Inside an Organized Russian Ransomware Campaign
By Vitali Kremez
RANSOMWARE AS A SERVICE
Executive Summary

In the course of monitoring an organized Russian ransomware campaign, Flashpoint analysts were able to gain significant visibility into the tactics, techniques, and procedures employed by a campaign boss operating a ransomware scheme out of Russia.

As the Russian hacking community lowered the access requirements for unsophisticated Russian cybercriminals to engage in ransomware campaigns, corporations and individuals face a commensurately greater challenge of effectively protecting their data and operations from being held ransom.

Recent threats powered by ransomware campaigns which have surfaced in the Deep & Dark Web appear to be specifically aimed at the healthcare industry. Cybercriminals consider this industry in particular to be a valuable target due to the treasure trove of personally identifiable information their systems house. While prior efforts focused on stealing and reselling the data, now criminals are turning to ransomware to hold the data hostage.
Introduction

A new form of ransomware has emerged that is in effect “Ransomware as a Service” (RaaS): it enables "affiliates" to obtain a piece of ransomware from a crime boss and distribute it to victims as they wish.

For example, a RaaS campaign such as Ranstone, which targets Mac OS X users, utilizes a special type of malware designed to encrypt a computer’s files using strong cipher algorithms. Its execution triggers system-wide file encryption, with a note urging the infected user to deposit a certain amount of money in the hacker’s account in order to decrypt his or her files.

As a result of their participation in such campaigns, low-level Russian cybercriminals have gained a thorough understanding of the inner workings of ransomware campaigns. It is not particularly hard for newcomers to start spreading ransomware quickly and attack corporations and individuals via:
1. Botnet installs
2. Email and social media phishing campaigns
3. Compromised dedicated servers
4. File-sharing websites
Research Methods

The purpose of this white paper is to provide context around the points of compromise, distribution, development, and threat profile of one prolific Russian-organized ransomware campaign.

The methodology of the study includes analysis of communications within larger cybercriminal communities as well as technical analysis of the ransomware sample. The timeframe of the study traces the campaign from December 2015 to the present.

Recruitment for Ransomware Campaign

The campaign boss organized a ransomware campaign designed to recruit low-level cybercriminals without substantial coding skills to support his scheme, reaching out to users in the Russian underground on the Deep Web with the following post:

Good day,

This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path. No fees or advance payments from you are required, only a large and pure desire to make money in your free time.

I propose mutually beneficial cooperation in the sphere of distribution of my software.

It is desirable, of course, that you have already had some minimal experience in this business. But if you have no experience, it is not a problem. In addition to the file, you will receive detailed instructions on how and what to do - even a schoolboy could do it; you need only time and desire. The scheme is simple, and tested and working 100%, revenue yields are decent. Thus, you are not risking anything in particular (money being the most important), and are getting valuable experience, and if you succeed - a good cash reward. At the same time, you do not need to bother looking for work ideas, encryption software, nor for receipts and processing of payments. Details - for all correspondence, write in this topic or personal message or Jabber.

The apparent targets of this particular campaign are Western corporations and individuals.
Ransomware Tactics, Techniques, & Procedures

Victim Identification & Propagation Methods

Once the targets are identified, the ransomware can be distributed via several means, including:
1. Botnet installs (purchasing installs from other cybercriminals on cybercrime forums and loading ransomware on compromised systems)
2. Email and social media spam (employing spam botnets to distribute ransomware)
3. Compromised dedicated servers (bruteforcing and stealing credentials from botnet logs and installing ransomware on the system)
4. Dating, torrent, and other file-sharing websites (using joiners and other covert channels to mask ransomware as attractive content and uploading the malware on such websites)

This particular ransomware campaign does not utilize a command-and-control infrastructure. Rather, it uses custom ransomware that encrypts the files on the infected machine and drops a text file containing an email address that the victim needs to contact to obtain a decryption key and recover the encrypted data.

