It's true: Russia really is the centre of ransomware development - Kaspersky

47 out of the 62 crypto-ransomware families developed by Russian-speaking cyber-crooks

Russian security software company Kaspersky has revealed that 75 per cent of the top crypto-ransomware packages it has researched in the past year were developed by Russian, or Russian-speaking, cyber criminals.

The news was revealed by Kaspersky senior malware analyst Anton Ivanov at the RSA Security conference in San Francisco, California yesterday.

"Out of the 62 crypto ransomware families discovered by the company's researchers in the past year, 47 of them were developed by Russian-speaking cybercriminals," according to Kaspersky's Jeffrey Esposito, covering Ivanov's presentation for Kaspersky.

He continued: "What makes that figure even more staggering is that these ransomware families according to Kaspersky Lab telemetry attacked more than 1.4 million people around the globe in 2016."

The reason why ransomware has exploded in recent years, according to Ivanov, is because it has become relatively easy to buy a ransomware build or 'builder' on the underground market, as well as related services, and because crypto-currencies, like bitcoin, make it quick and easy to monetise.

"In other words, this is a fine tuned, user friendly and constantly developing ecosystem," writes Ivanov in a paper examining the industry.

"It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin, but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighbouring countries," added Ivanov.

He continued: "Another possible reason is that the Russian cybercriminal underground has the richest background when it comes to ransomware schemes. Prior to the current crypto ransomware wave, there was another ransomware-themed malware epidemic.

"Between approximately 2009 and 2011, thousands of users in Russia and its neighboring countries experienced attacks which used so-called Windows- or browser-lockers.

"This type of ransomware blocks the user's access to their browser or OS and then demands a ransom in exchange for unlocking access.

"The epidemic withered for a number of reasons: law enforcement agencies responded adequately and caught several criminals involved in the business; mobile operators made the process of withdrawing money through premium SMS services harder; and the security industry invested a lot of resources into developing free unlocking services and technologies."

The business model of ransomware has also become highly sophisticated, with the ecosystem even offering affiliate programmes, with special schemes for "specific partners", according to Ivanov.

"Unlike the programs for everyone, 'elite' programs won't accept just any kind of partner. In order to become a partner in an elite program, a candidate has to provide a personal recommendation from one of the acting partners in the program. Besides that, the candidate must prove that they have certain malware distribution capabilities.

"In one case we observed in the last year, the candidate had to demonstrate their ability to complete at least 4000 successful downloads and installations of the malware on victim PCs.

"In exchange, the partner gets some free tools for the obfuscation of ransomware builds (in order to make them less visible to security solutions) and a good conversion rate - up to three per cent, which is a very good deal," according to Ivanov.