Using Affiliates Enables Crowdsourced Profits, But Leaves Operators More Exposed
Advertisement by Darkside operators on a cybercrime forum (Source: Kela)
Darkside is the latest ransomware gang to announce that it’s launched an affiliate program, as part of its bid to maximize revenue.
In recent days, the operators behind Darkside have taken to XSS and Exploit – two major, Russian-language cybercrime forums – to announce the details of their new affiliate program, Israeli cyberthreat intelligence monitoring firm Kela reports.
Here’s how such affiliate programs work: Ransomware operators provide crypto-locking malware code to third parties. Each affiliate receives a version of code with their unique ID embedded. For every victim that pays a ransom, the affiliate shares the take with the ransomware operator.
Darkside ransom note (Source: Bleeping Computer)
For example, the affiliate program run by Sodinokibi – aka REvil – as of last year was giving 30% of every ransom payment to an affiliate, rising to 40% after three successful ransom payments (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
Darkside’s terms and conditions differ. “They stated that their average payments to their affiliates are about $400,000 and the share paid to affiliates is 10% to 25%, depending on the size of the ransom,” Kela says, noting that the gang claims the average ransom it receives is between $1.6 million and $4 million.
Ransomware affiliate programs abound. Victoria Kivilevich, a threat intelligence analyst at Kela, says some of the more famous, “big game” ransomware operators running affiliate programs – as well as blogs for leaking stolen data – include:
Other ransomware operations – some active, some now defunct – that have run affiliate programs, she says, include Chimera, Crylock, Exorcist, Gretta, Makop, Thanos and Zeppelin.
Affiliate Program Upsides
Running an affiliate program offers numerous upsides. For starters, the ransomware operator handles the technical side, including “product updates.” Once the operator has built all required infrastructure – typically including a self-service portal for victims to pay – they can in theory scale to handle as many affiliates as they want. This crowdsourcing model can give them the ability to realize much greater profits, especially compared to trying to hit victims themselves. Affiliates, meanwhile, don’t need to build and maintain their own malware and infrastructure.
Other upsides include the ability of the operation to attract specialists – for example in network penetration – who can focus on amassing victims, while leaving tech support and customer service, so to speak, to the operator.
Two Main Downsides
So, what are the downsides to running an affiliate program? Kivilevich highlights two main problems: reputation and infiltration.
Reputationally, if an affiliate does something bad, that reflects on the operator, as Darkside has noted in one of its posts. “For example, when an affiliate of SunCrypt attacked hospitals – you see SunCrypt writing: ‘A new affiliate locked it unknowingly, and for this he was punished! Hospitals, government, airports, etc., we do not attack,’” she says.
Relying on affiliates also means that the ransomware operation may be inadvertently recruiting undercover security researchers or law enforcement agents, who might potentially “gather more intelligence about their activities,” Kivilevich says.
What threat does Darkside pose? In terms of the crypto-locking malware that Darkside provides to affiliates, the operators say it can encrypt both Windows and Linux files. Having the ability to crypto-lock Linux files is also something researchers at Russian security firm Kaspersky recently spotted RansomEXX ransomware being able to do (see: RansomEXX Ransomware Can Now Target Linux Systems).
Like many types of malware, Darkside is also designed not to infect PCs located in one of the member states of the post-Soviet Commonwealth of Independent States, which includes Russia and 11 other nations (see: Russia’s Cybercrime Rule Reminder: Never Hack Russians).
“Press release” from Darkside in August announcing its debut (Source: Malwrhunterteam)
As proof of its success to date, Darkside has deposited 20 bitcoins – worth about $315,000 – with the XSS forum. Kivilevich says this is “a common method ransomware gangs will use to show that their operation generates plenty of profit.”
Like many other ransomware operations, the gang also maintains a leak site, where it names and shames victims, and can post samples of stolen data, to try and force victims to pay (see: Data-Exfiltrating Ransomware Gangs Pedal False Promises).
Even so, it’s not yet clear how many organizations Darkside or its affiliates might have hit.
“Darkside has been relatively quiet since the gang emerged: they’ve published only four victims on their site, with one being removed,” Kivilevich says. “It’s possible the gang is extending their efforts, meaning that we could expect to see them performing more attacks.”
In a likely bid to boost profits, the gang has also posted that it’s looking for initial access brokers who can give it access to U.S. businesses with annual revenue of at least $400 million.
In other words, “Darkside is aiming for big targets,” Kivilevich says, adding that it’s the first time she’s seen “ransomware operators offering initial access brokers the opportunity to directly trade with them,” rather than attempting to rely on “affiliates or other middlemen.”
As always with ransomware, criminal innovation – in a nonstop drive by attackers to maximize profits – appears to be paying, of course at victims’ expense.