Sunday, September 19, 2021

Need to earn $10 million? Snitch on a cybercrook! – Naked Security

Just over a week ago, we wrote about the REvil ransomware gang’s latest braggadocio.

As you probably know, ransomware operators like REvil, Clop and others don’t generally work on the front line themselves: they rarely conduct the actual network intrusions that deliver the final ransomware warhead.

Instead, they recruit teams of “attack affiliates” – subcontractors, if you like – who are given their own variants of the ransomware code and let loose on the world.

The affiliates don’t need to know how to program the malware in the first place, and they don’t get involved in negotiating and collecting the final blackmail money from victims who decide to pay up.

The affiliates bring different skills to the operation, such as:

  • Breaking into networks and posing as sysadmins, sometimes for weeks or even months.
  • Mapping out the network, possibly even including assets the victims have lost track of.
  • Stealing what they can and exfiltrating data that might assist with subsequent attacks, or raise good money on the dark web, or be used for additional blackmail leverage after the ransomware has done its dirty work.
  • Opening backdoors and creating bogus accounts that let them walk straight back in if they get locked out on the way.
  • Finding out how the company does its backups, and trashing them in advance of the cryptographic denouement…

…in return for a big chunk of the ransomware payment, often as much as 70%.

(We have to guess that the core crooks originally set their share at 30% because that’s the number that seems to have worked out well for companies like Apple and Google when licensing products such as music and apps.)