The Murky World of Ransomware Attacks and Evolving Business Models

January 25, 2024

In this article we cover:

  • Consequences for the Medibank Hacker
  • What is Ransomware?
  • Examples of ransomware attacks
  • Who is responsible for these crimes?
  • The job market for hackers
  • What’s it worth?
  • How to Prevent Ransomware
  • How to Report Ransomware (in Australia, the UK and the US)

Consequences for the Medibank Hacker

Australia’s Department of Foreign Affairs and Trade (DFAT) announced on 22 January 2024 that it would be applying its first cyber sanction against a Russian national, Aleksandr Ermakov, for his part in the disastrous Medibank ransomware attack and data breach of 2022, which saw 9.7 million Australian personal records made available on the black market. Australia's entire population is only 26 million.

The Australian Minister for Foreign Affairs, the Hon Penny Wong, said “The use of these powers sends a clear message – there are costs and consequences for targeting Australia and Australians.”

Aleksandr joins DFAT’s illustrious list of over 9,000 individuals and entities around the world against whom Australia holds sanctions. DFAT made it clear that Australians are not allowed to do business with Aleksandr, including giving him any type of ransomware payment. Although many governments recommend that ransoms not be paid, many also operate ransomware payment reporting functions so that treasury and law enforcement departments can try to keep track of events and of the billions of dollars being extorted from citizens across the world.

What is Ransomware?

  • Ransomware is an umbrella term used to describe a class of malware attacks intended to extort money from victims.
  • Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group then demands a ransom in exchange for decryption.
  • In some cases ransomware attacks have resulted in tens of millions of dollars being paid to criminal groups, making the crime an attractive payoff for criminals who often sit in far-away countries where they are unlikely to be extradited to their victims' country for punishment.

Examples of ransomware attacks

Fake Windows update while encrypting files.

Fantom Ransomware posed as a Windows Update and displayed a fake Windows Update screen while encrypting your files.

Fantom Ransomware Encrypts your Files while pretending to be Windows Update

Open a Resume and Get the Skull of Death

Spear phishing emails are sent to company HR departments containing a Dropbox link to a supposed resume. The link goes to an executable file that, once opened, crashes and reboots the computer. That's when victims see the skull and crossbones image with a message that the disk is encrypted. The only way to get your data back is by paying the ransom, which starts at 0.0099 Bitcoin (around $400 USD); the demand doubles after one week.

Source: KnowBe4

Fake Homeland Security Accusations

The name of this US authority is exploited by cyber criminals simply to make their deceptive message appear authentic and thus trick more unsuspecting PC users into paying the bogus fine. Accusations of watching pornography involving children, using or sharing copyrighted files, and using unlicensed software are false and are used to scare computer users into paying this fake fine.

Source: PCrisk

Multiple Groups Claiming Responsibility

In September 2023 RansomedVC claimed to Bleeping Computer that it had breached Sony's networks and stolen 260 GB of data, which it was attempting to sell for $2.5 million. However, matters became murky when another threat actor, 'MajorNelson', also claimed responsibility for the attack and disputed RansomedVC's claims.

BreachForums post leaking gigabytes of data purportedly belonging to Sony. Source: Bleeping Computer

Underground Tools for Sale

Ransomware and other malicious software can be purchased on black market forums. For example, basic encryption software sells for US$10-20 and a secure server for as little as US$15-250. Add the 10-30 percent cut that the Ransomware-as-a-Service (RaaS) gang takes from any successful ransom payout, and a sophisticated ransomware attack can be ready to deploy for as little as US$50.

Research shows that pre-made phishing scams specifically designed to mimic well-known companies are sold for as little as $2, configuration files for cracking passwords for $2, and malware for emptying Bitcoin wallets for $6.07.

There are also reports that for as little as US$60 a hacker can be hired to poison an AI training data set, which can lead the resulting model to divulge confidential data, to write malicious instructions, or to produce biased content that could cause user dissatisfaction or legal repercussions.

Who is responsible for these crimes?

Gangs with technical skills and the ability to run a business are responsible for many attacks.

It is also reported that certain states are likely lending support so that these groups create instability in certain regions while the states themselves maintain a safe level of plausible deniability.

Hacker gangs advertise for roles. Getting a job as a hacker does not require criminal background checks and some roles even offer sick leave and vacation time.

Some hacker gangs also have their own style of ethics. Take for example this ransom screen from the BlackMatter malware. They offer free decryption for companies in certain sectors. How nice of them!

BlackMatter's dedicated data leak site. Source: Recorded Future

The RaaS Business Model

Ransomware developers provide a suite of services in either a subscription or affiliate based model.

For a monthly subscription fee, affiliates get access to DIY kits priced from US$0.50 to US$3,000 (median price US$10.50), and/or enrol in a pay-per-use scheme that provides updates, new malicious versions and other experimental features.

Affiliate models offer the same as the monthly-fee model, but with a percentage of the profits going to the ransomware developer/operator. These partnerships also provide the ransomware payloads and a payment portal for victims, plus additional services such as leak site hosting, decryption negotiation, payment pressure and cryptocurrency transactions.

Ransomware Affiliates run the show and typically purchase a range of underground services that enable ransomware.

Recovery companies offer victims cyber extortion incident response services, which often include negotiating with the ransomware affiliates and obtaining the decryption keys required to unlock the victims' data.

Inside a RaaS Organisation's Day-to-Day Business Discussions

Following a leak of a well-known ransomware gang's chat messages, researchers were able to analyse 160,000 of them.

Just like in a typical technology company, discussion threads cover a range of subjects and in some cases do not relate to malware or technical subjects at all.

