Flashpoint, the global leader in Deep & Dark Web data and intelligence, today released the findings from a five-month study of an organized Russian ransomware campaign. The new research report, Inside an Organized Russian Ransomware Campaign delves into the details of how cybercriminals are using Ransomware as a Service (RaaS) to successfully target victims, with the healthcare industry being identified as a priority target. The report reveals ransomware campaign key metrics, including average salaries for various members of ransomware schemes, ransom amounts per US victim, and average monthly ransom payments. The typical ‘Ransomware Boss’ makes an average annual salary of $90,000 USD ($7,500 USD/month), or 13x the average current wages in Russia.[1] The company has also released a companion research report, titled Hacking Healthcare which provides further examples of some of the latest healthcare-focused attacks and the response in underground forums.
“Ransomware is clearly paying for Russian cybercriminals. As Ransomware as a Service campaigns become more wide-spread and accessible to even low-level cybercriminals, such attacks may result in difficult situations for individuals and corporations not yet ready to deal with these new waves of attacks,” said Vitali Kremez, Cybercrime Intelligence Analyst, of Flashpoint. “Corporations and users are unfortunately faced with a commensurately greater challenge of effectively protecting their data and operations from being held ransom, with no guarantee that sending a ransom payment will result in return of the stolen data.”
In the report, Flashpoint’s subject matter experts provide important context around the points of compromise, distribution, development, and the threat profile of one prolific Russian-organized ransomware campaign. The recent success of the Russian hacking community is due in part to increasingly lower barriers that unsophisticated Russian cybercriminals need to overcome in order to engage in ransomware campaigns. Once recruited by a crime boss, it then becomes relatively easy for newcomers, who become part of the boss’s affiliate network, to start spreading ransomware quickly, attacking corporations and users via botnet installs, email and social media phishing campaigns, compromised dedicated servers, and file-sharing websites.
As far as priority targets for these campaigns, Flashpoint found affiliate ransomware targeting hospitals and healthcare networks being advertised specifically on Deep & Dark Web forums and marketplaces. And while numerous users have purchased ransomware promoted specifically for targeting hospitals, Flashpoint analysts, who closely monitor these schemes, assess that cybercriminals utilize such malware across a wide spectrum of industries.
With recent, highly publicized ransomware attacks on several hospitals and health networks resulting in large payouts to retrieve critical files, cybercriminals are clearly beginning to recognize that holding the data hostage is often more lucrative than simply stealing the data and selling it on the black market
