Researchers from cybersecurity firm Kaspersky dug deep into darknet forums to release a report that helps organisations better understand how the ransomware ecosystem operates.

Ransomware is one of the key cybersecurity threats of 2021, according to experts.

“Attackers have built their brands and are bold in their advances like never before, with the news about organizations being hit with ransomware consistently on newspaper front pages. But by placing themselves under the spotlight, such groups hide the actual complexity of the ransomware ecosystem,” Kaspersky said.

Researchers took a deep look at the REvil and Babuk gangs and beyond to debunk some of the myths about ransomware.

According to Kaspersky’s report, the ransomware ecosystem includes multiple players that take on various roles similar to other industries.

“Contrary to the belief that ransomware gangs are actually gangs – tight, have been through it all together, Godfather-style groups, the reality is more akin to the world of Guy Ritchie’s ‘The Gentlemen’, with a significant number of different actors – developers, botmasters, access sellers, ransomware operators – involved in most attacks, supplying services to each other through dark web marketplaces,” it said.

These actors meet on specialised darknet forums where one can find regularly updated ads offering services and partnerships.

Prominent big-game players that operate independently do not frequent such sites. However, well-known groups such as REvil, which have increasingly targeted organisations in the past few quarters, publicise their offers and news on these forums on a regular basis through affiliate programs.

As per the research, an affiliate program is a partnership between the ransomware group operator and the affiliate in which the operator takes a profit share of 24-40 per cent, while the remaining 60-80 per cent stays with the affiliate.

The ransomware operators set ground rules for the selection of such partners right from the beginning in a finely tuned process. Important factors taken into account include geographical restrictions and even political views. At the same time, ransomware victims are selected opportunistically, it said.

Because their primary objective is profit, operators often go after low-hanging fruit: organisations to which the attackers were able to gain access more easily.

“It could be both actors that work within the affiliate programs and independent operators that later sell access,” as per the report.

Access is sold at auction or at a fixed price, with the starting price as low as $50.

“These attackers, more often than not, are botnet owners who work on massive and wide-reaching campaigns and sell access to the victim machines in bulk, and access sellers on the lookout for publicly disclosed vulnerabilities in internet-facing software, such as VPN appliances or email gateways, which they can use to infiltrate organizations,” it said.

Ransomware forums also include other types of offers. Some ransomware operators sell malware samples and ransomware builders for prices ranging from $300 to $4,000.

Some may also offer Ransomware-as-a-Service – the sale of ransomware with continued support from its developers. Prices for these packages can range from $120 a month to $1,900 per year.

“The ransomware ecosystem is a complex one with many interests at stake. It is a fluid market with many players, some quite opportunistic, some – very professional and advanced. They do not pick specific targets, they may go after any organization – an enterprise or a small business, as long as they can gain access to them. Moreover, their business is flourishing, it is not going away anytime soon,” said Dmitry Galov, security researcher at Kaspersky’s Global Research and Analysis Team.

“The good news is that even rather simple security measures can drive the attackers away from organizations, so standard practices such as regular software updates and isolated backups do help and there is much more that organizations can do to secure themselves,” added Galov.

“Effective actions against the ransomware ecosystem can only be decided once its underpinnings are truly understood. With this report, we hope to shine a light on the way ransomware attacks are truly organized, so that the community can set up adequate countermeasures,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s Global Research and Analysis Team.