#Irisscon: Ransomware Shifts to use Affiliate Distributors, and Infect via RDP


Speaking at Irisscon in Dublin, McAfee chief scientist Raj Samani said that ransomware has evolved from a one-to-one “relationship” between the author of the malware and the victim to a model that uses affiliates to distribute the malware.

Citing the WannaCry ransomware epidemic of 2017, Samani said it was further proof that “cybersecurity is about more than just computers”, as patients were turned away from hospitals and, in some cases, the internet was switched off to protect networks. We now “live in a world where a nurse can open an email and this leads to a hospital turning away patients”, he said, and anyone can be a cyber-criminal if they have the means to pay.

This has led ransomware developers to outsource delivery of the files to affiliates, who can reach many more victims. Between 2016 and its operators’ retirement in 2019, the GandCrab ransomware allegedly made around $2 billion. He also said that the average ransomware payment in Q4 2018 was $24,000, while in Q1 2019 it was $36,000, and the price is going up because people are paying.

Samani said that developers and cyber-criminal gangs are actively recruiting affiliates globally, and that each infection carries a separate form to track which affiliate infected each victim. “We have not seen this level of accounting and diligence,” he said, having looked at 280 samples.

Samani went on to talk about the Sodinokibi ransomware, also known as REvil, which he said has caused remote desktop protocol (RDP) to be “reborn as a vector” for infection: in Q1 2019, RDP was responsible for 63.5% of all ransomware attacks, compared to 30.4% via email and 6.1% via a software vulnerability.

He encouraged delegates to lock down this protocol, “as we believe this is how the successor of GandCrab is getting in.” He admitted that this is hard to track, though, as a different Bitcoin wallet is allocated to each attack, but one wallet that McAfee was able to track showed that a single individual had earned $287,000.

“It is no longer some group of individuals sitting in a basement, this is organized crime and they understand how to launder money and outsource attacking organizations,” he said.
