Redazione RHC: 9 July 2025 11:12
Many people often want to understand the ransomware phenomenon precisely, its meaning, the methods of violation, and the crime that revolves around it, struggling to find information scattered across thousands of articles. This article aims to answer all these questions, providing a comprehensive, yet simple, guide to understanding this phenomenon as a whole.
On the pages of every newspaper, we hear about huge cyber breaches, million-dollar ransoms, cyber gangs, RaaS, and cyber warfare. These are all words that can be very confusing for people who aren’t specialized in cyber security. With this article we want to explain what ransomware is, how the highly profitable business of organized cybercrime works, focusing on analyzing this phenomenon from all angles, first understanding the concept of “affiliation” and then moving on to the techniques and tactics of attack and extortion.
In the popular imagination, cybercrime is linked to individuals with exceptional computer skills. But if you want to extort millions of dollars from a large company, you cannot do it all alone: you need a “team”, that is, a group of criminal hackers with diversified, advanced and vertical IT skills, who frequent the Dark Web and who most likely live in Russia.
In fact, the vast majority of cybercriminals do not have all the technical skills needed to do everything alone: create the malware, penetrate companies and extort money. This is precisely how RaaS, Ransomware as a Service, was born: cybercriminals who collaborate in an “organized” way towards a single goal, extorting as much money as possible from a target organization.
Cybercrime has exploded in recent years because criminals have “specialized” and “sub-specialized”, so that each can focus on a specific target or on a single stage of the breach and extortion process, and all of this works (unfortunately) terribly well.
By RaaS, as we said, we mean “Ransomware as a Service”: a criminal business model where the breach is conducted by a group of militarily organized cybercriminals. We will now analyze this three-level pyramid, to better understand how it works and how tasks are divided among cybercriminals.
At the first level we find the “Developers”. These are experts in writing malware and in cryptography, who create the ransomware, continuously update it, and build tools that provide sophisticated dashboards and command and control systems to the “affiliates”, capable of managing the entire infection phase, which, as we will see, is the final “active” phase of a ransomware attack before moving on to extortion. The developers also provide technical support tools for affiliates, so that they can get immediate answers from the developers on technical issues.
At the second level we have the “Affiliates”. These are other cybercriminals who rent the ransomware from the developers and conduct the actual attack and extortion activity, accessing the victim’s networks and remaining there for a long time, exfiltrating as much sensitive data as possible. This data gives them an additional lever of persuasion in case the company does not want to pay the ransom demand, as we will see in the second article.
The affiliates, therefore, rent the ransomware from the developers, accepting or agreeing on commissions within closed underground forums (such as darknet forums that admit members only on application), but also on accessible forums present on the clearweb, such as the well-known XSS.is.
The affiliates, in many cases, in order to access a large company’s network, can purchase access from the third and last entity in the RaaS pyramid, namely the Access Brokers.
These are essentially cybercriminal groups who breach corporate networks and establish persistence. They are highly skilled in penetration testing techniques and, once they gain access to a large organization’s network, they put that access up for sale on underground forums for a few thousand dollars. Affiliates are often customers of access brokers, since pre-vetted, ready-to-use illicit access at a low cost allows them to speed up their workflow.
Obviously, RaaS exists only when there is an organization to compromise. This organization typically has internet-exposed endpoints that are not properly configured or updated, allowing access brokers to enter its networks.
These companies are often identified through search engines such as Shodan, Zoomeye, Censys and IVRE, which make it easy to identify an organization’s internet-exposed resources and the related vulnerabilities. As we have often said, RaaS does not target a specific company: it often hits a large company only because that company leaves an “indelible” signature of its intrinsic vulnerabilities on the web, the result of an incorrect cyber posture within it.
Now that we have discovered all the players in the great RaaS game, we will delve into the attack model and then discover the interaction methods between the three levels of RaaS. But first let’s start by showing you the numbered graphics of the attack path to make it easier to follow.
