Black hat hackers, and cyber-criminals are far more sagacious than most of us think. They are no longer script kiddies who are showing off their hacking skills to impress their social circles, but highly professional businessmen who are working meticulously hard to benefit from their exploitative attacks. Research studies have been done on how cyber-criminals market their skills and sell their exploitative tools. The darknet offers hackers a perfect ecosystem to commit cyber crimes without being monitored and traced by law enforcement agencies.
An entire economy has been growing on the darknet during the past few years, as a result of trading of illegal and illicit goods and services fueled by cryptocurrencies. The social framework of members in darknet marketplaces is strong enough to avoid any intrusions attempted by law enforcement agencies. The dynamic shifts and advancements in the cyber security sector has encouraged many researchers to suggest different methodologies that can identify the true intent of malicious attackers.
A recently published netnographic study was conducted to analyze the cyber-crime economy and nature of trading of ransomware and hacking services on the darknet. The data obtained via this study included observations of the darknet marketplaces, and the researcher’s reflections on the social communications between various actors involved in the development, marketing, and distribution of ransomware and other hacking services. Data collected from this study was also used to deduce a cost-benefit framework.
Data obtained from the darknet:
Data from darknet marketplaces was either archived or obtained from reflexive notes. The archived data included data dumps of cryptomarket sales and buyer feedbacks, publicly posted by researchers. All of the archived data are from cryptomarkets that are no longer active. Table 1 includes a list of the marketplaces that were included in the data dumps:
|Alphabay||Popular cryptomarket shutdown in July 2017 by LE in Operation Bayonet ||April 2015 – January 2017|
|Hansa||Cryptomarket also shutdown in Operation Bayonet||December 2016|
|TheRealDeal||Cryptomarket for digital goods, intentionally taken down by administrators||June 2015|
|Agora||Cryptomarket intentionally taken down by administrators||Unknown|
Table (1) Dead cryptomarkets with the dates of the data retrieved for this research
The reflexive notes included screenshots and observational points of active marketplaces. Ransomwares listed from active darknet marketplaces were also stored in spreadsheets with their price tags and descriptions. In addition to ransomware items, other digital goods had ransomware tags, such as hacking services. Also, the studied data included posts from a number of forums concerning RaaS. The data also included interviews that were conducted by DeepDotWeb with many darknet interviews. All these interviews were conducted by our staff using PGP encrypted chats.
Actor profiling of hackers and distributors of ransomware and hacking services:
Attacker profiling was based on the interpretation of darknet member feedback on cryptomarkets, forum posts and most importantly the interviews. From this information, we could extract investigative and non-investigative facts that are useful for actor profiling.
Vulnerability researchers are members of the darknet who hunt for zero-day exploits. These offer entry points for the ransomware to decrypt files on a device. These researchers are technically sophisticated members with high expertise in hardware and software vulnerabilities, operating systems and software development skills. Information of the services they offer on the dark web is not publicly available for all to see, but exchanged in invite-only IRC servers. New cryptomarkets that sell zero-day vulnerabilities and offer a variety of hacking services are being hosted on the Tor network. TheRealDeal marketplace had vendors offering illicit drugs for sale, along with digital goods to attract consumers to the marketplace, but the administrators promised that it would be removed when they reached a substantial number of users. Another marketplace called German Plaza followed their footsteps and supported multiple languages including German and English.
Malware authors either work individually or in groups to develop ransomware variants. They utilize information provided by vulnerability researchers to code efficient encryption algorithms that are capable of locking an entire device in the shortest time possible. The study included a private chat between a ransomware author and an interested buyer, first leaked and then posted in a clearnet forum. The author attempts to sell a newer version of ransomware with the intention of infecting 20,000 devices. In another case, the authors behind Petya and Mischa ransomware tried to combat ransomware sales by leaking the private keys of their ransomware rival, Chimera.
Vendors can be authors, but some vendors have no knowledge on how to code and probably sell a wide range of products that are not necessarily digital goods. Some vendors offer technical support if there are bugs in the ransomware or the distributor is struggling to run it.
