Ransomware-as-a-Service (RaaS)


In the ransomware-as-a-service (RaaS) business model, developers sell or lease malware to affiliates on the dark web. RaaS providers make arrangements with cyber criminals to attack targets in exchange for a percentage of the ransom. Seekers of this type of service can choose a monthly subscription, a one-time license fee with no profit sharing, or other options with varying profit-sharing percentages. Ransomware assaults are a profitable business. Recent attacks on Colonial Pipeline and CNA Financial proved to the crooks that cyber crime does pay. And it pays a lot!

Ransomware attacks and payments are not readily disclosed, so it is difficult to know how big some of the ransoms have gotten. Organizations that have cyber liability insurance policies and house sensitive data are the biggest targets. These victims seem to be the most likely to pay.

Catching the thieves has proven difficult. Although the name of the group responsible is often revealed, as with the DarkSide hackers in the Colonial Pipeline attack, it is nearly impossible to track down the individuals under the cloak. It becomes an upstream investigation into the actors involved. Add in a dash of nation-state sponsorship and it carries political implications as well.

RaaS operations have made this illegal enterprise into quite the business model. They advertise to attract clients with slick marketing campaigns that outline who they will NOT attack, what will happen if the ransom is not paid, and which guarantees they will honor. They interview prospective crooks and create contracts and agreements. Now they even have their own kangaroo court, where cyber attackers who aren’t getting paid by the provider can take them to court for non-payment and breach of contract.

All rise. Hackers Court is now in session.

Read this account, posted by Brian Krebs, of the back-and-forth haggling between a US company and the DarkSide gang:
A Closer Look at the DarkSide Ransomware Gang