Over the past few years, ransomware operations have become increasingly sophisticated as they shake down everyday internet users, giant corporations, and government agencies for ransoms that can sometimes total in the millions of dollars. Now, according to the cybersecurity firm LIFARS, the underground world of ransomware is essentially developing its own venture capital ecosystem, with ransomware attackers pooling their funds to back new criminal operations in exchange for a cut of future earnings.
“Outside of ransomware, I don’t think that ever actually happened, that you’ve had a VC ecosystem in a criminal cyberscape,” says LIFARS cofounder and CEO Ondrej Krehel. “This is very unique.”
Not unlike in Silicon Valley, calls for investors are often accompanied by descriptions of founders and their prior achievements—in this case, notable previous hacks, Krehel says. The calls to invest that LIFARS is aware of take place through secure chat apps like Telegram, where certain groups are accessible only to people who can demonstrate they’re already involved in digital crime, usually by sending a token amount of cryptocurrency traceable to a ransomware incident or something similar to a certain address.
Ransomware attacks typically encrypt files on a victim’s computers, promising to provide a decryption key in exchange for a ransom usually paid in cryptocurrency. Some also threaten to leak sensitive data as a further incentive to victims to pay up.
In recent months, ransomware attacks shut down operations of Colonial Pipeline, a fuel transport company, leading to panic-buying gas shortages on the East Coast. Another attack struck the meat processing giant JBS, which reportedly paid $11 million in ransom. And numerous other institutions, from school districts to hospitals to a Massachusetts ferry service, have all seen disruption from ransomware infection.
While ransomware operations can be effectively self-funding based on their own ill-gotten gains, the burgeoning investment ecosystem provides a way for those in the data ransoming business to diffuse their risk, Krehel says. (He declined to comment in too much detail about what exactly the company has seen and how it got access to the information to avoid compromising its methods).
“You can put all your money in one basket or you can diversify,” he says.
New ransomware operations do have some startup costs, depending on exactly what they’re trying to achieve, Krehel says. They may need skilled coders to build or tweak the malware itself, and they need server infrastructure to process payments and distribute passwords to let those who pay decrypt their files. They also need to get access to valuable targets, which they can arrange themselves through phishing attacks or by probing networks for vulnerabilities, or by working with a class of cybercriminals known as initial access brokers, who do that work and then sell access to the compromised systems.
The cybersecurity company Intel 471 recently pointed out that a Russian-language cybercrime forum held a contest for technical papers presenting novel ways to hack cryptocurrency-related technology, including stealing crypto wallets, with more than $100,000 in prizes offered. It follows previous contests with smaller prize purses sponsored by other underground forums and even some ransomware groups in a continuing cat-and-mouse game with well-funded cybercriminals on one side and cybersecurity vendors and researchers on the other.
Everybody’s trying to innovate, even the criminals.”
Brandon Hoffman, Intel 471
“It’s very similar to the conferences that we on the defensive side are trying to run,” says Intel 471 chief information security officer Brandon Hoffman. “Everybody’s trying to innovate, even the criminals.”
In general, experts have been saying cybercrime—ransomware in particular—is becoming increasingly big business, with so-called ransomware-as-a-service companies offering ransomware for others with access to particular victims to use in exchange for a cut of the proceeds. DarkSide, the now purportedly defunct group said to be behind the Colonial Pipeline hack, was dubbed “ransomware-as-a-corporation” by the cybersecurity company Digital Shadows for its targeted approach and professional level of communications, including press releases.
To Krehel, the danger is that the venture capital approach will lead to the same kind of rapid advances previous seen in other areas of software and digital technology, making it increasingly easy to run a ransomware operation, just as it previously became easier to run an online store or other digital business.
“This is like what happened in Silicon Valley when all the investment money came in,” he says. “These enterprises are going to be much smoother to operate.”
