The increasing sophistication of the cybercriminal underground is now reflected in how ransomware operations assemble their crews, seeking out specialist talent and skillsets. Indeed, according to new research from Kela, a threat intelligence service provider, some gangs are coming to resemble corporations, with diversified roles and outsourced negotiations with victims. Kela analyst Victoria Kivilevich and other team members spent over a year monitoring the dark web cyber job ecosystem. They quickly established the existence of four primary areas of specialization:
- Coding or acquiring malware with the needed capabilities.
- Infecting targeted victims.
- Maintaining access to victim systems, and exfiltrating and processing their data.
- Monetization: cashing out, selling, or otherwise profiting from the stolen data.
Each stage involves various malicious activities where different skills come in handy. Kivilevich said her team had found that, looking specifically at the ransomware supply chain, many actors concentrate in two niches: extraction, where actors escalate their privileges within the compromised network, and monetization, where actors extract ransoms during negotiations with victims.
Kela found that people with the appropriate – and not necessarily technical – skillsets to succeed in ransom negotiations are particularly valued. “We observed multiple posts [on the dark web] describing a new role in the ransomware ecosystem, negotiators, whose purpose is to force the victim to pay a ransom using insider information and threats,” said Kivilevich.
“Victims started using negotiators – while a few years ago there was no such profession, now there is a demand for negotiating services. Ransomware negotiation specialists partner with insurance companies and have no lack of clients. Ransom actors had to up their game as well to make good margins.
“As most ransom actors probably are not native English speakers, more delicate negotiations – specifically around very high budgets and surrounding complex business situations – required better English. When REvil’s representative was looking for a ‘support’ member to hold negotiations, they specifically mentioned ‘conversational English’ as one of the demands. This is not a new case: actors are interested in native English speakers to use for spear-phishing campaigns.”
Kivilevich found several threads on Russian-speaking underground forums where cybercriminals sought negotiators and discussed their work.
In the image below – which Kela translated from Russian using Google services – a threat actor who has already established persistence on the network of a victim in Saudi Arabia appears to call for an insider, or someone with contacts, at Middle Eastern cyber security companies who can hand over contact details for the victim’s IT managers so that negotiations can begin. Remuneration, in this case, would be between $1m and $5m (£720,000 to £3.6m, or €840,000 to €4.22m), likely about 20% of the ransom.
And just as a legitimate organization might book a contractor who turns out to be a bad fit, ransomware gangs can also make bad hiring decisions. On some forums, Kela found evidence of disagreements between ransomware gangs and their hired guns (see image below).
In one documented instance, miscommunication between a Conti affiliate and a hired negotiator blew up into an outright dispute during the attempted April 2021 extortion of the Broward County Public School District in Florida.
The negotiator claimed to have insider information that would force the victim to pay up – they had demanded $40m, a massive overreach – but then accused Conti’s affiliate of meddling in the negotiations and ruining their efforts. Conti countered by accusing the negotiator of behaving unprofessionally.
Others then weighed in on the forum with their experiences. A representative of REvil – currently at the center of the unfolding Kaseya incident – accused the negotiator of being a scammer.
Kela’s report goes into more detail about some of the specialist roles ransomware operators are prepared to pay big bucks for, such as initial access brokers, intrusion specialists (or penetration testers), and owners of botnets for associated distributed denial of service (DDoS) attacks.