Who Makes Money from Ransomware?

September 30, 2021

Ransomware is the cyberattack that’s most likely to make the news because it packs dramatic and devastating consequences. Suffering a cyberattack like ransomware is also enough to inflict a fatal wound on the majority of companies – 60% of companies that are struck in a cyberattack go out of business within 6 months. Protecting businesses from ransomware is vital to keeping the doors open. A ransomware incident can devastate a company’s budget, but it’s a cash cow for bad actors. Every ransomware attack requires many players to get the job done and they’re all there for the same reason: money. Whether or not a business pays the ransom after falling victim to a ransomware attack, the cybercrime economy on the dark web is strengthened.  

In our new eBook, Cracking the RANSOMWARE Code, we explore the evolution of today’s ransomware threats and what’s next, as well as who makes money from ransomware. DOWNLOAD IT NOW FOR FREE! >>


How do Ransomware Operations Function? 


When a company pays a ransom, that money travels far and wide across the dark web. Ransoms don’t just go to one person or organization – even an ancillary participant in a ransomware attack will profit. The ransomware industry is its own ecosystem and a major contributor to the dark web economy. It’s also part of the cybercrime-as-a-service sector. That’s a major reason why cybercriminals of every stripe are quick to jump into a ransomware operation. Those criminals have a high chance of walking away with substantial cash, and everyone gets paid. 

The big, powerful ransomware gangs rarely run campaigns themselves. Instead, they operate cybercrime-as-a-service platforms that cybercriminals can use to conduct operations, attract talent, network with freelancers and receive payments. The boss gang makes their money from their cut of the profits when a successful ransomware attack occurs under their auspices. Those attacks are conducted by allied independent contractors known as affiliates. The affiliates are the ones doing the day-to-day work of mounting a successful ransomware attack.  

The affiliate is responsible for running everything about a ransomware attack against their chosen target from planning to execution to payment. The affiliate may be a smaller gang or just a group of freelancers getting together for one job. It is common for affiliates to hire specialists and freelancers for operations, like expert spear phishing creators or skilled hackers. Sometimes, the boss gang supplies the malware, or the affiliate may prefer to use their own. However an affiliate gets the job done, if their attack is successful, they’re obligated to send a cut up the chain to the boss – the gang that runs the platform – generally 10 – 20% of the take, as well as pay any subcontractors that they’ve hired. The rest of the money is theirs to enjoy. 


See how to avoid cybercriminal sharks in Phishing 101. DOWNLOAD IT>>


Now Hiring: A Ransomware Organization 


Everyone’s looking for great help because the right employees are a key component of making a business successful – even cybercrime gangs. After two well-known Russian forums banned ransomware operators, two large ransomware gangs, identified as Himalaya and LockBit, started using their own sites to promote their encryption tools and recruit new affiliates. LockBit had just released a new version of its signature ransomware, and it tried to leverage improved software performance as a way to attract talent. Himalaya just went straight for the wallet, touting the generous payments they offer for associates on their site, just like any other company that is looking for help. 

But not every gang is hiring folks off the street. Several of the biggest ransomware operators don’t recruit publicly at all. Instead, you’ve got to know somebody in the organization to get a foot in the door, just like a traditional crime operation. You’re not going to see hiring posts from an organization like REvil. Experts note that the REvil gang prefers to operate discreetly and rely on its network of affiliates and connections for fresh blood when needed. Some other cybercrime players also prefer to stay quiet and work in the shadows and groups that also carry out operations like business email compromise as part of their ransomware operation especially want to remain invisible. In the wake of the international hunt for the hackers involved in the DarkSide attack on Colonial Pipeline, many gangs, hackers and data brokers went even further underground. Nation-state groups are never hiring either, instead relying on a trusted network of allied threat actors to do their work.  


Still relying on an old-fashioned SEG? See why Graphus is better! SEE THE COMPARISON>>


Money Flows Around the Dark Web 


Demand for all kinds of skilled cybercrime work is high – experts estimate that 90% of posts on popular dark web forums are from buyers looking to contract someone for hacking services. An estimated 69% of those dark web forum hiring posts were looking for cybercriminals to do some website hacking, while another 21% were looking for bad actors who could obtain specifically targeted user or client databases.  Not all “hackers” are actually hackers. Some have specialized expertise in highly specialized areas like social engineering or spear phishing operationsPutative cybercriminals can also profit from selling their own tech. A little over 2% of the forum posts measured by the researchers were made by cybercriminal developers who were selling the tools of the trade like password crackers, payment skimmers, malware, ransomware and other hacking programs. Hackers also use those forums as a way to meet people interested in planning or participating in cyberattacks — about 1% of the surveyed dark web forum posts were made by hackers seeking hackers for a team-up.    

