How ransomware is driving the underground economy


The unwanted attention drawn by ransomware attacks recently prompted several of the leading cybercrime forums to ban ransomware discussions and transactions on their platforms earlier this year. While some hoped this could have a significant impact on the ability of ransomware groups to organize themselves, the bans have only pushed their activity further underground, making it harder for security researchers and businesses to monitor them.

If anything, the attacks in the months following the forum bans were even more powerful and daring than before. The truth is, ransomware is the lifeblood of the cybercrime economy, and extraordinary steps will be required to end it. The groups that coordinate attacks are highly professionalized and in many ways resemble modern corporate structures, with development teams, sales and public relations departments, external contractors, and service providers all receiving a share of the illegal income. They even use business jargon in their communications with victims, calling them customers who buy their data decryption services.

“The way I describe it is this: you have the business world we all know. Criminals have a parallel that looks like the Upside Down from Stranger Things. It’s exactly the same world, only darker and twisted,” Steve Ragan, security researcher at Akamai, tells CSO.

An underground economy based on ransomware

By examining what is involved in ransomware operations and how groups are organized, it is easy to see that ransomware is at the center of the cybercrime economy. Ransomware groups employ people who:

  • Write file encryption programs (development team)
  • Set up and maintain payment and leakage sites, and communication channels (the IT infrastructure team)
  • Advertise the ransomware service on the forums (sales team)
  • Communicate with journalists and post on Twitter and announcements on their blogs (the PR and social media team)
  • Negotiate ransom payments (customer support team)
  • Perform manual hacking and lateral movement on victims’ networks to deploy the ransomware program for a portion of the profits (external contractors called affiliates or penetration testers)

Affiliates often buy network access from other cybercriminals who have already compromised systems with trojan programs or botnets, or via stolen credentials. These third parties are called network access brokers. Affiliates can also purchase data dumps that contain stolen account information or internal information that can aid target reconnaissance. Bulletproof hosting and spam services are also often used by ransomware gangs.

In other words, many players in the cybercrime ecosystem make money directly or indirectly from ransomware. So it is not surprising that these groups have become more professional and operate in the same way as businesses, with investors, managers, product marketing, customer support, job postings, partnerships, and so on. It’s a trend that has slowly grown over the years.

“Underground cybercrime has essentially become an economy in and of itself where you have service providers, product makers, financiers, infrastructure providers,” Brandon Hoffman, CISO at security firm Intel 471, told CSO. “It’s an economy like ours where you have all these suppliers and buyers of different things. Just like in our market economy, because you have all these different types of service and product providers available, it is only natural that they start to come together and build a business together to offer a bunch of services and goods, like we do here in the standard economy. So I 100% agree that it is that way. It is really very difficult for us to prove it.”

“We’ve known for years that criminals have a software development lifecycle like the rest of us,” says Ragan. “They’ve got marketing, PR, middle managers. They’ve got people responsible for lower level criminals who report to higher level criminals. This is nothing new. It’s just that more and more people are starting to hear it and pay attention to the parallels.”

Ransomware groups adapt to market pressures

Ransomware attacks have crippled many hospitals, schools, utilities, state and local government institutions, and even police departments over the years, but the attack in early May on Colonial Pipeline, the largest pipeline system for refined petroleum products in the United States, was a milestone.

The breach, attributed to a Russia-based ransomware group called DarkSide, forced the company to shut down its entire pipeline network for the first time in its 57-year history in order to prevent the ransomware from spreading to critical control systems. This resulted in fuel shortages all over the eastern seaboard of the United States. The incident received wide attention in the media and in Washington, as it highlighted the threat that ransomware poses to critical infrastructure, sparking debates over whether such attacks should be classified as a form of terrorism.

Even the operators of DarkSide understood the gravity of the situation and announced the introduction of “moderation” for its affiliates – the third-party contractors who actually do the hacking and deployment of the ransomware – claiming they want to “avoid the social consequences in the future.” But the heat was already too strong for the group’s providers.

Just days after the attack, the administrator of XSS, one of the largest Russian-language cybercrime forums, announced a ban on all ransomware-related activity on the platform, citing “too much public relations” and an increase in the risk from law enforcement to “a dangerous level,” according to a translation by the cybercrime intelligence firm Flashpoint.

Other leading ransomware groups, including REvil, immediately announced similar restraint policies for their affiliates, prohibiting attacks on healthcare, educational and government institutions, in an effort to control the damage to public relations. That was not enough either. Two other major cybercrime forums, Exploit and Raid, quickly followed with bans on ransomware activity.

In the process, DarkSide announced that it would shut down operations after also losing access to its blog, payment server, Bitcoin wallet and other public infrastructure it had, claiming that its hosting provider only replied “at the request of the police.” A month later, the FBI announced that it had successfully recovered the US $4.4 million in cryptocurrency that Colonial Pipeline was forced to pay the hackers to decrypt its systems and resume normal operations.

Banning ransomware activity on the most popular cybercrime forums was a significant development, because for many years these forums have been the primary place where ransomware groups recruited affiliates. These forums provide an easy way for public and private communication between cybercriminals and even provide escrow services for transactions where the parties do not know or trust each other.

The bans have also affected, to some extent, cybersecurity companies that monitor these forums to collect information on threat actors and emerging threats. While most cybercrime researchers knew that forum bans wouldn’t stop ransomware operations overall, some wondered what the groups’ next move would be. Would they migrate to less popular forums? Would they create their own websites for advertising and affiliate communication? Would they switch to real-time chat programs like Jabber or Telegram?

“What it did was move these discussions to other private groups,” says Ragan. “They’re not leaving. What they did was step out of the public shadows. For a very long time you could see their recruiting, their development, their discussions, the kind of features they were working on. Now it’s gone … You won’t be able to predict a lot of changes. Unfortunately, that means you won’t know about new variants or new features added until the first victim is hit.”

According to Ondrej Krehel, founder and CEO of incident response and digital forensics firm LIFARS, ransomware operations were not affected by the forum bans because most of the actors involved in such activities were already communicating through private groups on Telegram and Threema that had been around for two or three years.

There was still some traction on the forums as part of the marketing efforts, but if you really wanted to get something more concrete you had to be in one of those groups already, and some require paying a fraction of a Bitcoin with a wallet that has been associated with known criminal activity, Krehel told CSO. “This rate of growth [of ransomware] will continue,” he said.


Shawn G. Randall
