How ransomware gangs operate like legitimate businesses


Today’s ransomware groups act like regular businesses with PR and advertising, escrow services and even customer support, says Cybersixgill.


In the old days of cybercrime, many cybercriminals were seen as lone-wolf hackers working out of their basements. Though that image may still be true of some individual attackers, it’s certainly not an accurate picture of today’s more sophisticated criminals. Ransomware gangs these days operate like businesses, with all the personnel, services and subcontractors that make up a legitimate company.

In a report released Thursday, cyber intelligence provider Cybersixgill looks at the structure of typical ransomware gangs and offers advice on how to prevent yourself and your organization from becoming one of their victims.

What is the operating structure of a ransomware group?

Though they may do business on the dark web, many ransomware groups work like traditional software companies, albeit with an underground mentality. PR and advertising reps promote the gang by touting its past attacks and accomplishments, according to the report. Reconnaissance brokers scour criminal markets for account credentials and other sensitive data for sale and then cut a deal with the ransomware group to sell that information.


Ransomware gangs also depend on different types of subcontractors. Initial access brokers (IABs) gain illegal entry to company networks and then sell that access to the group, Cybersixgill said.

Underground escrow services act as intermediaries between buyers and sellers by receiving and holding the victim’s ransomware payment until the ransomware gang has confirmed that the funds are in order. These services naturally take a cut of the overall payment and are sometimes used by initial access brokers not just for ransomware but for drug and arms deals, according to Cybersixgill.

Further, a customer support group fosters communication between the gang and the ransomware victim. These groups also provide support for criminals who buy ransomware as a service and malware as a service. Each subcontractor then takes a piece of the profit, and even if a certain ransomware gang closes shop due to law enforcement efforts, its subcontractors remain active, waiting for the next gang to come along.

Like any startup business, a new ransomware group has to gain the trust of others along the chain. A group that’s unfamiliar on the dark web often has to prove itself to obtain access to underground chatrooms and forums where it can pick up customers. Forum admins will ask the group for references from other criminals. Some groups may earn their chops by offering free samples of hacking tools or by acting as mentors to other users.

How to protect your organization from these ransomware gangs

With today’s ransomware gangs running like legitimate businesses and posing more of a threat than ever, Cybersixgill provides a few tips to help you protect your own organization.

Practice good password habits

Discourage your users from sharing account passwords or keeping them in plain sight. Design a password policy and find an effective way to implement it.


Use multi-factor authentication

Employ MFA to protect user accounts and sensitive information.

Limit the use of company email addresses

Don’t allow employees to use their company email address to access non-business accounts, such as streaming services.

Restrict business work to business computers

Don’t allow employees to use a private network or home computer for sensitive or critical work.

Train your employees

No matter how strong your security, some phishing attacks and other threats are always going to get through to your users. Educating your employees in cybersecurity practices can help keep your organization safer.

If you’re looking for cybersecurity training, the experts at TechRepublic Academy have partnered with CompTIA to offer a training bundle on a variety of cybersecurity topics.