If you want to extort millions of dollars from a large U.S. company, you can't do it alone. It takes a village. A village of hackers with advanced computer skills, who hang out on the Dark Web, and most likely live in Russia.
"Ransomware has become a huge business, and as in any business, in order to scale it, they're coming up with innovative models." said Dmitri Alperovitch, head of the technology group Silverado Policy Accelerator in Washington.
At Wednesday's summit in Geneva, President Biden called on Russian President Vladimir Putin to crackdown on cyber crimes. But the Russian leader has shown little interest in combatting an emerging criminal industry in his country that's called 'ransomware-as-a-service.'
Three key actors in ransomware
Alperovitch said this model is its own ecosystem that includes three key players. The top tier is made up of small gangs that make the sophisticated malware that locks up the computer systems and encrypts the data at targeted companies.
More than a hundred such groups are believed to be active, though Alperovitch estimates about a dozen are doing this on a large scale. Russia and neighboring countries account for many of the gangs, he said. The best known include DarkSide, blamed for the attack on Colonial Pipeline, and REvil, accused in the hack of the meat supplier JBS.
But, he added, "The people that are building the software are not actually the ones, most of the time, that are going to use it. They're going to recruit others."
Wendi Whitmore, a senior vice president at the cybersecurity firm Palo Alto Networks, said these malware makers figured out it's more lucrative to disseminate their crippling software through a second key group, known as "affiliates."
"What they're doing is outsourcing parts of the supply chain, and then giving these (affiliates) that they work with a cut of the profits," she said.
'Affiliates' carry out the attack
The affiliates do much of the actual work. They launch the malware attack, demand the ransom, negotiate with the victimized company, and collect the money, almost always in a cryptocurrency like Bitcoin.
As a result, the affiliates usually keep most of the money, often 75 percent or more.
Still, the affiliates can't unleash these strikes until they first gain access to a company's computer network.
This brings us to the third key group — the old-fashioned hackers, or access brokers, who find a way in. If you need these guys, you'll find them on the Dark Web.
"You go into the underground forums and there's this whole category of threat actors we call an access broker," said Adam Meyers, senior vice president for intelligence at the cyber defense firm CrowdStrike. "And what they do all day is hacking into different businesses. And then they advertise that access. You want say, company X, it's four thousand dollars."
A small price to pay if that access then leads to a multi-million dollar ransom.
Criminals trusting criminals
Of course, all these relationships require a lot of trust among criminals hiding behind online pseudonyms.
"How do you trust someone who is fundamentally untrustworthy, who is fundamentally a thief?" said Alperovitch.
"It's very difficult to get into these criminal forums. You kind of have to prove that you're a criminal by committing some act of cybercrime," he added. "They validate that you're not law enforcement. That's been a huge problem for them in the past."
Another potential pitfall is success — or more precisely — too much of it.
Ransomware groups that repeatedly pull off big heists quickly develop a reputation. While the hackers may be protected by living in a country like Russia, they still draw attention from Western cybersecurity companies and law enforcement.
These successful groups sometimes disband temporarily and lay low — only to later resurface later under a different name.
"It may be a new group, and a new team with a new coach, but they've got very capable team members," said Wendi Whitmore.
In a new report on the costs of ransomware, the firm Cybereason found that the costs of recovering from an attack often far exceed the ransom payment itself.
A survey found that even when the hackers provided a "key" to unlock data following a ransom payment, information was corrupted in nearly nearly half the cases. Also, about two-thirds of companies reported significant drops in revenue following an attack.
At Wednesday's summit, Biden said he would respond if the U.S. continues to be hit, especially in a critical industry, like energy supplies of the water system.
"Responsible countries need to take action against criminals who conduct ransomware activities on their territory," Biden said at a news conference immediately following the summit.
Russian hackers already take precautions not to hit organizations in their homeland or in friendly countries. Putin could tell Russian hackers to cut out the attacks on the U.S. if he wants to, said Alperovitch.
"They're not part of his inner circle. They're not generating any significant revenue for the Russian state," Alperovitch noted. "So this is the one issue that, if pressed on, Putin can actually give on, and and we can get some concessions."
So will he? Biden said he expects the answer to be clear within a few months.
Greg Myre is an NPR national security correspondent. Follow him @gregmyre1.
You won’t find a paywall here. Come as often as you like — we’re not counting. You’ve found a like-minded tribe that cherishes what a free press stands for. If you can spend another couple of minutes making a pledge of as little as $5, you’ll feel like a superhero defending democracy for less than the cost of a month of Netflix.