THE RANSOMWARE BUSINESS
Very often, the people who write the ransomware are not the people perpetrating the attacks. They prefer to keep their hands (and noses) clean. Indeed, complex attacks often begin with a broker, sometimes someone inside the organisation, sometimes not, selling some kind of initial access credentials.
Once that’s achieved, the attackers will, as stealthily as possible, probe internal networks to find important data (or further vulnerabilities). The ransomware itself, far from being some kiddie’s cobbled-together script, might be Ransomware as a Service (RaaS). It might have a customised payload, or even a dedicated page where buyers can monitor the damage, switch payloads or even receive technical support.
A new RaaS called ALPHV (also known as BlackCat) was discovered in December on underground forums. This seems to have been the first in-the-wild example of ransomware written in Rust. Advertising on the forums (which we’re sure a determined Linux Format reader will manage to find without us naming them) promises 80-90 per cent of the ransomware payout to ‘pentesters’ wishing to try out their latest badware.
The first Linux ransomware that we could find record of was named Erebus. Like RansomEXX, it appears to have been ported from Windows. But in 2017 it struck the servers (153 of them) of a South Korean web-hosting company, taking down over 3,000 websites. Such was the damage that the company paid just under 400 BTC, which at the time was $1 million in Bitcoin, making it the largest-ever payout at the time. Bitcoin is worth around 20 times its 2017 value today, so hopefully these particular fraudsters didn’t get to keep their earnings.