[Figure: the Ransomware Boss hires the Affiliate, provides custom ransomware, and compensates the Affiliate for each ransom (40%); the Affiliate distributes the ransomware to the Infected Victim; the Boss demands the ransom from the victim.]
Ransom Scheme Scenario

Once the low-level criminals have deployed ransomware successfully, the boss does the rest of the work: communicating with the victims via email, collecting and validating Bitcoin payments, issuing decryptors, and finally sending the affiliate's share of the ransom payments. The boss keeps 60% of the collected ransoms and distributes the rest to his affiliates.

On at least one occasion, the crime boss demanded additional payments even when a ransom payment had already been received, before providing a decryptor to the compromised victim.

Adversary Profile

Based on our coverage of the Deep & Dark Web, this particular ransomware crime boss has been active since at least 2012. His primary targets have included corporations and individuals in various Western countries. Based on multiple indicators, it appears that the ransomware boss operates out of Russia.

Motivation: Financial Gain
Credibility: High
Location: Russia
Language(s): Russian (Native), English (limited proficiency)
Sleep/Wake Cycle (GMT): [Chart: activity level by hour of day, 0-23 GMT]

Ransomware Campaign Key Metrics:
Ransomware Boss Average Monthly Salary (USD): $7,500
Affiliate Average Monthly Salary (USD): $600
Ransom Amount per US Victim (USD): $300
Avg. Monthly Ransom Payments: 30
Affiliate Partners: 10-15
Perceived Operation Risk by Ransomware Boss: Low

Money Flow

Upon receiving the Bitcoin payment from the victim, the crime boss launders the money via Bitcoin exchangers.

To compensate his partners, the crime boss sends Bitcoins from an unattributable clean Bitcoin wallet. He then forwards the rest of his Bitcoins to a Bitcoin exchanger to hide his tracks.

Bitcoin is most often utilized because of its ability to partially obfuscate the true identity of the Bitcoin wallet owner, making the tracking of transactions very difficult for law enforcement and security researchers.
Key Findings

1. From the ransomware affiliate perspective, such campaigns have significantly lowered the barriers to entry for low-tier Russian cybercriminals.
2. Ransomware revenue amounts are not as glamorous and fruitful as they are often publicly reported. Ransomware crime bosses make only $90K per year on average.
3. Our findings dispute the common perceptions of cybercriminals as being larger-than-life, smart, well off, unreachable, undoxable, and unstoppable.
4. The report provides the complete payout structure and Bitcoin laundering operation related to the ransomware-as-a-service campaign.
Conclusion

This ransomware campaign is similar to other Ransomware as a Service (RaaS) initiatives which Flashpoint has seen in the past under the names GinX and Ranstone. Notably, however, this campaign relied on personal relationships between affiliates and the boss, without a centralized command-and-control technical infrastructure. In fact, an affiliate has to rely on his own distribution method to determine how many of his ransomware infections have been installed, while putting faith in the crime boss to deliver payments.

As these campaigns become more widespread and accessible to low-level Russian cybercriminals, such attacks may result in dire consequences for individuals and corporations not ready to deal with new waves of ransomware attacks.

Though the loss of data can be devastating, Flashpoint has observed that sending ransom payments does not always work. In the case of this particular criminal enterprise, the group often prefers to collect payments without ever providing decryption tools or methods to affected victims.
About Flashpoint

Flashpoint helps companies and individuals understand the threats looming in the Deep & Dark Web in order to help mitigate and prevent both cyber and physical attacks.

We provide data, tools, and expertise to security and intelligence teams across the Fortune 500 and government to help them both obtain actionable intelligence and gain critical awareness of threatening actors and their relationships, behaviors, and networks prone to malicious activity.

Contact
Web: www.flashpoint-intel.com
Email: info@flashpoint-intel.com

Copyright © 2016 Flashpoint, Inc. All rights reserved.