A growing body of evidence reveals that ransomware is increasingly the domain of multi-million dollar criminal enterprises, which recruit specialists and apply their skill sets broadly to extort money from their victims.
The business is highly lucrative and ransomware gangs are seeking cost-effective returns for their effort.
“The reality now is ransomware is an economy, it’s a service-based model,” said Raj Samani, Chief Scientist at cybersecurity firm McAfee.
Over the past six months McAfee’s Advanced Threat Research team has undertaken a forensic examination of a dangerous new form of ransomware called Sodinokibi, publishing four blogs that provide insight into the group’s organisational structure and accounting models.
Sodinokibi malware (also known as REvil) first emerged in April 2019. Its goal, like that of other ransomware families, is to encrypt the victims’ files and then demand a payment in return for a decryption tool, supplied by the authors or their affiliates, that restores them.
But to understand Sodinokibi, you have to look back further to GandCrab, a ransomware crew who announced they were shutting down their operations in May. However, McAfee’s analysis shows Sodinokibi shares 40 per cent of its code with GandCrab, suggesting a connection between the two groups.
“The emergence of REvil or Sodinokibi has led to a new form of ransomware taking over and what we have seen is actually this is not brand new. What we see and what we suspect is the individuals behind Sodinokibi have very close ties to, or in some way, shape or form were very closely related to this older form of ransomware, GandCrab,” said Samani.
McAfee describes both GandCrab and Sodinokibi as Ransomware-as-a-Service (RaaS), where ransomware can be sold to other criminals to attack IT systems.
In the case of GandCrab, at the top of the organisation are the developers, who create the malware. They then delegate the job of infecting systems to affiliates, who are responsible for spreading the ransomware and generating infections.
Samani described the graphic below as “an organisational chart for bad guys”.
The ransom is paid back to the developers, who take a percentage and pass the rest on to the affiliates — usually an 80/20 or 70/30 split in favour of the affiliate.
“This is no longer ‘send an email to a consumer and wait for $200 to $300’, this is very much an organisation-driven motivated attack,” Samani said.
For developers this business model keeps them at arm’s length from infecting the organisations and provides them some protection if they are operating from a country where developing malware is not a crime, McAfee’s research found.
For the affiliates, the structure lowers the barrier to entry, meaning individuals with little technical skill can join the criminal network and begin spreading the malware.
The researchers also identified that the ransomware crews have developed an accounting model to keep track of the finances: values hard-coded in the ransomware identify an affiliate and measure the number of infections they have made, so they can get paid.
“What the criminals have done, which is really quite business-oriented, is they effectively created an accounting model to allow them to manage and understand which of their affiliates are making the infections, which of those infections are successful, which will allow them to determine how much money they get paid,” Samani said.
“This is a business model they have created and the accounting model is incredibly successful.”
The All Stars
The role of affiliates was a key factor in the success of both GandCrab and Sodinokibi, and McAfee’s research found that GandCrab’s most productive affiliates were hired to join Sodinokibi; McAfee dubs them the ransomware all-stars.
“We are seeing the hiring of the most profitable affiliates, coming together with developers who have some access to GandCrab, which has been the most prevalent form of ransomware since 2016 up to its demise in 2018, all of that coming together and driving larger ransomware attacks,” Samani said.
Understanding this model has implications for law enforcement. Identifying and disrupting a top affiliate’s activity could have a crippling effect on the income of the RaaS network, McAfee argues.
McAfee researchers John Fokker and Christiaan Beek suggest further ways to disrupt the economics at play. “Another way is disrupting the business model and lowering the ransomware’s profits by offering free decryption tools or building vaccines that prevent encryption. The disruption will increase the operational costs for the criminals, making the RaaS of less interest.”
A service economy
So far Australian businesses have largely been spared from Sodinokibi, according to visualisations from McAfee (pictured above).
However both the GrandCrab and Sodinokibi examples illustrate a broader trend in the cybersecurity industry: criminals have become expert project managers.
David Eaton, Associate Director Cybersecurity Services at DataCom, says cyber threats can be divided into two large groups: criminal gangs and more sophisticated nation-states.
“If you look at the criminal gangs it’s important to understand it’s not a verticalised market. It is actually quite strongly segmented. So you will find that in order to put an exploit together you may deal with a number of different parties who specialise in particular aspects of the exploit and pull those together into a single exploit,” Eaton told Which-50.
Eaton explained that criminals will sell or trade skills to find specialists in different areas such as zero day exploits, gathering intelligence on a target or exfiltrating data from the environment.
“Ransomware fundamentally is a service in the sense that more and more of it is aggregated across a number of different suppliers. Whether they be criminal gangs or whether they be nation-states, it doesn’t really matter — the ecosystem is in play.”
This dynamic creates an asymmetry which favours the attackers, and the highly commercialised model is a challenge for vendors, governments, and companies, Eaton said.
In his view, organisations are more serious about cybersecurity than they have ever been, with boards and executive teams recognising cybersecurity risk now needs to be carried outside of technology and IT in order to protect brand and reputation.
The experts Which-50 spoke to advised against paying a ransom to hackers, and argued businesses need to focus on prevention including tools and reinforcing the “human firewall” with employee education.
According to CISO research from ADAPT, Australian CISOs rank preventing phishing attacks as their number one priority this year.
“From the overall security level, in general, what we are seeing organisations look at is not necessarily the issue of ransomware or of malware, but the root cause of how it presents itself within the organisation,” Matt Boon, director of Adapt Research Advisory told Which-50.
This is also affecting investment choices. According to Adapt’s research, awareness around security was the third major inhibitor for Australian organisations and the number one investment priority for CISOs for the next 12 months is around cyber security awareness and training.
Boon explained that this means CISOs are planning to spend more money on making sure their people, “as the weakest link”, stop causing cyber incidents within the organisation than on the tools and capabilities to stop attacks.
“Organisations can actually leverage the increased threat from ransomware to help them raise awareness [of cyber] within their organisation because ransomware is one of those malware areas which has pretty wide-ranging awareness within consumers,” Boon said.
“When you start thinking about how you can counter the risks that are posed by ransomware again really thinking about taking a much more holistic approach to how you educate and ensure you’re protecting the organisation.”
Boon also believes executive support for security as a whole is high, but “awareness about what the implications are from not making the right bets and not making the right investments.”
This issue relates back to the need for CISOs to learn to speak the language of the business — much like CIOs had to when digital emerged — in order to fortify organisations against an ever-evolving threat landscape.