An evaluation of ransomware distribution on darknet markets


Ransomware is a type of malicious software (malware) that restricts access to computer files, systems, or networks until a ransom is paid. In essence, an offender creates or purchases ransomware, then uses it to infect the target system. Ransomware is distributed in several ways including, but not limited to, malicious website links, infected USB drives, and phishing emails. Once the system is infected, the offender encrypts the device and demands payment for the decryption key. Figure 1 provides a simplified overview of the ransomware timeline.

Figure 1. Ransomware timeline.


The earliest recorded case of ransomware was the AIDS Trojan, which was released in the late 1980s. Now, in 2023, ransomware is considered the greatest cybersecurity threat because of the frequency and severity of attacks. In 2021, the Internet Crimes Complaint Center received over 3,000 ransomware reports totaling $49.2 million in losses. These attacks are especially problematic from a national security perspective since hackers aggressively target critical infrastructure such as the healthcare industry, energy sector, and government institutions.

If ransomware has been around for over 40 years, why is it now increasing in popularity? We argue the rise in ransomware attacks can be attributed to the availability of ransomware sold on darknet markets.

Darknet markets

Darknet markets provide a platform for cyber-criminals to buy, sell, and trade illicit goods and services. In a study funded by the Department of Homeland Security, Howell and Maimon found darknet markets generate tens of millions of dollars in revenue selling stolen data products including the malicious software used to infect devices and steal personally identifying information. The University of South Florida’s (USF) Cybercrime Interdisciplinary Behavioral Research (CIBR) sought to expand upon this research. To do this, we extracted cyber-intelligence from darknet markets to provide a threat assessment of ransomware distribution. This report presents an overview of the key findings and the corresponding implications.

Threat assessment

While drugs remain the most popular commodity on darknet markets, our threat intelligence team observed a rise in ransomware (and other hacking services).

The study was conducted from November 2022 to February 2023. We began by searching Tor for darknet markets selling illicit products. In total, we identified 50 active markets: this is more than all prior studies. We then searched for vendors selling ransomware across these markets, identifying 41 vendors actively selling ransomware products. The number of markets and vendors highlights the availability of ransomware and ease of access. Interestingly, we find more markets than vendors. Ransomware vendors sell their products on multiple illicit markets, which increases vendor revenue and market resiliency. If one market is taken offline (by law enforcement or hackers), customers can shop with the same vendor across multiple storefronts.

The 41 identified vendors advertised 98 unique ransomware products. This too shows the accessibility of various forms of ransomware readily available for purchase. We extracted the product description, price, and transaction information into a structured database file for analysis. In total, we identified 504 successful transactions (within a 4-month period) with prices ranging from $1 to $470. On average, ransomware sold on the darknet for $56, with the best-selling product being purchased on 62 different occasions at $14 per sale. A screenshot of the best-selling ransomware advertisement is presented in Figure 2. This product is listed as fully customizable, allowing the customer to choose their target and ransom amount. These findings illustrate that ransomware sold on the darknet is both affordable and user-friendly.

Figure 2. Ransomware advertisement found on a darknet market.


Purchases on the darknet are facilitated using cryptocurrencies that anonymize the transaction and ensure both the buyer’s and vendor’s security. Bitcoin is the preferred method of payment, but some vendors also accept DOGE, Bitcoin Cash, Litecoin, and Dash.

Our final goal was to understand which words are associated with ransomware distribution. Using the product description, we created a word cloud (presented in Figure 3) to depict the most common words used when selling ransomware. The most commonly used words include ransomware, encrypt, systems, urgency, decryption, victims, and software. Knowing the words associated with ransomware distribution allows for the development of machine learning algorithms capable of detecting and preventing illicit transactions.

Figure 3. The most used words in a ransomware advertisement.
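
As an added illustration (not code from the CIBR study), the sketch below computes the per-term counts that sit behind a word cloud and uses the seven terms listed above as a simple screening score for listing descriptions. The sample listings, stopword list, function names, and the 0.25 threshold are all constructed assumptions; matching is exact, with no stemming.

```python
import re
from collections import Counter

# Terms the report lists as most common in ransomware advertisements.
REPORT_TERMS = {"ransomware", "encrypt", "systems", "urgency",
                "decryption", "victims", "software"}

# Small assumed stopword list, enough for the constructed samples below.
STOPWORDS = {"the", "a", "an", "and", "or", "to", "of", "for", "in", "on",
             "with", "your", "you", "is", "are", "all", "this", "that", "it"}

# Constructed sample listings (not taken from any real market).
SAMPLE_LISTINGS = [
    "Customizable ransomware software: encrypt systems and set the ransom, decryption key included",
    "Ransomware builder with decryption tool, create urgency for victims",
    "Premium streaming account with lifetime warranty and fast delivery",
    "Carding tutorial and software bundle for beginners",
]

def tokenize(text):
    """Lowercase, split on non-letters, drop stopwords and very short tokens."""
    return [t for t in re.findall(r"[a-z]+", text.lower())
            if t not in STOPWORDS and len(t) > 2]

def document_frequency(listings):
    """Count how many listings each term appears in (the data behind a word cloud)."""
    df = Counter()
    for text in listings:
        df.update(set(tokenize(text)))
    return df

def score_listing(text, terms=REPORT_TERMS):
    """Fraction of the report's terms present in one listing description."""
    return len(set(tokenize(text)) & terms) / len(terms)

def flag_listings(listings, threshold=0.25):
    """Indexes of listings whose score meets the assumed threshold."""
    return [i for i, text in enumerate(listings)
            if score_listing(text) >= threshold]

if __name__ == "__main__":
    print(document_frequency(SAMPLE_LISTINGS).most_common(5))
    print(flag_listings(SAMPLE_LISTINGS))
```

The fourth sample contains only the term "software" and stays below the threshold, which shows why a score over several co-occurring terms is less noisy than matching any single keyword.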


Implications

The security concerns posed by ransomware and darknet markets have been independently identified by researchers, government agencies, and cybersecurity companies. We expand the discussion by assessing the synergistic threat posed by ransomware distributed via darknet markets. Our findings suggest the uptick in ransomware may result from product availability, affordability, and ease of use. Cyber-criminals no longer need the advanced technical skills required to develop unique forms of ransomware. Instead, they can simply purchase customizable ransomware on the darknet and launch an attack against their victims.

Acknowledgements

This research would not be possible without the students and faculty associated with the CIBR lab. Specifically, we thank Taylor Fisher, Kiley Wong-Li, Mohamed Mostafa Abdelghany Mostafa Dawood, and Sterling Michel for their continued involvement on the cyber-intelligence team. For more cutting-edge cybersecurity research, follow Dr. C. Jordan Howell, Lauren Tremblay, and the CIBR Lab on Twitter: @Dr_Cybercrime, @DarknetLaur, and @CIBRLab.
