Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2016
10:00 AM
Ran$umBin Ran$omBin
Ran$umBin Ran$omBin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Crowdsourcing The Dark Web: A One-Stop Ran$om Shop

Say hello to Ran$umBin, a new kind of ransom market dedicated to criminals and victims alike.

Ransom attacks are at an all-time high; more and more criminals are using common tools to steal data and extort data owners. But this type of attack can be risky for the cybercriminal because, unlike stealthy advanced attacks, such operations require interaction with the victim. Furthermore, even if the victim is willing to pay to get their stolen data back, monetizing these attacks isn't so easy: not every criminal knows how to find a trustworthy Bitcoin launderer, or how to monetize their crime with minimal risk.

One cyber underground group saw this as a golden opportunity and created Ran$umBin, a Dark Web service that acts as a one-stop shop for monetizing ransomware. The website is dedicated to criminals and victims alike: it lets criminals upload stolen data (embarrassing information, user credentials, credit data, stolen identities, and any other kind of cyber-loot), and lets victims pay for the removal of said stolen data from the Dark Web, where it could be bought by any cybercriminal who's willing to pay.  

Source: Cymmetria
Source: Cymmetria

Ran$umBin has been active for under two months; it is very user-friendly and its business model is simple: hackers can upload stolen data and either sell it to other criminals or extort the data's owner – while the site takes commission. The site's cut is based on who the data owner is: criminals who want to buy data belonging to a pedophile would pay $100 and the site would take a 30% commission; if a criminal is looking for data belonging to a celebrity or a law enforcement representative, the price could be double and the commission would climb to 40%. Alternatively, the hacker who uploads the data can choose their own ransom demand and simply send their victim instructions on how to log in to Ran$umBin and pay. I've seen several Dox markets, but this one truly stands out: it’s a platform where any criminal can use what other criminals have stolen, like a cyber-ransom Uber or AirBnB.

Honor among thieves?

The people behind Ran$umBin define their initiative as a new kind of one-stop ransom market. They don't send extortion messages to victims, and see themselves as responsible only for the safety and privacy of their users. But what if a victim is being extorted over and over again using Ran$umBin? The operators say they try to make sure nobody is extorted more than 10 times, in order to keep their offerings fresh (but don't make any promises). While the operators mentioned that the stolen data is validated to make sure it's not old or irrelevant, they did not explain how this is done.

It is unknown who runs this operation, but their language and lingo, and the service's structure, suggest that these are American players. They try to promote Ran$umBin using a designated Twitter account, and have already gained some traction among cybercriminals: the service has been recommended on different forums, Dark Web and listed sites alike.

The cyber underground is teeming with markets of all kinds, so this type of service was certain to evolve. Ransom tools are cheaper and more available than ever before, and many criminals use them. The ability to sell Dox with minimal risk might appeal to many criminals, especially newcomers who don't have the right connections and can't tell who to trust. If Ran$umBin's operators are indeed Americans, their initiative might not hold for long; the North American underground market is less secretive than similar markets in Russia, Brazil, or the Far East. Therefore, websites are taken down more often by authorities. For the victims' sake, lets hope that this one will suffer a similar fate.

Related Content: 

 

Nitsan Saddan leads Cymmetria's threat intelligence research and manages the company's content. He is responsible for discovering new connections between threat actors, new attacker abilities and possible risk factor in order to help produce better enterprise-grade ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.