Senior Staff Writer

Top Ransomware campaign managers stand to make $90k annually

Jun 02, 2016
Cybercrime, Data and Information Security, Security

Mostly automated, Ransomware campaigns require very little skill and offer decent payouts - even for the lower-tier criminals

A brief report issued by Flashpoint this morning examines a recent Ransomware campaign, which so far has generated a serious amount of profit considering it takes little effort to operate. It’s an interesting read, albeit a short one.

Tracking a campaign operating out of Russia since December 2015, Flashpoint says that the typical head of a Ransomware operation stands to earn about $90,000 a year, or about $7,500 per month.

In this role, the manager is responsible for recruiting distributors and developing the malware, which, if their coding skills are up to snuff, might require just a few hours a week of effort.

“Ransomware is clearly paying for Russian cybercriminals. As Ransomware as a Service campaigns become more widespread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks,” said Flashpoint’s Vitali Kremez in a statement.

As most security professionals know, starting a Ransomware operation isn’t all that complicated. The campaign manager recruits Ransomware distributors and pays them a commission for each victim that pays a ransom. Once a distributor is located and signed up with a manager, they’re on their own to find victims.

But again, this doesn’t require much energy, as a distributor can purchase botnet installs from other criminals, develop their own botnet, use Phishing or social media lures, compromise websites, etc.

For this, they stand to earn about $600 a month. A typical campaign manager will run with about 10-15 distributors.

In the campaign followed by Flashpoint, the commission was 40 percent, which isn’t bad considering the malware is custom-made. Unfortunately, Flashpoint didn’t identify the Ransomware family or list any additional information related to it (a bit of a letdown considering they’re an intelligence firm).

The Ransomware in this campaign doesn’t use a C&C server, making it harder to track and shut down. For the victim, this means the ransom payment and decryption process isn’t automated.

The victim will need to email the campaign manager in order to arrange payment and receive a key to unlock their files. All the payments are properly laundered, with a base ransom of $300 USD, and an average of 30 payments a month.

Unlike other Ransomware attacks, on at least one occasion, the manager in this campaign demanded additional payments after the first one was paid. Demanding a second payment is bad for business and is generally frowned upon by other Ransomware producers and distributors.

In their view, if a victim knows the files will be released upon payment with no additional strings attached, they’re more likely to pay. Demand additional payments, or refuse to unlock the files, and people will stop paying. If that happens, the turnkey Ransomware industry comes to a halt.

There have been several Ransomware attacks this year in the medical industry, including MedStar Health, Hollywood Presbyterian Medical Center, the Chino Valley Medical Center, the Desert Valley Hospital, and Methodist Hospital in Henderson, Kentucky. But while healthcare is a popular target, Ransomware distributors will target organizations of any size, operating in any vertical.

In April, Salted Hash reported that incident response teams from Stroz Friedberg addressed 3 to 4 Ransomware incidents per week in the first quarter of 2016. The ransom demands in some of those cases went as high as $50,000 USD.

Dealing with Ransomware isn’t an impossible task, but when organizations lack the basics, such as properly maintained backups, recovery becomes a bit painful. For those needing a reminder, Salted Hash published a Blue Team’s reference guide on Ransomware in March.

In related news, researchers at Proofpoint this week discovered that CryptXXX v3.100 was recently released.

The Ransomware variant defeats (once again) the previously released decryption tools from Kaspersky. This new version targets shared resources via SMB, and includes a new payment portal.

It’s a safe bet Kaspersky will release an updated decryption tool shortly.