Alex - stock.adobe.com
A new trend in ransomware circles is creating an economy that experts liken to the Silicon Valley venture capital scene.
Ondrej Krehel, CEO and founder of incident response vendor Lifars, said some of the biggest new ransomware gangs, including the now-infamous DarkSide group, have been launched on the back of investments from older, more established operations. These investors provide backing in the form of bitcoin or other cryptocurrencies, then get a share of the payouts.
The most notable example of this, Krehel said, is DarkSide. The ransomware group made headlines earlier this year when it caused Colonial Pipeline Co. to suspend operations for several days, leading to a brief gas panic for much of the Eastern United States.
While the DarkSide gang seemingly came out of nowhere, it can, in fact, be traced back to another well-established operation. Krehel said DarkSide formed as an offshoot of ZLoader malware, which is a variant of the notorious Zeus banking Trojan. With some common members, DarkSide was able to get off the ground, thanks to bitcoin backing from ZLoader and, in turn, the ZLoader team enjoyed a share of the ransom payments DarkSide took in.
This sort of setup is becoming more popular within the close-knit circle of ransomware cybercriminals. Krehel explained that as various groups have sought to branch out with new operations, members have taken to a sort of venture capital (VC) structure where one crew will provide funds to help another get set up with the needed infrastructure and tools.
Much like VC investors, those backers take the risk of putting up money in exchange for a cut of the profits. When the new malware crew begins collecting ransom payouts, the backers will get the first cut of the haul.
"It is all a risk at any point in time," Krehel said, "but the investors get a priority payment from proceeds."
The dark web VC economy
In the case of DarkSide, Lifars estimated that the ZLoader crew is poised to collect a fixed percentage of the ransomware payments over the entire lifespan of the operation -- likely around two to three years.
Much like Silicon Valley, where getting funds can require having a reputation with the right connections, not just any aspiring cybercriminal can enjoy these ransomware investments. Getting into the conversation where the funds are handed out requires threat actors to prove they have already established themselves as capable operators. In many cases, a person will need to be able to move a small amount of money in or out of a bitcoin wallet connected to a major ransomware operation, showing they were involved in that crew.
"What we have seen is most of these conversations happen in private on Telegram," Krehel said. "You usually need to prove yourself and pay from a wallet affiliated with ransomware, and it is not easy to have a wallet like that to prove your identity."
Even with this highly selective process, there is enough new blood coming into the fold that the ranks of malware operations are growing exponentially as new offshoots are able to hit the ground running, thanks to their backers; those successful crews, in turn, spawn even more offshoots in what Krehel described as a "Chernobyl explosion" in high-cost ransomware attacks.
From script kiddies to kingpins
Part of the problem, Krehel said, is the ransomware market is maturing. A class of criminals who began operations as teenagers or "script kiddies" indiscriminately seeking payouts in the range of a few thousand dollars have grown into full-fledged criminal operations where hand-picked targets are infiltrated and pumped for six- and seven-figure ransoms. Krehel likened the metamorphosis to that of the drug cartels in the late 20th century.
"These people have apartments in Moscow just to store cash," he noted.
With more money comes more sophistication. The highly technical, experienced ransomware operators are able to create multiple new malware families and ransomware groups. And, as many threat researchers have noted, the operators can shop on dark web marketplaces for access to specific organizations through compromised credentials, unpatched vulnerabilities or other weak points.
As a result, security providers and law enforcement agencies find themselves dealing with far higher numbers of possible suspects and leads as they try to trace the attacks back to a single source.
"It is getting more complex, and the system is going to flourish by more mature individuals being leaders," Krehel said. "It is almost like the iPhone being released every year. What version do you have, [and] what are you chasing?"
All of this, Krehel said, has put the industry at an inflection point. Ransomware is poised to explode, and unless we want to find ourselves with another narco cartel situation, swift and decisive action must be taken to crack down on these ransomware operations.