Cybercrime Unicorns: What Everyone Needs to Know About Ransomware Gangs



Willie Sutton reportedly robbed banks “because that’s where the money is.” These days, the money is in giant corporations, and ransomware gangs go to great lengths to move it into their coffers. In an early-morning presentation at the RSA Conference, Finnish security maven Mikko Hypponen traced the growth of this massive cybercrime wave and speculated about its future.

Hypponen has been involved in security research since the beginning. Notably, he analyzed the Brain virus (one of the earliest) at its inception and tracked down its creators for an interview 25 years later. Europol recruited him for its advisory board, and he has lectured at Cambridge, Oxford, and Stanford. He is now the Chief Research Officer for WithSecure (formerly F-Secure for Business).

The First Ransomware…in 1989?

(Credit: Neil Rubenking/PCMag)

Hypponen led with some advice on becoming a noted expert, like himself. “Pick a field and work in the field forever,” he said. “Eventually, everyone will assume you’re an expert.”

More than 30 years ago, there were only about 250 computer viruses. “I could collect them all, and analyze them all,” Hypponen said.

Among them was the AIDS Information Trojan, released on a floppy disk in 1989 by a biologist with a doctorate from Harvard. The license agreement included language stating that if you used the information without paying, the publisher could use “any means necessary” to ensure payment. And indeed, on the 90th reboot, it would encrypt your hard drive and demand payment to restore it. In other words, ransomware.

“This is a problem caused by strong encryption,” said Hypponen. “All tech has an upside and a downside. Strong encryption is great and awful. It gives us great security and privacy, but also enables ransomware.”

Hypponen displayed examples of Trojans that lock your system and display a notice that you’ve done something wrong with your computer, perhaps pirated movies. You’re instructed to pay a fine to the fake law enforcement group using a prepaid card. “That’s a shortcoming for the criminals—payment. But in 2013, we saw CryptoLocker, the first ransomware using cryptocurrency. Now almost all attacks demand Bitcoin, or some other cryptocurrency. Crypto is the online equivalent of cash, as it’s easy to hide money movements.”

Rise of the Cybercrime Unicorn

“This is the age of the cybercrime unicorn,” said Hypponen, displaying the estimated worth of numerous cybercrime gangs. “Look at those numbers. If the company was legit, you’d call it a unicorn. They are powerful. They are wealthy. They will never do an IPO.” He pointed out that when the value of cryptocurrency rises, the average investor is likely to cash out. These gangs just keep their holdings, which get more and more valuable. “And criminals have another benefit,” he added. “They don’t pay tax.”

Hypponen likened the big cybercrime gangs to other sorts of gangs, noting that branding is important. “Yakuza. Hell’s Angels. MS-13. These are well-known scary gangs,” he said. “Now imagine you go into the office one morning. OMG, we’ve been hit by ransomware! OMG, it’s LockBit! You know it’s serious. You know they’ve done their homework.”

On the flip side, the reputation and the strong brand name mean that if you pay, they will fulfill their promises. “If the gangs don’t deliver, word gets around quickly, and nobody pays. These are criminals you can work with. Victims will tell you their experiences. ‘Oh, the criminal tech-support team helped us with recovery. Five out of five, would recommend.’”

Ransomware Gangs Lose Face

“The biggest hit to ransomware power happened in May and June of 2017,” said Hypponen. “That was WannaCry and then notPetya.” WannaCry was a worm, not a targeted attack, and it hit hundreds of thousands of PCs around the world in hours. Though it was designed to resemble the infamous Petya ransomware, notPetya was effectively a wiper: it encrypted the disks of affected computers in a way that could not be reversed, even by its authors.

Hypponen noted that notPetya was created by the GRU specifically to target Ukraine. It spread through a trojanized update pushed out by the update mechanism of M.E.Doc, a Ukrainian accounting package. WannaCry got its power from an exploit discovered by the NSA and stolen by a contractor.

The problem is, in both cases there was no way to recover. WannaCry requested ransom payments via email, and its email got shut down quickly. Machines hit by notPetya were simply not recoverable. The reputation of ransomware in general took a hit.

A Shock to the System

Laptop sacrifice (Credit: Neil Rubenking/PCMag)

One big victim of notPetya was the international shipping company Maersk. “How did an attack in Ukraine affect Maersk?” said Hypponen. “The company has offices in Ukraine, and the infection spread through the network.”

“I know Andy, the CISO at Maersk,” he continued. “How did things go down? In 15 minutes they lost the network. They lost all visibility, with no idea what was happening. At some stage they wondered, were all computers in the world affected?”

“When something like this happens, you go into shock. It’s really hard to work when you’re in shock.” At this point, Hypponen smacked an onstage table, sending it and a laptop flying, batteries going everywhere. “Awake?” he asked.


Ransomware Evolves to Double Extortion

“Maze was the first double-extortion ransomware,” said Hypponen. “You won’t pay to get your files back? You have a backup? OK, we will leak your data.” He noted that the gangs got very good at determining just how much money to ask for. On the ransomchat discussion site, you can see victims trying to negotiate down, and attackers saying, “We’ve reviewed your accounting. You can pay this.”

Nation-State Takedowns Needed

Hypponen repeated a quote from President Joe Biden: “Responsible countries need to take action against criminals who conduct ransomware activities on their territory.” He noted that countries have started putting out bounties on ransomware gangs: $10 million and possible immunity from prosecution. “Ten million is the same reward as for terrorists,” he said. “We started seeing arrests.”

He referenced the “spectacular success” of US agencies gaining insider access to the Hive ransomware gang. Over a period of months, agents managed to protect victims while keeping Hive in the dark. Hive never recovered. Just this week, an international group of law enforcement agencies identified the alleged mastermind behind the LockBit ransomware, Dmitry Yuryevich Khoroshev. The Justice Department charged him, though he’s still at large in Russia.

What’s Next for Ransomware?

(Credit: Neil Rubenking/PCMag)

Summing up, Hypponen characterized the next decade of ransomware thus:

More groups
More victims
More ransoms paid
We’ve only seen the very beginning.
Full automation of malware campaigns is coming.

Where are we failing the hardest? So what can we do? He suggested keeping these points in mind:

You can’t hide.
You need to patch better.
You need to authenticate better.
You need to test your backups.
You need to think about platforms.
You need visibility in your network.
You need to manage your exposure.
You can’t manage what you can’t measure.

“Cybercrime is organized crime,” concluded Hypponen, “and fighting crime is nothing new. Even if you’re a victim, you can rebuild and recover.”
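Of the points above, “test your backups” is the one most often skipped and the one a ransomware victim regrets first. The script below is an added example, not code from the talk, from Hypponen, or from WithSecure, of what such a test looks like in practice: restore the archive into a scratch directory and compare it against the source tree, rather than trusting that a backup file exists. The data set, the paths, and the drift and corruption scenarios are all constructed for the demonstration.

```shell
#!/bin/sh
# Restore-test for a tar backup. Added example, not code from the talk or
# from WithSecure. Paths and file contents below are constructed for the demo.

# restore_test SOURCE_DIR BACKUP_TAR
# Extracts the backup into a fresh scratch directory (never into the live
# tree) and compares the result against SOURCE_DIR. Returns 0 only if the
# archive extracts cleanly and every file matches byte for byte.
restore_test() {
    src="$1"
    backup="$2"
    scratch=$(mktemp -d) || return 1
    rc=1
    if tar -xf "$backup" -C "$scratch" 2>/dev/null; then
        # diff -r exits non-zero on any missing, extra, or changed file.
        if diff -r "$src" "$scratch" >/dev/null; then
            rc=0
        fi
    fi
    rm -rf "$scratch"
    return "$rc"
}

# make_demo: builds a small constructed data set under a temp directory,
# archives it, and prints the temp directory path.
make_demo() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/data/config"
    printf 'db_host=10.0.0.5\n' > "$demo/data/config/app.conf"
    printf 'ledger,2024-Q1\n' > "$demo/data/ledger.csv"
    tar -cf "$demo/backup.tar" -C "$demo/data" .
    echo "$demo"
}

# stale_demo DEMO_DIR: simulate drift after the backup was taken, the case
# where a backup exists but no longer reflects what you would need to restore.
stale_demo() {
    printf 'ledger,2024-Q2\n' >> "$1/data/ledger.csv"
}

# corrupt_demo DEMO_DIR: overwrite the archive with junk, the case where the
# backup file is present but unusable (truncated, or encrypted by the attacker).
corrupt_demo() {
    printf 'not a tar archive\n' > "$1/backup.tar"
}

# Stand-alone run: report each scenario.
demo=$(make_demo)
if restore_test "$demo/data" "$demo/backup.tar"; then
    echo "fresh backup: restore OK"
fi
stale_demo "$demo"
if ! restore_test "$demo/data" "$demo/backup.tar"; then
    echo "after drift: restore no longer matches the source tree"
fi
corrupt_demo "$demo"
if ! restore_test "$demo/data" "$demo/backup.tar"; then
    echo "corrupted archive: restore FAILS"
fi
rm -rf "$demo"
```

In production the comparison target would be a signed manifest of what the backup is supposed to contain rather than the live tree, and the test should run on a schedule from a host that the backup store cannot be written from; the point the talk makes is only that a backup nobody has restored is an assumption, not a control.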
