Blurred lines: The challenges of taking down ransomware gangs

23 June 2020 (Last Updated June 24th, 2020 13:01)

Ed Targett speaks to a range of senior investigators to learn more about the challenges of taking on cybercriminals.

“The last thing the board want is this pesky little IT problem they’ve heard about bothering them and knocking them off track.”

The stories dribble in weekly, sometimes more frequently; tales of yet another company crippled by ransomware. The servers and desktops of a law firm, a shipping company, a steel mill or a forensic test centre rendered unusable, because malware has found its way into their network and spawned – shutting down systems with a simple message: your money or your network’s life.

It is not so much a kidnapping as a 21st century highway robbery, and bandits scan the virtual highways of the internet like never before, shaking down organisations for ransoms payable in flavours of cryptocurrency that business leaders have sometimes never heard of, but which cost them real money: in forced downtime, credibility, and sometimes in the ransom itself.

Ransomware hit on Honda a reminder: Nobody’s immune

Among the prominent companies hit in recent months: Honda, one of the world’s biggest car manufacturers; Cognizant, a major IT services company; Finastra, a prominent banking services provider; MaxLinear, a NYSE-listed semiconductor specialist: the list goes on. By one estimate, a business will fall victim to a ransomware attack every 11 seconds this year.

Executives are often publicly pugnacious on their refusal to pay up. MaxLinear said in an SEC filing this month, for example, that it has “no plans to satisfy the attacker’s monetary demands”, despite their release of stolen material, and threats to release further proprietary information harvested in the attack.

Criminal and loot as binary code

Often however, as many security experts will tell you, business leaders swallow their pride and cough up; the ransom blinking through a string of wallets and disappearing, like the culprits, into a world in which both criminal and loot are just binary code, waving thanks and goodbye; no pursuing police officers waving handcuffs anywhere in sight, or even imaginable.

Ransomware may be nearly as old as the internet, but it is, in short, having a storming revival. And while it might be just one tool in the cybercrime armoury, it is one that for visceral, frustrating impact has few equals – all while netting cybercriminals an estimated $1bn a year, according to a 2018 report commissioned from a leading academic by security firm Bromium.

A look at some cryptocurrency wallets certainly shows that there is no shortage of liquidity. A recent Europol intelligence report, for example, notes that over an 18-month period the equivalent of €500m (£444m) flowed through one Bitcoin mixer (a wallet designed to obfuscate the source of funds). Thirty per cent of this came from the Dark Web, Europol said.

It is hugely challenging to track the precise source and volume of ransoms (more on that anon), but one thing is increasingly clear: ransomware is among the fastest-growing games in town for cybercriminals.

As Mike Hulett, head of technology and capabilities in the National Cybercrime Unit of the National Crime Agency (NCA), emphasises to Computer Business Review: “From a law enforcement perspective, if you had asked us three years ago, I would say ransomware was seen as a bit of an annoyance.

“It wasn’t the issue that it is now, and it certainly wasn’t as sophisticated. It was a little bit of a spray-and-pray; the demands were pretty low.

“Now, by far, ransomware is the biggest problem that we face.”

So is anybody actually trying to catch these bastards?


“A pesky little IT problem”

As Hulett tells it, law enforcement agencies are taking a range of reactive and proactive measures to take on cybercriminals, but the blistering speed at which the playing field is evolving makes this no small task.

“The massive changes that we have seen in the last ten years are probably exponentially different to any other ten years in law enforcement history,” he says.

“What really changed between 1950 and 1970? We had the explosion of motorways across the country, so criminals started travelling.

“What really changed between 1970 and 1980? Not a lot. Between 1980 and 1990: people travelling more, a few more computers. The nineties to noughties: an explosion of mobile phones. But there’s been a massive rise in different things in the last ten years that we simply couldn’t have conceived of.”

He adds: “We are having to move faster; traditional training paths, etc. in law enforcement are having to change to try and keep up.”

And, he notes, just in the past two years attackers have got significantly more sophisticated, not just in terms of the code base of their malware, but their broader sense of when to strike.

“The attack often happens when maybe there is a big acquisition about to be announced, a new product about to be launched, or a share offering which is taking the board’s full attention,” Hulett explains.

“The last thing they want is this pesky little IT problem they have heard about bothering them and knocking them off track.”

“Here’s your Windows 7 laptop and 50p for the slot on the side”

Seen from the outside, efforts to combat this plague often feel like a case of whack-a-mole: private sector companies teaming up with public sector partners to tear down the online infrastructure supporting such attacks. (The CTI League, one such partnership, took down an impressive 2,833 cybercriminal assets on the internet in just five weeks earlier this year.)

Yet infrastructure itself is so fast-moving (“what is this, the 1990s?”, scoffs one security researcher when asked about private sector efforts to take down command & control infrastructure) and ransomware attacks keep coming like clockwork: it is exceptionally rare to hear of anyone ever getting caught.

Are the police simply outgunned?

Hulett is blunt in his response: “It would be difficult to argue credibly that we weren’t. The public sector is never going to be particularly cutting edge with its standard IT and training equipment that we give to people.

“We will bring in bright young things straight out of university; you come into law enforcement and it is a case of ‘here’s your Windows 7 laptop and 50p to put in the slot on the side’. We are not always keeping pace in general terms.”

“We can get to an individual level and map what they are doing…”

Often however, such investigations straddle an amorphous boundary between ‘conventional’ law enforcement/investigations, and national security – with agencies in the latter realm punching harder than many realise.

As one senior investigator working with a UK intelligence agency told Computer Business Review, visibility into criminal networks is more proactive than is often recognised; the challenge is making it prosecutable, and then overcoming the geopolitical issues that mean the culprits are often protected.

They said: “In the past, nation states haven’t been able to identify an individual. We can now. The scale of what we can do in an offensive capacity is similar to a targeted attack of the type that you could do if you were a [cyber] criminal. We can sit on a [criminal] organisation’s network and we can risk assess, to make sure that there is no loss to life or serious risk to property.

“My team have gone to CEOs to tell them that they are about to get attacked. That comes from sitting on a suspect’s network, watching what they are doing; capturing all the IPs that they are going to be delivering from and, crucially, the information that comes into their systems from – sometimes – the people who are funding them. So we can get to an individual level and map what they are doing; with all the necessary authorisations taken into account.”

Exploiting millisecond breaks in a VPN

Another law enforcement interviewee who preferred not to be named said: “Cybercriminals make mistakes. They will often use a VPN and we can map when/where there is a break [in the VPN] for a millisecond.

“And because we have got agreements in place with many providers, they are not breaching their terms with their users; we are just being able to take advantage of a natural occurrence [to gain intelligence on the attacker].”

Marc Rogers, an experienced white hat hacker who now heads up cybersecurity strategy at security firm Okta, told Computer Business Review that private sector actors – in terms of taking proactive measures to help combat cybercriminals – have often limited themselves to the low-hanging fruit, identifying indicators of compromise and taking down malicious domains, but “we are literally drinking from the fire hose”.

He adds: “Too often organisations make it easy for attackers. There is a lot of old infrastructure that has inadvertently been exposed to the internet; there are unpatched things that we would hope to have been patched by now…”

Yet Rogers, along with other public and private sector interviewees, agrees: collaboration between well-resourced security firms and law enforcement has never been better, nor more international. Formal and informal collaborations make intelligence gathering more robust than many give credit for, even if the consequences of that work rarely make it into the public domain: sometimes because it is just quietly disruptive, sometimes because attempts to prosecute run up against an unhelpful nation state shielding the culprits.

Tracking the links upstream

Shelton Newsham of Yorkshire and Humber Regional Cyber Crime Unit points Computer Business Review to the recent (and strikingly detailed) indictment of Maksim Yakubets, a Russia-based, Ukraine-born malware kingpin who drives a Lamborghini with a number plate that reads “Thief”, as an example of a successful investigation against a leading figure in the cybercrime world.

Images released by the FBI and NCA after the indictment of Maksim Yakubets, a Russia-based alleged cybercriminal.

As the de facto leader of Evil Corp, he was described unequivocally in December 2019 by British and American intelligence agencies as “the most significant cybercrime threat to the UK”.

Yakubets is now subject to a $5m US State Department reward – the largest ever reward offered for a cybercriminal – and faces extradition to the US if captured outside of Russia.

Newsham said: “If someone is sponsored by a nation state, ‘allegedly’, an individual is identified and links continue to be made with leaders of a nation state, that has political implications. Once you indict an individual, that has got personal, economic or whatever links to people within a political structure. That is a whole different animal; that’s the thing to get across.

“People think you are a toothless tiger by indicting somebody, because you will never get them – but now there is a much bigger picture. There is a much more strategic view of this in relation to the disruption that attribution to an individual causes; but it also stops being as simple as prosecuting a crime.”

The NCA’s Hulett adds: “It is very difficult to tell whether you are being attacked by a cybercriminal or a hostile nation state. From a tactical perspective, what we see them do is virtually the same. And if you look at state actors, what do you mean by that? Is that state-trained? Is it state-sanctioned, state-turned-a-blind-eye-to? State-financed? There are all shades of grey.

“There are other OCGs [organised crime groups] who are tasked by the state, particularly in the Russian arena: ‘go and do a job for us’. So it becomes a very blurred line between what is criminal activity and what is hostile state activity. That has forced law enforcement and intelligence services far closer together.”

Russia remains a problem

He adds: “I don’t want to give the impression that cybercrime is a Russian problem – it is not. But people actually in Russia, or Russians, or Russian-speaking people in other countries, are the majority of our problem.

“I think, sadly, from a law enforcement perspective, we play very much second fiddle to the wider geopolitical situation and diplomatic position. It seems to be an unwritten rule in Russia that if you attack a Russian bank, then the Russians will come after you. If you sit in Russia and attack the West, you can almost do so with impunity. The chances of there being cooperation from Russian law enforcement against a Russian national are slim.

“With things like child sexual abuse there is cooperation.

“We can exchange intelligence and information with the Russians and they will act on it. With cyber it is a different situation, I’m afraid. So we tend to rely on opportunities elsewhere in the world.”

Meanwhile, despite best efforts, attacks remain rampant.

And as Jasmit Sagoo from security firm Veritas puts it: “Companies have to prepare for when this happens, not if it happens.

“They have to take their data back-up and protection more seriously as a source of recovery. The ‘3-2-1 rule’ is the best approach to take. This entails each organisation having three copies of its data, two of which are on different storage media and one is air-gapped in an off-site location. With an off-site data backup solution, businesses have the option of simply restoring their data if they are ever locked out of it by criminals exploiting weaknesses in systems. Realistically, in today’s world, there is no excuse for not being prepared.”
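The ‘3-2-1 rule’ Sagoo describes is easy to state and easy to get wrong in practice: a second copy on the same disk array, or a replica mounted over the network, satisfies none of its three parts, and a network-reachable replica is exactly what ransomware encrypts alongside the originals. The short script below is an added example, not code from the article or from Veritas; it checks a constructed backup inventory against each part of the rule separately so that the failing part is reported, not just a pass/fail. It assumes the production copy counts as one of the three copies, and treats a copy as air-gapped only if it is explicitly flagged as unreachable from the production network.

```python
"""Check a backup inventory against the 3-2-1 rule (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of the organisation's data (constructed record type)."""
    name: str
    medium: str        # e.g. "disk", "tape", "object-storage"
    site: str          # where the copy physically lives
    air_gapped: bool   # True only if not reachable from the production network


def check_321(copies, production_site):
    """Return a dict mapping each part of the 3-2-1 rule to whether it holds.

    three_copies: at least three copies in total (production copy included).
    two_media:    copies span at least two distinct storage media.
    one_offsite:  at least one copy is both off-site and air-gapped, so an
                  intruder with production-network access cannot reach it.
    """
    media = {c.medium for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": any(c.air_gapped and c.site != production_site for c in copies),
    }


def failing_rules(copies, production_site):
    """List the parts of the rule that do not hold (empty list == compliant)."""
    return [rule for rule, ok in check_321(copies, production_site).items() if not ok]


# Constructed inventories for illustration.
PRODUCTION = BackupCopy("primary-db", "disk", "london-dc", air_gapped=False)

# Case 1: a same-array snapshot only. Fails all three parts.
SNAPSHOT_ONLY = [PRODUCTION,
                 BackupCopy("daily-snapshot", "disk", "london-dc", air_gapped=False)]

# Case 2: off-site cloud replica, but still mounted from production. Fails only one_offsite.
MOUNTED_CLOUD = [PRODUCTION,
                 BackupCopy("nas-replica", "disk", "london-dc", air_gapped=False),
                 BackupCopy("cloud-bucket", "object-storage", "eu-west", air_gapped=False)]

# Case 3: tape rotated to an off-site vault. Compliant.
WITH_TAPE = [PRODUCTION,
             BackupCopy("cloud-bucket", "object-storage", "eu-west", air_gapped=False),
             BackupCopy("weekly-tape", "tape", "offsite-vault", air_gapped=True)]


if __name__ == "__main__":
    for label, inventory in [("snapshot only", SNAPSHOT_ONLY),
                             ("mounted cloud", MOUNTED_CLOUD),
                             ("with tape", WITH_TAPE)]:
        missing = failing_rules(inventory, "london-dc")
        print(f"{label:14s}: {'compliant' if not missing else 'fails ' + ', '.join(missing)}")
```

The `air_gapped` flag is the part worth being strict about when filling in a real inventory: a copy that is merely in another building but still writable over SMB or S3 credentials held on the production network does not meet the third part of the rule for ransomware purposes.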
