Success factors in the cybercrime business
Most recently, international investigators struck heavy blows against the criminals behind REvil: in the course of a raid in November 2021, the U.S. Department of Justice arrested so-called affiliates, i.e. partners or participants in the REvil network, and seized around six million U.S. dollars in ransom money. Then, in January 2022, Russia's domestic intelligence service, the FSB, and Russian police arrested 14 more suspected REvil members and seized several million dollars in additional financial assets. In the eyes of the Russian authorities, this means that one of the most successful ransomware groups, with an annual turnover of $100 million and a market share of 16.5 percent, has been dismantled. To achieve such a result, the RaaS operators attacked a wide range of industries, primarily manufacturing, legal services, and construction.
The business initially flourished and secured large profits for those involved: Bitdefender estimates that around ten core members and, at peak times, around 60 other partners took part in the operations. The latter received around 70 to 80 percent of the profits. REvil exemplifies the power and level of organization of criminal ransomware-as-a-service models. Within the affiliate network, developers, attackers and penetration testers, and ransom collectors worked closely together, and they also thought of the infrastructure needed to collect the agreed amounts. They even built support for victims who were willing to pay: victims could deposit the ransom via a portal. In addition, the criminals advised the attacked organizations on how to acquire cryptocurrencies.