News Feature | June 17, 2016

Demystifying Russian Ransomware Campaigns

By Christine Kern, contributing writer

Flashpoint research on organized Russian ransomware highlights campaign methods and targets.

Flashpoint has released the findings from a five-month study of an organized Russian ransomware campaign. The new research report, Inside an Organized Russian Ransomware Campaign, explores how cybercriminals are using Ransomware as a Service (RaaS) to successfully target victims across industries, with healthcare a priority target. A companion research report, Hacking Healthcare, provides further examples of some of the latest healthcare-focused attacks and the response in underground forums.

The report reveals key metrics of the ransomware campaign, including average salaries for various members of ransomware schemes, ransom amounts per U.S. victim, and average monthly ransom payments. According to the report, the typical Ransomware Boss makes an average annual salary of $90,000 U.S., or 13 times the average current wages in Russia.

“Ransomware is clearly paying for Russian cybercriminals. As Ransomware as a Service campaigns become more wide-spread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks,” said Vitali Kremez, Cybercrime Intelligence Analyst at Flashpoint. “Corporations and users are unfortunately faced with a commensurately greater challenge of effectively protecting their data and operations from being held ransom, with no guarantee that sending a ransom payment will result in return of the stolen data.”

The report asserts that the recent success of Russian hackers is partly a response to lower barriers for Russian criminals to engage in ransomware campaigns. Researchers highlight the context around points of compromise, distribution, and development, and provide the threat profile of one specific, prolific Russian-organized ransomware campaign to underscore the magnitude of the threat.

The research also determined that hospitals and healthcare networks are now priority targets, with affiliate ransomware focused on these institutions advertised specifically on Deep and Dark Web forums and marketplaces.

The recent publicity surrounding ransomware attacks on hospitals, including those in California, Kentucky, and Maryland, some of which resulted in large payouts to the hackers, is convincing cybercriminals that holding data hostage is more lucrative than selling stolen data on the black market. In fact, most hospitals admit they have been targeted by ransomware attacks in the last year, as Health IT Outcomes reported.

The ransomware report concludes, “As these campaigns become more wide-spread and accessible to low level Russian cybercriminals, such attacks may result in dire consequences for individuals and corporations not ready to deal with new waves of ransomware attacks.”

The report also warns that paying the ransom is not wise, as the criminals often collect the payment without ever providing victims with decryption tools or a means to recover affected systems.