Ransomware is an increasing threat where malicious actors seek entry - often through phishing attempts - into a network, where they encrypt data and demand a ransom be paid to release the decryption key. It continues to happen because it works and it’s profitable. As long as there are organisations without good backups in place, and people who unfortunately fall prey to ever more sophisticated phishing emails, there will always be ransomware.
In fact, ransomware is so profitable the ransomware groups can't even keep up with the opportunities and, as a CyberNews security researcher reports, are recruiting new members on hacker forums to solve their labour shortages. These forums are frequented by cybercriminals from wannabe to veteran status, but they are also visited by security researchers.
CyberNews reports their researcher encountered a recruitment ad alleging to be posted by a ransomware group offering a 70-80% cut of the profits of any successfully paid ransom. The researcher replied, purporting to be a Russian cybercriminal. They were invited to a private qTox chat room (a peer-to-peer chat room that runs over Tor) for a “job interview,” with people claiming to have been running a ransomware affiliate operation for over a decade. The group turned out to be an affiliate of the REvil and Ragnar Locker cartels.
REvil gained infamy by using double-extortion; not only did the group ransom the decryption key to companies who had been locked out of their files, but they also threatened to sell or auction the stolen data for another ransom.
To prove the job posting was legitimate, and that the interviewers really had funds behind them, they deposited a million dollars of Bitcoin into their forum wallet, providing irrefutable evidence they had cash.
The interviewers didn't only want technically skilled and experienced operators; they demanded the potential partner be a native Russian speaker too. They explained they were a four-person team, and if the applicant aced the interview they would be team member five.
One interviewer stated the group's biggest ransom payout was $18m. Ragnar Locker took its 30% cut, and the group divided the remaining 70% among its team members, each receiving around US$2.5m.
It's results like this that show why cybercriminals love ransomware. It works, and it works because it operates on human fallibility - both the inability to discern falsified and fraudulent emails and websites and the lack of security and disaster recovery processes in place in many organisations. The fact a company could afford to pay such a huge multi-million dollar ransom, and that this was the most effective way to get back to work when their files were encrypted, reflects poorly on organisations of all sizes.
The interviewers asked the cybercriminal imposter about their experience with Cobalt Strike, a threat emulation toolkit used legitimately to assess vulnerabilities. Of course, it’s also used by malicious actors to similarly explore weaponised exploits.
Following the technical conversation, the interview turned to money - how to receive the cryptocurrency, and how to pay it out in a traditional currency.
The group claimed to have an insider contact at a cryptocurrency exchange who specialised in money anonymisation and would aid in cashing out, even possibly laundering future ransom payouts. The researcher was told to open an account on that exchange, to deposit ransom payouts there, and to convert them to USD in “small” instalments of a million US dollars at a time. Once done, the insider could then convert it to cash and deliver it anonymously for a 4% fee.
CyberNews states it believes the claims made to be credible.
The researcher appears to have been successful in their impersonation of a Russian cybercriminal and was asked to participate in attacks against several potential targets. CyberNews states its researcher cut off communication and declined to participate in any such illegal actions.
However, the researcher gleaned information about the group's attacks. Rather than mass-firing phishing emails and catching whoever they can, this specific group carefully selects targets, researching their financials and understanding how disruptive an attack would be on their day-to-day operation. The threat actors begin their attacks on a Friday night, allowing them much of the weekend to operate with a lower probability of detection.
It's clear, despite the old adage, that crime does in fact pay. Millions, in fact. And while companies continue to operate insecurely, while humans are still involved, ransomware is not going away.
The ways to protect your organisation are still the same: ensure your data is robustly and securely backed up; block malicious websites and file types; keep software up-to-date; provide regular phishing training to staff; enable multi-factor authentication; practise zero-trust security; practise separation of duties; disable unnecessary administration accounts; and use hardware-based security keys.
iTWire resources on protecting yourself and your environment:
- Zero trust: SolarWinds speaks out and software dev can never be the same again
- FIDO security: FEITIAN keys, and YubiKey series 5
- Anti-phishing training: My two weeks with Phriendly Phishing
- BitDefender identifies state-sponsored cyber-criminal enterprise, StrongPity
- Integrate security into operations and make it easier for everyone, says Trend Micro
- You cannot keep ahead of future attacks without machine-speed response times, says Splunk