{
	"id": "9009d563-3cc0-492d-b3cd-c5d331e9a67f",
	"created_at": "2026-04-06T00:16:02.113987Z",
	"updated_at": "2026-04-10T03:20:38.192361Z",
	"deleted_at": null,
	"sha1_hash": "3eabcbf6015c5acbc7ba005fc8c9f80edc66debb",
	"title": "Ransomware Gangs: Ocean's 11 of Cybercrime - Evolving Roles Revealed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2401469,
	"plain_text": "Ransomware Gangs: Ocean's 11 of Cybercrime - Evolving Roles Revealed\r\nPublished: 2021-07-08 · Archived: 2026-04-05 18:32:26 UTC\r\nRansomware Gangs are Starting to Look Like Ocean’s 11\r\nBy Victoria Kivilevich\r\nEdited by KELA Cyber Team\r\nPublished July 8, 2021\r\nThe cybercrime underground ecosystem once housed cybercriminals who would perform attacks from start to finish on their own. This one-man show has nearly completely dissolved; one of the most prominent trends to emerge instead is the specialization of cybercriminals in different niches. If we take a typical attack, we’ll see that not every cybercriminal will have the know-how to perform each stage involved in the attack:\r\nCode (code or acquire malware with the desired capabilities)\r\nSpread (infect targeted victims)\r\nExtract (maintain access to infected machines)\r\nMonetize (get profits from the attack)\r\nhttps://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/\r\nPage 1 of 13\n\nEach stage includes various malicious activities that different actors specialize in. As ransomware operations have been growing and maturing, KELA’s researchers have been observing more cybercriminals offering accompanying services that fall into one of the four niches. When looking specifically into the ransomware supply chain, we can see many actors piling up in the “extract” niche – where actors focus on escalating privileges within a compromised network – and the “monetize” niche – where actors are involved in the negotiation process with victims, DDoS attacks and spam calls. In this post, KELA focuses on these two niches in order to better understand the actors who have surfaced around the growing RaaS ecosystem. Some of the major takeaways include:\r\nKELA assesses that domain admin level privileges ease ransomware attacks, and are therefore more valuable to cybercriminals. 
However, only 19% of listings offer domain admin access rights, which raises demand for intrusion specialists capable of escalating privileges.\r\nUsing DARKBEAST, KELA observed multiple posts describing a new role in the ransomware ecosystem – negotiators, whose purpose is to force the victim to pay a ransom using insider information and threats.\r\nAs ransomware attackers have begun using additional methods to threaten victims and their partners, such as DDoS attacks and spam calls, the need for such services also appeared. The ransomware ecosystem therefore increasingly resembles a corporation with diversified roles inside the company and multiple outsourced activities.\r\nIn order to prevent attacks and mitigate the risk of being attacked by such a skilled hacking community, enterprise defenders should continually monitor their key assets and their supply chain to mitigate the most relevant threats from the cybercrime underground ecosystem before further damage occurs.\r\nThe figure above expresses how a ransom is split between ransomware developers and affiliates following an attack.\r\nAn attack involving multiple participants\r\nEscalation of Privileges\r\nFollowing more than a year of monitoring Initial Access Brokers using KELA’s intelligence technologies, KELA’s researchers identified the influence that the obtained level of privileges (i.e. user or domain/local administrator rights) has on the price of access for sale. For instance, in previous research, KELA observed threat actors raising their prices by 25-115% following their success in escalating privileges up to the domain admin level. 
KELA’s analysis of network access listings publicly offered for sale in January-May 2021 shows that average domain admin access cost at least 10 times more than access to a machine with user rights. It also seems to be a rarer type of offering: domain admin access was explicitly mentioned in only 19% of listings where initial access brokers specified the level of privileges. That would mean that the majority of offers pertain to lower privileged access, mostly at the user rights level.\r\nNote: when we compared the listings, we included in the domain admin category only those listings where actors specifically mentioned it, and not just the “admin” type.\r\nPrices for access listings with different levels of privileges\r\nAs we see, domain admin access is a pricier and more valuable type of initial access. Even the percentage of the payment ransomware affiliates receive for their work can depend on the level of privileges. For example, in one post, users were looking to work with a ransomware affiliate program or affiliates who supply initial access. They specified: “In the case when we started the process with user rights and encrypted the network after successfully escalating it, our share [of the ransom – KELA] will be a little higher.”\r\nThreat actors stating they want a higher fee for encrypting the network starting from an unprivileged user’s machine (auto translated by Google from Russian)\r\nHowever, not all Initial Access Brokers and threat actors know how to gain such privileges. This is where actors experienced with privilege escalation enter the stage. In order to understand their work, let’s refresh our memory on how the RaaS supply chain works. 
