activity worldwide, Infoblox created a threat index. In the first quarter of 2013, when Infoblox launched, the threat index was 76. This quarter’s current level: 137. It’s the highest reading to date.
“While exploit kits remain a major threat, this latest jump was driven in large part by a 35X increase in creation of domains for ransomware over the previous quarter, which in turn drove an increase of 290 percent in the overall malware category,” the report states.
The expanding production of malware kits is also attractive to criminals. Kits are designed to infect devices with a variety of malware programs.
“A number of exploit kits and threat actor gangs behind them have started adding ransomware to their repertoire over the last few months,” said Sean Tierney, director of cyber intelligence at Infoblox.
“These are gangs that were using their kits to deliver other kinds of malware,” he told TechNewsWorld, that “have either started including or switched entirely to ransomware.”
It’s likely that the ransomware market will level off as security software makers get better at detecting it and consumers get smarter about avoiding it, suggested Tierney.
“Then the market will become saturated,” he said, “and the return won’t be able to support the amount of activity going on.”