You can see in the graph provided by the researchers that some roles focus almost wholly on customer service and problem solving, while others spend a lot of time discussing task management and business matters.

Topic Distribution per Actor

What’s it worth?

The money criminals can get from deploying malicious software can be significant.

There are two ways of making money from ransomware:

  1. Get the victims to pay
  2. Sell the data

Given these are criminals with an obvious distaste for law-abiding behaviour, it would not be surprising if they tried to make money both ways from the same attack.

Chainalysis states that ransomware payments in 2023 surpassed the $1 billion mark.

Source: Chainalysis

When they attacked Colonial Pipeline in 2021, the DarkSide attackers asked for a ransom of 75 bitcoin, worth approximately $4.4 million at the time. The US Department of Justice was able to find the digital address of the wallet that the attackers used and got a court order to seize the bitcoin. The operation recovered 64 of the 75 bitcoin that Colonial Pipeline paid. At the time of the recovery, the 64 bitcoin were worth approximately $2.4 million.

Initially the REvil group demanded a payment of US$22.5 million from JBS when it was attacked, but negotiations between JBS and REvil seem to have brought that price down to $11 million, which was paid.

What criminals buy and sell personal data for depends on the type of information being sold and other market factors.

A hacked Gmail account could be sold for $60, while a Pinterest account with 100 followers goes for $2. For stolen credit cards the amount paid can depend on the balance of the card, with a $5,000 balance fetching $120 and a $1,000 balance $60. Physical forged documents still reap higher prices than digital ones, as the dark web index shows.

When compared with the potential jail time if caught, in some cases the benefits appear to outweigh the consequences. Take for example Mikhail Vasiliev, a Canadian/Russian dual national who in 2022 was charged by the District of New Jersey in the United States for his alleged participation in the LockBit global ransomware campaign. LockBit is a ransomware variant that first appeared around January 2020. Since first appearing, LockBit has been deployed against at least 1,000 victims in the United States and around the world. LockBit members have made at least $100 million in ransom demands and have extracted tens of millions of dollars in actual ransom payments from their victims. According to court documents, Vasiliev allegedly participated in the LockBit campaign. He is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. On February 9th 2024 he admitted guilt, was charged and is facing a maximum of only five years in prison. What is 5 years in prison worth to a person?

Data Exfiltration results in higher payments

A report published in 2024 analyses 452 ransomware attacks reported to the Dutch police and to an Incident Response company. The report states:

  • Criminals use data exfiltration to increase the willingness of victims to pay; and
  • Criminals adjust the ransom requested based on victim characteristics.

Paying the Ransom

Of 452 ransomware attacks analysed:

Negotiations

  • The average ransom requested before negotiation was 1,029,320 euro (sd = 3.0 million euro).
  • After negotiation the average ransom request was 578,956 euro (sd = 1.9 million euro), a decrease of 44%.

Payments made

  • 130 victims negotiated.
  • 119 victims paid the ransom (27.8%).
  • Of those who paid, 78.5% paid after negotiating and 21.5% paid without negotiating.

From Extortion to Blackmail

A report published in 2021 identified four distinct fears of victims which might explain the increased willingness to pay:

  1. Incrimination (e.g. exposure to data protection authorities),
  2. Reputational damage/lost revenue (e.g. exposure of sensitive data which could cause loss of customers),
  3. Exposure of intellectual property, and
  4. Humiliation (e.g. exposing embarrassing information about customers or a particular employee in an executive role).

These fears increase the willingness to pay and give an incentive for criminals to perform data exfiltration, or pretend that data is exfiltrated.

How to Prevent Ransomware

There are many techniques that can be deployed to help protect your organisation from ransomware attacks. The most basic include:

  • Back up your data regularly and keep backup copies of your files on a disconnected external drive or in a separate location. Having a backup means you will be able to restore your system and files even if your PC gets infected.
  • Be cautious: Don’t open suspicious e-mail attachments, stay away from murky websites, and don’t click on dubious online ads.
  • Use an Anti-Virus solution and make sure your operating systems, applications and browsers are up-to-date.
  • Set up DKIM and DMARC to prevent attackers from using your domain for phishing attacks.
  • Monitor and remediate all vulnerabilities exposing your business to threats.

How to Report Ransomware

Australia

In Australia there are a number of different reporting channels to follow depending on what type of incident you have experienced.

Phishing Scam

  • If you have received a scam email or phone message but have not fallen victim, contact Scamwatch.

Ransomware Attack

Dealing with Cyber Criminals

United States

Phishing Scam

  • If you have received a scam email, forward it to reportphishing@apwg.org (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies).
  • Report fraud to the FTC. The FTC won't resolve your individual report, but your report is shared with more than 2,800 law enforcers.

Ransomware Attack

For cyber security advice during a ransomware attack:

Report or Contact CISA.

For criminal investigations:

Report to the FBI.

  1. If you have fallen victim to a Ransomware attack file a report with the Internet Crime Complaint Center. Crime reports are used for investigative and intelligence purposes. Rapid reporting can also help support the recovery of lost funds.
  2. If you are the victim of a network intrusion, data breach, or ransomware attack, contact your nearest FBI field office or report a tip to the FBI.

Contact your local United States Secret Service field office.

Dealing with Cyber Criminals

United Kingdom

Phishing Scam

Ransomware Attack

Dealing with Cyber Criminals

  • If you suspect a ransomware payment has been made to a sanctioned individual (Designated Person, DP), report this to the Office of Financial Sanctions Implementation (OFSI) as soon as possible. Where a ransomware payment to a DP has been facilitated by a third party (such as a financial institution or cryptoasset business), OFSI will generally consider a prompt and full voluntary disclosure, made to OFSI as soon as practicable, as a mitigating factor for the third party.