跳到主体内容

More Than 75% of Crypto Ransomware in 2016 Came From the Russian-Speaking Cybercriminal Underground

2017年2月18日

Out of 62 new crypto ransomware families discovered by Kaspersky Lab researchers in 2016, at least 47 were developed by Russian-speaking cybercriminals

Out of 62 new crypto ransomware families discovered by Kaspersky Lab researchers in 2016, at least 47 were developed by Russian-speaking cybercriminals. This is one of the findings of an overview of the Russian-speaking ransomware underground, conducted by Kaspersky Lab researchers. The review also found that small groups with limited capabilities are transforming into large criminal enterprises that have the resources and intent to attack private and corporate targets worldwide.

Crypto ransomware – a type of malware which encrypts its victim’s files and demands a ransom in exchange for decryption – is one of the most dangerous types of malware today. According to Kaspersky Lab telemetry, in 2016 more than 1,445,000 users (including businesses) around the globe were attacked by this type of malware. In order to better understand the nature of these attacks, Kaspersky Lab researchers conducted an overview of the Russian-speaking underground community. One of the major conclusions is that the increase in crypto ransomware attacks observed in recent years is the result of a very flexible and user-friendly underground ecosystem, allowing criminals to launch crypto ransomware attack campaigns with almost any level of computer skills and financial resources.

Kaspersky Lab researchers identified three levels of criminal involvement in the ransomware business:

  • The creation and update of new ransomware families
  • The development and support of affiliate programs distributing ransomware
  • The participation in affiliate programs as a partner

The first type of involvement requires a participant to have advanced code-writing skills. The cybercriminals who create new ransomware strains are the most privileged members of the ransomware underground world, as they are the ones who create the key element of the whole ecosystem.

On the second level of the hierarchy, there are the developers of the affiliate programs. These are the criminal communities which – with the help of different additional tools, like exploit kits and malicious spam – deliver the ransomware issued by the malware creators.

The partners of affiliate programs are on the lowest level of the whole system. Utilizing different techniques they help the owners of affiliate programs to distribute the malware in exchange for a share of the ransom received by owners of the program. Only intent, a readiness to conduct illegal actions, and couple of bitcoins are required for participants of affiliate programs to enter this business.

According to Kaspersky Lab estimations, the overall daily revenue of an affiliate program may reach tens or even hundreds of thousand dollars, of which around 60% stays in the criminals’ pockets as net profit.

Moreover, during their research into the underground ecosystem and multiple incident response operations, Kaspersky Lab researchers were able to identify several large groups of Russian-speaking criminals specializing in crypto ransomware development and distribution. These groups may unite tens of different partners, each with their own affiliate program, and the list of their targets includes not only ordinary Internet users, but also small and medium-sized companies and even enterprises. Initially targeting Russian and CIS users and entities, these groups are now shifting their attention to companies located in other parts of the world. 

«It is hard to say why so many ransomware families have a Russian-speaking origin, but what is more important is that we’re now observing their development from small groups with limited capabilities to large criminal enterprises that have resources and the intent to attack more than just Russian targets. We’ve seen something similar with financial malware groups, like Lurk. They also started with massive attacks on online banking users, and then evolved into sophisticated groups capable of robbing large organizations, like banks. Sun Tzu said: If you know the enemy and know yourself, you need not fear the result of a hundred battles. That’s why we’ve created this overview: ransomware gangs are turning into very powerful enemies, and for the public and the security community, it is really important we learn as much about them as possible,» - said Anton Ivanov, security researcher at Kaspersky Lab, and the author of the overview.

Read more about how Russian-speaking underground ransomware ecosystem works on Securelist.com

More Than 75% of Crypto Ransomware in 2016 Came From the Russian-Speaking Cybercriminal Underground

Out of 62 new crypto ransomware families discovered by Kaspersky Lab researchers in 2016, at least 47 were developed by Russian-speaking cybercriminals
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