Cybercrime organizations are willing to pay top dollar for access too. Popular dark web forums are the cybercriminal’s version of LinkedIn. Roughly 40% of listings that researchers viewed in a 2020 study were created by players in the Ransomware-as-a-Service (RaaS) space. Gangs offered up to $100 000 for initial access services with most actors setting their top price at a little more than half of that, $56,250. In other ads posted to a popular forum, threat actors were looking for targets specifically in the USA, Canada, Australia, and Great Britain with revenue of $100 million or more. For this access, they were willing to pay $3,000 to $100,000 – and that’s enough to tempt employees, especially in difficult economic circumstances.   


Be ready for trouble with the 5 Steps to Ransomware Readiness infographic GET IT>>


Inside the Colonial Pipeline Ransomware Attack 


Most ransomware attacks are complex, shadowy operations, and the exact details rarely come to light. But the Colonial Pipeline ransomware incident has been widely investigated, researched and reported on, giving everyone a rare inside look at exactly how a ransomware attack that damages infrastructure goes down. This incident has drawn ransomware even further into the spotlight as well as spurring action by governments around the world including the US government to protect infrastructure from ransomware and punish cybercriminals. The US government recently opened a Ransomware One-Stop to help US businesses fight back against the problem. 

The DarkSide ransomware gang gained renown for conducting a successful attack against Colonial Pipeline, scoring a payday that has been estimated at a little over $4 million. But that operation wasn’t run by the developers and operators of DarkSide directly. Instead, the Colonial Pipeline hack was carried out by an affiliate of the larger operation using DarkSide’s proprietary malware. That affiliate hired its own subcontractors through dark web forums and gathered resources from dark web data markets and dumps to do the deed. 

Then the satellite gang sprang their trap, snagging Colonial Pipeline in a devastating attack that shut down the largest fuel pipeline in the US. The point of entry for the gang was a single compromised employee password that gave them the keys to the kingdom, likely obtained through spear phishing. The DarkSide affiliate was then able to easily slip slipped inside Colonial Pipeline’s admittedly lax security and deliver their poisonous cargo: DarkSide’s proprietary ransomware, to encrypt Colonial Pipeline’s systems and data. After that came the easy part – the affiliate set a timer for the malware to deploy, made their ransom demand and sat back to wait for their money.  

A little more than one week after the initial intrusion, the ransomware infection began, kicking off the endgame of the affiliate’s operation.  An employee starting their day’s work in the Colonial Pipeline central control room saw a ransom note demanding cryptocurrency pop up on their computer and called in their supervisor. Then the race began for Colonial Pipeline as they tried to outpace the infection to preserve their systems and data. After shutting down the pipeline to try to mitigate the damage and prevent the hackers from further penetration, Colonial had no choice but to bring in experts to help – the situation was far beyond their ability to handle it in-house.  

The attackers locked Colonial Pipeline down to devastating effect. They also stole nearly 100 gigabytes of data. Ultimately, the DarkSide affiliate’s attack was a smashing success. Colonial Pipeline paid the attackers a $4.4 million ransom in short order. According to researchers at FireEye, DarkSide affiliates are required to pay the boss group up to 25% of ransom payments under $500,000, and 10% of any successful ransom collections over $5 million. 

Ransomware is very profitable, especially the double encryption strain that DarkSide preferred. Before the gang went dark after the Colonial Pipeline incident, DarkSide had received $90 million in bitcoin ransom payments over the course of its short lifetime according to blockchain analysts at Elliptic. They further estimated that the average ransomware payment in a DarkSide operation was about $1.9 million. Of the total haul that DarkSide operations pulled in, those experts estimate that $15.5 million went to DarkSide’s developer while $74.7 million went to its affiliates. 


What’s next in phishing? Find out in the 2021 State of Email Security Report! GET IT NOW>>


Stop Ransomware by Stopping Phishing 


One of the best ways to protect a company from ransomware is to protect it from phishing. An estimated 94% of ransomware arrives at businesses via email. These messages often use sophisticated social engineering techniques to entice employees to download an attachment, visit a malicious website or give up their credentials to cybercriminals. Stopping ransomware starts with stopping phishing messages from reaching employee inboxes. 

Your business needs powerful, automated email security that can provide you with advanced protection against malicious messages that contain threats like ransomware without a high price tag. Graphus answers that call.  

  • Sophisticated smail security automation puts 3 layers of protection between your business and phishing messages 
  • Automated email solutions like Graphus catch 40% more malicious messages than conventional solutions or a SEG 
  • Smart AI never needs threat reports, instead using over 50 points of comparison to sniff out targeted spear phishing, ransomware, zero-day attacks and other complex threats. 

Don’t wait until you’re paying the bills for a ransomware attack to improve your email security – 60% of companies that are hit by a cyberattack go out of business. Stop phishing immediately with Graphus – the most simple, automated and affordable phishing defense available today. Contact one of our solutions specialists today and put protection that never takes a day off to work for your business. 


Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus