Raking in the Ransoms: How the Russian Ransomware Threat Landscape Ticks


In March 2016, the Cerber file encrypter first introduced itself to the public. This “ransomware that speaks” has gone through multiple versions since its inception, adopting techniques such as redundant checks for installed security software along the way. It’s no surprise its innovative dynamism has attracted the attention of spammers and possibly other ransomware developers.

To put things in perspective, Cerber is just one of the many crypto-ransomware families that researchers at Kaspersky Lab have detected since the onset of 2016. Out of the five dozen groups it has observed, Kaspersky found that more than three quarters of them (47) are related to Russian-speaking groups and individuals. The security company reached this conclusion by analyzing the ransomware samples’ command and control (C&C) infrastructure, their distribution on underground forums, and other indicators.

But that’s only the beginning of Kaspersky’s findings. Such an exhaustive investigation yields many insights. Chief among them is a deeper understanding of how Russian ransomware threat actors develop their creations, distribute them to users, and monetize their criminal enterprises.

Let’s now use Kaspersky Lab’s analysis to better understand how the Russian ransomware threat landscape ticks.

In the Weeds of Russian Ransomware

If you think Russian threat actors code a piece of ransomware and directly target users with it, you’re wrong. Most such enterprises are far more sophisticated than that.

It all begins with a developer who creates the crypto-malware. They are the one responsible for coding the software, adding additional modules, and setting up the IT infrastructure that supports the ransomware’s distribution. To coordinate this operation, a creator inevitably hires or enlists the help of a manager. The manager is the only person in a Russian ransomware venture who gets to communicate with the author. Their job is to internalize the directives of the author and find partners who can realize the developer’s vision.

In other words, a manager is responsible for finding partners who can help expand the ransomware initiative. Kaspersky Lab explains how they do this in a blog post:

“The primary task of partners is to pick up the new version of ransomware and distribute it successfully. This means successfully infecting as many PCs as possible and demanding a ransom. For this – among other tools – partners utilize the affiliate programs which they own. The creator earns money by selling exclusive malware and updates to the partners, and all the other participants of the scheme share the income from the victims in different proportions. According to our knowledge, there are at least 30 partners in this group.”

The structure of a typical ransomware enterprise. (Source: Kaspersky Lab)

Affiliate programs can be quite lucrative. For instance, Cerber’s scheme nets the original author an average of one million dollars per year. This sum doesn’t include other attack campaigns spear-headed by the author.

Then again, affiliate programs need to generate lots of capital. The ransomware creator needs those funds to support the development of new modules, invest in distribution channels like exploit kits and spam campaigns, maintain an anti-virus check service, purchase credentials for hacked servers, and pay the IT specialists who support the ransomware’s infrastructure. They must also account for the managers and affiliates, each of whom gets paid a fraction of the profits generated by the ransomware based upon their rank and/or how many infections they introduce. In total, operational costs for such an enterprise can exceed tens of thousands of dollars.

Unfortunately, most Russian crypto-malware operations are at no loss for money. Affiliates usually must purchase a license in exchange for the right to help distribute a single ransomware sample. They get to keep a fraction of the revenue, but the rest goes to the creator to help perpetuate the enterprise. This pays off in the end.

Kaspersky elaborates on that point:

“Based on what we’ve seen in discussions on underground forums, criminals are lining their pockets with more than 60% of the revenue received as a result of their activities. So, let’s go back to our estimate of the daily revenue of a group, which may be tens of thousands of dollars on a good day. That’s of course an estimate of cumulative net income: the total sum of money which is used as payoffs to all the participants of the malicious scheme – starting from regular affiliate program participants and ending with the elite partners, manager and the creator. Still, this is a huge amount of money. According to our observations, an elite partner generally earns 40-50 bitcoins per month. In one case we’ve seen clues that an especially lucky partner earned around 85 bitcoins in one month, which, according to the current bitcoin exchange rate, equals $85,000 dollars.”

The typical profits (green) vs. payments (red) of a ransomware scheme. (Source: Kaspersky Lab)

Given their profitability, some ransomware enterprises are now changing how they are structured or whom they prefer to target. For instance, some initiatives are accepting only elite partners who can demonstrate their ability to reliably infect a certain number of hosts. At the same time, others are looking to increase their revenue by going after organizations like Hollywood Presbyterian Medical Center and the San Francisco transit agency instead of individual users.


Kaspersky notes in its blog post that Russia has many skilled coders and some previous experience with ransomware-like software. These influences mean Russia’s ransomware threat landscape will only continue to evolve in the coming years.

Given this trend, users and organizations alike should invest now in ransomware prevention strategies. Those should include backing up their data, patching their systems, and maintaining anti-virus solutions on all computers.
