Whitepaper How Cybercriminals Monetize Ransomware Attacks
HOW CYBERCRIMINALS
MONETIZE RANSOMWARE
ATTACKS
CrowdStrike White Paper 2
Over the past several years, cybercrime has evolved from “spray and pray” attacks to a
sophisticated criminal ecosystem where adversaries work together to maximize success and
profitability. At the core of the ecosystem is the use of highly effective monetization techniques
— such as demanding ransoms and extorting or auctioning data — that enable adversaries to
maximize the payoff from their illicit activity.
The first two white papers in CrowdStrike’s Tales from the Dark Web series examine two key
components of the criminal underground: access brokers and ransomware distribution.
Monetization is the step attackers take to receive a payout when an operation is complete.
This white paper examines trends in eCrime monetization and how an investment in cyber threat
intelligence can assist defenders in the battle against cybercriminals.
Figure 1 is an example of a ransom note demanding that $10,000 USD be sent to a specified
Bitcoin wallet.
Bitcoin by design is highly transparent. The monetary value of each transaction and the Bitcoin
wallet is publicly viewable. This transparency enables threat actors — as well as investigating
organizations such as law enforcement — to follow each transaction, including the final
destination of funds once the victim has paid the ransom.
While the wallet holder’s identity is hidden, at some point Bitcoin can be exchanged for fiat
currency at any number of cryptocurrency exchanges. When this happens, the identity of
the adversary is at risk of exposure, representing an opportunity for investigators to leverage
important transaction details.
To gain even more anonymity, threat actors often use “mixing services.” Bitcoin mixing, or
“tumbling,” is the process by which Bitcoin from various sources is redistributed across
different addresses to obfuscate the true source of the funds and hinder analysis of the
transaction. While not inherently malicious, mixing is commonly used by cybercriminals and
other illicit actors seeking to launder cryptocurrency.
Another method used to ensure anonymity and prevent tracing of funds is to "jump chains," in
which cybercriminals convert currency to another format such as Monero (XMR) — a form of
cryptocurrency many attackers prefer for its anonymity.
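As an added illustration, not from the white paper, the following Python models the two points above: a public transaction ledger lets an investigator follow funds forward from a ransom address to any labelled endpoint (such as a known exchange deposit address), while a mixing-style transaction that pools the traced funds with unrelated inputs is where that link weakens. The ledger, addresses, amounts and labels are all constructed.

```python
from collections import deque

# Constructed sample ledger, not real on-chain data. Each transaction lists
# the addresses it spends from and the addresses it pays to (amounts in BTC).
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_wallet"], "outputs": {"ransom_addr": 0.25}},
    {"txid": "tx2", "inputs": ["ransom_addr"], "outputs": {"hop_a": 0.249}},
    # Mixing-style transaction: the actor's hop_a is pooled with unrelated
    # inputs and paid out as equal-sized outputs, blurring which one is theirs.
    {"txid": "tx3", "inputs": ["hop_a", "other_1", "other_2"],
     "outputs": {"mix_1": 0.1, "mix_2": 0.1, "mix_3": 0.1}},
    {"txid": "tx4", "inputs": ["mix_2"], "outputs": {"exch_deposit": 0.0995}},
    {"txid": "tx5", "inputs": ["other_9"], "outputs": {"noise": 1.0}},  # unrelated
]
# Attribution an investigator might hold (constructed): a known exchange
# deposit address.
LABELS = {"exch_deposit": "exchange"}

def spends_of(ledger):
    """Index transactions by the input address they spend from."""
    idx = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            idx.setdefault(addr, []).append(tx)
    return idx

def trace(start, ledger, labels):
    """Follow funds forward from `start`.

    Returns (endpoints, mixing): labelled addresses reached, each with the
    address path taken, and the txids where traced funds were co-mingled with
    inputs not on the traced path, i.e. where a mixer breaks the clean link."""
    idx = spends_of(ledger)
    seen, endpoints, mixing = {start}, {}, set()
    queue = deque([(start, [start])])
    while queue:
        addr, path = queue.popleft()
        for tx in idx.get(addr, []):
            if any(i not in seen for i in tx["inputs"]):
                mixing.add(tx["txid"])
            for out in tx["outputs"]:
                if out in seen:
                    continue
                seen.add(out)
                if out in labels:
                    endpoints[out] = (labels[out], path + [out])
                else:
                    queue.append((out, path + [out]))
    return endpoints, mixing
```

After tx3 every equal-sized output is a candidate for the actor's funds, so in practice the exchange endpoint is reached only as "possibly linked" rather than as a certain attribution.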
In 2021, CrowdStrike Intelligence identified a REvil affiliate actor sending 21.21 Bitcoin through the
mixing service Wasabi Wallet.
Later that year, the REvil affiliate combined funds sent from KuCoin.com and the darknet Hydra
Marketplace with their mixed funds.
Finally, in June 2021, a total of 18.41 Bitcoin ($660,000 USD) was sent to the Russian exchange
Garantex.
Insights like these reveal important information not only for law enforcement but also for threat
intelligence analysts, as the information helps to create a reliable end-to-end view on actor tactics,
common monetization exchanges and adversarial progress on malicious activities.
The CrowdStrike Intelligence team continuously tracks the amounts of ransomware demands. In
2021, CrowdStrike experts calculated an average demand of $6.1 million USD, an increase of 36%
over 2020. Ransomware demands form one of the indicators in the CrowdStrike eCrime Index —
a computed value to assess the state of eCrime — and are susceptible to fluctuations as a result of
law enforcement or media attention putting some criminal activities on hold.
Asking prices vary for access; the CrowdStrike Intelligence team has observed prices ranging
from $100 to $64,000 USD, the highest price for access credentials the team has identified to
date. In addition, external events — such as targeting the academic sector to coincide with the
start of a new school term or targeting healthcare organizations during the COVID-19 pandemic
— influence access broker price and activity levels.
TARGET SECTOR               LOWEST OBSERVED ASKING PRICE   HIGHEST OBSERVED ASKING PRICE
ACADEMIC                    $350                           $25,000
ENERGY                      $150                           $10,000
FINANCIAL SERVICES          $100                           $20,000
GOVERNMENT                  $300                           $26,000
HEALTHCARE                  $100                           $15,000
INDUSTRIALS & ENGINEERING   $200                           $64,000
INSURANCE                   $400                           $3,000
LEGAL                       $1,000                         $15,000
MANUFACTURING               $350                           $10,000
TECHNOLOGY                  $500                           $9,000
Table 1. Lowest and highest asking price advertised for access in top 10 targeted sectors
Figure 3. Average asking price for top 10 targeted sectors
Figure 4. Average asking price for top 10 targeted countries
The estimated annual revenue of the company — companies with higher annual revenues are more likely to attract a larger ransom demand
The number of endpoints at the targeted company — this can determine how many devices can be encrypted in a ransomware operation
The reputation of the broker among other eCrime actors — brokers with a reliable and positive reputation are more likely to get a higher asking price
CrowdStrike Intelligence has observed one access broker advertise a charge of 0.01% of the
victim’s estimated annual revenue. This, on one occasion, led to the broker setting an asking
price of $64,000 USD for access to an industrial and engineering sector company due to the
company’s estimated annual revenue of $683 million USD. (The asking price was later reduced to
$35,000 USD; whether the access was successfully sold is unknown.)
LOCKDATA AUCTION
One example is EcoPanel, a highly popular and customizable web panel developed and sold by
a Russian eCrime actor. EcoPanel allows users to manage and track various stages and aspects
of reshipping fraud as a means to monetize eCrime. In its simplest form, reshipping fraud involves
threat actors monetizing their efforts (typically compromised accounts or stolen payment card
data) by purchasing goods (such as high-value computers or cameras) and shipping them to
intermediaries known as “drops” or “mules.”
These “drops” — typically located in the U.S. or Europe, as direct shipments to Eastern Europe and
Russia are more easily flagged as suspicious by eCommerce platforms and therefore often not
permitted — reship the items to the eCrime actors, where they can sell the goods in local markets.
Drops are often recruited via legitimate job boards and misled to believe they are applying for
legitimate positions such as “reshippers” or “packaging specialists.” With some exceptions, drops
are promised a monthly salary but never paid, and eCrime actors typically cease contact with
them after one month and move on to newer recruits.
Therefore, you must take a holistic approach to monitoring and securing your data as your most
valuable asset — and protection must be multi-layered. You must determine the value of your data
and where it resides to build a multi-layered security strategy that prioritizes data as your most
valuable asset and protects it using proper identity management and principles of Zero Trust.
One way to think of it is all corporate data exists and transits between:
People
Then, monitor the identities, network infrastructure, endpoints and cloud workloads accessing
your data, and make sure your data is protected in multiple ways.
For example, to protect physical treasure, you may lock it in a chest, which may be locked in a
vault. This vault may be guarded 24/7 and may be within a fortress, which is surrounded by a
moat. Archers on the walls of the fortress may be defending the moat.
Your ability to imagine your own layered defense and ability to plan contingencies around the
potential failure of the components of that layered defense are critical. This requires a strategy
where security modules integrate and share security monitoring information about who, when
and where sensitive enterprise data is accessed.
Figure: layered data protection model. Data sits at the center, accessed by people, workloads & servers, network & devices, extended endpoint, and applications; the surrounding controls are secure authentication, authorization, data loss prevention, continuous monitoring and audit.
While the CrowdStrike ECX models a wide range of data within the eCrime ecosystem, one example, big
game hunting data leakage, is an important factor when evaluating current cyber threats. Another
significant data point is ransomware demands. For example, CARBON SPIDER’s BlackMatter affiliates
have been observed demanding as much as $60 million USD, and PINCHY SPIDER REvil affiliates
have been observed issuing a ransom demand of $80 million USD. Cybersecurity teams and decision
makers can use the ECX to assess the current state of the cyber threat risks.
Figure: CrowdStrike eCrime Index (ECX), scale 0 to 100, 10/19/20 to 12/31/21. Annotated events: MUMMY SPIDER returns to operations; Black Friday; Microsoft addresses 56 vulnerabilities, 11 critical; Christmas; mass exploitation of Microsoft Exchange vulnerabilities; Colonial; spike in observed ransomware demands and price of corp access; JBS; Kaseya; REvil operations resume; WIZARD SPIDER’s Conti targets hypervisors; adversaries exploit Log4j.
SUMMARY
Cryptocurrencies have taken their place in the modern economy and in cybercrime monetization. While the amounts
and volumes of transactions between criminal crypto wallets fluctuate widely, they can reveal important eCrime activity
trends.
An organization's sensitive, exfiltrated data is the pivot point for criminals to get their payment from selling, extorting
or auctioning the data on criminal forums. Defenders must think about the value of their data, where it exists within the
organization and how it's protected, and then determine the proper mechanisms for monitoring it.
CrowdStrike provides cloud-delivered protection across endpoints, cloud workloads, identity and data. Powered by
the CrowdStrike Security Cloud and world-class artificial intelligence (AI), the CrowdStrike Falcon® platform leverages
real-time indicators of attack (IOAs), threat intelligence, evolving adversary tradecraft and enriched telemetry from
across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting
and prioritized observability of vulnerabilities.
The CrowdStrike Security Cloud provides the data behind the CrowdStrike ECX. By understanding key metrics
that include multiple monetization observables, defenders get a high-level view of what is happening in the criminal
ecosystem and gain early warning when criminal activities enter new activity levels.
CrowdStrike’s eCrime monetization research provides detailed insights via CrowdStrike Falcon Intelligence reports
and indicator feeds. Understanding how the actor monetizes your data provides threat researchers an end-to-end
view of the actor so security teams can take the appropriate steps to improve their defenses and better protect their
organization.
ABOUT CROWDSTRIKE
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s
most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads,
identity and data.
Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-
time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the
enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and
prioritized observability of vulnerabilities.
Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable
deployment, superior protection and performance, reduced complexity and immediate time-to-value.