
TALES FROM THE DARK WEB

HOW CYBERCRIMINALS MONETIZE RANSOMWARE ATTACKS

CrowdStrike White Paper

HOW CYBERCRIMINALS MONETIZE RANSOMWARE ATTACKS

Over the past several years, cybercrime has evolved from “spray and pray” attacks to a
sophisticated criminal ecosystem where adversaries work together to maximize success and
profitability. At the core of the ecosystem is the use of highly effective monetization techniques
— such as demanding ransoms and extorting or auctioning data — that enable adversaries to
maximize the payoff from their illicit activity.

The first two white papers in CrowdStrike’s Tales from the Dark Web series examine two key
components of the criminal underground: access brokers and ransomware distribution.
Monetization is the step attackers take to receive a payout when an operation is complete.
This white paper examines trends in eCrime monetization and how an investment in cyber threat
intelligence can assist defenders in the battle against cybercriminals.

FIVE OBSERVATIONS ABOUT HOW CYBERCRIMINALS MONETIZE RANSOMWARE ATTACKS

Threat actors are constantly evolving their methods through trial and error to avoid getting
caught. The following five observations from the CrowdStrike Intelligence team outline how
adversaries maximize their odds of getting organizations of all sizes to pay.

OBSERVATION 1: CRYPTOCURRENCIES ARE THE PREFERRED METHOD FOR RANSOMWARE PAYMENTS.

Threat actors generally prefer Bitcoin as their ransomware cryptocurrency. According to Marsh,
a leading insurance broker and risk advisor, approximately 98% of ransomware payments are
made via Bitcoin. Bitcoin is the cryptocurrency of choice in ransomware campaigns for a few
reasons: it is the easiest to obtain, it is broadly available, and Bitcoin wallets don’t require personally
identifiable information. Requesting a ransom in Bitcoin therefore makes it easy for victims to comply
with ransomware payment demands, while enabling the adversary to remain anonymous. Big Game
Hunting (BGH) actors like TWISTED SPIDER, the criminal group behind the development and
operation of Maze and Egregor ransomware, threatened to release victims' stolen data if
the ransom wasn’t paid. TWISTED SPIDER made this tactic their hallmark and created a dedicated
website to leak data if victims are unresponsive or refuse to pay ransoms.

Figure 1 is an example of a ransom note demanding that $10,000 USD be sent to a specified
Bitcoin wallet.

Monero is another well-known cryptocurrency sometimes used by threat actors because it
provides anonymity and is untraceable. However, Monero isn’t as widely available as Bitcoin,
and it isn't as easy for victims to purchase.

Figure 1. Example ransomware payment request

Bitcoin by design is highly transparent. The monetary value of each transaction and the Bitcoin
wallet is publicly viewable. This transparency enables threat actors — as well as investigating
organizations such as law enforcement — to follow each transaction, including the final
destination of funds once the victim has paid the ransom.

While the wallet holder’s identity is hidden, at some point Bitcoin can be exchanged for fiat
currency at any number of cryptocurrency exchanges. When this happens, the identity of
the adversary is at risk of exposure, representing an opportunity for investigators to leverage
important transaction details.

To gain even more anonymity, threat actors often use “mixing services.” Bitcoin mixing, or
“tumbling,” is the process by which Bitcoin from various sources is redistributed across
different addresses to obfuscate the true source of the funds and hinder analysis of the
transaction. While not inherently malicious, mixing is commonly used by cybercriminals and
other illicit actors seeking to launder cryptocurrency.

Another method used to ensure anonymity and prevent tracing of funds is to "jump chains," in
which cybercriminals convert currency to another format such as Monero (XMR) — a form of
cryptocurrency many attackers prefer for its anonymity.

CrowdStrike Intelligence reveals destination of funds for eCrime REvil affiliate

In 2021, CrowdStrike Intelligence identified a REvil affiliate actor sending 21.21 Bitcoin through the
mixing service Wasabi Wallet.

Later that year, the REvil affiliate combined funds sent from KuCoin.com and the darknet Hydra
Marketplace with their mixed funds.

Finally, in June 2021, a total of 18.41 Bitcoin ($660,000 USD) was sent to the Russian exchange
Garantex.

Insights like these reveal important information not only for law enforcement but also for threat
intelligence analysts, as the information helps to create a reliable end-to-end view on actor tactics,
common monetization exchanges and adversarial progress on malicious activities.

OBSERVATION 2: VICTIM RANSOMWARE DEMANDS AND PAYMENTS VARY SIGNIFICANTLY.

