OCTOBER 20, 2016
For some people, writing ransomware is just another day at the office
Data breaches seem to dominate the news these days, but in the mind of Joe Public, hacking is still the sole domain of antisocial nerds and computer geeks. A stereotype persists to this day that most (if not all) hackers are spotty, teenage basement-dwellers, crashing websites for giggles rather than multi-million-dollar paydays.
That might have been true in the early years of the internet, says Andy Patel, F-Secure security expert and resident 'Cyber Gandalf' (no, really). “In the days when you had the things that infected your Outlook and sent stuff to your contacts,” he tells IT Pro, “it was just about spreading stuff, it wasn't so much about monetising.”
That is no longer the case, however. Hacking is now big business, and cyber crime gangs are using techniques like ransomware, data theft and digital extortion to generate six-figure incomes. In fact, the FBI has calculated that ransomware alone will net cyber criminals a total of $1 billion in 2016.
While this may sound unbelievable, that estimate is actually too low according to ex-FBI agent and Carbon Black security specialist Eric O'Neill. “I’d push that number higher,” he says; “I’d go up to $1.5 [billion]. In May, they predicted $1 billion, and ransomware has increased pretty exponentially.”
That’s not an exaggeration: studies have indicated that the number of attacks increased by more than 170% in the first half of this year alone. In fact, the rate of incidents has skyrocketed by more than 3,000% since the first recorded ransomware attack back in 2012.
The cause behind this explosion of ransomware is obvious, F-Secure chief research officer and battle-hardened industry veteran Mikko Hypponen tells IT Pro: “it has become such big business because of one megatrend, and that megatrend is Bitcoin”.
He explains that although large-scale ransomware operations had been attempted in the past, they were always caught when investigators followed the money trail left by traditional payment methods. Bitcoin, in combination with dark web tools like the Tor network, now lets cybercriminals receive anonymous, untraceable payments from their victims.
It’s clear that for ransomware gangs, business is booming, but these cyber criminals aren’t just making as much money as major businesses; they’re acting like them too. “There’s a whole structure there that’s needed,” Patel explains. “An individual can’t just go in and do this now; it’s not a one man job… these are companies.”
The most visible example of this is in their customer service. For an average victim, the process of buying and using bitcoin in order to pay a ransom is alien and intimidating, and the gangs have solved this problem by having dedicated support staff that can walk users through the process.
“You have a chatroom that you can log into anonymously through a secure VPN,” O’Neill explains, “and now you’re chatting with the person that you just attacked, and you’re very nicely explaining to them how to buy a bitcoin, and how to send the bitcoin to you.”
“I have to say that, in some cases, these guys have better customer support than legitimate businesses,” Patel says. Gangs have even proven willing to haggle with their ‘customers’, lowering the ransom for those who can’t pay as much, or offering to decrypt a subset of the victim’s most valuable files for a lower fee.
Ransomware gangs are even using adaptive, dynamic pricing models to adjust their prices based on the size of the infected network. “If you infect a computer that has two shared drives, it’s a home machine,” Hypponen explained. “However, if you infect a company that has 70 shares ... you can ask for ten times more.”
Not only that, but ransomware gangs have also localised and translated their malware for different territories. Examples have cropped up in Dutch and Japanese, among others, and this often requires dedicated translators fluent in multiple target languages.
Many modern ransomware gangs have dedicated support staff, translators, money mules to convert ill-gotten bitcoins to fiat currency, and managers to co-ordinate them all – not to mention all the coders, engineers and sysadmins who write and deliver the malware itself.
So how does a criminal operation muster that large a workforce? The answer is simpler and more brazen than you might expect. While many employees join through what might be considered ‘traditional’ hacker channels – underground forums, dark web messageboards and the like – many job vacancies in cybercrime gangs are filled via legitimate business recruitment platforms.
An investigation by Kaspersky Lab found that cybercrime gangs will often advertise jobs on the Russian equivalent of Monster.com. The gangs post listings for IT roles, with no mention of the fact that applicants will actually be helping develop malware, and in some cases, the applicants may not even be told at all.
The stereotypical image of a cybercrime gang is hardly synonymous with average IT workers clocking on from 9 to 5 but in reality, salaried employees make up a significant part of many ransomware operations. “I always had the impression that it was this tightly-controlled inner circle of black hat coders,” Patel admits, “but no, they actually recruit regular people.”
“These guys, by nature, have to be very agile,” Patel says. “They have to keep up with the landscape. They have very good threat intelligence, because the minute they start doing something that gets caught by antivirus, then that’s just a waste of time.”
In fact, the criminals are watching the security industry just as much as the hacker-hunters are keeping tabs on them. F-Secure conducted a study showing that if ransomware gangs lowered their pricing a little, the average victim would be around 37% more likely to pay up, and Patel revealed that after those findings were published, the hackers’ ransoms did indeed start to drop in price.
When it comes to expanding their business, ransomware gangs have an advantage that many legitimate businesses still haven’t secured – virtually infinite scalability. The core exploit that forms the heart of a ransomware attack can be used time and again, which opens up a whole new market of ransomware resellers.
“Here’s the thing about ransomware,” O’Neill explains: “it’s a brilliant business model.” Once the actual exploit kit has been built, he told IT Pro, all it takes is a little business savvy and a half-decent phishing campaign in order to mount an effective attack against an organisation.
This means that even when they’re not actively mounting ransomware campaigns, gangs can still leverage their malware for huge profits. “The people who create these ransomware attacks push them out into a franchise model,” he revealed, “where you can take it, and you just have to pay me a little of what you make from the attacks.”
While the actions and motivations of cybercrime gangs are obviously deplorable, the level of polish and sophistication present in their operation actually offers some useful examples that legitimate businesses can learn from.
Patel points out that incentivising employees is something that organised cybercrime has proved to be surprisingly effective at – while many people within these groups are paid a flat salary, many also receive a cut of the gang’s profits.
“If the guys who are answering the calls and the guys who are on support are actually getting a share of the income,” he says, “that’s a good incentive to give good customer support. If they’re just being paid some crappy salary, they’re probably not going to give very good support.”
This strong focus on customer support is also something that regular companies can learn from, according to Kaspersky Lab’s David Emm. He points out that while ransomware gangs have a robust and well-oiled support structure, they’re not doing it out of altruism: it translates directly to increased revenue.
“If they’re investing in helpdesks and the rest of it, that’s because it’s going to help their business,” he says. “So if people don’t know how to make online payments, and they can offer a mechanism of guiding people through that payment process, they’re doing that because it helps their bottom line.”