They are a band of Brothers, these chaps
Ransomware as a Service and a Brotherhood may seem an odd combo, but apparently things in the Dark Web work differently in the Middle East.
Trend Micro today released a whitepaper, “Digital Souks: A Glimpse into the Middle Eastern and North African Underground”. Interestingly, this in-depth analysis of cybercriminals is the first ever of its kind done for the MENA region.
This is a study that Trend Micro undertook over a two year period, and they found that regional marketplaces closely reflect the societies in which they operate. Meaning the Middle Eastern and North African underground is one where culture, ideology, and cybercrime meet. In this region, this facilitates itself in the “spirit of sharing” mindset, held by those that operate here, with a feeling of brotherhood and religious alliance that transcends the illicit transactions that occur.
Here are a few findings:
Hacktivism, DDoS attacks and website defacements are a staple in this region. Major primary product categories are malware: 27%, fake documents 27%, Stolen data 20%, crimeware 13%, weapons 10%, and narcotics 3%. Crimeware sold include a variety of cryptors, malware and hacking tools, like worm USD1-USD 12, keylogger free-USD19, known ransomware USD 30-USD 50, malware builder Free-USD 500, citadel (FUD) USD150, ninja RAT (FUD) USD100 and Havij 1.8 (Cracked) for Free.
Hosting providers in the region make significant profit by selling regionalized hosting spaces, which allows for local language and time settings in addition to faster connection speeds. A single IP connection and 50 GB of hard disk space, for instance, are sold for USD 50. Smaller plans exist, and start as low as USD 3. To some extent, the price is at par with other underground marketplaces, such as that of China.
Similar to the Russian underground, cashout services also abound here. These are platforms from which physical items, usually stolen, are converted into cash. These services are paid in bankcards, Bitcoins (BTC) or via direct cash transactions.
A unique aspect of cashout services here is how they are used to bypass security mechanisms and legal requirements in the region, such as those in place for the purchase of cell phones, and disposable SIM cards. In the MENA underground, DDoS services can be purchased by hacktivists and threat actors to further their ideology.
Private and public organizations are often targeted – however the service is not as prevalent as is widely believed, and its rarity commands a steep price. The average is USD 45 per hour, with three-hour packages at USD 275, and involves tools such as Low Orbit Ion Cannon (LOIC) or Lizard Stresser.
Malware as a Service (MaaS) typically includes a purveyor, a malware developer selling a single binary or a combination of a binary and builder marketed as fully undetectable (FUD). Average prices are USD 20 for a binary, and USD 30–USD 110 for a binary with C&C infrastructure. A binary-builder package costs around USD 150–USD 400.
Stolen identities are sold in forums across the region. The Arabic forum hack-int in Egypt sells stolen identities for USD 18. The demand for personally identifiable documents is influenced by geopolitical tensions, their buyers wanting to flee active war zones, for instance, leveraging them to migrate to other countries as refugees. On the other hand, cybercriminals can also purchase fake documents to perpetrate insurance fraud or prove resident status. A daunting real-world implication is a dangerous person buying these fake documents, and slipping through to other countries as refugees.
Furthermore, Virtual Private Networks (VPNs) are a mainstay for cybercriminal activity and can be purchased due to the anonymity they provide. VPNs offered here are purportedly secure, don’t store logs, and have multiple hop points. Cybercriminals will typically use these servers as either part of a botnet, or a jump-off platform for further attacks.
For this research, Trend Micro delineated the MENA underground as marketplaces, websites, and forums hosted within the regions. Arabic is the prevalent language, although some sites are in Turkish, Farsi, English, and occasionally French.