As the world differentiates the second Anti-Ransomware Day, there’s no way to deny it: ransomware became very the buzzword in the security community. And not without good reason. The threat may have been around a long time, but it’s changed. Time after year, the attackers have grown bolder, methodologies have been refined and, of course, systems have been breached. Yet, much of the media attention ransomware gets is focused on chronicling which companies fall prey to it. In their respective reports, we take a step back from the day-to-day ransomware news cycle and follow the ripples back into the heart of the ecosystem to understand how it is organized.

First, we will debunk three preconceived ideas that stymie proper guessing on the ransomware menace. Next, we dive deep into the darknet to demonstrate how cybercriminals interact with each other and the types of services they provide. And ultimately, we conclude with a look at two high-profile ransomware brands: REvil and Babuk.

No matter how much work we put into writing this report, before you start reading, make sure your data is backed up safely!

Part I: Three preconceived ideas about ransomware Suggestion# 1: Ransomware gangs are gangs

Along with the rise of big-game hunting in 2020, we considered the emergence of a number of high-profile groups in the ransomware world. Offenders detected victims would be more likely to pay ransoms if they could establish some shape of reputability beforehand. To ensure that their ability to restore encrypted files would never put questions, they cultivated an online existence, wrote press releases and generally made sure their epithet would be known to all potential victims.

But by put themselves under the spotlight, such groups hide the actual complexity of the ransomware ecosystem. From the outside, they may appear to be single entities; but they are in fact only the tip-off of the spear. In most assaults there are a significant number of performers involved, and a key takeaway is that they furnish services to each other through dark web marketplaces.

Botmasters and account resellers are tasked with initial access inside the victim’s network. Other members of this ecosystem, which we’ll name the red team for the purpose of this discussion, use this initial access to obtain full control over the target network. During this process, they will gather information about the victim and steal internal documents.

These documents may be forwarded to an outsourced squad of analysts who will try to figure out the actual fiscal health of the specific objectives, in order to set the highest ransom price that they are likely to pay. Analysts will likewise retain a picket for any sensitive or incriminating knowledge which may be used to support their blackmail tactics- the goal being to put maximum pressure on decision-makers.

When the ruby-red squad is ready to launch the attack, it will buy a ransomware product from darknes web developers, usually in exchange for a cut of the ransom. An optional role here is the packer developer, who are able to add protection layers to the ransomware program and make it harder for security products to detect for the few hours it needs to encrypt the whole network.

Finally, negotiations with the victims may be handled by yet another team and when the ransom is paid out, a whole new set of skills is needed to launder the cryptocurrency obtained.

An interesting aspect of all this is that the various actors in the” ransomware value chain” do not need to personally know one another, and in fact they don’t. They interact with each other through internet handles, paying for services with cryptocurrency. It follows that arresting any of these entities( while useful for deterrence intents) does little to slow down the ecosystem, as the identity of co-perpetrators cannot obtain access, and other suppliers will immediately fill the void that was created.

The ransomware world must be understood as an ecosystem, and treated as such: it is a problem that can only be addressed systematically, for instance by preventing the money from circulating inside of it- which involves not paying ransoms in the first place.

Idea# 2: Targeted ransomware is targeted

The previous described in the ransomware ecosystem has noteworthy implications when it comes to the way victims are selected. Yes, criminal groups are getting bolder and ask for ever-increasing ransoms. But ransomware attacks have an opportunistic facet to them. As far as we are familiar, these groups do not peruse the Financial Times to decide who they are going after next.

Counter-intuitively, the people who obtain the initial access to the victim’s network are not the ones who deploy the ransomware later on; and it is helpful to think of access collection as an altogether separate business. For it is practicable, vendors need a steady creek of “product”. It might not make fiscal sense to invest weeks trying to breach a predetermined hard target like a Fortune 500 corporation because there’s no guarantee of success. Instead, access marketers go after the low-hanging fruit. There are two main sources for such access 😛 TAGEND

Botnet proprietors. Well-known malware families are involved in the biggest and most wide-reaching campaigns. Their main objective is to create networks of infected computers, though the infection is only dormant at this degree. Botnet proprietors( botmasters) sell access to the victim machines in bulk as a resource that can be monetized in many ways, such as organizing DDoS assaults, distributing spam or, in the case of ransomware, by piggybacking on this initial infection to get a foothold in a potential target. Access vendors. Hackers who are on the lookout for publicly disclosed vulnerabilities( 1-days) in internet facing software, such as VPN appliances or email gateways. As soon as such a vulnerability is disclosed, they compromise as many affected servers as possible before the defenders have applied the corresponding updates.

