Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2016
10:00 AM
Ran$umBin Ran$omBin
Ran$umBin Ran$omBin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Crowdsourcing The Dark Web: A One-Stop Ran$om Shop

Say hello to Ran$umBin, a new kind of ransom market dedicated to criminals and victims alike.

Ransom attacks are at an all-time high; more and more criminals are using common tools to steal data and extort data owners. But this type of attack can be risky for the cybercriminal because, unlike stealthy advanced attacks, such operations require interaction with the victim. Furthermore, even if the victim is willing to pay to get their stolen data back, monetizing these attacks isn't so easy: not every criminal knows how to find a trustworthy Bitcoin launderer, or how to monetize their crime with minimal risk.

One cyber underground group saw this as a golden opportunity and created Ran$umBin, a Dark Web service that acts as a one-stop shop for monetizing ransomware. The website is dedicated to criminals and victims alike: it lets criminals upload stolen data (embarrassing information, user credentials, credit data, stolen identities, and any other kind of cyber-loot), and lets victims pay for the removal of said stolen data from the Dark Web, where it could be bought by any cybercriminal who's willing to pay.  

Source: Cymmetria
Source: Cymmetria

Ran$umBin has been active for under two months; it is very user-friendly and its business model is simple: hackers can upload stolen data and either sell it to other criminals or extort the data's owner – while the site takes commission. The site's cut is based on who the data owner is: criminals who want to buy data belonging to a pedophile would pay $100 and the site would take a 30% commission; if a criminal is looking for data belonging to a celebrity or a law enforcement representative, the price could be double and the commission would climb to 40%. Alternatively, the hacker who uploads the data can choose their own ransom demand and simply send their victim instructions on how to log in to Ran$umBin and pay. I've seen several Dox markets, but this one truly stands out: it’s a platform where any criminal can use what other criminals have stolen, like a cyber-ransom Uber or AirBnB.

Honor among thieves?

The people behind Ran$umBin define their initiative as a new kind of one-stop ransom market. They don't send extortion messages to victims, and see themselves as responsible only for the safety and privacy of their users. But what if a victim is being extorted over and over again using Ran$umBin? The operators say they try to make sure nobody is extorted more than 10 times, in order to keep their offerings fresh (but don't make any promises). While the operators mentioned that the stolen data is validated to make sure it's not old or irrelevant, they did not explain how this is done.

It is unknown who runs this operation, but their language and lingo, and the service's structure, suggest that these are American players. They try to promote Ran$umBin using a designated Twitter account, and have already gained some traction among cybercriminals: the service has been recommended on different forums, Dark Web and listed sites alike.

The cyber underground is teeming with markets of all kinds, so this type of service was certain to evolve. Ransom tools are cheaper and more available than ever before, and many criminals use them. The ability to sell Dox with minimal risk might appeal to many criminals, especially newcomers who don't have the right connections and can't tell who to trust. If Ran$umBin's operators are indeed Americans, their initiative might not hold for long; the North American underground market is less secretive than similar markets in Russia, Brazil, or the Far East. Therefore, websites are taken down more often by authorities. For the victims' sake, lets hope that this one will suffer a similar fate.

Related Content: 

 

Nitsan Saddan leads Cymmetria's threat intelligence research and manages the company's content. He is responsible for discovering new connections between threat actors, new attacker abilities and possible risk factor in order to help produce better enterprise-grade ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5226
PUBLISHED: 2020-01-24
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapp...
CVE-2019-1517
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1518
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1519
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1520
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.