Here is a possible scenario of a ransomware attack involving multiple participants: it starts from opportunistic attacks involving phishing or mass exploitation of publicly known vulnerabilities. Such attacks can be performed by Initial Access Brokers themselves or by other actors who then sell the gained credentials on markets or directly to other cybercriminals. These attacks enable threat actors to gain an entry point that they can transform into a wider compromise and establish a sustainable entry channel for other cybercriminals – remote access through RDP, VPN, and other methods. Once the entry channel is finalized, the broker puts the access up for sale, where it can be bought by ransomware affiliates who then proceed to lateral movement and further malicious processes with the ultimate goal of planting ransomware. The question is: how do they move from user-privileged access to a ransomware attack?\r\nPossible ransomware attack scenario illustrated by KELA.\r\nIf ransomware attackers start lateral movement from a domain admin’s machine, they have better chances of successfully deploying ransomware in a compromised network. However, if all they have is user access, then they need to escalate privileges by themselves – or call for the help of skilled fellows.\r\nDemand for cybercriminals able to escalate privileges (auto translated by Google from Russian)\r\nKELA located multiple posts seeking skilled intrusion specialists (“pentesters,” as Russian-speaking cybercriminals call them in slang) capable of gaining domain admin-privileged access. 
One of them mentions escalating privileges up to admin rights on “bots from a botnet, European corporations,” which shows another role in the ransomware supply chain that can be outsourced: botnet operators, who can supply leads to initial access brokers, intrusion specialists, and ransomware affiliates. The post reads: “This is teamwork, we pay a percentage of the profit. We are looking for one person to work out 2-3 bots per day. Constant flow until the end of the year is guaranteed. A little about teamwork: we already have specialists, you can count on fixed bonuses in USD and about 10% from the financial profit.” This means that these actors are looking for an intrusion specialist to escalate privileges on machines from the corporate networks included in a botnet. Then, they would be able to use the access for attacks, including ransomware. Since they mention a fixed fee and a 10% share of the “financial profit”, it can mean such specialists will get a percentage of the ransom. Based on several different offers, KELA assesses that intrusion specialists can be paid 10-30% of the ransom for escalating privileges up to the domain user level. Users ready to escalate privileges often offer other services and perform other roles in the ransomware ecosystem, namely as Initial Access Brokers or affiliates/affiliates’ partners. For example, in a thread titled “Will escalate admin rights, will gain domain administrator,” an author offers to perform the whole ransomware encryption process: to bypass antivirus solutions, steal data, delete backups and shadow copies and even encrypt a network. There are other users ready to do the whole job once they’re provided with initial access. 
Another example shows an Initial Access Broker who usually sells VPN access listings – also ready to escalate privileges for a fee.\r\nIntrusion specialists advertise their services, including escalation of privileges (auto translated by Google from Russian)\r\nInitial access broker offers to “raise DA” for a fee in addition to his listings (auto translated by Google from Russian)\r\nIt is important to understand that not every actor who offers escalation of privileges may be willing to cooperate with ransomware affiliates. For example, one offer KELA discovered specifically mentions “we do not work with crypto lockers,” meaning ransomware. These threat actors stated they focus on working with payment processing systems and using credit card data to gain profits. It illustrates the variety of monetization methods employed by cybercriminals; while all eyes are now on ransomware, it is crucial to remember to defend against other threats as well.\r\nA team claiming they can escalate privileges, among other services, but that they do not work with ransomware developers and affiliates (auto-translated by Google from Russian)\r\nNegotiators\r\nA brand-new position seems to have appeared in the RaaS landscape: negotiators. Initially, most ransomware operators communicated with victims via an email address mentioned in the ransom note. As RaaS grew and became more prominent and business-like, many actors started establishing their own portals through which all communications were held. The ransomware developers or affiliates determined the ransom sum, offered discounts, and discussed conditions of payment. However, now this part of the attack also seems to be an outsourced activity – at least for some affiliates and/or developers. Why do ransomware gangs need negotiators? 
Two hypotheses seem valid:\r\nVictims started using negotiators – while a few years ago there was no such profession, now there is a demand for negotiating services. Ransomware-negotiation specialists partner with insurance companies and have no lack of clients. Ransom actors had to up their game as well in order to make good margins.\r\nAs most ransom actors are probably not native English speakers, more delicate negotiations – specifically around very high budgets and complex business situations – required better English. When REvil’s representative was looking for a “support” member of the team to hold negotiations, they specifically mentioned “conversational English” as one of the requirements. This is not a new phenomenon: actors are also interested in native English speakers for spear-phishing campaigns.\r\nREvil hires “support [manager] with conversational English” to negotiate with victims, speak with media outlets, recovery and information security companies.\r\nAvaddon describes its administration panel to potential affiliates, mentioning “a chat for communication.”\r\nProLock ransomware gang negotiating with a victim.\r\nKELA noticed several threads on Russian-speaking underground forums where actors were looking for negotiators or discussing their work. In March 2021, a threat actor stated they had access to a large company, most likely in Saudi Arabia, and needed a negotiator to contact top managers of several companies. The actor specified they were looking for an insider or someone with well-established contacts among “recovery and cybersecurity companies in Saudi Arabia.” If the ransom was successfully received, the actor promised to pay 1-5 million USD to the negotiator. 