An example of an offer to sell access to an organization’s RDP

In both cases, it is only after the facts of the case that the attackers take a step back and figure out who they have breached, and if this infection is likely to lead to the payment of a ransom. Performers in the ransomware ecosystem don’t do targeting in that they almost never choose to go after specific entities. Understanding this fact accentuates the importance for companies to update internet-facing services in a timely fashion, and to have the ability to detect dormant infections only if it is leveraged for wrongdoing.

Idea# 3: Cybercriminals are offenders

Alright, technically, then there. But this is also an area where there is more than fulfills the eye, because of the diversity of the ransomware ecosystem. Here i am, of course, a documented porosity between the ransomware ecosystem and other cybercrime domains such as carding or point-of-sale( PoS) hacking. But it is worth pointing out that not all members of this ecosystem were derived from the cybercrime underworld. In the past, high-profile ransomware attacks have been used as a destructive means. It is not unreasonable to think that some APT performers are still resorting to similar tactics to destabilize rival economies while maintaining strong plausible deniability.

On the same note, we released a report last year about Lazarus group trying its hand at big-game hunting. ClearSky recognized similar activity that they attributed to the Fox Kitten APT. Observers have noted that the obvious profitability of ransomware attacks has attracted a few state-sponsored threat performers to this ecosystem as a lane of circumventing international sanctions.

Our data indicates that such ransomware attacks represent simply a tiny fraction of the full amounts of the. While they do not represent a rift in what corporations need to be able to defend against, their very existence creates an additional risk for victims. On October 1, 2020, the US Department of the Treasury’s OFAC liberated a memo clarifying that companies wiring fund to attackers need to ensure that the recipients are not subject to international sanctions. This announcement appeared to be effective as it already impacted the ransomware market. It goes without saying that performing due diligence on ransomware operators is a challenge on its own.

Part II: The darknet shenanigans Through the market paths

When it comes to the sale of digital goods or services related to cybercrime on the darknet, most knowledge is aggregated on only a few large-scale platforms, though there are multiple smaller thematic ones focusing on a single topic or product. We analyzed three major meetings on which ransomware-related offers are aggregated. These meetings are the primary platforms where cybercriminals that work with ransomware actively communicate and trade. While the forums host hundreds of various advertisements and offerings, for analysis we selected merely a few dozen offers that had been verified by forum administrations and placed by groups with an established reputation. These ads included various categories of offers from the sale of source code to regularly updated recruitment ads, available in English and Russian.

Different types of offers

As we noted before, the ransomware ecosystem is a matter of players that take over different roles. Darknet meetings partly reflect this state of affairs, albeit the offers on these markets are aimed primarily at selling or recruiting. Simply as with any marketplace, when operators need something, they actively update their ad placements on forums and take them off as soon as that need is fulfilled. Ransomware developers and operators of affiliate ransomware programs( better known as Ransomware as a Service) offer the following 😛 TAGEND

Invitations to join partner networks, affiliate programs for ransomware operators Ads for ransomware source code or ransomware builders

The first type of involvement presumes a lengthy partnership between the ransomware group operator and the affiliate. Usually, the ransomware operator takes a profit share ranging from 20% to 40%, while the remaining part 60 -8 0% stays with the affiliate.

Examples of gives listing payment conditions in partner programs

While many ransomware operators look for spouses, some sell ransomware source code or do-it-yourself( DIY) ransomware packages. Such offers vary from US $300 to US $5000.

Sale of ransomware source code or the sale of leaked samples is the easiest way of making money off ransomware in terms of technological proficiency and effort expended by the seller. However, such offerings also build the least money, as source code and samples rapidly lose their value. There are two different types of offers- with and without support. If ransomware is purchased without support, once it is detected by cybersecurity answers, the buyer would need to figure out on their own how to repackage it, or find a service that does sample repackaging- something that it still easily detected by security solutions.

