A new trend in ransomware circles is creating an economy that experts compare to Silicon Valley’s venture capital scene.
Ondrej Krehel, CEO and founder of incident response provider Lifars, said some of the biggest new ransomware gangs, including the now infamous DarkSide group, were born on the back of investments from older, more established companies. These investors provide support in the form of Bitcoin or another cryptocurrency and then receive a share of the payouts.
The most notable example of this, Krehel said, is DarkSide. The ransomware group hit the headlines earlier this year when it caused Colonial Pipeline Co. to shut down for several days, sparking a brief gas panic across much of the eastern United States.
While the DarkSide gang appeared to come out of nowhere, it can actually be traced back to another well-established operation. Krehel said DarkSide is an offshoot of ZLoader malware, a variant of the infamous banking Trojan Zeus. With some joint members, DarkSide got off to a good start thanks to ZLoader’s Bitcoin support, and the ZLoader team, in turn, benefited from a portion of the ransom payments that DarkSide took.
This type of setup is becoming increasingly popular among the narrow circle of ransomware cyber criminals. Krehel explained that while various groups have tried to expand with new operations, members have moved to some sort of venture capital (VC) structure where one crew provides funds to help another set up the necessary infrastructure and tools.
Similar to VC investors, these financiers run the risk of investing money in exchange for a cut in profits. When the new malware crew starts collecting ransom payments, the funders receive the first part of the loot.
“It’s always a risk,” said Krehel, “but investors get a priority payment out of the proceeds.”
The dark web VC economy
In the case of DarkSide, Lifars estimates that the ZLoader crew is willing to collect a fixed percentage of ransomware payments over the life of the operation – probably around two to three years.
Much like in Silicon Valley, where raising funds can require a good reputation and the right connections, not every aspiring cybercriminal can benefit from these ransomware investments. Before any talk of funding can begin, threat actors need to prove that they have already established themselves as capable operators. In many cases, a person needs to be able to move a small amount of money into or out of a Bitcoin wallet that is linked to a major ransomware operation to show that they were involved in that crew.
“What we’ve seen is most when these conversations take place privately over Telegram,” said Krehel. “Usually you have to prove yourself and pay with a wallet that is linked to ransomware, and it is not easy to have such a wallet to prove your identity.”
Despite this highly selective process, there are enough offshoots that the number of malware operations is growing exponentially, as each new offshoot is able to gain a foothold immediately thanks to its backers. These successful crews in turn produce even more offshoots, in what Krehel referred to as a “Chernobyl explosion” of expensive ransomware attacks.
From script kiddies to kingpins
Part of the problem, Krehel said, is that the ransomware market is maturing. A class of criminals who began their operations as teenagers or “script kiddies” and sought indiscriminately for payouts in the thousands of dollars have evolved into full-fledged criminal operations in which handpicked targets are infiltrated and pumped for six- and seven-figure ransoms. Krehel compared the metamorphosis with that of the drug cartels at the end of the 20th century.
“These people have apartments in Moscow just to keep cash,” he noted.
With more money comes more sophistication. The highly technical, experienced ransomware operators are able to create several new malware families and ransomware groups. And, as many threat researchers have found, operators can shop on dark web marketplaces to gain access to specific organizations through compromised credentials, unpatched vulnerabilities, or other weaknesses.
As a result, security vendors and law enforcement agencies are faced with much higher numbers of possible suspects and leads when trying to trace the attacks to a single source.
“It becomes more complex and the system will thrive when more mature personalities act as leaders,” said Krehel. “It’s almost like the iPhone hits the market every year. Which version do you have? [and] what are you hunting?”
All of this, according to Krehel, has brought the industry to a turning point. Ransomware is threatening to explode and, if we do not want to get into a different drug cartel situation, swift and decisive action must be taken to stop these ransomware operations.