    Ransomware Ecosystem: How Are Cybercriminals Structured?

    When the media reports on ransomware, you often see the end result: the stolen corporate data has ended up on the dark web. But what happened before that? Is there a single “hacker” or cybercriminal who is solely responsible for all of this, or does the ransomware ecosystem work differently?

    A Ransomware Ecosystem Based on Division of Labor

    Contrary to what is still frequently reported today, ransomware attacks are generally not carried out by a single individual. The actors behind them are highly organized, with a clear division of labor, and the structure of a ransomware group can be drawn as an organizational chart much like that of an ordinary company. This model, in which a core group runs the platform and outside affiliates carry out the actual attacks, is commonly called ransomware-as-a-service (RaaS).

    Figure: Ransomware organizational chart showing the roles CEO, Developer, Hosting, Customer Service, Affiliates and Initial Access Broker.

    The Ransomware Operator / CEO

    At the very top of the organizational chart is the managing director (or “CEO”), also referred to as the operator. The operator ensures that the individual “departments” work together as smoothly as possible, assigns tasks, establishes rules and principles, and primarily handles organizational responsibilities. This includes, for example, setting the share of each ransom that goes to the affiliate who carried out the attack, or stipulating that no medical facilities (e.g., hospitals) may be attacked in the group’s name. Such rules are not always honored in practice: hospitals have been hit by affiliates of groups that officially prohibit it. The position of managing director/organizer may be held by more than one person.

    Development

    The actual malware, that is, the encryptor that locks the victim’s files and the matching decryptor, is written in the development department. In some groups this is a single developer; in others, a team. Generative AI is increasingly used here as well, either to assist with development or to take over entire development steps.

    Hosting

    Hosting is often outsourced to specialized “bulletproof hosting” providers. Their business model essentially consists of accepting (almost) anything on their servers, or, in other words, not looking too closely at what is being hosted. They also generally ignore requests from authorities to hand over data or to shut down the hosted services. For a ransomware group, this covers the infrastructure the other departments depend on, such as the data leak site, the negotiation portal and the servers used to control the malware.

    Affiliates

    Affiliates are individuals recruited externally, often on dark-web forums, who use the ransomware group’s existing infrastructure and established reputation to carry out the actual intrusions: break into companies, steal data, deploy the encryptor, and leave a ransom note. In return, they hand over a share of each ransom to the operator. Their methods are diverse, ranging from exploiting technical vulnerabilities in internet-facing systems to using stolen credentials bought on the dark web. These credentials (and, increasingly, ready-made access to VPN or remote-desktop endpoints) are offered by so-called “initial access brokers” and often originate from computers infected with infostealer malware. For defenders, the practical consequence is that a leaked password on its own should not be enough to get in: multi-factor authentication on every remote-access endpoint removes much of the value of this part of the criminal supply chain.

    Customer Service

    If a company decides to pay the demanded ransom despite all recommendations against doing so, it usually does not want to pay the full amount. To allow for negotiation, the criminals typically provide a customer service channel, usually a chat portal reachable through a link in the ransom note, and are often willing to negotiate within certain limits. The same channel is used to guide inexperienced victims, for example by explaining how to buy Bitcoin for the ransom and then “transfer” it to the ransomware operators. Once the ransom has been paid, a decryption tool is usually provided. Payment does not guarantee a working decryptor, however, and there is no way to verify that stolen data has actually been deleted as promised.

    Money Laundering

    Bitcoin is anything but an untraceable form of payment, and most cybercriminals now know this. As a result, they often use services that claim to conceal the true origin of illegally obtained ransom payments: mixing services (“tumblers”), swapping the funds through other cryptocurrencies, and cashing out via exchanges with weak identity checks. In some cases, there is also overlap with traditional organized crime outside the purely digital realm.

    Conclusion

    In summary: the actors in the ransomware ecosystem work with a division of labor and are by no means lone wolves. Gaps in knowledge are filled by recruiting people into the organization or by outsourcing. As in a normal company, there is a sort of CEO with various departments reporting to them, and everyone fills a clearly defined role. These roles cover the whole chain, from developing the malware and gaining access to corporate networks to negotiating with victims and laundering the ransom payments.