An assessment of ransomware distribution on darknet markets | Grind Tech


Ransomware is a type of malicious software (malware) that restricts access to computer files, systems, or networks until a ransom is paid. In essence, a criminal creates or purchases ransomware and then uses it to infect the target system. Ransomware is distributed in several ways, including but not limited to links to malicious websites, infected USB drives, and phishing emails. Once the system is infected, the criminal encrypts the device and demands payment for the decryption key. Figure 1 provides a simplified overview of the ransomware timeline.

Figure 1. Ransomware timeline.

The first recorded case of ransomware was the AIDS Trojan, which was released in the late 1980s. Now, in 2023, ransomware is considered the biggest cybersecurity threat because of the frequency and severity of attacks. In 2021, the Internet Crime Complaint Center received more than 3,000 ransomware reports totaling $49.2 million in losses. These attacks are especially problematic from a national security perspective, as hackers aggressively target critical infrastructure such as the healthcare industry, the energy sector, and government institutions.

If ransomware has been around for over 40 years, why is it gaining popularity now? We argue that the rise in ransomware attacks can be attributed to the availability of ransomware sold on darknet marketplaces.

Dark web markets

Dark web marketplaces provide a platform for cybercriminals to buy, sell, and trade illicit goods and services. In a study funded by the Department of Homeland Security, Howell and Maimon found that dark web marketplaces generate tens of millions of dollars in revenue selling stolen data products, including malware used to infect devices and steal personally identifiable information. The Cybercrime Interdisciplinary Behavioral Research (CIBR) lab at the University of South Florida (USF) sought to expand on this research. To do so, we gathered cyber intelligence from dark web markets to produce a ransomware distribution threat assessment. This report presents an overview of the key findings and the corresponding implications.

Threat assessment

While drugs remain the most popular commodity on dark web markets, our threat intelligence team has seen a rise in ransomware (and other hacking services).

The study was conducted between November 2022 and February 2023. We began by searching Tor for darknet marketplaces that advertised illicit products. In total, we identified 50 active markets, which is more than all previous studies. We then searched for vendors advertising ransomware in these markets, identifying 41 vendors that are actively selling ransomware products. The number of marketplaces and vendors highlights the availability of ransomware and the ease of access. Interestingly, we found more markets than vendors. Ransomware vendors advertise their products on multiple illicit marketplaces, increasing vendor revenue and market resilience. If a market goes offline (taken down by law enforcement or hackers), customers can shop with the same vendor at multiple stores.

The 41 identified vendors advertised 98 unique ransomware products. This also shows the accessibility of various forms of ransomware readily available for purchase. We extracted product description, price, and transaction information into a structured database file for analysis. In total, we identified 504 successful transactions (within a 4-month period) with prices ranging from $1 to $470. On average, ransomware sold on the darknet for $56, and the top-selling product was purchased 62 different times for $14 per sale. A screenshot of the best-selling ransomware advertisement is provided in Figure 2. This product is listed as fully customizable, allowing the buyer to choose their target and ransom amount. These findings illustrate that ransomware sold on the dark web is affordable and easy to use.

Figure 2. Ransomware advertisement found on a darknet market.

Purchases on the dark web are facilitated using cryptocurrencies that anonymize the transaction and ensure protection for both buyer and vendor. Bitcoin is the preferred payment method, but some vendors also accept DOGE, Bitcoin Cash, Litecoin, and Dash.

Our final goal was to understand which terms are associated with ransomware distribution. Using the product descriptions, we created a word cloud (provided in Figure 3) to represent the most common terms used when advertising ransomware. Commonly used terms include ransomware, encrypt, systems, urgency, decryption, victims, and software. Knowing the terms associated with the distribution of ransomware makes it possible to develop machine learning algorithms capable of detecting and preventing illicit transactions.

Figure 3. The most used terms in a ransomware advertisement.
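The step from a term list to a detector, as an added example that is not part of the study or the authors' code: it counts terms per class (the weights a word cloud draws) and turns them into smoothed log-odds scores for triaging new listings. The sample listings are constructed, and the log-odds weighting is an assumed simple method chosen for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample listings (not real marketplace data): (description, is_ransomware)
LISTINGS = [
    ("Customizable ransomware, encrypt victims systems, decryption key after payment", True),
    ("Ransomware software with urgency timer, victims pay for decryption", True),
    ("Ransomware builder: encrypt files on systems, set ransom amount", True),
    ("Stolen account logins, fresh and checked, instant delivery", False),
    ("Premium streaming accounts, lifetime warranty, instant delivery", False),
    ("Scanned documents pack, high quality, fast shipping", False),
]
STOPWORDS = {"a", "and", "after", "for", "on", "of", "the", "with", "set"}

def tokens(text):
    """Lowercase word tokens with stopwords removed."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]

def term_counts(listings, label):
    """Term frequencies for one class; these are the weights a word cloud draws."""
    counts = Counter()
    for text, is_ransomware in listings:
        if is_ransomware == label:
            counts.update(tokens(text))
    return counts

def log_odds(listings):
    """Add-one smoothed log-odds of each term appearing in ransomware vs other ads."""
    pos, neg = term_counts(listings, True), term_counts(listings, False)
    vocab = set(pos) | set(neg)
    n_pos, n_neg = sum(pos.values()), sum(neg.values())
    return {
        t: math.log((pos[t] + 1) / (n_pos + len(vocab)))
           - math.log((neg[t] + 1) / (n_neg + len(vocab)))
        for t in vocab
    }

def score(text, weights):
    """Sum of term weights; positive means the text resembles ransomware ads."""
    return sum(weights.get(t, 0.0) for t in tokens(text))

WEIGHTS = log_odds(LISTINGS)

if __name__ == "__main__":
    print(term_counts(LISTINGS, True).most_common(5))
    for ad in ("Ransomware kit, encrypt systems, decryption on payment",
               "Fresh accounts, instant delivery"):
        print(round(score(ad, WEIGHTS), 2), ad)
```

Terms that never appeared in the labelled listings contribute nothing to the score, so a real deployment needs a much larger labelled corpus and periodic retraining as vendor wording changes.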


The security concerns posed by ransomware and darknet markets have been independently identified by researchers, government agencies, and cybersecurity companies. We expand the discussion by assessing the synergistic threat posed by ransomware distributed through darknet marketplaces. Our findings suggest that the rise in ransomware may be attributable to product availability, affordability, and ease of use. Cybercriminals no longer need the advanced technical skills required to develop unique forms of ransomware. Instead, they can simply buy customizable ransomware on the dark web and launch an attack against their victims.


This research would not be possible without the students and faculty associated with the CIBR lab. In particular, we thank Taylor Fisher, Kiley Wong-Li, Mohamed Mostafa Abdelghan, Mostafa Dawood, and Sterling Michel for their continued involvement with the cyber intelligence team. For more cutting-edge cybersecurity research, follow Dr. C. Jordan Howell, Lauren Tremblay, and the CIBR Lab on Twitter: @Dr_Cybercrime, @darknetlaur and @CIBRLab.
