A Good Inside Look At How Ransomware Operators Work

This post is part of a series on cyber crime. For the other posts, see the cybercrime tag.

Francis Turner has some good stuff about how ransomware operators work here.


This post on Krebs sort of puts numbers to the equation.


Apparently the same people who created the CryptXXX variant of malware started with Reveton.

So the operational setup is pretty much the same. What has changed is the software they spread, which they did not develop themselves, as I point out in this post.


In a way, being in the malware business is a Red Queen's race: you keep having to change just to keep up. After all, there is a raft of security companies keeping an eye out for your "product" and shutting it down as soon as possible. For every exploit a piece of malware uses, the window for a return on investment is short; the typical exploit has about a week before the security people shut it down. In my case, I suspect that the only reason I was hit was that I missed ONE update, because I was using Windows Defender and didn't want to update to Windows 10. So the obvious thing for the operators to do is to try to increase the returns from their efforts.

Ergo the move from phony threats and locking computers, which can be worked around, to file encryption, especially when the code was easily available. These people are just following the typical business model of adapting to changing circumstances. The thing is that by changing to data encryption, and now seemingly to data destruction, they have raised the stakes. I'm not sure if they understand how that's going to change the game.



Now that ransomware has transitioned to actual data destruction, people are starting to take malware seriously. Not just the usual security types, but institutions and heavy-duty law enforcement, the kind of people who can work across borders and cooperate on an international level. There is also the very large risk that at some point one of the malware strains out there will destroy something that shouldn't be destroyed. I know that most critical stuff should be backed up, but suppose the program runs during the backup and hits both drives. After all, that's essentially what happened to me.

It must have been frustrating for the operators when the security companies started providing decrypters. After all, victims not paying was costing them revenue. What the malware people didn't understand was that those decrypters were the only thing standing between them and a whole new game, especially when people paid and never got their keys. If data is actually destroyed, people get angry. If you are putting stuff out at random, you can't control who you hit. It might be granny, and it might be the hospital that the families of NSA operatives use, which would not be a good thing if you are doing something illegal. In the two months or so since I was hit I've seen an escalation of activity all around. For the malware people, escalation is not a good thing.

Business likes a nice stable environment for its buying and selling. What the malware people have now done is turn the place upside down. Now all they can do is hold the tiger by the tail. Good luck with that.

