For several weeks after we released the McAfee Labs Threats Report, May 2015, in which we discussed the topic of ransomware in depth, we frequently saw the same questions: “Why is ransomware increasing, and why is it so successful?
In our report we offered a few answers to this question. We’d like to zoom in a bit more on one of them: the ease of getting ransomware and how the affiliate program works.
A ransomware author starts an affiliate program to earn money with as little risk as possible. How does that work? An affiliate buys an interest in a ransomware campaign. Usually we see a maximum of 8 to 10 affiliates because more would likely overlap their campaigns and target the same countries. The revenue split is discussed upfront and embedded in affiliate or distribution servers. These are the hidden servers that an affiliate logs into to track campaigns and much more.
The revenue-split model differs, but we have seen 80/20 and 75/25 models in which the larger percentage goes to the affiliate and the smaller to the author/owner of the ransomware infrastructure. Why such a low percentage for the author/owner? They bear the least risk. The affiliate, on the contrary, has to create or buy a custom packer/crypter to make the sample less detectable by antimalware solutions, rent a botnet or exploit kit to spread the samples, buy lists of email addresses, detect ways to bypass security solutions, etc.
Besides the spreading the threat, the affiliate needs to track the campaigns, monitor the Bitcoin wallets for payments, and redistribute these amounts over several wallets before cashing out. The telemetry options in the affiliate/distribution server give an affiliate information on how successful a campaign is and which countries pay the best. In some cases we have even seen the exact amount of files and total file size encrypted on a victim’s machine. This telemetry data is very useful to determine, for example, which language to support in the next release (because country X pays well). In the past after payment of the ransom, the private key was not always received. This hardly happens today; ransomware authors want to keep their reputations healthy.
Here’s an anecdote about language support. In a recent underground market, one author announced support for Russian in his ransomware. Shortly thereafter, the author received a few nasty comments asking why he would target Russian-speaking countries with his ransomware.
Whenever the big guys make money, there are always others who want to make a few dollars. However, they don’t see the (personal) damage, disruption, and financial loss they cause with their actions. A few hours of research on forums and market places on the Deep Web reveal a lot of people offering their services or code to create ransomware. Here are a few:
A group of Russian hackers offering their services:
Another author offered ransomware:
The marketplace data of this advertisement revealed that this particular package had already sold 16 times since April, and the average price was around US$34.
An example of Multilocker:
One advertisement demonstrates the ambition of the author: “Let’s kidnap the planet!”
We are just scratching the surface of the possibilities of today’s ransomware. We have seen attempts on mobile devices, but restoring files from a phone backup or the cloud is easy and is enabled by default once you connect your phone to your computer or the Internet. In the Intel Security Malware Operations Labs we are working with different scenarios and possible ransomware variants that we expect to surface in a short time. Our goal is to protect our customers from those threats. Intel Security not only operates on the detection and prevention of ransomware, but we are also heavily involved in working with law enforcement and other organizations to combine our forces and battle against ransomware.