Now we will go through precisely all the steps carried out by this perfectly organized, military-style criminal organization, which, if everything works properly, allow it to extort huge amounts of money.
Any ransom payment made by a victim is split between the affiliate and the ransomware developer. In the case of DarkSide (the ransomware that blocked Colonial Pipeline), the malware developer took 25% for ransoms under $500,000, but those commissions dropped to 10% for ransoms over $5 million.
This is all defined by policies described on “developer” blogs or underground forums such as XSS, which we’ve talked about a lot recently.
This division of ransom payments is very clear to see on the blockchain, in the transactions that split each payment between the Bitcoin wallets controlled by the affiliates and those controlled by the developer.
If we’re talking about DarkSide, the developer received $15.5 million worth of bitcoin (17%), with the remaining $74.7 million (83%) going to the various affiliates.
In total, just over $90 million in bitcoin ransom payments were made to DarkSide, originating from 47 separate wallets.
This gives a relatively accurate picture of the number of breached victims who paid a ransom. For example, according to DarkTracer, 99 organizations were infected with the DarkSide malware, which suggests that approximately 47% of victims paid a ransom and that the average payment was $1.9 million.
As we have seen, RaaS mainly revolves around “developers” and “affiliates”, but there are also other roles that are gradually taking shape, making RaaS a real corporate organization, with diversified roles and multiple outsourcing activities.
There are, for instance, cybercriminals who develop infrastructure that is resold to ransomware developers to speed up their software development cycle, such as cryptocurrency payment systems, blogs, and so on.
These are effectively criminal software components, which are purchased by ransomware developers and used within their solutions, just as if they were designing legitimate software, using third-party software.
In order to maximize profit in situations where companies are reluctant to pay the ransom, and to make the most of the effort put into breaching and encrypting a given company, RaaS groups can make use of people specialized in managing the “negotiations” between the breached company and the group.
In fact, several actors rely on figures who manage the negotiation aspect and, in addition, pile pressure on the company, for example through phone calls, DDoS (Distributed Denial-of-Service) attacks and threats to publish the information stolen during the ransomware attack. In short, these are people specialized in pure “extortion”, whose job is to push the company towards payment.
Ransomware, from Joseph Popp’s AIDS Trojan, considered the first ransomware in history and which we discussed in a past article, through WannaCry and up to the sophisticated Maze, REvil and DarkSide ransomware, has undergone many changes and innovations, both from a technical and from an extortion point of view.
First, we need to review some history to understand the three extortion tactics used to date, which are:
As we have seen, “access brokers” have great offensive technical capabilities and are able to breach an organization; their task is therefore to penetrate the company’s systems and resell the access points to the “affiliates”, who remain within the networks until they have found sensitive data with which to blackmail the victim through double extortion, a method introduced by Maze (a cyber-gang no longer active today) at the end of 2019.
Everyone seems to agree that the tactics, techniques and procedures used by “affiliates” and “access brokers” reflect a common modus operandi that combines native Windows features, commodity malware and ready-to-use red team tools such as Cobalt Strike, Mimikatz, PowerShell and .NET backdoors.
The “access brokers” in fact have good penetration-testing skills, while the “affiliates” move laterally to reach the infrastructure that holds the most valuable data, such as the research and development departments, the finance and control department or the Human Resources office, with the intent of extracting as much “sensitive” information from the organization as possible.
Once persistence has been established, the criminal gang can remain within an organization for up to 45 days, but it is known that this can stretch to 90 days (that is, 3 months, which makes it comparable to an APT attack, an Advanced Persistent Threat). Only after collecting as much information as possible for the second extortion do they launch the ransomware payload.
We must therefore understand that the moment at which users perceive the cyber attack (if the intrusion was not detected earlier) is the end of the “technical” work carried out by the cybercriminals.
The ransomware then does its job, encrypting the data on the servers and displaying a program on the screen that reports that the computer has been infected, the price to decrypt the data, and the time limit within which the ransom must be paid. In the case of ransomware like REvil (Sodinokibi), after that period, the cyber gang doubles the ransom price.