Several actors responded to the offer.\r\nThe actor looks for negotiators to receive ransom from a Saudi Arabian company (auto-translated by Google from Russian)\r\nThe work process of such negotiators can be inferred from a dispute between the Conti and REvil (Sodinokibi) operators on one side and a negotiators’ team they worked with on the other. This is how Conti’s representative described the collaboration, confirming that the service was quite new for the affiliates: “We got interested. When we asked him how it works, we said that when there will be a suitable material [a victim network – KELA], we will offer it to outsourcers [negotiators, among others – KELA].” The dispute began after an attack on Broward County Public Schools, in which Conti demanded a 40 million USD ransom. It turns out the negotiations were held both by Conti’s affiliates and by side negotiators, who didn’t manage to collaborate properly. The negotiators claimed they managed to gain insider information that could force the victim to pay the ransom.\r\nHowever, according to the negotiators, the affiliates meddled in the process and ruined their efforts. Conti’s representative argued the negotiators didn’t behave professionally. REvil’s representative also shared his experience of working with the same negotiators’ team, accusing them of scamming.\r\nConti ransomware attackers communicate with Broward County Public Schools. Source: Hackread.com\r\nRepresentatives of REvil and the negotiators’ team accuse one another of scamming (auto-translated by Google from Russian)\r\nThe actors and the forums’ administration didn’t come to a conclusion about who was a scammer in these cases. However, it illustrates the demand and supply for negotiating services. 
While the dispute was held on the Russian-speaking cybercrime forum Exploit, users from another forum, XSS, got interested and asked for the negotiators’ contacts. The REvil gang, as mentioned above, was also looking to fill a negotiator position, promising a monthly salary of 3,500-30,000 USD (a fixed fee plus “tips”). KELA’s findings show that negotiators ask for 10-20% of the ransom for such services.\r\nA threat actor looking for the aforementioned negotiators’ team on a different forum (auto-translated by Google from Russian)\r\nDDoS and Spam Services\r\nBesides the cybercriminals directly involved in the ransomware supply chain, ransomware operators and affiliates use other services that primarily help them to intimidate victims. For example, DDoS attacks became a common way for ransomware operators to force victims to pay the ransom. In order to perform the actual attacks, REvil was observed seeking to hire a team or a person with a botnet that could DDoS a targeted company and its clients as an additional measure. The REvil representative stated: “Estimate your potential – we can ask to shut down even Microsoft for a couple of days.” Another method of intimidating victims into paying is through spam calls and SMS campaigns to a victim company, its clients and partners, or to media outlets. These activities may be carried out by the ransomware operators or, as with other auxiliary operations, outsourced to other actors who specialize in them. As a showcase of the variety of pressure means used by ransom actors, KELA observed Avaddon ransomware operators looking for fax spam services – which can be used both for spamming the victim with threats and as the ransomware delivery vector in certain cases. In addition, just like corporate enterprises, ransomware operators have design and coding requirements. 
Since they need them for malicious purposes, they also look for such services on cybercrime forums.\r\nREvil advertises the availability of DDoS and spam services for their affiliates; Avaddon looks for someone to carry out spam fax.\r\nConclusion\r\nDuring recent years, ransomware gangs have grown into cybercrime corporations with members or “employees” specializing in different parts of ransomware attacks and various accompanying services. The recent ban of ransomware on two major Russian-speaking forums does not seem to affect this ecosystem, because only the advertisement of affiliate programs was banned on the forums. Ransomware operators and affiliates still remain active participants in cybercrime discussions: they can hire others and buy their services and offers. Ransomware operations attract cybercriminals by being a fast way to make profits – not only for ransomware developers and affiliates but for everyone involved in their activities, with millions of USD in ransom. Confronting such groups requires enterprise defenders to invest in:\r\n1. Cybersecurity awareness and training for all key stakeholders and employees to ensure that key individuals know how to safely use their credentials and personal information online. This cyber training should include specifying how to identify suspicious activities, such as possible scam emails, or unusual requests from unauthorized individuals or email addresses.\r\n2. Regular vulnerability monitoring and patching to continually protect their entire network infrastructure and prevent any unauthorized access by Initial Access Brokers or other network intruders.\r\n3. Targeted and automated monitoring of key assets to immediately detect threats emerging from the cybercrime underground ecosystem. 
Constant automated and scalable monitoring of an organization’s assets could significantly help maintain a reduced attack surface, ultimately helping organizations thwart possible cyberattacks against them.\r\nSource: https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/"
	],
	"report_names": [
		"ransomware-gangs-are-starting-to-look-like-oceans-11"
	],
	"threat_actors": [],
	"ts_created_at": 1775434562,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3eabcbf6015c5acbc7ba005fc8c9f80edc66debb.pdf",
		"text": "https://archive.orkl.eu/3eabcbf6015c5acbc7ba005fc8c9f80edc66debb.txt",
		"img": "https://archive.orkl.eu/3eabcbf6015c5acbc7ba005fc8c9f80edc66debb.jpg"
	}
}