The researchers were with Flashpoint, an American cybersecurity company that investigates threats on the dark and deep web. Their undercover operation began when they came across a post on a Russian hacker forum on the dark web—a part of the internet that’s inaccessible to regular browsers—that read very much like a get-rich-quick ad you might find on Facebook.
“Good day. This offer is for those who want to earn a lot of money via, shall we say, not a very righteous path,” the ad began, according to Flashpoint’s report. “No fees or advance payments from you are required, only a large and pure desire to make money in your free time.”
The post went on to say that candidates weren’t required to have any particular prior experience. “Even a schoolboy” could do the job, the ad says, and the low-risk work comes with potentially high rewards. The Flashpoint researchers assumed a fake identity and responded.
They got the job, and were admitted to a small cybercrime ring loosely organized around a single crime boss, who farmed out much of his grunt work to a group of 10-15 “affiliates.” The group specialized in ransomware, a type of virus that infects a computer or server and locks away its contents with strong encryption. The attacker then demands a ransom—any amount from several hundred to several thousands of dollars—in exchange for the keys that will free the encrypted files.
In the crime ring, the business relationship was clearly delineated: The boss programmed custom ransomware viruses, which he then distributed to his affiliates. It was the affiliates’ job to infect targets and demand the ransom. Once they deployed the malware, the easy part of the job falls to the boss. He communicates with victims, extracts ransoms via Bitcoin, and shares 40 percent of each payment with the affiliate.
To convince the boss of their fake identities as Russian hackers, the Flashpoint researchers played along with his demands. “He thought that we were actually committing crimes,” said Andrei Barysevich, the firm’s director of Eastern European research and analysis. “He thought that we were infecting random people’s computers, and that we received payments from them, when in reality it was us doing it all in house: We infected our own computers, we made our own payments.”
Barysevich would not reveal how many computers the researchers infected, and how much money they paid out to the ransomware boss.
Posing as one of the kingpin’s 10 or 15 affiliates, the researchers found that they were afforded a surprising measure of independence. Affiliates were expected to find their own victims and set their own ransom demands. Some preferred to cast as wide a net as possible, using networks of compromised computers called botnets to infect many computers at once. Others preferred to chase high-value targets like rich individuals or critical services—think hospitals or government agencies—that might be willing to pay much higher ransoms to regain access to their systems.