Reports from the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN)
and the Office of Foreign Assets Control (OFAC) illustrate how lucrative ransomware has become
for cybercriminals. Many of the insights in these reports are based upon suspicious activity reports
(SARs) that financial services firms file with the U.S. government. According to FinCEN, the value of
suspicious activity reported in ransomware-related SARs during the first six months of 2021 was
$590 million USD, far exceeding the $416 million USD reported for all of 2020.

The CrowdStrike Intelligence team continuously tracks the amounts of ransomware demands. In
2021, CrowdStrike experts calculated an average demand of $6.1 million USD, an increase of 36%
over 2020. Ransomware demands form one of the indicators in the CrowdStrike eCrime Index —
a computed value to assess the state of eCrime — and are susceptible to fluctuations as a result of
law enforcement or media attention putting some criminal activities on hold.

OBSERVATION 3: ACCESS BROKERS FOLLOW NO STANDARD PRICE LIST.

Access brokers enable the eCrime ecosystem by gaining access to victim
infrastructure and selling the illegitimately obtained credentials or access methods in
underground communities. By purchasing this access, malware operators or their
affiliates eliminate the need to identify targets or gain initial access themselves, resulting in faster
and more targeted weaponization of their payload.

Asking prices vary for access; the CrowdStrike Intelligence team has observed prices ranging
from $100 to $64,000 USD, the highest price for access credentials the team has identified to
date. In addition, external events — such as targeting the academic sector to coincide with the
start of a new school term or targeting healthcare organizations during the COVID-19 pandemic
— influence access broker price and activity levels.

CrowdStrike Intelligence observed that advertisements in criminal forums by access brokers
declined in the aftermath of the May 2021 Colonial Pipeline DarkSide ransomware incident as
media attention tapered off. However, an increase in activity — including the emergence of likely
new access brokers — was subsequently observed starting in September 2021.

TARGET SECTOR               LOWEST OBSERVED ASKING PRICE   HIGHEST OBSERVED ASKING PRICE
ACADEMIC                    $350                           $25,000
ENERGY                      $150                           $10,000
FINANCIAL SERVICES          $100                           $20,000
GOVERNMENT                  $300                           $26,000
HEALTHCARE                  $100                           $15,000
INDUSTRIALS & ENGINEERING   $200                           $64,000
INSURANCE                   $400                           $3,000
LEGAL                       $1,000                         $15,000
MANUFACTURING               $350                           $10,000
TECHNOLOGY                  $500                           $9,000

Table 1. Lowest and highest asking price advertised for access in top 10 targeted sectors

Figure 3. Average asking price for top 10 targeted sectors

Figure 4. Average asking price for top 10 targeted countries

HOW DO ACCESS BROKERS CALCULATE THEIR PRICE?

Several factors determine access broker asking prices. Access brokers offering elevated
privileges — such as a domain administrator — typically ask for a higher price. Other factors that
may influence the asking price include:

- The estimated annual revenue of the company — companies with higher annual revenues
  are more likely to attract a larger ransom demand
- The number of endpoints at the targeted company — this can determine how many
  devices can be encrypted in a ransomware operation
- The potential volume of data available for exfiltration
- The reputation of the broker among other eCrime actors — brokers with a reliable and
  positive reputation are more likely to get a higher asking price

CrowdStrike Intelligence has observed one access broker advertise a charge of 0.01% of the
victim’s estimated annual revenue. This, on one occasion, led to the broker setting an asking
price of $64,000 USD for access to an industrial and engineering sector company due to the
company’s estimated annual revenue of $683 million USD. (The asking price was later reduced to
$35,000 USD; whether the access was successfully sold is unknown.)

OBSERVATION 4: WHEN A RANSOM ISN’T PAID, THE DATA MAY BE AUCTIONED.

When an eCrime victim refuses to pay a ransom, its data may be auctioned by threat actors on the
dark web or on a dedicated leak site (DLS). This tactic enables the threat actor to still monetize
the data in the event of an unsuccessful extortion by selling it to other parties. Sometimes the
data is sold to other threat actors, who may use the data to identify new victims or find personally
identifiable information (PII) or financial data to commit fraud or plan new attacks.

