Kelihos and the Ransomware Ecosystem
Botnets have been a serious problem on the web for more than 15 years, and as the network has changed, botnet operators have had to adapt in order to continue making money. While launching DDoS attacks on demand once was the main revenue stream for these cybercriminals, things have changed in recent years to include the paid installation of ransomware, banking trojans, and other types of malware.
One of the larger offenders in this arena for the last six or seven years has been the Kelihos botnet — a huge, diverse collection of compromised computers that has been responsible for a sizable fraction of the spam circulating online. Kelihos has been known for running a number of different cybercrime operations over the years, outside of its core spam business, including the theft of victims’ banking credentials, ransomware, and many other activities. But that’s all in the past now, thanks to an operation by the FBI that included an arrest and the disruption of the Kelihos botnet this week.
On Tuesday, the Justice Department announced that it had taken down Kelihos through a series of actions that included sinkholing the botnet's C2 servers, that is, redirecting the infected machines' command traffic to servers under the investigators' control, which prevented the operators from sending further commands to infected machines. This is a tried and true method of disrupting botnets, essentially cutting off the head of the network. The takedown was coordinated with the arrest of Peter Yuryevich Levashov, a Russian citizen whom Justice Department officials say was the operator of Kelihos. Authorities arrested Levashov in Spain last weekend, and the civil complaint against him alleges that he was running a diverse and successful cybercrime enterprise.
“The Defendant is one of the world’s most notorious criminal spammers who was first indicted in the Eastern District of Michigan for email and wire fraud more than a decade ago. The charges arose out of the Defendant’s use of illegal spam to promote pump-and-dump penny stock schemes. In 2009, the Defendant was again the subject of criminal charges, this time in the District of Columbia. The D.C. criminal complaint charges the Defendant with computer fraud violations arising from his operation of the ‘Storm’ botnet, a predecessor to Kelihos that was also used to distribute illegal spam,” the complaint says.
Levashov is not an unfamiliar name in the cybercrime world. He has been on Spamhaus’s list of known spammers for some time, but the really interesting bit about the Kelihos operation is its role in the spread of ransomware. During its investigation, the FBI was able to gain access to conversations between Levashov and third parties in which he allegedly discusses his pricing structure for blasting out emails laden with ransomware. He offered to send a million ransomware messages for $500.
Consider the economics of this ecosystem for a minute. For a spammer, sending a million emails costs almost nothing, especially one who owns a botnet and can send the messages from other people’s computers. For the customer who pays the spammer, $500 is an incredibly low down payment on what could be a very large return. Depending upon the ransom demand, the customer would only need a small handful of successful installations and payments in order to make his money back, with the potential to make several hundred times his initial investment over time.
This structure is the major reason why the ransomware economy is only going to continue expanding. There is a huge amount of money to be made and the barriers to entry are almost non-existent. Once a criminal buys a ransomware variant — which is easy to do at this point — and finds a spammer to send his emails out, all he has to do then is sit back and watch the money roll in. The risk of being caught is low and is more than compensated for by the massive financial returns. The FBI’s takedown of Kelihos is an important piece of work, but ransomware is a problem with many pieces that won’t be solved through individual operations, unfortunately.