It should be pointed out these are affiliates, not actual members. Later down, the article mentions the bounty for actual REvil leadership members.
This is what makes Ransomware as a Service so dangerous. It's basically franchising. The actual REvil gang gets to outsource the arrest risk to a third party and still gets paid billions.
Including inner city drug gangs. The kingpins basically just hand out a franchise "package" to a corner, selling the equipment and method, training and often even fashion statements.
Can you please cite a reference for this concept? I'm interested in learning more and I'd like to read some verified information about how they operate
The TED talk “The freakonomics of crack dealing” might interest you.
> What I'm going to tell you today is that, in fact, based on 10 years of research, a unique opportunity to go inside a gang -- to see the actual books, the financial records of the gang -- that the answer turns out not to be that being in the gang was a glamorous life. But I think, more realistically, that being in a gang -- selling drugs for a gang -- is perhaps the worst job in all of America. And that's what I'd like to convince you of today.
This is somewhat analogous to how regular corporations operate: the majority of the risk lies not with the people making most of the money, probably even more so when white collar crime is involved.
The thing I like about corporate law is that, unlike how organized crime usually works with the lowest members of the hierarchy getting charged and dealing the consequences of their actions that their bosses forced them to take, it's the shareholders taking responsibility (corporate fines) for the lowest members' actions. Corporate law forces shareholders to optimize their system and corporate hierarchy to disincentivize doing illegal things. As opposed to organized crime, which does the opposite; the mob bosses organize their system and hierarchy to incentivize doing illegal things because this gets the mob bosses money. Man, I could rant for hours about how much I viscerally despise the unintelligent internet commentators that talk down on corporate law. Without corporate law (the only thing holding shareholders responsible for the actions of their employees), all we get is unaccountability and organized crime!
Yep. And the affiliates might be government agents. Both ringleaders and affiliates need to take anonymity measures, so they seem equally vulnerable to me.
Problem is this isn't exactly like a street meeting between mafia thugs in New York in the 60's. There's no face to face contact for cops to monitor. There's no wires to record voices and tie into identities. Sure, there's meetings, but they're online and can be anonymized. Of course, it's not 100%, but it's a higher chance of success than say, wiretapping a phone.
All of those apply to both the affiliates and the ringleaders.
Also, wiretapping a phone only captures future calls. A warrant against a website, or the website's hosting provider can provide message history, assuming it's not E2E encrypted. And it could even get the message history of every single user in one go if the site is e.g. hacked, or if there's a broad warrant against a crime website's hosting provider.
We can see from this article that tons of these criminal websites get hacked, and then people like Brian Krebs can investigate the leaked databases to see info about the criminals' accounts.
The gang themselves aren't doing the actual customer engagement (breaking in, phishing, etc.). The affiliates are. The affiliates are the ones themselves potentially exposing their IP address. REvil just provides the tools, training, and guidance.
The ringleaders also risk their IP when they access any website, such as some crime forum to sell their malware. Crime forums regularly get hacked, and sometimes the databases have last logged in IP in them.
Also, I'm not sure about crime forums, but other forums sometimes allow image embedding, either by a profile picture hotlink, or bbcode, or html, which can get the IP of everyone who views the page.
Also, just by sending someone a link you can get that person's IP. Maybe DNS prefetching can get some info about the person even if the person doesn't click the link.
Also whatever hosting provider they use to distribute the malware to the affiliates could end up leaking their IP.
IIRC REvil does not sell the malware to criminals, they give the malware to criminals but hold some control over the decryption keys needed for the ransom to ensure that they get a share of it.
I.e. it's truly an affiliate / revenue sharing system, not a sale of tools.
Russian hacking gangs are putting Silicon Valley entrepreneurs to shame. They've made every element of ransomware something that can be specialized in and outsourced. Initial access? Ransomware? C2 infrastructure? Negotiation? Customer service? It can all be outsourced to a Russian company that specializes in its niche.
Everyone is scrambling to build a cyber army. Looks like Putin is letting the invisible hand build it for him.
"Silicon valley entrepreneurs" are doing business in a war zone.
The general security situation is fraught because multiple nation states are at least sheltering and sometimes sponsoring attackers who damage the economy of the opponent.
Despite what narcissistic Zero-to-Oners would tell you, their startups aren't important in the grand scheme of things. Nation states are hacking intelligence agencies, governments, established IT vendors (not startups), power grids, and hospitals in that rough order. Ransomware gangs are hacking companies that have real money right now, not lottery tickets pre-IPO. These companies can afford good cybersecurity but don't want to spend more money than the damages they would incur from a successful attack.
> Ransomware gangs are hacking companies that have real money right now, not lottery tickets pre-IPO
Funded startups have a lot of money. Milking money out of startups is a highly profitable market segment. Why would ransom gangs not want to get in on that? They don’t tend to ask for the ransom to be paid in ISOs…
Most startups don't have a ton of data you can encrypt and chokehold them with. If hospitals don't have their medical records then people die. If your startup has to reimage all its laptops and redeploy its application code from github then it's a lost weekend.
> These companies can afford good cybersecurity but don't want to spend more money than the damages they would incur from a successful attack.
A bit off your "real" point: No company should ever spend more mitigating a risk than the potential cost they could incur from the risk. That is just good business, but the reality is that companies generally won't spend more on cybersecurity than their peers (either as a percentage of revenue or percentage of IT spend). Whether that is the proper balance for a risk/spend calculation is the real topic.
The problem is that we can't accurately calculate the probability of a cyber event and the cost impact of that event. So the company is stuck waiting for an attack on themselves or one of their cohorts so they can adjust.
It’s genuinely interesting how poorly companies perform when you gauge their ability to cost out a successful attack. Pre-attack, many seem to make an economic decision not to mitigate it. Post attack, the fifth CISO in four years gets fired, the CEO vows to do better and the cycle repeats all over…
>No company should ever spend more mitigating a risk than the potential cost they could incur from the risk.
I've heard hospital administrators make this argument after I've warned them about their security infrastructure being vulnerable to ransomware. I'm not convinced.
>No company should ever spend more mitigating a risk than the potential cost they could incur from the risk.
Basically you summed up the opening scene from Fight Club. The human life costs H millions, so until it is going to kill N such that N * H >= cost of the fix ...
Mostly true, although the ceiling at which you become interesting is dropping for multiple reasons.
Given the time cost of retrofitting effective security, waiting until you become a worthwhile target doesn't work. But hiring secops and spending time on security engineering instead of your product is also deadly to startups. It is another knife-edge for startups to walk.
Except normal entrepreneurs can sleep easy at night and not worry about going to jail for life. Or at least right now, political situations can change and even conducting legal business can be dicey.
RICO is quite dicey--the main charges in these indictments are 18 USC §1030 charges, which do not qualify as predicate acts for RICO charges. But the 18 USC §1956 charge (i.e., money laundering) does qualify, although the fact that there's only one count in these indictments means it's going to be harder to describe the necessary pattern for RICO. If it does, then I believe the other elements of 18 USC §1962(c) could be straightforwardly shown. (In particular, the defendant and the enterprise are clearly different).
But IANAL, and the details here can be incredibly convoluted, so make of that what you will.