Russian-speaking cybercriminals face dwindling financial returns after Russia’s invasion of Ukraine, with many scams rendered redundant almost overnight by sanctions and increased scrutiny of Russian entities, Digital Shadows researchers say.
Based on anecdotal feedback posted by Russian-speaking cybercriminals on an undisclosed forum, Digital Shadows’ Photon research team said financial success for cybercriminals often comes in peaks and troughs.
This is because even if threat actors are able to make a consistent profit through schemes that work for a period of time, the method used will eventually become redundant, forcing them to spend time and resources identifying new methods.
“Always jumping, some scheme works, you manage to milk it, then the method ends and again you look for another one, study it, it takes a long time,” said one user, according to a screengrab shared with Computer Weekly.
Digital Shadows added that, following Putin’s invasion of Ukraine, which prompted sanctions and increased scrutiny of all cyber activity originating from Russian entities, many cybercriminals will again have to refine and adapt their strategies “to get out of that trap”.
“A good example of this is the banning of GooglePay and other financial technologies for use across Russia. This makes many scams redundant almost overnight,” said the Digital Shadows researchers in a blog post published on 1 September 2022.
The researchers added that, according to another user of the forum, cybercriminals were able to earn as much as they liked before the conflict, but later they lost the ability to successfully conduct “shadow” work.
“In principle, I earned as much as I needed until special military operations began. I lost my shadow work, and only have [RUB] 30,000 left in my QIWI wallet and $80 in Bitcoin,” the user wrote.
The researchers also added that, for those still able to find shadow work, the prices they can charge have dropped drastically. For example, one user suggested that before the conflict, a threat actor could typically earn $500 for providing initial access to a targeted network.
“In the context of conversations, users are suggesting that prices have dropped significantly since that time,” the researchers wrote. “We’ve written many times about the rise of the Initial Access Broker (IAB) and how this type of threat actor has greatly aided cybercrime, but it’s possible that the market has become oversaturated with IABs and prices have fallen as a result.”
The current lack of income was echoed by other users, who suggested that alternative methods had not worked and that they were “tired of living in poverty”.
However, the researchers noted that while the current economic and geopolitical situation has stifled the earning power of Russian threat actors, this may be a short-term deterrent. “Many types of cybercrime, including ransomware and account takeovers, have thrived over the past year, and will likely continue to do so as we enter the final quarter of 2022,” they wrote.
They added that carding activity (a form of credit card fraud in which stolen credit cards are used to charge prepaid cards) has declined, though it’s hard to say whether the decline is a result of operations led by Russia’s Federal Security Service (FSB) before 2022, or a general change in cybercriminal attitudes towards such schemes.
“During recent deployments we identified that there was a feeling among some cybercriminals that carding is a declining industry form, from which regular returns are becoming increasingly difficult,” the researchers said.
“Some users expressed concern about difficulties in obtaining up-to-date information on carding activities on the forum, while another suggested that they deliberately did not post carding-related information to prevent competitors from gaining an advantage.”
Because carding is often done by people on the lower end of the cybercriminal spectrum without much technical expertise, researchers say it can be difficult for budding cybercriminals to establish themselves if they can’t use the method as a way to build up sustainable income.
Alternatively, researchers contend that the increasing difficulty of carding means cybercriminals have simply moved on to more lucrative endeavors such as ransomware.
In May 2022, Verizon’s Threat Research Advisory Center (VTRAC) and 80 other independent industry contributors reported that 2021 saw a 13% increase in ransomware breaches, a year-over-year jump higher than the last five years combined.
According to separate information published by the Photon research team in August 2022, a new cybercrime forum has been established that only and specifically targets victims in Russia and Belarus.
Known as Dumps, the forum has a small membership of about 100 people and includes sections offering cyberattacks on services, data leaks, illegal materials, carding support, malware and access to compromised networks.
The Photon team said Russia’s aggression in Ukraine has been condemned around the world, but the conflict has proven to be controversial, and the cybercriminal community is very divided.
“Russian President Vladimir Putin’s views on so-called ‘special military operations’ depend on a variety of factors, particularly the cybercriminal’s background, political beliefs or other nationalistic drivers,” they wrote.
“As we have reported in previous blogs, some internet users have accepted it to take an active role in their conflict, Russian organizations targeted with targeted data breaches, distributed denial of service [DDoS] attacks and destructive activities.”