🕸️Inside the Ransomware Economy🕸️
Ryuk is the biggest Saas unicorn u've never heard of.
$150M ARR.
3 yrs old.
Maybe it’s taboo to learn business strategy from a cybergang. But the ransomware industry-- from supply chain operations to market microstructures-- is truly genius.
👇
Ryuk is the biggest Saas unicorn u've never heard of.
$150M ARR.
3 yrs old.
Maybe it’s taboo to learn business strategy from a cybergang. But the ransomware industry-- from supply chain operations to market microstructures-- is truly genius.
👇
1/ Some Highlights
$20B is the annual cost of global ransomware
$5M was the total payout to hackers @ Colonial Pipeline
$170K is the avg payout
2020 saw a 900% growth in fileless malware
67.3M attacks detected so far can be traced back to Ryuk
Every 11 seconds is a new attack
$20B is the annual cost of global ransomware
$5M was the total payout to hackers @ Colonial Pipeline
$170K is the avg payout
2020 saw a 900% growth in fileless malware
67.3M attacks detected so far can be traced back to Ryuk
Every 11 seconds is a new attack
So how much $ do tier-1 ransomware gangs actually make?
The pie chart below shows total ransom paid to the top 15 groups in 2019. By 2020, outflows increased 311% YoY to $350M. Financial success in the cyber underground is clearly top-heavy, tracing out a power law distribution.
The pie chart below shows total ransom paid to the top 15 groups in 2019. By 2020, outflows increased 311% YoY to $350M. Financial success in the cyber underground is clearly top-heavy, tracing out a power law distribution.
2/ Drivers of massive growth
In the 2000s, execs literally dropped money bags in parking lots & waited for mule pick-up. A lot has changed.
a) distributed cloud opened the floodgates on supersized botnets
b) Tor & Pastebin enabled mass market sales/sharing of leaked credentials
In the 2000s, execs literally dropped money bags in parking lots & waited for mule pick-up. A lot has changed.
a) distributed cloud opened the floodgates on supersized botnets
b) Tor & Pastebin enabled mass market sales/sharing of leaked credentials
c) the ability to spin up infinitely many virtual wallets w/ no real-world ID checks completely solved the fund delivery problem
d) decentralized payment infra made cross-border payments suddenly affordable
e) convertibility from XMR to BTC to USDT made money laundering a joke
d) decentralized payment infra made cross-border payments suddenly affordable
e) convertibility from XMR to BTC to USDT made money laundering a joke
f) perhaps most importantly, the BTC rallies of 2013, 2017, and 2020 completely shifted incentive equilibrium between crime & defense (i.e. upside of criminal work skyrocketed 100x w/ no increase in downside)
See this uncoincidential correlation between BTC price & ransomware👉
See this uncoincidential correlation between BTC price & ransomware👉
3/ The Ransomware Supply Chain
So what happens after a victim gets hacked? Usually, the DoomedCo will not wire BTC immediately. It'll call up lawyers + insurance, who'll bring in forensics + a go-to broker. This broker will then talk directly to hackers & negotiate for DoomedCo.
So what happens after a victim gets hacked? Usually, the DoomedCo will not wire BTC immediately. It'll call up lawyers + insurance, who'll bring in forensics + a go-to broker. This broker will then talk directly to hackers & negotiate for DoomedCo.
On lucky days these brokers can haggle 50% off original demand! And since there aren't too many of them & there aren't too many prolific ransomware gangs, after the Nth time butting heads, both sides are pretty much buddy-buddy. Meanwhile DoomedCo pays its broker a fat spread.
Extorted funds get pooled into a holding account, then passed to money laundering services, then either reinvested to support other gang operations or cashed out to fiat at crypto exchanges (most often Binance or Huobi using some unlucky unsuspecting bloke's stolen identity).
3/ Key Players in the Ransomware Economy
It's not just hooded basement-dwellers firing up Metasploit! There's...
- the gangs themselves (called APT groups) who often got funny names like CrouchingYeti & DeepPanda; they're made up of admins/bosses, malware researchers & mules
It's not just hooded basement-dwellers firing up Metasploit! There's...