Distributors are sometimes outspoken on the darknet. They share outcomes of the distribution of a ransomware, and give feedback on ransomware purchases. Some distributors search for partnerships involving malware developers on forums. From the preliminary study, two profiles of malware distributors emerged; novice and experienced.
Installing a malicious website from a trustworthy website is a good way to distribute ransomwares. Web designers are responsible for creating websites that look authentic to the user, and that could act as a trap. A developer’s hourly rate on the darknet is very expensive. The high cost can amount to other features such as developing the infrastructure of a darknet marketplace. This involves securing the anonymity of the users of the marketplace and protecting the marketplace from DDoS attacks.
Money Launderers and Mules:
The responsibility of a money launderer is to steal identities from individuals through social engineering mechanisms. The launderer then offers fake bank accounts opened with the stolen identities. Vendors that sell illegal products and services on darknet marketplaces, deposit the Bitcoins they profited into the fake accounts and then cash it out. Law enforcement trace back these bitcoins to unsuspicious individuals. On some occasions, the money mules are part of the team of assailants in which they get a greater share for acting up as innocent individuals. For this role, two profiles were listed, one is a professional whereas the other is innocent.
Ransomware-as-a-Service (RaaS) on darknet marketplaces had different prices. The differences in prices across items were reflected in differences in encryption algorithm, vendor reputation, customizable options, partnership opportunities and external costs. Observations included a connection between these factors and the listed price in the marketplace. The vast majority of the RaaS item listings in the cryptomarkets had redundant descriptions, hence, considered scam items. However, some ransomware items stood out as they were detected before in cyber security reports and articles. These ransomware variants were filtered out from the rest and their prices were recorded in US Dollars. Most of them were observed in Alphabay old data dumps, but some were also actively sold in Dream and Agora. Figure (1) shows the ransomware variants and their prices.
Figure (1): Prices of ransomware on darknet marketplaces
Customizable ransomware is a popular trend in the economy of ransomware-as-a-service. Figure 5.13 shows an example of a customizable ransomware that was identified in one of the private vendor markets.
Figure (2): The distributor is capable of customizing the displayed screen of the ransomware
The set of features in the ransomware that can be modified by the customer include but is not limited to the following:
• Ransom amount distorted in the ransom
• Bitcoin wallet address
• Timer duration (i.e. the number of hours left before the ransom amount is doubled)
• Deadline (i.e. number of days left before all files are removed)
• Warning message to be displayed on the screen
RaaS vendors are integrating innovative features to the service to attract potential buyers. These features offer a management interface in which the distributor can control and monitor ransomware infections on victims. The best example discovered during the netnographic study was that of Philadelphia Ransomware. Its management interface, coined as the “Headquarters” offered a wide range of options to the user. These were:
• Password protected login to the Headquarters
• Retrieve IP addresses of infected devices
• Retrieve geographical location of the victim
• Give mercy to victims with a press of a button
• Customizable ransomware window
• Group and filter victims and download PDF report summaries
• Unlimited and customizable builds (i.e. distributor can infect as many devices as possible)
• Depth of encryption on the victim’s drive
Figures (2) and (3) show how user friendly the Philadelphia ransomware is with its concise user manual that can be easily understood by low-skilled members of the darknet. The overall interface looks intriguing and interactive. The headquarters has its own login screen which implies that a user account needs to be created. The ransomware screen displayed to the victims is customizable with options to change the background color. If the distributor suffered from high psychic opportunity cost, he/she can offer mercy to the victims by restoring access to their device without receiving the ransom:
Figure (3): Distributor is capable of monitoring the infection advances, and giving mercy to compromised victims
This research is a promising start to the field of cyber security threat intelligence. However, cryptomarket research has yet to improve and focus more on the development and distribution of ransomware-as-a-service (RaaS). Tracking the amount of Bitcoin going into the wallets linked to a ransomware variant can give us better estimates on how much money is profited by the stakeholders involved in ransomware-as-a-service. For example, a Twitter bot managed by Quartz tweets every amount of money deposited into and withdrawn out of one of the wallets of WannaCry. Victim’s can share the wallet key with cybersecurity experts, making it easy to retrieve.