HOW ARE THESE CRIMINALS ORGANIZED?
Some top ransomware criminals fancy themselves software service professionals. They take pride in their “customer service,” providing “help desks” that assist paying victims in file decryption. And they tend to keep their word. They have brands to protect, after all.
“If they stick to their promises, future victims will be encouraged to pay up,” Maurits Lucas, director of intelligence solutions at the cybersecurity firm Intel471, told a webinar earlier this year. “As a victim you actually know their reputation.”
The business tends to be compartmentalized. An affiliate will identify, map out and infect targets, choose victims and deploy ransomware that is typically “rented” from a ransomware-as-a-service provider. The provider gets a cut of the payout, the affiliate normally taking more than three-quarters. Other subcontractors may also get a slice. That can include the authors of the malware used to break into victim networks and the people running the so-called “bulletproof domains” behind which the ransomware gangs hide their “command-and-control” servers. Those servers manage the remote sowing of malware and data extraction ahead of activation, a stealthy process that can take weeks.
WHY DO RANSOMS KEEP CLIMBING? HOW CAN THEY BE STOPPED?
In Thursday’s report, the task force says it would be wrong to try to ban ransom payments, largely because “ransomware attackers continue to find sectors and elements of society that are woefully underprepared for this style of attack.”