In exchange for these "quality" tools and services, these cybercriminal platforms receive a portion of the ransoms as payment. These platforms charge various fees: 20% for Netwalker and up to 70% for other groups.
In our simulation, our group of cybercriminals has chosen to affiliate itself with the Egregor cartel, giving them about 30% commission for successful attacks.
Outsourcing parts of their cyberattacks allows less experienced cybercriminals to conduct more complex and ambitious raids and increase profits for the platforms. Thus, a team of affiliated cybercriminals will lead the attacks, heavily assisted by the Ransomware-as-a-Service cartel.
When cybercriminals are affiliated with a platform, their task becomes much easier. They no longer have to develop ransomware and an interface to drive the attack, nor do they have to manage the negotiations or the collection of the ransom. However, these affiliates remain responsible for the intrusion (via previously purchased access), the theft of data to facilitate negotiations, and the ransomware deployment.
Relationships on these platforms are primarily based on trust between the seller (the platform) and the buyer (the cybercriminal conducting the attack). Affiliated cybercriminals must first prove themselves in basic attacks, before earning the necessary trust to conduct more ambitious operations.
In our simulation, we have assumed that of the 20 companies attacked by the criminals, a large number of the attacks have succeeded. We have estimated, however, that only 4 victims (20%) have ultimately paid a ransom (negotiated down by 20% on average).
Cover your tracks and launder your money
Once the cyberattack is successfully completed, the cybercriminals have obtained a ransom paid in cryptocurrency, usually in Bitcoin. Although more confidential cryptocurrencies exist, such as Monero, Bitcoin's popularity has made it a perennial favorite.