How the Ransomware Economy Has Grown
The breadth and magnitude of ransomware attacks occurring today suggest that the cyber extortion industry has evolved exponentially over the past 12 months. It is as difficult to keep up with the headlines as the security advice that follows. In the face of this media firehose, it is important to step back and understand how we got to the state. We feel there are three primary elements that have lead to the current state of cyber extortion, and ransomware in particular.
Element #1: Socio-economic conditions for STEM Educated Citizens of Eastern European Countries Cyber criminals and hackers are almost universally portrayed as hooded criminals, operating in the shadows. In reality, most cyber criminals likely resemble your average office worker, vs. a deviant cyber criminal. So who are these people, and why do they commit these crimes?
Element #2: Mainstream Development of the Cryptocurrency Ecosystem Before crypto currency, cyber criminals would target the theft of two things: fiat currency, or data that could be sold on a dark market for currency. Theft of currency via social engineering, business email compromise or direct hacks has one prickly drawback - time. In order for fiat currency to be stolen, it must escape the traditional banking system. This escape takes time, and if the victim is able to thwart the movement of currency before it escapes, the funds can be recovered. Roughly 75% of currency based theft (like Business Email Compromise) is recovered by law enforcement before it disappears off the grid of the banking system. Stolen data suffers from a different type of monetization problem. First, stealing large amounts of valuable data is very hard and a highly specialized skill. Second, finding a willing purchaser of stolen data can be time consuming and dillutive. Stolen currency has concrete value. Stolen data is only as valuable as what the marginal buyer is willing to pay for it. Enter crypto currency.
Element #3: Mass Availability of cheap Malware and Free Hacking Tools While the ransomware payload that, when detonated, encrypts files is often the focal point of a ransomware attack, it is actually the least spectacular and easiest to spot piece of malicious software involved. The malware that allowed the actor to get inside is much more sophisticated pervasive and troubling. Even more problematic than eradicating malware or persistence from a network, is the mass availability of free or cheap malware to anyone with a few dollars and criminal intent. So where did all of this malware come from? Well, a large volume of it was built by western governments, breached by hacking groups of various origins, and spilled into the wilderness for anyone to consume. Today, breached RDP credentials to a midsized US company can be purchased for less than one hundred dollars on numerous dark marketplaces, making the unit economics of a ransomware attack highly compelling. The open availability of ransomware as a service kits have also dramatically lowered the bar to entry. One does not need to be technical to distribute ransomware anymore. There is also an odd relationship between free availability of pen-testing tools like Empire, Mimikatz, Kali Linux, and Metasploit and use of these same tools for criminal tradecraft. There are even calls from the white-hat security ecosystem to regulate the use of these tools given how powerful they are, and how prevalent their use is in cyber crime. The end result is that your average dark marketplace has more malware SKU’s than a Home Depot has construction SKUs.
Read More
