As prolific and intrusive as ransomware has become, it would seem that the majority of cybercriminals are reveling in this lucrative attack vector. But a new report from security firms Anomali and Flashpoint found that there are many dark web forum administrators facing an ethical dilemma about its sale.

Money is the biggest priority for hackers, and ransomware is designed to be an easy attack vector. In just one click, they can send millions of messages, and with just a handful of paid ransoms, hackers can make thousands of dollars.

But prior to 2016, Russian underground administrators believed ransomware shouldn’t be used, as it wasted botnet installs and exploit kits, while others dubbed it a ‘low-end maneuver’ resulting in ‘intellectual death.’

An ethical dilemma

Ransomware first gained traction in 2016. The attack on Hollywood Presbyterian Medical Center was the first major hack on the healthcare industry that signaled what was to come. Hackers demanded the hospital pay about 40 bitcoin or about $17,000 at the time -- or risk a shutdown of operations.

The hospital paid up. And the attack again struck up the divisive conversation among hackers.
“The targeting and exploitation of Westerners -- in particular United States citizens -- is highly encouraged,” the researchers wrote. “Nevertheless, news of the attack against Hollywood Presbyterian was coldly received by Eastern European cybercriminals, many of whom regarded the incident as reckless and unacceptable.”

Some reputable members expressed frustration and condemned those who attack hospitals, while those who support and or sell the malware left emotion out of the equation: “[the attackers] scored. It means everything was done properly.”

In the months that followed in 2016 -- dubbed ‘The Year of Ransomware’ -- ransomware increased a whopping 6000 percent. Adding to its continued proliferation was the fact 70 percent of victims chose to pay the ransom, making it one of the most profitable attack vectors.

However, ethical concerns reared its head again in 2017 after WannaCry and Petya, specifically the WannaCry attack that shut down a large portion of the U.K. National Health Service.

Citing issues like too much noise, low-level crime and unethical, the researchers found that many threat actors are contemplating a ban on ransomware.

“It attracts attention to malware and causes companies to introduce measures to increase their security,” said one hacker. “It increases general awareness of topics related to information security.”

Other concerns were about ransomware causing organizations -- or potential victims -- to block malware tools.

“Allowing ransomware operators on the forum, we are digging our own grave,” the hacker continued. “Of course, banning this work on the forum doesn’t stop this type of business, but as a minimum, we can use community disapproval to make it more difficult to enter into it.”

Nearly 49 percent of the threat actors shared support of the ban. Those hackers not on board stressed that ransomware use is a personal decision. In fact, some threat actors pointed out there is only one rule on the dark web: Don’t target Russia.

Will ransomware fall to the wayside?

Don’t count on it.

“These multi-stage attacks and the high success rate ensure that the propensity of ransomware attacks is not declining in the near future,” ICIT Senior Fellow James Scott said. “Too many victims remain susceptible.”

“Consider that if ransomware were in decline, the ethical debate concerning victim choice would not have remained as consistent on low-level forums before and after massive attacks such as Hollywood Presbyterian,” he added.

In fact, Scott said he thinks that ransomware’s focus has slightly shifted since the mass proliferation in 2016. While it’s not necessarily the fastest profit generator anymore, ransomware is the new distributed-denial-of-service (DDoS) attack.

Consider Petya: The hackers disguised the wiper malware as ransomware. It dictated the media coverage, which allowed the virus to follow through with its true purpose -- to destroy data. In just a few hours the massive attack shut down a large portion of the Ukrainian government, while many large organizations like FedEx, Merck and Nuance are still attempting to get operations back to normal.

To Scott, it’s important to note the research focused on forums where the administrators are more revered. But not all dark web forums are created equal.

“On other forums, ransomware is not as taboo,” said Scott. “Many Deep Web market users buy whatever malware suits their intended attack without consulting the opinions of moderators or other members.”

Further, “most vocal forum users are script kiddies, hacktivists, and cyber-criminals. They participate on forums for attention and launch attacks for profit,” he added. “These are the attackers who might question the ethical dilemmas before launching an attack because they are not as technologically sophisticated or as capable as higher level attackers.”

Scott also noted that the more advanced, sophisticated cybercriminals rely on ransomware as a distraction for larger, multi-stage attack campaigns. Essentially, while responders handle the initial ransomware attack, the hackers are already deploying malware across the networks and exfiltrating data.

“In addition to theft, if all or most backup and redundancy systems were infected with ransomware then the victim cannot know if an attacker altered critical data sets,” said Scott. 

“Ransomware is not as profitable as some other malware campaigns, but it is much more distracting. It increases the success rate of other attacks, which may not be launched for profit.”

And for healthcare organizations, it’s these types of attacks that should be most alarming, as spikes in successful ransomware attacks are caused by low-level attackers hoping to find similar success.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com