LOCKDATA AUCTION

In July 2021, CrowdStrike Intelligence identified LOCKDATA AUCTION, a site accessible via
The Onion Router, an open-source web browser more commonly known as Tor. LOCKDATA
AUCTION has reportedly been active since May 2021 and offers eCrime actors a marketplace to
auction data stolen during ransomware operations. Membership is restricted, and members must
pay a fee to the site administrator for each auction hosted on the site. The fee varies based on
the perceived value of the victim and the amount of data uploaded. Each auction listing includes
the following:

- An auction countdown timer
- An option to contact the seller
- Page view count
- Bidding and valuation details
- Size of the data stolen in gigabytes (GB) or terabytes (TB)
- Brief description of the type of data
- Screenshots of some of the files, though these are not always included
- Password-protected download links for completed auctions

Figure 5. The LOCKDATA AUCTION website

Interested buyers can request “trial access to data” to ascertain the validity of the advertised
data. Auctions provide an opportunity for threat actors to still realize a payoff when their ransom
demands are unmet, or to potentially profit again following a successful extortion. CrowdStrike
Intelligence has noted positive reviews by some users of this site, confirming likely successful
auctions.

OBSERVATION 5: ECOSYSTEM SUPPORTING ECRIME CONTINUES TO THRIVE

Ransomware may be the most popular source of income for cybercriminals; however, many still rely
on other forms of moneymaking. CrowdStrike Intelligence found multiple traditional methods that
attackers still use to generate funds. Threat actors offer various services to support the broader
underground economy, including spambots, monetization services, pay-per-install and exploit kits.

One example is EcoPanel, a highly popular and customizable web panel developed and sold by
a Russian eCrime actor. EcoPanel allows users to manage and track various stages and aspects
of reshipping fraud as a means to monetize eCrime. In its simplest form, reshipping fraud involves
threat actors monetizing their efforts (typically compromised accounts or stolen payment card
data) by purchasing goods (such as high-value computers or cameras) and shipping them to
intermediaries known as “drops” or “mules.”

These “drops” — typically located in the U.S. or Europe, as direct shipments to Eastern Europe and
Russia are more easily flagged as suspicious by eCommerce platforms and therefore often not
permitted — reship the items to the eCrime actors, where they can sell the goods in local markets.

Drops are often recruited via legitimate job boards and misled to believe they are applying for
legitimate positions such as “reshippers” or “packaging specialists.” With some exceptions, drops
are promised a monthly salary but never paid, and eCrime actors typically cease contact with
them after one month and move on to newer recruits.

ECRIME MONETIZATION LESSONS FOR CYBER DEFENDERS

Learning how cybercriminals monetize ransomware campaigns is an important step in defending
against them. With this knowledge, you can improve your organization’s security program to
better protect against modern ransomware. Here are three key takeaways to assist you in the
fight against cybercrime.

YOUR DATA WILL HELP DEFINE YOUR SECURITY STRATEGY

The crown jewel for any adversary is your sensitive corporate data. Once stolen, your data can
be easily monetized, and you may be exposed to additional extortion techniques — and this
increased risk to your organization can be extremely difficult to mitigate.

Therefore, you must take a holistic, multi-layered approach to monitoring and securing your data
as your most valuable asset. Determine the value of your data and where it resides, then build a
layered security strategy that prioritizes that data and protects it using proper identity management
and the principles of Zero Trust.

One way to think of it: all corporate data exists on, and transits between,

- People
- Workloads and servers
- Endpoint devices and cloud workloads
- Extended networks and applications

Then, monitor the identities, network infrastructure, endpoints and cloud workloads accessing
your data, and make sure your data is protected in multiple ways.

For example, to protect physical treasure, you may lock it in a chest, which may be locked in a
vault. This vault may be guarded 24/7 and may be within a fortress, which is surrounded by a
moat. Archers on the walls of the fortress may be defending the moat.

Your ability to imagine your own layered defense and ability to plan contingencies around the
potential failure of the components of that layered defense are critical. This requires a strategy
where security modules integrate and share security monitoring information about who, when
and where sensitive enterprise data is accessed.

Figure 6. Continuous monitoring data within Zero Trust security (diagram: data at the center,
surrounded by people, workloads and servers, endpoint devices, and extended network and
applications; controls shown are secure authentication, authorization, data loss prevention,
continuous monitoring and audit)

THREAT INTELLIGENCE THAT TRACKS ECRIME MONETIZATION IS ESSENTIAL

Threat intelligence offers many levels of critical security information, enriching monitoring tools
and providing aid to security analysts during the detection, investigation or response to discovered
anomalies. The continuous monitoring process especially requires actionable threat intelligence to
understand who may be targeting your data, how they may attack your data and the value of your
data within the eCrime ecosystem so security organizations can define the right investment levels in
various monitoring solutions.

