The revelation that more than two-thirds of the top 1500 global ransomware families sell their software on illegal black-market websites has been met with derision. Now the BBC has discovered that even a raft of big-brand companies are doing business with them, and are telling victims not to worry.
The revelation came to light after password management app Dashlane, along with security firm Kaspersky Lab, flagged the approach taken by some sellers of ransomware. The high-profile attempts to evade law enforcement by shifting their business online were revealed by Kaspersky Lab at a security conference earlier this month. They suggest that only a few of the more well-known ransomware families – such as WannaCry, Petya and EmCrypt – are selling on black-market marketplaces.
Despite its name, ransomware is in fact a malicious program that locks up a computer, encrypts the hard drive and then demands a ransom to unlock it. Typically it works by sending emails to the victim’s email address, either on their own or copied from the original suspect spam message that appears in the victim’s inbox. In all cases it arrives with an email attachment that the recipient will unwittingly open as an innocent distraction before getting back to work.
Criminals add custom code, known as ransomware, to the physical software that the affected computer is running. Then when the hard drive is opened, as is the case when running a program such as this, it fills up with ransomware.
A victim then has to either pay the ransom via an intermediary like Moneyjailor.com or lose the files on their computer as soon as they turn it back on.
Kaspersky and Dashlane suggest that only a couple of the best-known vendors are running their extortion systems online. However, this doesn’t mean that others aren’t doing business without the public’s knowledge.
Chris Boyd, information security consultant for Dashlane, explains, “Ransomware sales are hugely profitable and are doing pretty well on the black market. Because of this, many companies are making the mistake of only investigating the known providers of ransomware. But the figures released by Kaspersky show that ransomware sales are not limited to the well-known ransomware like WannaCry, Petya, CryptoLocker and CryptoWall. They could be anything from totally random malware to restricted variations of more common ransomware designed to fit a specific exploit.”
For a firm to advertise on a black-market website is in itself criminal activity, not least because the victim is forced to pay a ransom without knowing where the money is going. Thus, although it’s hard to convict these types of organisations, it’s very easy to prosecute them if they deliberately choose to skirt the law. If these firms choose to market ransomware through the wrong channels, they may well be investigated and prosecuted.
There is a middle ground which is easy to find. The ransomware vendors themselves, or their sales agents, do not need to advertise their business in the documents associated with black-market sites. That’s why these firms may choose not to make their customers aware of what they’re buying, even though they are clearly fully aware of the risks. However, in an ideal world, customers might wish to be alerted to the dangers of buying this type of software from what is meant to be the unregulated open marketplace.
For its part, Dashlane has said it is putting together a whitelist of trusted sources for its customers. This can be done in two ways. First, through a registration process, where such firms are required to have a full list of their known vendors in one place for all customers. Second, they can only offer their products from this section of their site.