Offers with supporting( admittedly, more widespread in the financial malware market ), usually give regular updates and make decisions about malware updates.

In this regard, darknet meeting offers have not changed much compared to 2017.

Ransomware developers sometimes advertise builders and source code as a one-off purchase with no customer support

An offer of a subscription for ransomware and additional services looks very similar to any other ad for a legitimate product, with differing their advantages and price range

Some of the big musicians aren’t seen on the darknet

Even though the number and the range of gives available on the darknet certainly is not small-scale, the markets do not reflect the whole ransomware ecosystem. Some large-scale ransomware groups either work independently or find spouses immediately( for instance, as far as we know, Ryuk was able to access some of its victims’ systems after a Trickbot infection, which suggests a potential partnership between two groups ). Therefore, the forums generally host smaller players- either medium-sized RaaS operators, smaller actors that sell source code and newbies.

Ground rules for affiliates on the darknet

The ransomware market is a closed one, and the operators behind it are careful about who they choose to work with. This caution is reflected in the ads the operators place and criteria they enforce when selecting partners.

The first general rule is that of geographical restraints placed on the operators. When malware operators work with collaborators, they avoid use the malware in the jurisdiction where they are based. This rule is strictly adhered to and partners that don’t be complied with it quickly lose access to the programs they have been working with.

Additionally, operators screen potential collaborators to reduce the chances of hiring an undercover official, for instance, by checking their knowledge of the country they claim to be from, as illustrated in the example below. They may also impose restrictions on certain nationalities based on their political opinions. These are just some of the ways operators try to ensure their security.

In this example the gang recommends vetting new affiliates by asking obliterate questions about the history of former Soviet republics and express that typically only native Russian talkers could answer

Avaddon may consider English-speaking affiliates if they have an established reputation or can provide a deposit, according to this ad

The sellers

For a more detailed overview we chose two of the most noteworthy Big Game Hunting ransomware in 2021.

The first one is the REvil( aka Sodinokibi) gang. Since 2019, this ransomware has been advertised on underground forums and has a strong reputation as a RaaS operator. The gang’s name REvil often appears in news headlines in the infosecurity community. REvil operators have demanded the highest ransoms in 2021.

The other is the Babuk locker. Babuk is the first new RaaS threat discovered in 2021, demonstrating a high level of activity.


An example of an ad placed by the REvil affiliate program

REvil is one of the most prolific RaaS runnings. The group’s first activity was observed in April 2019 after the shutdown of GandCrab, another now-defunct ransomware gang.

To distribute ransomware, REvil cooperates with affiliates hired on cybercriminal forums. The ransom demand is based on the annual revenue of the victim, and distributors earn between 60% and 75% of the ransom. Monero( XMR) cryptocurrency is for pay. According to the interview with the REvil operator, the gang earned over $100 million from the continuing operation in 2020.

The developers regularly update the REvil ransomware to avoid detection and improve the reliability of ongoing strikes. The group announces all major updates and accessibility of new spouse program items in their various threads on cybercriminal meetings. On April 18, 2021, the developer announced that the* nix implementation of the ransomware was undergoing closed testing.

REvil informs about the internal testing of the* nix implementing the ransomware

Technical details

REvil uses the Salsa2 0 symmetric river algorithm for encrypting the content of files and the keys for it with an elliptic curve asymmetric algorithm. The malware sample has an encrypted configuration block with many realms, which let attackers to fine-tune the payload. The executable can terminate blacklisted process prior to encryption, exfiltrate basic host information, encrypt non-whitelisted files and folders on local storage device and network shares. A more detailed account of the technical capabilities of REvil is available in our private and public reports.

The ransomware is now distributed primarily through compromised RDP retrieves, phishing, and software vulnerabilities. The affiliates are responsible for gaining initial access to corporate networks and deploying the locker- a standard practice for the RaaS model. It should be noted that the gang has very strict recruitment rules for new affiliates: REvil recruits simply Russian-speaking highly skilled collaborators with experience in gaining access to networks.