Threat intelligence must also effectively track criminal monetizations to provide end-to-end
visibility into threat actor activity and expose how they might use your lost or stolen data.
Intelligence programs that do not expose monetization tactics will only see part of the actor's
activities, resulting in incomplete information and potentially leading security teams to create
inadequate data protection strategies.

LEVERAGE THE CROWDSTRIKE ECRIME INDEX (ECX) TO KEEP AN EYE ON ECRIME MONETIZATION

The eCrime ecosystem is an active and diffuse economy of financially motivated actors that engage in
a myriad of criminal activities to generate revenue. As observed by the CrowdStrike Intelligence team
over the past several years, the market dynamics are fluid. Adversaries devise new mechanisms and
schemes to generate revenue, identify new avenues of monetization, and as the global geopolitical
and economic landscape changes, continuously evolve their tactics to maximize profits.

To measure the ebbs and flows of this ecosystem, CrowdStrike created a computed index to
assess the state of eCrime. The CrowdStrike eCrime Index (ECX) is based on a range of cybercrime
data such as ransomware victims, big game hunting data leaks, attack activities and cryptocurrency
rates, all weighted by impact. The ECX is useful to better understand the broader trends of the
eCrime ecosystem, and these can be a factor in determining threat activity.

CROWDSTRIKE ECRIME INDEX (ECX) 2021 REFLECTIONS

While the CrowdStrike ECX models a wide range of data within the eCrime ecosystem, one
example, big game hunting data leakage, is an important factor when evaluating current cyber
threats. Another significant data point is ransomware demands. For example, CARBON SPIDER’s
BlackMatter affiliates have been observed demanding as much as $60 million USD, and PINCHY
SPIDER REvil affiliates have been observed issuing a ransom demand of $80 million USD.
Cybersecurity teams and decision makers can use the ECX to assess the current state of the
cyber threat risks.

Figure 7. CrowdStrike eCrime Index trendline, October 2020-December 2021 (chart: eCrime Index
on a 0-100 scale, 10/19/20 through 12/31/21; annotated events include a spike in observed
ransomware demands and price of corporate access, Black Friday, Christmas, MUMMY SPIDER
returns to operations, Microsoft addresses 56 vulnerabilities, 11 critical, mass exploitation of
Microsoft Exchange vulnerabilities, Colonial, JBS, Kaseya, REvil operations resume, WIZARD
SPIDER’s Conti targets hypervisors, and adversaries exploit Log4j)



SUMMARY

Cryptocurrencies have taken their place in the modern economy and in cybercrime monetization. While the amounts
and volumes of transactions between criminal crypto wallets fluctuate widely, they can reveal important eCrime activity
trends.

An organization's sensitive, exfiltrated data is the pivot point for criminals to get their payment from selling, extorting
or auctioning the data on criminal forums. Defenders must think about the value of their data, where it exists within the
organization and how it's protected, and then determine the proper mechanisms for monitoring it.

CrowdStrike provides cloud-delivered protection across endpoints, cloud workloads, identity and data. Powered by
the CrowdStrike Security Cloud and world-class artificial intelligence (AI), the CrowdStrike Falcon® platform leverages
real-time indicators of attack (IOAs), threat intelligence, evolving adversary tradecraft and enriched telemetry from
across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting
and prioritized observability of vulnerabilities.

The CrowdStrike Security Cloud provides the data behind the CrowdStrike ECX. By understanding key metrics
that include multiple monetization observables, defenders get a high-level view of what is happening in the criminal
ecosystem and gain early warning when criminal activities enter new activity levels.

CrowdStrike’s eCrime monetization research provides detailed insights via CrowdStrike Falcon Intelligence reports
and indicator feeds. Understanding how the actor monetizes your data provides threat researchers an end-to-end
view of the actor so security teams can take the appropriate steps to improve their defenses and better protect their
organization.

ABOUT CROWDSTRIKE

CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s
most advanced cloud-native platforms for protecting critical areas of enterprise risk: endpoints and cloud workloads,
identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-
time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the
enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and
prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable
deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches.

Learn more: https://www.crowdstrike.com/


Follow us: Blog | Twitter | LinkedIn | Facebook | Instagram
Start a free trial today: https://www.crowdstrike.com/free-trial-guide/

© 2022 CrowdStrike, Inc. All rights reserved.


22-GC-096
