The affiliates in charge of launching the attacks receive 70% to 80% of the profits. The malware developers set the ransom amount and collect it.

A spokesperson for the REvil ransomware gang (also known as Sodinokibi) reports that the group has made profits in the order of USD 100 million so far this year.

On the technology blog Russian OSINT, one of REvil’s operators, identified in hacker forums as “UNKN” and “Unknown,” provided details on his business model.

According to the spokesperson, the developers of the ransomware typically receive between 20% and 30% of the profits made from the victims' payments to recover their data. They distribute the rest of the money among the affiliates, who are in charge of launching the attacks, stealing data, and detonating the malware on corporate networks.

UNKN says that the affiliates do most of the work, thus receiving a large percentage of the profits. However, the developers set the ransom amount, conduct the negotiations, and collect the money that they divide with the affiliates.

Most ransomware gangs use the scheme of work REvil describes, known as "ransomware as a service" (RaaS). "Distributors do most of the work, and the ransomware is just a tool, so it is a fair division," said the REvil representative.

In 2020, REvil has claimed to have launched attacks on several companies. The list of victims includes foreign exchange company Travelex, software provider SeaChange International, real estate investment firm CyrusOne, IT firm Artech Information Systems, New York Airport, Albany International Airport, and car manufacturer GEDIA Automotive Group.

Data Leakage and New Tactics to Force Victims to Pay

The REvil spokesperson does not indicate which or how many of the attacked companies have paid for the recovery of their data. However, he notes that one in three victims is willing to pay to avoid data leakage, referring to the new strategy that the hackers have been implementing since the end of 2019.

What is new about these ransomware attacks is that the hackers publish confidential information on dark web (darknet) sites when they do not receive any money for the recovery of the data. The aim is to force the hacked companies to pay.

In a report, the firm Coveware estimates that the average payment for ransomware attacks during the first two quarters of 2020 almost reached USD 300,000. That figure far exceeds the USD 100,000 charged in 2019. The study ranks REvil, Maze, and Phobos among the top hackers of this year.

The data leakage method appears to be profitable as it plays on companies’ fear of regulatory penalties, damage to reputation, and legal action for the disclosure of third-party information. Data leakage can also affect corporate stock prices through the loss of intellectual property.

UNKN considers that REvil now makes more money from not publishing stolen data than from selling the decryption of hijacked systems. He adds that they also plan to implement distributed denial-of-service (DDoS) attacks to force victims to (re)start their computer systems or negotiate a payment.

The gang recently deposited USD 1 million worth of Bitcoin on a Russian forum to attract new partners for the distribution of malware. Despite their wealth, REvil operators cannot leave the borders of the countries of the former Soviet Union. They are the target of investigations by law enforcement agencies worldwide.

By Alexander Salazar
