Cybercrime, Cybercrime as a Service, Endpoint Security
Using affiliates allows for collective profits but leaves operators more exposed
Matthew J. Schwartz (Uranfusic) •
November 12, 2020
Darkside is the latest ransomware gang to announce that it has launched an affiliate program as part of its attempt to maximize revenue.
In recent days, the operators behind Darkside have taken to XSS and Exploit — two major Russian-language cybercrime forums — to announce details of the gang’s new affiliate program, according to a report by Israeli cyber intelligence watchdog Kela.
“The share paid to affiliates is 75% to 90%, depending on the size of the ransom.” – Kela
Here’s how these affiliate programs work: Ransomware operators provide malicious encryption-locking code to third parties. Each affiliate receives a version of the code with its own unique embedded identifier. For every victim who pays a ransom, the affiliate shares the proceeds with the ransomware operator.
For example, the affiliate program operated by Sodinokibi – also known as REvil – was, as of last year, giving 30% of each ransom payment to the affiliate, rising to 40% after three successful ransom payments (see: The Sodinokibi ransomware gang appears to be making a killing).
Darkside’s terms and conditions differ. “They report that their average payments to their affiliates are around $400,000 and the share paid to affiliates is around 75-90% of each payment, depending on the size of the ransom, with the ransomware operators keeping the rest,” Kela says, noting that Darkside claims the average ransom it receives is between $1.6 million and $4 million.
Affiliate programs for ransomware abound. Victoria Kivilevich, a threat intelligence analyst at Kela, says that some of the more well-known “big” ransomware operators who run affiliate programs – as well as blogs to leak stolen data – include:
Other ransomware operations — some still active, some not — that ran affiliate programs include Chimera, CryLock, Exorcist, Gretta, Makop, Thanos and Zeppelin, she said.
Affiliate Program Pros
Running an affiliate program offers many rewards. For starters, the ransomware operator deals with the technical side, including “product updates”. Once the operator has built all the required infrastructure – usually including a self-service portal for victims to pay – they can, in theory, scale up to handle as many affiliates as they want. The crowdsourcing model gives them the potential to generate much greater profits than they could by attacking victims themselves. Meanwhile, affiliates do not need to create and maintain their own malware and infrastructure.
Other gains include the operation’s ability to attract specialists – in network penetration, for example – who can focus on hitting victims while leaving technical support and, so to speak, customer service to the operator.
Two major downsides
So, what are the disadvantages of running an affiliate program? Kivilevich highlights two main problems: reputation and infiltration.
“If an affiliate does something bad, it reflects on the operator, as Darkside noted in one of its posts. For example, when a SunCrypt affiliate attacked hospitals, you see SunCrypt write: ‘A new affiliate shut them down unknowingly, which is why he was punished! Hospitals, government, airports, etc., we don’t attack,’” she says.
Reliance on affiliates also means that a ransomware operation may inadvertently recruit undercover security researchers or law enforcement agents who can “gather more intelligence about their activities,” says Kivilevich.
How big a threat does Darkside pose? The operators say the crypto-locking malware that Darkside provides to affiliates can encrypt files on both Windows and Linux. Researchers at Russian security firm Kaspersky recently determined that the RansomEXX ransomware can also encrypt files on Linux systems (see: RansomEXX ransomware can now target Linux systems).
Like many types of malware, Darkside is designed not to infect computers located in any of the post-Soviet CIS member states, which include Russia and 11 other countries (see: A reminder of Russia’s cybercrime rule: Never hack Russians).
As proof of its success so far, Darkside has deposited 20 bitcoins – worth about $315,000 – on the XSS forum. Kivilevich says this is “a common way ransomware gangs will use to show that their operations are making a lot of money.”
Like many other ransomware operations, the gang maintains a leak site, where it names and shames victims, and may post samples of stolen data to try to pressure victims into paying (see: Data mining from ransomware makes false promises).
However, it is not yet clear how many organizations Darkside or its affiliates may have hit.
“Darkside has been relatively quiet since the gang’s appearance. They only posted four victims on their site, with one removed,” Kivilevich says. “It’s possible that the gang is expanding their efforts, which means we can expect to see them carry out more attacks.”
In a possible attempt to increase profits, the gang has announced that it is looking for initial access brokers who can give it access to US companies with at least $400 million in annual revenue.
“Darkside has big goals,” Kivilevich says, adding that it is the first time she has seen “ransomware operators offering initial access brokers the opportunity to deal with them directly” rather than relying on “affiliates or other brokers.”
As always with ransomware, criminal innovation – in a constant drive by attackers to maximize profits – appears to be paying off at the victims’ expense.
This piece has been updated to clarify how much DarkSide pays to affiliates.