How Ransomware Groups Rely On Cheap (Stolen) Data to Launch Extortion Campaigns

Lockbit, the world’s most prolific ransomware syndicate, received USD 91 million in ransoms since 2020 according to a joint advisory released in June 2023 by the US Cybersecurity and Infrastructure Security Agency (CISA). Over the past six months alone its apparent victims have included Britain’s Royal Mail; a supplier to SpaceX; nearly 9 million customers of MCNA Dental, America’s biggest dental insurer; and, in early June, the world’s largest zipper manufacturer.

Analysis by TRM Labs indicates that Lockbit and other large ransomware groups that extort millions from victims rely on stolen data purchased cheaply at specialized online marketplaces, which often deal exclusively in cryptocurrency. A “good-quality” hacked account credential on these platforms can be bought for as little as USD 10.

TRM analysis of on-chain activity shows that in February 2023, shortly before it breached MCNA Dental, Lockbit made two relatively small deposits to Russian Market –  a darknet vendor of so-called “stealer logs,” which comprise stolen web browser information including stored data and certain device details. Based on the size of the deposits, these payments could have allowed Lockbit to acquire data for more than 100 compromised accounts. 

The payment indicates that LockBit is likely to be purchasing compromised data from third-party online marketplaces such as Russian Market to carry out its malicious activities. 

As indicated in the graph below, a LockBit payment address, which has received payments from ransom victims, sends funds to two addresses – an affiliate address and a developer address. A ransomware affiliate refers to an entity that rents access to Ransomware-as-a-Service (RaaS) platforms. A ransomware developer develops and maintains the malicious software.

The breakdown observed in this exchange, with the affiliate receiving 80% of the funds and the developer receiving the remaining 20%, is typical among developer / affiliate relationships. In this case, the affiliate address then sends funds to Russian Market in order to replenish the account.

Russian Market, which launched in 2022, provides users with the opportunity to pre-order stolen credentials for a specific organization. Customers who maintain a minimum balance of USD 1,000 in their accounts on the platform have the opportunity to submit a list of domains they want to target. They will then receive advance notifications regarding the availability of logs associated with those domains. Early access to logs pertaining to their specified domains is granted to these customers before the logs become accessible to the wider market. The service does not come with any assurances, but this feature allows cybercriminals to advance from opportunistic attacks to more focused and targeted attacks. In November 2022 and January 2023 LockBit made transactions with amounts that are greater or equal to the minimum required balance indicating use of the service.

TRM’s on-chain investigation shows that LockBit has been sending funds to Russian Market each month since November 2022, presumably to purchase data. In November 2022 and January 2023 LockBit made transactions with amounts that are greater or equal to the minimum required balance indicating use of the service.

Following the takedown of Genesis Market, an invitation-only online marketplace that was selling stolen account credentials, Russian Market has experienced a surge in popularity. Dark web forums are buzzing with discussions about alternative sources for purchasing logs after Genesis’ demise. 

Currently, Russian Market and 2easyShop are the primary competitors in the market. However, 2easyShop has gained a negative reputation among cybercriminals who, according to popular cybercrime forums, accuse the site of scam activity. According to the forums, 2easyShop’s poor customer support and low-quality data render purchased logs invalid, providing a market advantage to Russian Market in the wake of the Genesis takedown. 

Since the demise of Genesis, Russian Market is gaining significant attention and has witnessed a surge in mentions on cybercrime forums. Additionally, there has been an increase in dedicated Telegram channels that facilitate the sale of similar products. Essentially, the Genesis takedown has triggered a Hydra effect, wherein eliminating one entity leads to the emergence of multiple others. One thing is certain, as long as there is demand from ransomware actors we will continue to see a proliferation of businesses that serve them fighting for market share.

In an update on Lockbit, on June 15, 2023, the U.S. Justice Department announced charges against Ruslan Magomedovich Astamirov, a Russian national, for his involvement in deploying numerous LockBit ransomware and other cyberattacks. According to the complaint, LockBit actors have executed over 1,400 attacks against victims in the United States and around the world, issuing over $100 million in ransom demands and receiving at least as much as tens of millions of dollars in actual ransom payments made in the form of bitcoin. In at least one circumstance, law enforcement was able to trace a portion of a victim’s ransom payment to a virtual currency address in Astamirov’s control.

The announcement follows LockBit-related charges in two other cases from the District of New Jersey. In November 2022, the department announced criminal charges against Mikhail Vasiliev, a dual Russian and Canadian national, who is currently in custody in Canada awaiting extradition to the United States. In May 2023, DOJ announced the indictment of Mikhail Pavlovich Matveev, for his alleged participation in separate conspiracies to deploy LockBit, Babuk, and Hive ransomware variants against victims in the United States and abroad.

This case is another great example of federal, state and global cooperation and coordination between the U.S. DOJ, FBI, Jersey City Police Department, New Jersey State Police, IRS-Criminal Investigation, Europol’s European Cybercrime Centre, Eurojust, National Police Agency of Japan, France’s Gendarmerie Nationale Cyberspace Command, the National Crime Agency and South West Regional Organized Crime Unit of the United Kingdom, Kantonspolizei Zürich of Switzerland, Landeskriminalamt Schleswig-Holstein and the Bundeskriminalamt of Germany, and Swedish Police Authority of Sweden.

‍

‍