An analysis of the finances and operation of a ransomware outfit has shown it's entirely possible to bankroll a modest-sized crime gang on victims' payoffs.
Dark web monitoring firm Flashpoint has been following a ransomware-as-a-service campaign organized by Russian crooks since December 2015, tracking the recruitment of associates, distribution of the malware, and payment processes.
This particular campaign was launched by a ransomware boss, who has been operating against Western companies since at least 2012. The head honcho began by recruiting associates who would be responsible for finding infection victims in exchange for a share of the profits, and set the bar pretty low for entry.
"This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path. No fees or advance payments from you are required, only a large and pure desire to make money in your free time," the recruitment notice reads.
"It is desirable, of course, that you have already had some minimal experience in this business. But if you have no experience, it is not a problem. In addition to the file, you will receive detailed instructions on how and what to do – even a schoolboy could do it; you need only time and desire."
The boss hired 10 to 15 affiliates in this way, and they are responsible for spreading the ransomware code. This was primarily done by buying access to infected computers, spamming out files, finding unsecured servers, or luring in victims via dating or social networking sites.
Once the code is installed and running, the boss then handles communications with the victim, obtaining a ransom averaging $300 for the decryption key, although in some cases an additional ransom was demanded from the victim before the key was dispatched.
Payment was in Bitcoins and the online currency was laundered via Bitcoin exchanges. The boss then doled out funds – 40 per cent of the ransom to the affiliate and 60 per cent for himself.
The investigators found there were an average of 30 ransom payments made every month, netting the boss around $90,000 a year and his affiliates about $600 a month, although that varied depending on how successful they were at infecting systems. Larger ransomware gangs will trouser far larger sums, of course, as much as $90,000 a week or more.
"From the ransomware affiliate perspective, such campaigns have significantly lowered the barriers for entry for low-tier Russian cybercriminals," the report notes.
"Ransomware revenue amounts are not as glamorous and fruitful as they are often publicly reported. Our findings dispute the common perceptions of cybercriminals as being larger-than-life, smart, well off, unreachable, undoxable, and unstoppable."
That's true, up to a point. According to the International Labour Organization, the average annual salary in Russia is $21,600, so there's good money to be made by the bosses but the affiliates don't make that much.
Still, there is risk involved. The Russian police are cracking down on ransomware operations and, if caught, the bosses and affiliates are likely to get lengthy prison terms in a country not known for the high quality of its incarceration facilities.