Privilege elevation, reconnaissance and lateral movement follow a successful breach. The operators then evaluate, exfiltrate and encrypt sensitive files. The next stage is negotiations with the attacked company. If the victim decides not to pay their ransom, the REvil operators will start publishing the sensitive data of the attacked company on the. onion Happy Blog site. The tactic of publishing exfiltrated confidential data on leak sites has recently run mainstream among Big Game Hunting players.

An example of a post on REvil’s blog that includes data been stealing from the victim

It’s worth noting that ransomware operators have started applying voice calls to business partners and journalists, as well as DDoS attempts, to force their victims to pay a ransom. In March 2021, according to the operator, the gang launched a service at no extra cost for affiliates that contacts the victim’s partners and the media to exert maximum pressure, plus DDoS( L3, L7) as a paid service.

REvil announces a new feature to arrange calls to the media and the target’s partners to exert additional pressure when demanding a ransom

According to our research, this malware affected virtually 20 business sectors. The largest share of victims fell into the category Engineering& Manufacturing( 30% ), followed by Finance( 14% ), Professional& Consumer Services( 9 %), Legal( 7 %), and IT& Telecommunications( 7 %).

The victims of this campaign include companies such as Travelex, Brown-Forman Corp ., the pharmaceutical group Pierre Fabre, and the celebrity law firm Grubman Shire Meiselas& Sacks. In March 2021, the gang breached Acer and demanded the highest recorded ransom of $50 million.

On April 18, 2021, a member of the REvil group announced that the gang was on the cusp of saying its” most high-profile attack ever” in a post on forums where cybercriminals recruit new affiliates. On April 20, different groups published a number of alleged blueprints for Apple machines on the Happy Blog site. According to the attackers, the data was stolen from Quanta’s network. Quanta Computer is a Taiwan-based manufacturer and one of Apple’s partners. Quanta’s initial ransom demand was $50 million.

In the past few one-quarters there has been a sharp spike in REvil’s targeted activity

The REvil gang is a prime example of a Big Game Hunting player. In 2021, we are seeing a trend towards bigger ransoms for sensitive company data. The apply of new tactics to pressure the main victims, the active development of non-Windows versions and the regular recruitment of new affiliates all suggest that the number and scale of onslaughts will merely develop in 2021.


Another player in the Big Game Hunting scene in 2021 is the Babuk locker. At the opening up of 2021 we observed several incidents involving this ransomware.

At the end of April 2021, security threats actors behind Babuk announced the end of their activity, stating that they will make their source code publicly available in order to” do something like Open Source RaaS “. This means that we’ll probably visualize a new wave of ransomware activity as soon as various smaller menace actors adopt the leaked source code for the continuing operation. We’ve seen this sort of situation happen before with other RaaS and MaaS programmes- the Cerberus banking Trojan for Android is a good example from last year.

Babuk announcement about the end of operations

The group obviously customizes each sample for each victim because it includes a hardcoded epithet of “the organizations activities”, personal ransomware note and expansions of the encrypted files. Babuk’s operators also use the RaaS model. Prior to infection, affiliates or the operators compromise the target network, so they can identify how to deploy the ransomware effectively and evaluate the sensitive data in order to set the highest realistic ransom cost for the victim. The squad behind Babuk defines their group as CyberPunks that” haphazardly test corporate networks security ,” applying RDP as an infection vector. The gang offers 80% of the ransom to their affiliates.

An example of an ad placed by the Babuk affiliate program

Babuk publicizes on both Russian-speaking and English-speaking underground meetings. At the beginning of January 2021, an announcement appeared on one meeting about the new ransomware Babuk, with subsequent posts focusing on updates and affiliate recruitment.

Babuk’s announcement to the press explaining their strategy and victim selection

Babuk’s whitelist avoids any targeting in the following countries: China, Vietnam, Cyprus, Russia and other CIS countries. The operators also proscribe the compromise of hospitals , non-profit charities, and companies with an annual revenue of less than $30 million according to ZoomInfo. To join the affiliate program, a partner must pass an interview on Hyper-V and ESXi hypervisors.