REvil (Sodinokibi) ransomware lock screen
Furthermore, a file is dropped (although there are several variants of this) which states what the organization must do to obtain the key that will allow it to decrypt the data. Specifically, the victim is instructed to “not waste time”.
Instructions for safely accessing the site on the onion network are also provided, with the recommendation to use a VPN and the Tor browser. Once the .onion site has been reached through Tor, a code, generally displayed by the program on the computer screen, must be entered before proceeding to pay the ransom.
Text file containing the recovery instructions.
A multitude of new extortion techniques have been observed recently, capable of increasing the pressure on the organization and therefore inducing it to pay the ransom.
For example, in the incident suffered by Vastaamo (a Finnish psychiatric clinic), after encrypting the data, the affiliates proceeded to inform its clients that their medical records would be made public. In fact, 300 medical records were published on the internet and the company went bankrupt.
In other cases, we have witnessed affiliates making phone calls to journalists to inform them that a specific organization had been hit by ransomware, effectively increasing the circulation of news and therefore the pressure on the organizations.
In other cases, we have also witnessed pressure being applied to top managers of companies by threatening to publish sensitive information taken from their own PCs, while the company was still evaluating whether to pay the ransom.
Another truly crazy example, reported by Mandiant, concerns a DarkSide affiliate who was able to exfiltrate the company’s cyber insurance policy. This information was obviously exploited by the cyber-gang during the ransom negotiation, refusing to reduce the amount given its knowledge of the limits provided by the policy.
The art of deception has always been at the basis of cybercrime activities at all levels, so much so that many books have been written on spoofing and deception techniques, that is, on how to fool others into believing they are being attacked by a different entity.
Determining which country or government cyber gangs may be working for has become very difficult in recent years, since many groups deliberately leave “traces” designed to frame other countries or governments.
Code alone is not enough to identify the nationality of the attackers, since cybercriminals can deliberately leave false traces, what in military jargon are called false flags.
“False flag” refers to a covert tactic used in military operations, intelligence activities and/or espionage, generally conducted by governments or secret services, designed to appear as if carried out by other entities and organizations, even through infiltration of or espionage within the latter.
This is how Wikipedia describes the “military concept”, and it has obviously been adopted in cyber warfare and ransomware operations by inserting specific “traces” into malware, capable of leading an analyst to incorrectly deduce the origin of a ransomware attack.
Russian is a language used in many former USSR countries, especially in the field of information technology, so today it can be quite complicated to draw conclusions about a malware sample’s origin from comments, error messages, language or country restrictions, the IP addresses of command and control systems and similar fingerprints.
Many groups working for the governments of various countries deliberately leave artifacts in their code specifically crafted to mislead analysts about their true identity and country of origin.
These are imitation techniques, used to make it appear that the attack was launched by a group from another state, or to impersonate a known threat actor, in order to cover their tracks. Many groups have analyzed competitors’ malware in order to reproduce, within their own binaries, artifacts that can be traced back to those competitors.
As we have seen in these two articles, RaaS is a highly specialized and organized criminal phenomenon, in which the negotiating power of information has an impressive value today.
The geopolitical landscape of this recent period makes these cyber attacks – especially if aimed at the critical systems of countries – a national security problem; this leads governments to manage them with the utmost attention, which is what cybercriminals do not like.
Furthermore, the difficulty in identifying the origin of a ransomware attack (was it Russia, China or North Korea? These are obviously just examples) can destabilize previously built geopolitical balances and trigger potential escalations.
The ransomware phenomenon is on the rise because it is extremely profitable and low cost. We should therefore expect the extortion tactics used by cyber-gangs to keep evolving in the coming years in ways that are unpredictable today, and ransomware to keep making the front pages of newspapers.
This is why it is essential (as often reported on the pages of Red Hot Cyber) to regulate cyber warfare, freeing our minds from what “was” the Tallinn Manual and trying to write a truly international treaty, not one written only for the benefit of NATO and the Five Eyes alliance.