Ransomware is not a new concept and has been previously filed under the category of annoyances. But in recent years with the advent of the Dark Web (Onion Routing protocols) and Blockchain powered decentralised currencies, they are becoming extremely potent and detrimental to business operations.

To better understand how ransomware is built and targeted it is important to understand how malware is created, marketed, and operated. This understanding will hopefully allow the intended targets (or would be victims) to understand their place in the malware / ransomware threat eco-system.


Ransomware Supply Chain

The Developer

Ransomware developers are an interesting aspect of CryptoLocker and malware, with some malware being genuinely developed from nothing, others however are cobbled together in a rushed manner and have very little testing applied to them. Yet, when a developer’s malware is released into the wild, other developers begin dissecting their code to incorporate or emulate the released ransomware.

Developers can be engaged to produce ransomware either as a distributable toolkit, or as a part of a specific campaign against a target. Additionally, some such developers may opt to employ their own creations, taking the role of Operator.

Whilst specific data is not yet available to describe how much a ransomware developer is paid for their services, there are also (reportedly) nation-state sponsored groups who have developed ransomwares for participation in complex attacks against opposing nations (e.g. WannaCry reportedly built and released by DPRK sponsored group).

The Marketer

Malware marketers have been increasing their earnings through the peddling of CryptoLocker type variants across several dark web forums, with estimates that their gross earning across one such monitored forum went from $250,000 to $6 million dollars over the course of a year.

Whilst the monetary value appears to be low, it is worth reflecting on that this is for the supply of either the ransomware itself, or the renting of Ransomware-as-a-Service (RaaS). The procuring operator would then use the supplied code to target their own victims, extorting a ransom in the event of a successful mark.

The cost of entry however for various ransomware variants can vary but remain extremely affordable and lowers the economic barrier for entry. Ransomwares market for between $3,000 for custom built architectures and targeted vulnerabilities, right down to $1 for very basic nuisance malwares designed to lock users out of their devices with a rudimentary lock screen.

The Operator

Once an operator has procured the ransomware code, and the combined it with an appropriate delivery mechanism they then begin the process of targeting would-be victims in the hope they will execute the payload on delivery.

The operator will likely customise the supplied code from the marketer and apply their own configuration changes. This may involve the specific targeting of file types, user accounts, or even supplementing the cryptocurrency payment details to which ransoms would need to be paid.

It is also worth noting, that whilst the developer and marketer may have intended for the ransomware to be functional and be capable of decrypting files on payment, there is no guarantee that the operator will configure their variant to do the same. Effectively, a victim would need to trust the ransomware operator to unlock their files or systems when the ransom is paid.

The Victim(s)

Victims may be targeted specifically, or through wider scale campaigns through phishing, or broad network analysis. Specifically, targeted victims are subject what is termed Spear phishing campaigns, and the efforts behind conduct such a campaign requires immensely more effort than a phishing campaign.

Victim devices may be exploited through seemingly trusted email messages, or infected binaries introduced directly to the intended target. All these vectors involve an element of social engineering to convince a user to open an infected payload.

Once the executable is run, the ransomware operator may be informed of a successful infection, and they may receive one half of the cryptographic key used to encrypt the victim’s files. The user will then be displayed a ransom message indicating their files have been encrypted, and how long their files will remain available for decryption – this mechanism is designed to influence the user to pay the ransom or else.

Whilst the ransomware has been executing in the background, it is entirely possible that it may exploit other neighbouring assets on the user’s network, spreading its ransomware code across to more machines, and possibly sending pre-generated social engineering messages with the ransomware code attached.

Its intent is to maximise the profitability to the ransomware operator, through infecting more targets and degrading the victim’s ability to recover from the infection.