Babuk made the headlines for being probably the first ransomware gang to publicly declare a negative stance towards the LGBT and Black Lives Matter( BLM) communities. It was due to this fact that the group excluded these communities from their whitelist. But in a post on the Babuk data leak site about the results of two months of study, the gang reported that they had added LGBT and BLM foundations and charity organizations to their whitelist.

Technical details

For encryption Babuk applies a symmetric algorithm combined with Elliptic curve Diffie-Hellman( ECDH ). After successful encryption, the malware drops a hardcoded ransom note as” How To Restore Your Files.txt” into each processed directory. In addition to the text, the ransom note contains a list of links to screenshots of some exfiltrated data. This proves that the malware sample is crafted after the victim’s data is exfiltrated. As mentioned above, each sample is customized for the specific target.

In the ransom note, the gang likewise suggests that the victim starts the negotiation process employing their personal chat portal. These steps aren’t exclusively tied to Babuk but are commonly present in Big Game Hunting campaigns. Remarkably, the process of drafting the ransom note also contains a private link to the referred post on the. onion data leak site, which is not accessible from the main page of the site. There are some screenshots, as well as a text description of the types of stolen files, and general menaces addressed to the victim. If the victim decides not to negotiate with cybercriminals, the link to this post will be made public.

The group behind the Babuk locker primarily targets large-scale industrial organizations in Europe, the US and Oceania. Targeted industries include, but is not restricted to, transportation services, the health sector, and various the providers of industrial equipment. In fact, recent occurrences show that Babuk operators are expanding their targets. On April 26, the D.C. Police Department confirmed that its network had been breached, with the Babuk operator claim responsibility and announcing the attack on their. onion leakage site.

Babuk’s announcement of a successful attack on the D.C. Police Department

According to the post on this website, the gang was able to exfiltrate more than 250 GB of data from Washington’s Metropolitan Police Department network. At the time of writing, the police department had three days to start the negotiation process with the attackers; otherwise, different groups would start leaking data to criminal gangs. Babuk likewise warned that it would continue to attack the US country sector.

Babuk operator’s screenshots of steal files from the D.C. Police Department’s network published on the darknet leakage site


On April 23, 2021, we released ransomware statistics that uncovered a significant decline in the number of users who had encountered this threat. These numbers shall not be required to be be misinterpreted: while it is true that random men are less likely to encounter ransomware than they used to, the health risks for corporations has never been higher.

Ever eager to maximize earnings, the ransomware ecosystem has evolved and can now be considered a systemic threat for corporations all around the world.

There was a time where SMBs could mainly dismiss the challenges posed by information security: they were small enough to stay under the radar of APT actors, but still big enough not to be affected by random and generic assaults. Those days are over, and all companies today are now in a position where they must be prepared to fend off criminal groups.

Thankfully, such attackers were typically go after the low-hanging fruit first, and setting up appropriate security practices will make a world of difference.

On May 12, which is Anti-Ransomware Day, Kaspersky fosters organizations to follow these best practices to help safeguard your organization against ransomware 😛 TAGEND

Ever maintain software up to date on all your devices to prevent attackers from infiltrating your network by exploiting vulnerabilities. Focus your defense strategy on find lateral movements and data exfiltration to the internet. Pay special attention to the outgoing traffic to detect cybercriminal linkages. Set up offline backups that interlopers cannot tamper with. Make sure you can quickly access them in an emergency. To protect the corporate environment, educate individual employees. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform. A free lesson on how to protect against ransomware attacks is available here. Carry out a cybersecurity examination of your networks and remediate any lacks discovered in the perimeter or inside the network. Enable ransomware protection for all endpoints. There is the free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with other installed security answers. Install anti-APT and EDR solutions, enabling abilities for advanced threat breakthrough and detecting, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. Ask for help from your MDR provider if you lack internal menace hunting experts. They will take responsibility for endlessly finding, detecting and in a response to menaces targeting your business. All of the above is available within the Kaspersky Expert Security framework. If you become a victim, never pay the ransom. It won’t guarantee you get your data back but will encourage criminals to continue their activities. Instead, report security incidents to your local law enforcement agency. Try to find a decryptor on the internet- quite a few are available at https :// en/ index.html

Read more: