Cryptocurrencies, a Ransomware story

Ransomware is an ever-thriving way for hackers to make money from someone else’s files. In simple terms, it is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim and promises to restore access to the data upon payment. It literally takes a server hostage until the victim pays the amount named by the attacking group.
To start from the top down, malware is the collective name for a number of malicious software variants, typically consisting of code developed by cyber attackers and designed to cause extensive damage to data and systems or to gain unauthorized access to a network. Malware is typically delivered as a link or file over email and requires the user to click the link or open the file for the malware to execute [1]. The early days of this kind of attack date back to 1970 with the Creeper virus. Since then, the world has been under attack from hundreds of thousands of different malware variants, all intended to cause as much disruption and damage as possible.

Now that the definitions are cleared up, let’s look briefly at how ransomware works. There are a number of vectors by which it can gain access to a computer; one of the most common delivery systems is a phishing spam attachment that arrives in the victim's email, masquerading as a file they should trust. Once downloaded and opened, it can take over the victim's computer, especially if it carries built-in social engineering tricks that persuade users to grant administrative access. Other, more aggressive forms of ransomware, like “NotPetya”, exploit security vulnerabilities in the system itself to infect computers without needing to trick users. To be clear, the malware might do several things after infecting a system, and it is not limited to behaving as ransomware, but the most common action is to encrypt the victim's files. This is covered in a more technical way here. The most important thing to know is that at the end of the process the files cannot be decrypted without a mathematical key known only to the attacker. The user is presented with a message explaining that their files are now inaccessible and will only be decrypted if the victim sends an untraceable Bitcoin payment to the attacker. In advanced cases, failing to pay or attempting to remove the malware will trigger a self-protection mechanism that wipes everything.
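The encryption step described above leaves a behavioural fingerprint that defenders can watch for: one process rewriting many files in a short time with near-random content. The following is an added example, not part of the original post, of a simple entropy-based detector run over constructed file-write events (the process names, paths and timestamps are made up for the illustration):

```python
"""Added example (not from the original post): a defender-side heuristic that
flags the burst of high-entropy file rewrites produced when ransomware
encrypts a user's files. All event records below are constructed."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_ransomware_bursts(events, window=10.0, min_writes=5, entropy_floor=7.0):
    """Return (process, first_timestamp) for every process that writes at least
    `min_writes` files with near-random content within `window` seconds.
    Each event is a tuple: (timestamp, process, path, bytes_written)."""
    high_entropy_times = {}
    for ts, proc, _path, payload in sorted(events):
        if shannon_entropy(payload) >= entropy_floor:
            high_entropy_times.setdefault(proc, []).append(ts)
    hits = []
    for proc, times in high_entropy_times.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= min_writes:
                hits.append((proc, times[start]))
                break
    return hits


def sample_events():
    """Constructed telemetry: a word processor saving plain text (benign), then
    an unknown process rewriting six documents with random bytes in 2 seconds."""
    rng = random.Random(7)  # seeded so the sample is reproducible
    plain = b"Quarterly report draft, revision 3. " * 120
    events = [(0.0, "winword.exe", "C:/Users/a/report.docx", plain)]
    for i in range(6):
        noise = bytes(rng.getrandbits(8) for _ in range(4096))
        events.append((2.0 + i * 0.4, "unknown.exe", f"C:/Users/a/doc{i}.docx.locked", noise))
    return events


if __name__ == "__main__":
    print(flag_ransomware_bursts(sample_events()))  # → [('unknown.exe', 2.0)]
```

Real deployments would feed this from file-system auditing rather than an in-memory list, and would pair the entropy signal with extension changes and ransom-note drops to cut false positives from legitimate compression or encryption tools.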


Example of a system infected by ransomware


Certain attacks are not even sophisticated but use a model called Ransomware-as-a-Service, which is covered in detail here.

The targets of these attacks are chosen either deliberately or simply through a combination of bad security and bad luck. It is a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses. On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. Government agencies or medical facilities, for instance, often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet, and these organizations may be uniquely sensitive to leakware attacks.

This has led to immense losses and devastating long-term effects on businesses, many of which never recovered and went bankrupt. The FBI Internet Crime Complaint Center reported that in 2020 it received 2,474 ransomware complaints resulting in adjusted losses of $29.1 million, a significant increase from the $8.9 million in reported losses in 2019. However, many other attacks go unreported and others undetected; the total amount paid by ransomware victims increased 311 percent in 2020 to reach nearly $350 million in cryptocurrency [2].

Ransomware attacks are borderless and many criminals operate from outside the US; talk about working from home, right? The identity and location of a ransomware actor are often unknown. Similarly, ransom payments in the form of cryptocurrency can move rapidly across borders, as they are not bound by geographic location. Cryptocurrency laundering methods can be used to obfuscate the origin of funds, making it difficult for law enforcement to track the source of funds derived from a ransom upon their inevitable re-entry into the global banking system. Which brings us to the main issue here.

Are cryptocurrencies the main culprit that led us into this expanding dilemma?

Criminals demand ransom payments in cryptocurrency because it is quick and efficient, and they can easily verify if and when payments are made. The payment transparency of public blockchains gives ransomware actors a unique environment: they can simply watch the public blockchain to see whether the victim has paid. However, depending on the exchange, individuals sending transactions may not be required to identify themselves, and there are other ways around identification, from personal wallets to services like Tornado Cash used to launder crypto. Transactions may not be monitored for suspicious-activity reporting to national authorities, as they are in the traditional banking sector under anti-money laundering (AML) regulatory requirements. While citizens of Canada and the USA are required to verify their identity (known as KYC, or know your customer), other countries have yet to apply AML expectations to crypto firms, resulting in gaps around the globe in crypto regulation and enforcement. The movie line we all know, that the US does not negotiate with terrorists, holds here: law enforcement discourages victims from paying ransomware demands, but does recognize that entities need to consider business continuity and other obligations when deciding whether to pay a ransom. That only applies, of course, when law enforcement is aware of the attack at all.

The ransomware problem is a Bitcoin problem. Recently the Colonial Pipeline was shut down, with extensive consequences for the economy and citizens' lives. Overall, conservative estimates suggest the costs of direct extortion will be in the billions this year alone, and the collateral damage to the economy is undoubtedly one or two orders of magnitude more. But in the end, this cyber pandemic is not the result of a ransomware problem. Instead, it’s because society has a Bitcoin problem.

A solution to this issue is, of course, banning Bitcoin. Only an uneducated mind would propose such a solution: how can you ban something you are not able to control? After all, the sole purpose of Bitcoin is preventing censorship and providing anonymity [3]. But for the sake of this proposal, let us dwell further down this black hole. Suppose we woke up tomorrow to find that the US had banned owning and trading cryptocurrencies. Everyone is panicking and rushing to sell to preserve their precious fiat, when suddenly news breaks that a major company has been infected with a foreign ransomware originating in Russia (as an example), where the US has no jurisdiction and cannot do anything; the attackers are protected from prosecution and waiting for their payment. (There have been cases of Russia allegedly harboring hacking groups, with the Russian government viewing cybercrime as a profit center as long as the impact wasn’t local; see the NBC News article.)

We are now back to square one: the malware is still present and there is no way to help. Outright banning crypto poses a greater risk than reward. Looking at the macro picture of cyber security attacks, we see some emerging trends. For example, losses from cyber-attacks grew 50% between 2018 and 2020, with global losses adding up to over $1 trillion. It’s an unavoidable conclusion that speaks to the pervasiveness of security vulnerabilities available to exploit. A typical system has many vulnerabilities if set up incorrectly. While ransomware is a big part of the issue, everyone tends to disregard other attacks whose main target was to destroy data and hinder operations; a quick search with our friends at Google shows the extent to which systems are left vulnerable (United States federal government data breach; cyber attack on government agencies and human rights groups in 24 countries, most in the US).

The rise in cybercrime is also spurred on by the availability of ready-made, off-the-shelf malware easily found on the dark web for those with little skill who still want to profit from the free-money opportunities that unsecured organizations present. Importantly, criminals themselves have continued to evolve their strategies to evade defensive security tactics, techniques and procedures (TTPs) so that they can remain profitable. Should cryptocurrency no longer be a viable option for payment, attackers would almost certainly pivot to a different payment approach. After all, there have been attacks in which the criminal demanded nudes (article here) in exchange for decrypting the victim's data, which shows that their ultimate goal is not always money but to wreak havoc. The thought that they would simply stop attacking these organizations without crypto defies credulity. The “root cause,” if you will, of these events is not the payment method used to reward the criminals; it is the security gaps that enabled them to breach the enterprise and, obviously, the fact that there are criminals out there committing these crimes. Admittedly, zero-hour attacks cannot be easily prevented, but they can be mitigated.

Around late 2019, more enterprises were prepared with backup strategies to meet these threats and declined to pay. Ransomware actors such as the Maze ransomware group emerged, evolved and shifted tactics. They began to exfiltrate data and extort their victims: “Pay, or we will also publicly publish sensitive data we stole from you.” [4]

This further proves my point that cyber attackers will keep evolving their tactics as long as there is someone or some organization to attack; they have been doing so since the beginning of hacking. Before crypto, and even before cybercrime, we had dropping cash in a bag at night and wire transfers as options for anonymous payments to criminals. Realistically speaking, with the major cryptocurrencies open sourced, nothing can stop these prolific hackers from creating their own coin or token, either by forking another blockchain like Bitcoin or by building one from the ground up like Ripple’s XRP. The time before crypto has passed and we cannot erase this creation, but cyber security will have to evolve to help mitigate its risks.

In the end, the correct choice from my point of view is proper orchestration between cyber security agencies and companies, together with refining current compliance and best practices for the greater benefit of everyone, even if it may be difficult, even (likely) impossible, to plug every security gap in the enterprise. But too often, security fundamentals such as regular patching and security awareness training are skipped, and they go a long way toward reducing the risk of ransomware. Let’s keep our eye on the target, the enterprise, and not the prize, “crypto”. Otherwise, we may as well blame fiat for all other financial crimes.

References:

[1] What is a malware: https://www.forcepoint.com/cyber-edu/malware

[2] Ransomware attacks and the corresponding financial losses: https://bpi.com/top-7-things-to-know-about-ransomware-and-why-criminals-prefer-crypto-payments/

[3] What is Bitcoin: https://bitcoin.org/en/

[4] Maze Ransomware: https://www.crowdstrike.com/blog/maze-ransomware-analysis-and-protection/


This article does not contain advice or recommendations. Every move involves risk, and readers should conduct their own research when making a decision. The views, thoughts and opinions expressed here are the author’s alone.