Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/26/2016
10:00 AM
Ran$umBin Ran$omBin
Ran$umBin Ran$omBin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Crowdsourcing The Dark Web: A One-Stop Ran$om Shop

Say hello to Ran$umBin, a new kind of ransom market dedicated to criminals and victims alike.

Ransom attacks are at an all-time high; more and more criminals are using common tools to steal data and extort data owners. But this type of attack can be risky for the cybercriminal because, unlike stealthy advanced attacks, such operations require interaction with the victim. Furthermore, even if the victim is willing to pay to get their stolen data back, monetizing these attacks isn't so easy: not every criminal knows how to find a trustworthy Bitcoin launderer, or how to monetize their crime with minimal risk.

One cyber underground group saw this as a golden opportunity and created Ran$umBin, a Dark Web service that acts as a one-stop shop for monetizing ransomware. The website is dedicated to criminals and victims alike: it lets criminals upload stolen data (embarrassing information, user credentials, credit data, stolen identities, and any other kind of cyber-loot), and lets victims pay for the removal of said stolen data from the Dark Web, where it could be bought by any cybercriminal who's willing to pay.  

Source: Cymmetria
Source: Cymmetria

Ran$umBin has been active for under two months; it is very user-friendly and its business model is simple: hackers can upload stolen data and either sell it to other criminals or extort the data's owner – while the site takes commission. The site's cut is based on who the data owner is: criminals who want to buy data belonging to a pedophile would pay $100 and the site would take a 30% commission; if a criminal is looking for data belonging to a celebrity or a law enforcement representative, the price could be double and the commission would climb to 40%. Alternatively, the hacker who uploads the data can choose their own ransom demand and simply send their victim instructions on how to log in to Ran$umBin and pay. I've seen several Dox markets, but this one truly stands out: it’s a platform where any criminal can use what other criminals have stolen, like a cyber-ransom Uber or AirBnB.

Honor among thieves?

The people behind Ran$umBin define their initiative as a new kind of one-stop ransom market. They don't send extortion messages to victims, and see themselves as responsible only for the safety and privacy of their users. But what if a victim is being extorted over and over again using Ran$umBin? The operators say they try to make sure nobody is extorted more than 10 times, in order to keep their offerings fresh (but don't make any promises). While the operators mentioned that the stolen data is validated to make sure it's not old or irrelevant, they did not explain how this is done.

It is unknown who runs this operation, but their language and lingo, and the service's structure, suggest that these are American players. They try to promote Ran$umBin using a designated Twitter account, and have already gained some traction among cybercriminals: the service has been recommended on different forums, Dark Web and listed sites alike.

The cyber underground is teeming with markets of all kinds, so this type of service was certain to evolve. Ransom tools are cheaper and more available than ever before, and many criminals use them. The ability to sell Dox with minimal risk might appeal to many criminals, especially newcomers who don't have the right connections and can't tell who to trust. If Ran$umBin's operators are indeed Americans, their initiative might not hold for long; the North American underground market is less secretive than similar markets in Russia, Brazil, or the Far East. Therefore, websites are taken down more often by authorities. For the victims' sake, lets hope that this one will suffer a similar fate.

Related Content: 

 

Nitsan Saddan leads Cymmetria's threat intelligence research and manages the company's content. He is responsible for discovering new connections between threat actors, new attacker abilities and possible risk factor in order to help produce better enterprise-grade ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.