Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2016
10:00 AM
Ran$umBin Ran$omBin
Ran$umBin Ran$omBin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Crowdsourcing The Dark Web: A One-Stop Ran$om Shop

Say hello to Ran$umBin, a new kind of ransom market dedicated to criminals and victims alike.

Ransom attacks are at an all-time high; more and more criminals are using common tools to steal data and extort data owners. But this type of attack can be risky for the cybercriminal because, unlike stealthy advanced attacks, such operations require interaction with the victim. Furthermore, even if the victim is willing to pay to get their stolen data back, monetizing these attacks isn't so easy: not every criminal knows how to find a trustworthy Bitcoin launderer, or how to monetize their crime with minimal risk.

One cyber underground group saw this as a golden opportunity and created Ran$umBin, a Dark Web service that acts as a one-stop shop for monetizing ransomware. The website is dedicated to criminals and victims alike: it lets criminals upload stolen data (embarrassing information, user credentials, credit data, stolen identities, and any other kind of cyber-loot), and lets victims pay for the removal of said stolen data from the Dark Web, where it could be bought by any cybercriminal who's willing to pay.  

Source: Cymmetria
Source: Cymmetria

Ran$umBin has been active for under two months; it is very user-friendly and its business model is simple: hackers can upload stolen data and either sell it to other criminals or extort the data's owner – while the site takes commission. The site's cut is based on who the data owner is: criminals who want to buy data belonging to a pedophile would pay $100 and the site would take a 30% commission; if a criminal is looking for data belonging to a celebrity or a law enforcement representative, the price could be double and the commission would climb to 40%. Alternatively, the hacker who uploads the data can choose their own ransom demand and simply send their victim instructions on how to log in to Ran$umBin and pay. I've seen several Dox markets, but this one truly stands out: it’s a platform where any criminal can use what other criminals have stolen, like a cyber-ransom Uber or AirBnB.

Honor among thieves?

The people behind Ran$umBin define their initiative as a new kind of one-stop ransom market. They don't send extortion messages to victims, and see themselves as responsible only for the safety and privacy of their users. But what if a victim is being extorted over and over again using Ran$umBin? The operators say they try to make sure nobody is extorted more than 10 times, in order to keep their offerings fresh (but don't make any promises). While the operators mentioned that the stolen data is validated to make sure it's not old or irrelevant, they did not explain how this is done.

It is unknown who runs this operation, but their language and lingo, and the service's structure, suggest that these are American players. They try to promote Ran$umBin using a designated Twitter account, and have already gained some traction among cybercriminals: the service has been recommended on different forums, Dark Web and listed sites alike.

The cyber underground is teeming with markets of all kinds, so this type of service was certain to evolve. Ransom tools are cheaper and more available than ever before, and many criminals use them. The ability to sell Dox with minimal risk might appeal to many criminals, especially newcomers who don't have the right connections and can't tell who to trust. If Ran$umBin's operators are indeed Americans, their initiative might not hold for long; the North American underground market is less secretive than similar markets in Russia, Brazil, or the Far East. Therefore, websites are taken down more often by authorities. For the victims' sake, lets hope that this one will suffer a similar fate.

Related Content: 

 

Nitsan Saddan leads Cymmetria's threat intelligence research and manages the company's content. He is responsible for discovering new connections between threat actors, new attacker abilities and possible risk factor in order to help produce better enterprise-grade ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...