- the gangs themselves (called APT groups) who often got funny names like CrouchingYeti & DeepPanda; they're made up of admins/bosses, malware researchers & mules
- money "mules": consists of (a) low-paid foot soldiers spinning up new crypto wallets & running bookkeeping and (b) unwitting carriers whose stolen bank accounts/identities the gangs use to process laundered money flow
- researchers: develop exploits
- admins: collect fat stacks
- researchers: develop exploits
- admins: collect fat stacks
- sponsors: kinda like VCs, but they're nation states; sometimes provide R&D capital or resources for exploit development & reconnaissance
- SaaS providers: to a cyber gang, SaaS means (1) exploit kits (2) botnets & (3) ransomware-as-a-service (RaaS) -- why build when u can buy?
- SaaS providers: to a cyber gang, SaaS means (1) exploit kits (2) botnets & (3) ransomware-as-a-service (RaaS) -- why build when u can buy?
- distributors: kinda like EC2 Spot, they own a buncha botnet infra & will rent out to gangs on demand
- data vendors: (more folks looking to sell shovels in the gold rush) they hunt & (re)sell wholesale lists of leaked intel both personal & corporate (e.g. emails, SSN, credit)
- data vendors: (more folks looking to sell shovels in the gold rush) they hunt & (re)sell wholesale lists of leaked intel both personal & corporate (e.g. emails, SSN, credit)
- sheep-in-wolf-skin FBI: will fake-buy RaaS services & exploit kits to catch gang members (but only noobs fall for it)
- cyberinsurers: they might pay out but more likely will point to some 20 pg exclusion clause & weasel out
- brokers: will haggle w/ gangs to bring down ransom
- cyberinsurers: they might pay out but more likely will point to some 20 pg exclusion clause & weasel out
- brokers: will haggle w/ gangs to bring down ransom
4/ Business Models
- aggregators:
e.g. brokers -- instead of plugging into each new "client" (victim) cyber gangs can streamline their collection processes thru a few brokers
- marketplaces:
e.g. Tor forums like Silkroad (rip) where gangs advertise & procure services or tools
- aggregators:
e.g. brokers -- instead of plugging into each new "client" (victim) cyber gangs can streamline their collection processes thru a few brokers
- marketplaces:
e.g. Tor forums like Silkroad (rip) where gangs advertise & procure services or tools
- SaaS:
e.g. Ransomware as a service (RaaS) & exploit kits where buyers pay monthly subscription fees or pay-per-use to access pre-made tools.
- revenue share:
e.g. RaaS & exploit creators that command a percentage of each successful ransom payout rather than subscription fees
e.g. Ransomware as a service (RaaS) & exploit kits where buyers pay monthly subscription fees or pay-per-use to access pre-made tools.
- revenue share:
e.g. RaaS & exploit creators that command a percentage of each successful ransom payout rather than subscription fees
5/ Competition & Cooperation
Cyber gangs don't compete for market share. Most play symbiotically since more players allows each to focus on its strengths.
RaaS gangs often just build encryption modules & outsource network penetration to affiliates; upside is shared upon success.
Cyber gangs don't compete for market share. Most play symbiotically since more players allows each to focus on its strengths.
RaaS gangs often just build encryption modules & outsource network penetration to affiliates; upside is shared upon success.
6/ Attribution
This basically means looking at some malware files & deducing which gang did it.
Very arduous task. But easy to tell when malware hails from Russia. Just look for an IF statement that reads "if current location within the motherland: don't execute!"
I'm serious.
This basically means looking at some malware files & deducing which gang did it.
Very arduous task. But easy to tell when malware hails from Russia. Just look for an IF statement that reads "if current location within the motherland: don't execute!"
I'm serious.
7/ Admission & Recruiting
So how does one get into an elite gang like REvil or Ryuk?
Step 1: learn Russian.
Step 2: um if I knew I wouldn't be here👺.
Also there's 2 types of "getting in" w/ the It crowd.
(1) Gaining admission to top-secret forums
(2) Actually getting hired
So how does one get into an elite gang like REvil or Ryuk?
Step 1: learn Russian.
Step 2: um if I knew I wouldn't be here👺.
Also there's 2 types of "getting in" w/ the It crowd.
(1) Gaining admission to top-secret forums
(2) Actually getting hired
The #1 risk insiders want to guard against is accidentally admitting a "whitehat" spy. So referral & trust from another insider is key.
I hear interviews also involve olympiad math puzzles...
If any of u gets in, plz put in a good word. I am a good morally agnostic math nerd 🙋♀️.
I hear interviews also involve olympiad math puzzles...
If any of u gets in, plz put in a good word. I am a good morally agnostic math nerd 🙋♀️.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
